System and method for communicating with a key management system
Abstract
A method for providing authenticated access to an encrypted file system includes generating a first seed; providing a request for a key to a key server, the request including at least a first seed block having a first encryption, a message block having a second encryption, and an encryption encapsulation block having a third encryption, the encryption encapsulation block including information for decrypting the message block; at the key server, decrypting the encryption encapsulation block and using the information therein to decrypt the at least a first seed block and the message block; and authenticating the message if the first seed in the at least a first seed block matches a first predetermined seed.
21 Claims
1. A method for providing authenticated access, comprising:
- sending an encrypted message over a network from a computer having an encrypted file system to a key server, the encrypted message comprising:
  - a new seed;
  - an old seed;
  - a message block containing a request for encryption data used to decrypt data in the encrypted file system; and
  - an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted;
- at the key server:
  - receiving the encrypted message;
  - determining if the encrypted message can be decrypted using an encryption key;
  - rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;
  - performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises:
    - comparing the new seed to a set of authentication data;
    - comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;
    - rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and
    - determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;
  - determining if the request is authorized in response to determining that the request is authenticated; and
  - returning the encryption data to the computer in response to determining that the request is authorized.

(Dependent claims 2, 3, 4, 5 and 6 depend on claim 1; not reproduced here.)
7. A system comprising:
- a first server computer operably coupled to a network, the first server including an encrypted file system;
- a key server computer operatively coupled to the network, the key server computer comprising a processor and a non-transitory computer readable medium storing a set of computer executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
  - receiving an encrypted message from the first server, the encrypted message comprising:
    - a new seed;
    - an old seed;
    - a message block containing a request for encryption data used to decrypt data in the encrypted file system; and
    - an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted and wherein the old seed is a seed that was contained in a previous message to the key server;
  - determining if the encrypted message can be decrypted using an encryption key;
  - rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;
  - performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises:
    - comparing the new seed to a set of authentication data;
    - comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;
    - rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and
    - determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;
  - determining if the request is authorized in response to determining that the request is authenticated; and
  - returning the encryption data to the first server in response to determining that the request is authorized.

(Dependent claims 8, 9, 10, 11, 12, 13, 14 and 15 depend on claim 7; not reproduced here.)
16. A computer program product comprising a non-transitory computer readable medium storing a set of computer instructions that, when executed by a processor, cause the processor to perform a method comprising:
- maintaining a store of encryption data for authorized computers;
- receiving an encrypted message from a first computer, the encrypted message comprising:
  - a new seed;
  - an old seed;
  - a message block containing a request for encryption data used to decrypt data in an encrypted file system; and
  - an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted and wherein the old seed is a seed that was contained in a previous message from the computer;
- determining if the encrypted message can be decrypted using an encryption key;
- rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;
- performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises:
  - comparing the new seed to a set of authentication data;
  - comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;
  - rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and
  - determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;
- determining if the request is authorized in response to determining that the request is authenticated; and
- returning the encryption data to the first computer in response to determining that the request is authorized.

(Dependent claims 17, 18, 19, 20 and 21 depend on claim 16; not reproduced here.)
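The key-server flow shared by the three independent claims, as an added example that is not code from the patent or from any implementation of it: the client produces the encrypted seed, message and encapsulation blocks, and the server applies the claim's gates in order (decryptable with the shared key, then new seed, then old seed, then authorization). The HMAC-based toy cipher, the JSON layout, the rolling of the stored seed forward to the new seed after a successful request, and the reading that a matching new seed covers a client retry after a lost response are all assumptions of this example.

```python
import hmac, hashlib, json, secrets

# Constructed toy authenticated cipher (HMAC-SHA256 keystream + HMAC tag) standing in
# for the ciphers the claims leave unspecified; illustration only, not for production.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the blob cannot be decrypted with this key (wrong key or tampered)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def build_request(server_key: bytes, computer_id: str, new_seed: str, old_seed: str) -> dict:
    """Client side: seed block, message block and encapsulation block, each encrypted (assumed layout)."""
    msg_key = secrets.token_bytes(32)   # per-message key; the encapsulation block carries it
    return {"encap": seal(server_key, msg_key).hex(),
            "seeds": seal(msg_key, json.dumps([new_seed, old_seed]).encode()).hex(),
            "message": seal(msg_key, json.dumps({"id": computer_id, "want": "fs-key"}).encode()).hex()}

class KeyServer:
    def __init__(self, server_key: bytes, auth_data: dict, key_store: dict):
        self.server_key = server_key   # key shared with enrolled computers
        self.auth_data = auth_data     # computer_id -> seed expected next (the authentication data)
        self.key_store = key_store     # computer_id -> encryption data it is authorized to receive

    def handle(self, req: dict) -> str:
        msg_key = unseal(self.server_key, bytes.fromhex(req["encap"]))
        seeds = msg_key and unseal(msg_key, bytes.fromhex(req["seeds"]))
        body = msg_key and unseal(msg_key, bytes.fromhex(req["message"]))
        if not (msg_key and seeds and body):
            return "rejected: cannot decrypt"           # first gate in the claim
        new_seed, old_seed = json.loads(seeds)
        request = json.loads(body)
        expected = self.auth_data.get(request["id"])
        # Further authentication: compare the new seed first, then fall back to the old seed.
        if expected is None or not any(hmac.compare_digest(str(s).encode(), expected.encode())
                                       for s in (new_seed, old_seed)):
            return "rejected: seed mismatch"
        self.auth_data[request["id"]] = new_seed        # assumption: roll forward to the new seed
        if self.key_store.get(request["id"]) is None or request["want"] != "fs-key":
            return "rejected: not authorized"
        return self.key_store[request["id"]]
```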