Methods and systems for providing high-security cryptographic keys to mobile radios

US 9,288,043 B1
Filed: 10/17/2014
Issued: 03/15/2016
Est. Priority Date: 10/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method carried out by a key-management infrastructure, the method comprising:

receiving first and second disassembly products of a high-security cryptographic key; and

providing the first and second disassembly products to a mobile radio for reassembly of the high-security cryptographic key,wherein providing the first disassembly product to the mobile radio comprises providing the first disassembly product to the mobile radio over a local connection via a restricted-access key variable loader, andwherein providing the second disassembly product to the mobile radio comprises;

generating a medium-security-encrypted second disassembly product at least in part by encrypting the second disassembly product based on at least one medium-security cryptographic key; and

providing the medium-security-encrypted second disassembly product to the mobile radio over an air interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At least one embodiment takes the form of a process carried out by a key-management infrastructure (KMI). The KMI receives first and second disassembly products of a high-security cryptographic key and provides the first and second disassembly products to a mobile radio for reassembly of the high-security cryptographic key. Providing the first disassembly product to the mobile radio includes providing the first disassembly product to the mobile radio over a local connection via a restricted-access key variable loader. Providing the second disassembly product to the mobile radio includes (i) generating a medium-security-encrypted second disassembly product at least in part by encrypting the second disassembly product based on at least one medium-security cryptographic key, and (ii) providing the medium-security-encrypted second disassembly product to the mobile radio over an air interface.

6 Citations

20 Claims

1. A method carried out by a key-management infrastructure, the method comprising:
- receiving first and second disassembly products of a high-security cryptographic key; and
  
  providing the first and second disassembly products to a mobile radio for reassembly of the high-security cryptographic key,wherein providing the first disassembly product to the mobile radio comprises providing the first disassembly product to the mobile radio over a local connection via a restricted-access key variable loader, andwherein providing the second disassembly product to the mobile radio comprises;
  
  generating a medium-security-encrypted second disassembly product at least in part by encrypting the second disassembly product based on at least one medium-security cryptographic key; and
  
  providing the medium-security-encrypted second disassembly product to the mobile radio over an air interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein:
    - the key-management infrastructure comprises an Association of Public-Safety Communications Officials-International (APCO) Project 25 (P25) key-management facility, andthe method being carried out by the key-management infrastructure comprises the method being carried out by the APCO P25 key-management facility.
  - 3. The method of claim 1, wherein:
    - the first disassembly product comprises a random number, andthe second disassembly product is based on both the high-security cryptographic key and the random number.
  - 4. The method of claim 3, wherein the second disassembly product comprises an XOR of the high-security cryptographic key and the random number.
  - 5. The method of claim 1, further comprising confirming that the mobile radio is authorized to receive the high-security cryptographic key prior to completing the providing of both the first and second disassembly products to the mobile radio.
  - 6. The method of claim 1, wherein:
    - the at least one medium-security cryptographic key comprises a medium-security traffic encryption key (MS-TEK), andencrypting the second disassembly product based on the at least one medium-security cryptographic key comprises encrypting the second disassembly product based on the MS-TEK.
  - 7. The method of claim 6, wherein:
    - the at least one medium-security cryptographic key further comprises a medium-security key encryption key (MS-KEK), andencrypting the second disassembly product based on the MS-TEK comprises encrypting the second disassembly product based on both the MS-KEK and the MS-TEK.
  - 8. The method of claim 7, wherein encrypting the second disassembly product based on both the MS-KEK and the MS-TEK comprises:
    - generating a first encryption result at least in part by encrypting the second disassembly product based on the MS-KEK; and
      
      encrypting the first encryption result based on the MS-TEK.
  - 9. The method of claim 1, wherein:
    - the at least one medium-security cryptographic key comprises a medium-security key encryption key (MS-KEK), andencrypting the second disassembly product based on the at least one medium-security cryptographic key comprises encrypting the second disassembly product based on the MS-KEK.
  - 10. The method of claim 1, wherein the high-security cryptographic key comprises a high-security key encryption key (HS-KEK).
  - 11. The method of claim 10, further comprising:
    - receiving a high-security traffic encryption key (HS-TEK) that is encrypted based on the HS-KEK; and
      
