Token-based key generation
Abstract
One embodiment is directed to a method performed by a computing device. The method includes (a) engaging in a handshake procedure with a remote second computing device to establish a secure channel, (b) generating a first encryption key using a first token having a secret seed, the first encryption key being the same as a second encryption key generated by the second computing device using a second token having the same secret seed, and (c) using the first encryption key to engage in encrypted communications with the second computing device. Other embodiments are directed to a computerized apparatus and a computer program product for performing a method similar to that described above.
18 Claims
1. A method performed by a first computing device, the method comprising:
engaging in a handshake procedure with a remote second computing device to establish a secure channel;
generating a first encryption key using a first token having a secret seed, the first encryption key being the same as a second encryption key generated by the second computing device using a second token having the same secret seed; and
using the first encryption key to engage in encrypted communications with the second computing device, wherein:
generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;
engaging in the handshake procedure includes:
receiving a remote clock value within a handshake message from the second computing device, the remote clock value indicating a current clock value of a clock device in the possession of the second computing device;
obtaining the current time value from a local clock device in the possession of the first computing device; and
calculating a clock skew between the remote clock value and the current time value; and
cryptographically combining the secret seed with the current time value includes offsetting the current time value by the clock skew.
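As an added example (not the patent's own implementation), the key agreement of claims 1 and 12 worked through in Python: the server embeds its clock value in the key identity hint of the handshake message, the client computes the skew against its own clock and offsets its time value by that skew, and both sides combine the shared seed with the corrected time. HMAC-SHA256 as the combining function, the 60-second time window, the hint encoding and all clock and seed values are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Assumed, not specified by the claims: the "cryptographic combination" is
# HMAC-SHA256 over the seed and a time counter, and time is quantised into
# fixed windows so that two tokens agree on the same counter.
TIME_STEP = 60  # seconds per key window (assumed token cadence)


def token_key(seed: bytes, time_value: int) -> bytes:
    """Derive a key from the token's secret seed and a (skew-corrected) time value."""
    counter = time_value // TIME_STEP
    return hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()


def server_identity_hint(server_clock: int) -> bytes:
    """Server side (claim 12): embed the current clock value in the key identity hint."""
    return b"clock:" + str(server_clock).encode()


def parse_identity_hint(hint: bytes) -> int:
    """Recover the remote clock value from the identity hint; reject malformed hints."""
    tag, _, value = hint.partition(b":")
    if tag != b"clock" or not value.isdigit():
        raise ValueError("malformed key identity hint")
    return int(value)


def client_key_from_handshake(seed: bytes, hint: bytes, local_clock: int) -> bytes:
    """Client side (claim 1): skew = remote - local, then offset the local time by the skew."""
    remote_clock = parse_identity_hint(hint)
    skew = remote_clock - local_clock
    return token_key(seed, local_clock + skew)


def keys_match(server_clock: int, client_clock: int, correct_skew: bool = True) -> bool:
    """Run one handshake with constructed clocks; True if both sides derive the same key."""
    seed = b"constructed-shared-seed-0123456789"  # same seed provisioned on both tokens
    server_key = token_key(seed, server_clock)
    hint = server_identity_hint(server_clock)
    if correct_skew:
        client_key = client_key_from_handshake(seed, hint, client_clock)
    else:
        client_key = token_key(seed, client_clock)  # naive client ignoring the hint
    return hmac.compare_digest(server_key, client_key)


if __name__ == "__main__":
    # Clocks 500 s apart: keys agree only when the client applies the skew.
    print(keys_match(1_700_000_000, 1_700_000_000 - 500, correct_skew=True))
    print(keys_match(1_700_000_000, 1_700_000_000 - 500, correct_skew=False))
```

With the clocks 500 seconds apart the naive client lands in a different time window and its key diverges, which is the failure the skew correction in claim 1 is there to prevent.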
receiving the remote clock value within the handshake message from the second computing device includes receiving the remote clock value within a key identity hint field of the TLS ServerKeyExchange message.
8. The method of claim 1 wherein both the first token and the second token are hardware tokens.
9. The method of claim 8 wherein the method further comprises, prior to engaging in the handshake procedure:
determining, by a central authority, that there is a need for the first computing device and the second computing device to securely communicate with each other; and
in response to determining, pre-provisioning, by the central authority, the first hardware token to the first computing device and the second hardware token to the second computing device.
10. The method of claim 1 wherein receiving the remote clock value within the handshake message from the second computing device includes receiving the remote clock value within a key identity hint field of the handshake message.
11. The method of claim 10 wherein the handshake message from the second computing device is a Transport Layer Security (TLS) ServerKeyExchange message.
12. A system comprising:
a first computing device;
a second computing device;
a network connecting the first computing device and the second computing device;
a first token device assigned to the first computing device, the first token device being programmed with a secret seed; and
a second token device assigned to the second computing device, the second token device being programmed with the same secret seed as the first token device;
wherein the first computing device is configured to:
engage in a handshake procedure with the second computing device to establish a secure channel;
generate a first encryption key using the first token device, the first encryption key being the same as a second encryption key generated by the second computing device using the second token; and
use the first encryption key to engage in encrypted communications with the second computing device over the network;
wherein:
generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;
engaging in the handshake procedure includes:
obtaining the current time value from a local clock device in the possession of the first computing device; and
sending the current time value within a handshake message to the second computing device for the second computing device to use in correcting a remote clock value indicating a current clock value of a clock device in the possession of the second computing device, wherein sending the current time value within the handshake message to the second computing device includes embedding the current time value within a key identity field of the handshake message.
16. An apparatus comprising:
a clock;
a network interface for communicating with a remote computing device over a network;
a processor; and
memory, the memory storing a set of instructions which, when executed by the processor, cause the apparatus to perform the operations of:
engaging in a handshake procedure with the remote computing device to establish a secure channel;
generating a first encryption key using a first token having a secret seed, the first token being under the control of the apparatus, the first encryption key being the same as a second encryption key generated by the remote computing device using a second token having the same secret seed, the second token under the control of the remote computing apparatus; and
using the first encryption key to engage in encrypted communications with the remote computing device;
wherein:
generating the first encryption key using the first token includes cryptographically combining the secret seed with a current time value;
engaging in the handshake procedure includes:
receiving a remote clock value within a handshake message from the remote computing device, the remote clock value indicating a current clock value of a clock device in the possession of the remote computing device;
obtaining the current time value from the clock; and
calculating a clock skew between the remote clock value and the current time value; and
cryptographically combining the secret seed with the current time value includes offsetting the current time value by the clock skew.