Method and system for decoupling user authentication and data encryption on mobile devices
First Claim
1. A method for decoupling user authentication and data encryption on mobile devices, the method comprising:
(a) generating an encryption key (“EK”) for encrypting data and a key encryption key (“KEK”) for encrypting the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
(b) obtaining an encrypted EK by encrypting the EK using the KEK;
(c) storing the encrypted EK on a data container device (“DCD”);
(d) storing the KEK on a key vault device (“KVD”) that is distinct from the DCD;
(e) generating a KEK identifier (“KEK_ID”) that identifies the KEK; and
(f) storing the KEK ID in memory accessible to an application resident on the DCD that accesses the data and on the KVD.
Abstract
A method for decoupling user authentication and data encryption on mobile devices includes generating an encryption key (“EK”) for encrypting data and a key encryption key (“KEK”) for encrypting the EK, obtaining an encrypted EK by encrypting the EK using the KEK, storing the encrypted EK on a data container device (“DCD”), and storing the KEK on a key vault device (“KVD”) that is distinct from the DCD. Neither the EK nor KEK are generated using a user authentication secret as a seed. The DCD may fetch the KEK from the KVD as desired to decrypt the EK and to encrypt and decrypt data stored on the DCD. Examples of the DCD include a memory stick, smartphone, or tablet computer, while examples of the KVD include a dongle, smartphone, or tablet computer.
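The key hierarchy described in the abstract and in steps (a) to (f) of claim 1, sketched in Go as an added example; it is not code from the patent or its assignee. AES-256-GCM as the wrapping cipher, a random 16-byte KEK_ID, and the in-memory `Vault` and `Container` types standing in for the KVD and the DCD are all assumptions, since the text here names no cipher, identifier format or transport.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault stands in for the KVD, Container for the DCD (it never holds the KEK).
type Vault map[string][]byte
type Container struct{ KEKID string; WrappedEK []byte }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback when the CSPRNG fails
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // assumption: AES-256-GCM wrap; keys are 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}

// Provision covers steps (a)-(f): both keys come from the CSPRNG, not a PIN.
func Provision(v Vault) (Container, []byte) {
	ek, kek, nonce := random(32), random(32), random(12)
	id := fmt.Sprintf("%x", random(16)) // assumption: KEK_ID is a random label
	v[id] = kek                         // the KEK is stored on the vault only
	// WrappedEK = nonce || ciphertext || tag, with KEK_ID as associated data.
	return Container{id, gcm(kek).Seal(nonce, nonce, ek, []byte(id))}, ek
}

// Unlock fetches the KEK by KEK_ID from the vault and unwraps the EK.
func Unlock(c Container, v Vault) ([]byte, error) {
	kek, ok := v[c.KEKID]
	if !ok || len(c.WrappedEK) < 12 {
		return nil, fmt.Errorf("KEK %q not on vault, or wrapped EK truncated", c.KEKID)
	}
	return gcm(kek).Open(nil, c.WrappedEK[:12], c.WrappedEK[12:], []byte(c.KEKID))
}

func main() {
	c, _ := Provision(Vault{}) // the KEK went to a vault that is now out of reach
	_, err := Unlock(c, Vault{})
	fmt.Println("unlock without the KVD:", err)
}
```

Because the wrapped EK is authenticated with KEK_ID as associated data, a blob filed under a different KEK_ID fails to unwrap instead of yielding a wrong key.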
8 Citations
79 Claims
1. A method for decoupling user authentication and data encryption on mobile devices, the method comprising:
(a) generating an encryption key (“EK”) for encrypting data and a key encryption key (“KEK”) for encrypting the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
(b) obtaining an encrypted EK by encrypting the EK using the KEK;
(c) storing the encrypted EK on a data container device (“DCD”);
(d) storing the KEK on a key vault device (“KVD”) that is distinct from the DCD;
(e) generating a KEK identifier (“KEK_ID”) that identifies the KEK; and
(f) storing the KEK ID in memory accessible to an application resident on the DCD that accesses the data and on the KVD.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A method for decoupling user authentication and data encryption on mobile devices, the method comprising:
(a) decrypting an encrypted encryption key (“EK”) stored on a data container device (“DCD”) by:
  (i) wirelessly retrieving to the DCD from a key vault device (“KVD”) a key encryption key (“KEK”) used to encrypt the EK; and
  (ii) decrypting the encrypted EK using the KEK; and
(b) encrypting or decrypting data stored on the DCD using the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
(c) generating a KEK identifier (“KEK_ID”) that identifies the KEK; and
(d) storing the KEK_ID in memory accessible to an application resident on the DCD that accesses the data and on the KVD.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39
40. A system for decoupling user authentication and data encryption on mobile devices, the system comprising:
(a) a data container device (“DCD”) wirelessly linked to a key vault device (“KVD”), the DCD comprising a DCD memory and a DCD controller communicative with the DCD memory, the DCD memory having encoded thereon statements and instructions cause the DCD controller to:
  (i) generate an encryption key (“EK”) for encrypting data and a key encryption key (“KEK”) for encrypting the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
  (ii) obtain an encrypted EK by encrypting the EK using KEK;
  (iii) store the encrypted EK in the DCD memory;
  (iv) send the KEK to the KVD;
  (v) generate a KEK identifier (“KEK_ID”) that identifies the KEK; and
  (vi) store the KEK_ID in the DCD memory, wherein the DCD memory is accessible to an application resident on the DCD that accesses the data; and
(b) the KVD comprising a KVD memory and a KVD controller communicative with the KVD memory, the KVD memory having encoded thereon statements and instructions to cause the KVD controller to:
  (i) receive the KEK from the DCD; and
  (ii) store the KEK in the KVD memory.
Dependent claims: 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58
59. A system for decoupling user authentication and data encryption on mobile devices, the system comprising a data container device (“DCD”) wirelessly linked to a key vault device (“KVD”), the DCD comprising a DCD memory and a DCD controller communicative with the DCD memory and the KVD comprising a KVD memory and a KVD controller communicative with the KVD memory, the DCD memory having encoded thereon statements and instructions to cause the DCD controller to:
(a) decrypt an encrypted encryption key (“EK”) stored in the DCD memory by:
  (i) wirelessly retrieving from the KVD a key encryption key (“KEK”) used to encrypt the EK; and
  (ii) decrypting the encrypted EK using the KEK;
(b) encrypt or decrypt data stored in the DCD memory using the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
(c) generate a KEK identifier (“KEK_ID”) that identifies the KEK; and
(d) store the KEK_ID in the DCD memory, wherein the DCD memory is accessible to an application resident on the DCD that accesses the data.
Dependent claims: 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77
78. A non-transitory computer readable medium having encoded thereon statements and instructions to cause a controller to:
(a) generate an encryption key (“EK”) for encrypting data and a key encryption key (“KEK”) for encrypting the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
(b) obtain an encrypted EK by encrypting the EK using the KEK;
(c) store the encrypted EK on a data container device (“DCD”);
(d) store the KEK on a key vault device (“KVD”) that is distinct from the DCD;
(e) generating a KEK identifier (“KEK_ID”) that identifies the KEK; and
(f) storing the KEK_ID in memory accessible to an application resident on the DCD that accesses the data and on the KVD.
79. A non-transitory computer readable medium having encoded thereon statements and instructions to cause a controller to:
(a) decrypt an encrypted encryption key (“EK”) stored on a data container device (“DCD”) by:
  (i) wirelessly retrieving to the DCD from a key vault device (“KVD”) a key encryption key (“KEK”) used to encrypt the EK; and
  (ii) decrypting the encrypted EK using the KEK;
(b) encrypt or decrypt data stored on the DCD using the EK, wherein neither the EK nor the KEK are generated using a user authentication secret as a seed;
(c) generating a KEK identifier (“KEK_ID”) that identifies the KEK; and
(d) storing the KEK_ID in memory accessible to an application resident on the DCD that accesses the data and on the KVD.
Specification