      providing the high-security-encrypted HS-TEK to the mobile radio over the air interface for decryption by the mobile radio based on the HS-KEK.
  - 12. The method of claim 11, further comprising:
    - encrypting the HS-TEK based on at least one medium-security cryptographic key prior to providing the HS-TEK to the mobile radio over the air interface.
  - 13. The method of claim 11, wherein a radio access network (RAN) comprises the key-management infrastructure, the method further comprising the RAN:
    - receiving inbound high-security traffic that is encrypted based on the HS-TEK;
      
      generating medium-security-encrypted inbound high-security traffic at least in part by encrypting the received inbound high-security traffic based on at least one medium-security cryptographic key; and
      
      forwarding the medium-security-encrypted inbound high-security traffic over the air interface to the mobile radio.
  - 14. The method of claim 11, wherein a radio access network (RAN) comprises the key-management infrastructure, the method further comprising the RAN:
    - receiving medium-security-encrypted outbound high-security traffic over the air interface from the mobile radio, the outbound high-security traffic being encrypted based on the HS-TEK;
      
      decrypting the received medium-security-encrypted outbound high-security traffic based on at least one medium-security cryptographic key; and
      
      forwarding the outbound high-security traffic via a packet-data connection.
  - 15. The method of claim 1, wherein the high-security cryptographic key comprises a high-security traffic encryption key (HS-TEK).
  - 16. The method of claim 15, wherein a radio access network (RAN) comprises the key-management infrastructure, the method further comprising the RAN:
    - receiving inbound high-security traffic that is encrypted based on the HS-TEK;
      
      generating medium-security-encrypted inbound high-security traffic at least in part by encrypting the received inbound high-security traffic based on at least one medium-security cryptographic key; and
      
      forwarding the medium-security-encrypted inbound high-security traffic over the air interface to the mobile radio.
  - 17. The method of claim 15, wherein a radio access network (RAN) comprises the key-management infrastructure, the method further comprising the RAN:
    - receiving medium-security-encrypted outbound high-security traffic over the air interface from the mobile radio, the outbound high-security traffic being encrypted based on the HS-TEK;
      
      decrypting the received medium-security-encrypted outbound high-security traffic based on at least one medium-security cryptographic key; and
      
      forwarding the outbound high-security traffic via a packet-data connection.
  - 18. The method of claim 1, further comprising, prior to providing the medium-security-encrypted second disassembly product to the mobile radio over the air interface:
    - generating a storage-encrypted second disassembly product at least in part by encrypting the second disassembly product based on a storage cryptographic key;
      
      storing the storage-encrypted second disassembly product in a cryptographic key storage;
      
      retrieving the storage-encrypted second disassembly product from the cryptographic key storage; and
      
      decrypting the storage-encrypted second disassembly product based on the storage cryptographic key.
  - 19. The method of claim 1, wherein:
    - the mobile radio comprises a high-security hardware module, andproviding the first and second disassembly products to the mobile radio for reassembly of the high-security cryptographic key comprises providing the first and second disassembly products to the high-security hardware module.

20. A key-management infrastructure comprising:
- a communication interface;
  
  a processor; and
  
  a non-transitory data storage medium containing instructions executable by the processor for causing the key-management infrastructure to carry out a set of functions, the set of functions including;
  
  receiving first and second disassembly products of a high-security cryptographic key; and
  
  providing the first and second disassembly products to a mobile radio for reassembly of the high-security cryptographic key,wherein providing the first disassembly product to the mobile radio comprises providing the first disassembly product to the mobile radio over a local connection via a restricted-access key variable loader,wherein providing the second disassembly product to the mobile radio comprises;
  
  generating a medium-security-encrypted second disassembly product at least in part by encrypting the second disassembly product based on at least one medium-security cryptographic key; and
  
  providing the medium-security-encrypted second disassembly product to the mobile radio over an air interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola Solutions, Inc.
Original Assignee
Motorola Solutions, Inc.
Inventors
Mihm, Thomas J Jr., Fuchs, Kenneth C
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Doan, Trang

Application Number

US14/516,761
Time in Patent Office

515 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 9/006   involving public key infras...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

Methods and systems for providing high-security cryptographic keys to mobile radios

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for providing high-security cryptographic keys to mobile radios

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links