Token-based key generation

US 9,071,424 B1
Filed: 03/29/2013
Issued: 06/30/2015
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method performed by a first computing device, the method comprising:

engaging in a handshake procedure with a remote second computing device to establish a secure channel;

generating a first encryption key using a first token having a secret seed, the first encryption key being the same as a second encryption key generated by the second computing device using a second token having the same secret seed; and

using the first encryption key to engage in encrypted communications with the second computing device,wherein;

generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;

engaging in the handshake procedure includes;

receiving a remote clock value within a handshake message from the second computing device, the remote clock value indicating a current clock value of a clock device in the possession of the second computing device;

obtaining the current time value from a local clock device in the possession of the first computing device; and

calculating a clock skew between the remote clock value and the current time value; and

cryptographically combining the secret seed with the current time value includes offsetting the current time value by the clock skew.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment is directed to a method performed by a computing device. The method includes (a) engaging in a handshake procedure with a remote second computing device to establish a secure channel, (b) generating a first encryption key using a first token having a secret seed, the first encryption key being the same as a second encryption key generated by the second computing device using a second token having the same secret seed, and (c) using the first encryption key to engage in encrypted communications with the second computing device. Other embodiments are directed to a computerized apparatus and a computer program product for performing a method similar to that described above.

37 Citations

View as Search Results

18 Claims

1. A method performed by a first computing device, the method comprising:
- engaging in a handshake procedure with a remote second computing device to establish a secure channel;
  
  generating a first encryption key using a first token having a secret seed, the first encryption key being the same as a second encryption key generated by the second computing device using a second token having the same secret seed; and
  
  using the first encryption key to engage in encrypted communications with the second computing device,wherein;
  
  generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;
  
  engaging in the handshake procedure includes;
  
  receiving a remote clock value within a handshake message from the second computing device, the remote clock value indicating a current clock value of a clock device in the possession of the second computing device;
  
  obtaining the current time value from a local clock device in the possession of the first computing device; and
  
  calculating a clock skew between the remote clock value and the current time value; and
  
  cryptographically combining the secret seed with the current time value includes offsetting the current time value by the clock skew.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the method further comprises:
    - generating a revised encryption key after a period of time by cryptographically combining the secret seed with a time value indicative of passage of the period of time; and
      
      after generating the revised encryption key, using the revised encryption key instead of the first encryption key to engage in encrypted communications with the second computing device.
  - 3. The method of claim 2 wherein the period of time is a fixed interval.
  - 4. The method of claim 2 wherein the method further includes:
    - estimating an average amount of time it would take an attacker to guess the first encryption key using a key cracking procedure; and
      
      setting the period of time to be less than the estimated average amount of time.
  - 5. The method of claim 2 wherein the method further includes:
    - estimating an average amount of time it would take an attacker to guess the first encryption key using a key cracking procedure; and
      
      setting the period of time to be an order of magnitude less than the estimated average amount of time.
  - 6. The method of claim 2 wherein the method further includes:
    - estimating an average amount of time it would take an attacker to guess the first encryption key using a key cracking procedure; and
      
      setting the period of time to be a factor less than the estimated average amount of time, a magnitude of the factor depending on a degree of sensitivity of the secure channel.
  - 7. The method of claim 1 whereinthe handshake message from the second computing device is a Transport Layer Security (TLS) ServerKeyExchange message;
    - and
8. The method of claim 1 wherein both the first token and the second token are hardware tokens.
9. The method of claim 8 wherein the method further comprises, prior to engaging in the handshake procedure:
- determining, by a central authority, that there is a need for the first computing device and the second computing device to securely communicate with each other; and
  
  in response to determining, pre-provisioning, by the central authority, the first hardware token to the first computing device and the second hardware token to the second computing device.
10. The method of claim 1 wherein receiving the remote clock value within the handshake message from the second computing device includes receiving the remote clock value within a key identity hint field of the handshake message.
11. The method of claim 10 wherein the handshake message from the second computing device is a Transport Layer Security (TLS) ServerKeyExchange message.

12. A system comprising:
- a first computing device;
  
  a second computing device;
  
  a network connecting the first computing device and the second computing device;
  
  a first token device assigned to the first computing device, the first token device being programmed with a secret seed; and
  
  a second token device assigned to the second computing device, the second token device being programmed with the same secret seed as the first token device;
  
  wherein the first computing device is configured to;
  
  engage in a handshake procedure with the second computing device to establish a secure channel;
  
  generate a first encryption key using the first token device, the first encryption key being the same as a second encryption key generated by the second computing device using the second token; and
  
  use the first encryption key to engage in encryptedcommunications with the second computing device over the network;
  
  wherein;
  
  generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;
  
  engaging in the handshake procedure includes;
  
  obtaining the current time value from a local clock device in the possession of the first computing device; and
  
  sending the current time value within a handshake message to the second computing device for the second computing device to use in correcting a remote clock value indicating a current clock value of a clock device in the possession of the second computing device, wherein sending the current time value within the handshake message to the second computing device includes embedding the current time value within a key identity field of the handshake message.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12 wherein the secret seed is shared only by the first token device and the second token device, the secret seed not being shared by any other token device.
  - 14. The system of claim 12 wherein:
    - the secret seed is shared by a third token device in addition the first token device and the second token device; and
      
      engaging in the handshake procedure with the second computing device to establish the secure channel further includes;
      
      sending a first unique identifier of the first computing device to the second computing device; and
      
      receiving a second unique identifier of the second computer from the second computer; and
      
      generating the first encryption key using the first token device further includes cryptographically combining the secret seed with both the first unique identifier and the second unique identifier.
  - 15. The system of claim 12 wherein the handshake message sent to the second computing device is a Transport Layer Security (TLS) ClientKeyExchange message.

16. An apparatus comprising:
- a clock;
  
  a network interface for communicating with a remote computing device over a network;
  
  a processor; and
  
  memory, the memory storing a set of instructions which, when executed by the processor, cause the apparatus to perform the operations of;
  
  engaging in a handshake procedure with the remote computing device to establish a secure channel;
  
  generating a first encryption key using a first token having a secret seed, the first token being under the control of the apparatus, the first encryption key being the same as a second encryption key generated by the remote computing device using a second token having the same secret seed, the second token under the control of the remote computing apparatus; and
  
  using the first encryption key to engage in encrypted communications with the remote computing device;
  
  wherein;
  
  generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;
  
  engaging in the handshake procedure includes;
  
  receiving a remote clock value within a handshake message from the remote computing device, the remote clock value indicating a current clock value of a clock device in the possession of the remote computing device;
  
  obtaining the current time value from the clock; and
  
  calculating a clock skew between the remote clock value and the current time value; and
  
  cryptographically combining the secret seed with the current time value includes offsetting the current time value by the clock skew.
- View Dependent Claims (17, 18)
- - 17. The apparatus of claim 16 wherein receiving the remote clock value within the handshake message from the remote computing device includes receiving the remote clock value within a key identity hint field of the handshake message.
  - 18. The apparatus of claim 17 wherein the handshake message from the remote computing device is a Transport Layer Security (TLS) ServerKeyExchange message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dennis, Paul A., Bowness, Piers
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US13/853,207
Time in Patent Office

823 Days
Field of Search

713/151, 380/44
US Class Current

1/1
CPC Class Codes

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0869   involving random numbers or...

H04L 9/0877   using additional device, e....

H04L 9/12   Transmitting and receiving ...

Token-based key generation

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Token-based key generation

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links