System and method for communicating with a key management system

US 8,667,267 B1
Filed: 01/31/2012
Issued: 03/04/2014
Est. Priority Date: 01/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method for providing authenticated access, comprising:

sending an encrypted message over a network from a computer having an encrypted file system to a key server, the encrypted message comprising;

a new seed;

an old seed;

a message block containing a request for encryption data used to decrypt data in the encrypted file system; and

an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted;

at the key server;

receiving the encrypted message;

determining if the encrypted message can be decrypted using an encryption key;

rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;

performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises;

comparing the new seed to a set of authentication data;

comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;

rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and

determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;

determining if the request is authorized in response to determining that the request is authenticated; and

returning the encryption data to the computer in response to determining that the request is authorized.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing authenticated access to an encrypted file system includes generating a first seed; providing a request for a key to a key server, the request including at least a first seed block having a first encryption, a message block having a second encryption, and an encryption encapsulation block having a third encryption, the encryption encapsulation block including information for decrypting the message block; at the key server, decrypting the encryption encapsulation block and using the information therein to decrypt the at least a first seed block and the message block; and authenticating the message if the first seed in the at least a first seed block matches a first predetermined seed.

Citations

21 Claims

1. A method for providing authenticated access, comprising:
- sending an encrypted message over a network from a computer having an encrypted file system to a key server, the encrypted message comprising;
  
  a new seed;
  
  an old seed;
  
  a message block containing a request for encryption data used to decrypt data in the encrypted file system; and
  
  an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted;
  
  at the key server;
  
  receiving the encrypted message;
  
  determining if the encrypted message can be decrypted using an encryption key;
  
  rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;
  
  performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises;
  
  comparing the new seed to a set of authentication data;
  
  comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;
  
  rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and
  
  determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;
  
  determining if the request is authorized in response to determining that the request is authenticated; and
  
  returning the encryption data to the computer in response to determining that the request is authorized.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein determining if the request is authorized further comprises validating the request against a catalog of transactions that can be performed by the computer.
  - 3. The method of claim 1, wherein the new seed and old seed are encrypted in a seed block using a first type of encryption, the message block is encrypted using a second type of encryption and the encryption encapsulation block is encrypted using a third type of decryption.
  - 4. The method of claim 1, further comprising:
    - generating a message hash at the key server;
      
      comparing the generated message hash to a received message hash included in the message block; and
      
      rejecting the request in response to the generated message hash and received message hash not matching.
  - 5. The method of claim 1, further comprising:
    - at the computer, using the encryption data to generate a file system encryption key; and
      
      storing the file system encryption key in a key ring for the encrypted file system.
  - 6. The method of claim 1, further comprising storing the encryption data in a key ring for the encrypted file system.

7. A system comprising:
- a first server computer operably coupled to a network, the first server including an encrypted file system;
  
  a key server computer operatively coupled to the network, the key server computer comprising a processor and a non-transitory computer readable medium storing a set of computer executable instructions that, when executed by a processor, cause the processor to perform a method comprising;
  
  receiving an encrypted message from the first server, the encrypted message comprising;
  
  a new seed;
  
  an old seed;
  
  a message block containing a request for encryption data used to decrypt data in the encrypted file system; and
  
  an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted and wherein the old seed is a seed that was contained in a previous message to the key server;
  
  determining if the encrypted message can be decrypted using an encryption key;
  
  rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;
  
  performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises;
  
  comparing the new seed to a set of authentication data;
  
  comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;
  
  rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and
  
  determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;
  
  determining if the request is authorized in response to determining that the request is authenticated; and
  
  returning the encryption data to the first server in response to determining that the request is authorized.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The system of claim 7, wherein determining if the request is authorized further comprises validating the request against a catalog of transactions that can be performed by the first server.
  - 9. The system of claim 7, wherein the new seed and old seed are encrypted in a seed block using a first type of encryption, the message block is encrypted using a second type of encryption and the encryption encapsulation block is encrypted using a third type of decryption.
  - 10. The system of claim 7, wherein:
    - the first server computer is configured to include a first message hash in the message block such that the message hash is received by the key server; and
      
      the key server computer is further configured to;
      
      generate a second message hash;
      
      compare the generated second message hash to the first message hash received in the message block; and
      
      rejecting the request in response to the generated message hash and the first message hash not matching.
  - 11. The system of claim 7, wherein is the first server is further configured to maintain a key ring for the encrypted file system, the key ring storing information received from the key server.
  - 12. The system of claim 7, wherein the new seed, old seed and message block are encrypted using a bit string, the bit string encrypted in the encryption encapsulation block using a public key of the key server.
  - 13. The system of claim 7, wherein the new seed and old seed are encrypted using a first bit string and the message block is encrypted using a second bit string, the second bit string encrypted in the encryption encapsulation block using a public key of the key server.
  - 14. The system of claim 13, wherein the first bit string comprises a first single use passphrase and the second bit string comprises a second single use passphrase.
  - 15. The system of claim 7, wherein the first server is configured to include a new seed and an old seed in messages to the key server.

16. A computer program product comprising a non-transitory computer readable medium storing a set of computer instructions that, when executed by a processor, cause the processor to perform a method comprising:
- maintain a store of encryption data for authorized computers;
  
  receiving an encrypted message from a first computer, the encrypted message comprising;
  
  a new seed;
  
  an old seed;
  
  a message block containing a request for encryption data used to decrypt data in an encrypted file system; and
  
  an encryption encapsulation block including information for decrypting the message block, wherein the new seed, old seed, message block and encryption encapsulation block are encrypted and wherein the old seed is a seed that was contained in a previous message from the computer;
  
  determining if the encrypted message can be decrypted using an encryption key;
  
  rejecting the request in response to determining that the encrypted message cannot be decrypted using the encryption key;
  
  performing further authentication in response to decrypting the encrypted message, wherein performing further authentication comprises;
  
  comparing the new seed to a set of authentication data;
  
  comparing the old seed to the set of authentication data in response to the new seed not matching the set of authentication data;
  
  rejecting the request in response to neither the new seed nor the old seed matching the authentication data; and
  
  determining that the request is authenticated in response to either the old seed or new seed matching the authentication data;
  
  determining if the request is authorized in response to determining that the request is authenticated; and
  
  returning the encryption data to the first computer in response to determining that the request is authorized.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer program product of claim 16, wherein determining if the request is authorized further comprises validating the request against a catalog of transactions that can be performed by the computer.
  - 18. The computer program product of claim 16, wherein the new seed and old seed are encrypted using a first type of encryption, the message block is encrypted using a second type of encryption and the encryption encapsulation block is encrypted using a third type of decryption.
  - 19. The computer program product of claim 16, further comprising instructions executable by the processor to:
    - generate a message hash;
      
      compare the generated message hash to a received message hash included in the message block; and
      
      in response to the generated message hash and the received message hash not matching, rejecting the request.
  - 20. The computer program product of claim 16, wherein the requested encryption data comprises a file system encryption key.
  - 21. The computer program product of claim 16, wherein the requested encryption data comprises information used to generate a file system encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloudera Incorporated
Original Assignee
Gazzang Incorporated (Cloudera Incorporated)
Inventors
Garcia, Eduardo, Colorado, Carlos Arturo
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
BROWN, DE'MARIS R

Application Number

US13/362,695
Time in Patent Office

763 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/0869 for achieving mutual authen...

System and method for communicating with a key management system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for communicating with a key management system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links