Protecting cryptographic secrets using file system attributes

US 9,171,145 B2
Filed: 05/24/2013
Issued: 10/27/2015
Est. Priority Date: 05/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a shared secret, the method comprising:

generating, by operation of a processor, a key based on at least a file system attribute of a file stored in a file system of a computing device, wherein the file system attribute of the file is an identifier assigned by the file system to uniquely identify the file stored in the file system of the computing device, and wherein the file system attribute is an inode of a file storing the shared secret in the file system;

encrypting the shared secret with the key; and

storing the encrypted shared secret in a storage memory on the computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for protecting cryptographic secrets stored locally in a device, such as a mobile phone. A client device creates or downloads a shared secret to be used in a server transaction. To protect this shared secret locally, the client device encrypts the shared secret using a key generated a file system attributes value, along with other sources of entropy. The file system attributes value may correspond to the inode of a file in a UNIX-based file system. Thereafter, when the shared secret is required for logical computation, the client device reconstructs the key using the file system attributes value and the other previous sources of entropy. The client device may use the key to decrypt the information and use the shared secret for its required purpose, e.g., in generating a one-time password for a login session.

Citations

18 Claims

1. A method for protecting a shared secret, the method comprising:
- generating, by operation of a processor, a key based on at least a file system attribute of a file stored in a file system of a computing device, wherein the file system attribute of the file is an identifier assigned by the file system to uniquely identify the file stored in the file system of the computing device, and wherein the file system attribute is an inode of a file storing the shared secret in the file system;
  
  encrypting the shared secret with the key; and
  
  storing the encrypted shared secret in a storage memory on the computing device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising removing the key from the storage memory.
  - 3. The method of claim 1, further comprising:
    - reconstructing the key based on the file system attribute;
      
      decrypting the shared secret with the key; and
      
      performing a computation with the shared secret.
  - 4. The method of claim 3, wherein performing the computation comprises generating a one-time password in authenticating the client device to a server.
  - 5. The method of claim 3, wherein performing the computation comprises sending the shared secret to a server in a challenge-response authentication.
  - 6. The method of claim 3, wherein performing the computation comprises generating a one or more cryptographic keys with the shared secret.

7. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for protecting a shared secret, the operation comprising:
- generating, by operation of a processor, a key based on at least a file system attribute of a file stored in a file system of a computing device, wherein the file system attribute of the file is an identifier assigned by the file system to uniquely identify the file stored in the file system of the computing device, and wherein the file system attribute is an inode of a file storing the shared secret in the file system;
  
  encrypting the shared secret with the key; and
  
  storing the encrypted shared secret in a storage memory on the computing device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable storage medium of claim 7, wherein the operation further comprises removing the key from the storage memory.
  - 9. The non-transitory computer-readable storage medium of claim 7, the operation further comprising:
    - reconstructing the key based on the file system attribute;
      
      decrypting the shared secret with the key; and
      
      performing a computation with the shared secret.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein performing the computation comprises generating a one-time password in authenticating the client device to a server.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein performing the computation comprises sending the shared secret to a server in a challenge-response authentication.
  - 12. The non-transitory computer-readable storage medium of claim 11, wherein performing the computation comprises generating a plurality of unique keys with the shared secret.

13. A system, comprising:
- a processor anda memory hosting an application, which, when executed on the processor, performs an operation for protecting a shared secret in a UNIX-based file system, the operation comprising;
  
  generating, by operation of a processor, a key based on a file system attribute of at least a file stored in a file system of a computing device, wherein the file system attribute of the file is an identifier assigned by the file system to uniquely identify the file stored in the file system of the computing device, and wherein the file system attribute is an inode of a file storing the shared secret in the file system,encrypting the shared secret with the key, andstoring the encrypted shared secret in a storage memory on the computing device.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the operation further comprises removing the key from the storage memory.
  - 15. The system of claim 13, the operation further comprising:
    - reconstructing the key based on the file system attribute;
      
      decrypting the shared secret with the key; and
      
      performing a computation with the shared secret.
  - 16. The system of claim 15, wherein performing the computation comprises generating a one-time password in authenticating the client device to a server.
  - 17. The system of claim 15, wherein performing the computation comprises sending the shared secret to a server in a challenge-response authentication.
  - 18. The system of claim 15, wherein performing the computation comprises generating a plurality of unique keys with the shared secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Dash, Sambit, Pai, Ramanath
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/902,194
Publication Number

US 20140351587A1
Time in Patent Office

886 Days
Field of Search

713/165
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 2463/061   applying further key deriva...

H04L 2463/062   applying encryption of the ...

H04L 63/0838   using one-time-passwords

H04L 63/0869   for achieving mutual authen...

H04W 12/04   Key management, e.g. using ...

H04W 12/068   using credential vaults, e....

Protecting cryptographic secrets using file system attributes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting cryptographic secrets using file system attributes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links