System, method and apparatus for cryptography key management for mobile devices
First Claim
1. A method comprising binding encryption and decryption keys using a unique user identifier (UID), a unique device identifier (UDID), and a user password (Pswd) to a client mobile device in an enterprise cryptography key management system, wherein binding the encryption and decryption keys comprises:
- requesting the UDID from the client mobile device by the cryptography key management system;
- receiving a hashed unique device identifier H(UDID) encrypted by the Pswd by the cryptography key management system from a key management application module included on the client mobile device; and
- associating the H(UDID) with the user account, comprising:
  - decrypting the encrypted H(UDID) by the cryptography key management system using the Pswd;
  - if decryption fails, then terminating communication with the client mobile device; and
  - if the decryption is successful, then validating integrity of the decrypted H(UDID) by comparing the H(UDID) sent by the key management application module with other H(UDID)s in the cryptography key management system to ensure that the H(UDID) is unique for the client mobile device; and
- registering a cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the H(UDID), and a unique key identifier (KeyID), wherein registering the cryptography/data recovery key for the associated client mobile device with the enterprise comprises, upon validating that the H(UDID) exists for the UID:
  - storing the data recovery key and the KeyID associated with the UDID by the cryptography key management system,
  - encrypting the KeyID using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted KeyID and sending the password-encrypted KeyID to the key management application module by the cryptography key management system, and
  - decrypting the password-encrypted KeyID using a symmetric cryptography key derived from the password to obtain the KeyID and storing the obtained KeyID by the key management application module.

Dependent claims: 2, 3, 4, 5, 6, 7.
Abstract
A technique that binds encryption and decryption keys to a client mobile device in an enterprise using a UID, a UDID, and a Pswd. In one example embodiment, this is achieved by an administrator creating a new user account, in an inactive state, using the UID and the DPswd, and communicating the UID and the DPswd to the intended user over a secure communication medium. The intended user then logs into a cryptography key management system using the UID and the DPswd via a client mobile device. The UDID associated with the client mobile device is then hashed to create an H(UDID). The H(UDID) is then sent to the cryptography key management system by a local key management application module and authenticated by the cryptography key management system. An encryption/decryption key is then assigned for the client mobile device.
19 Claims
8. A method comprising changing a user password (Pswd) in a cryptography key management system via a client mobile device using a unique user identifier (UID), a unique device identifier (UDID), a unique key identifier, a current password (Pswd), and a new password (NewPswd), the method further comprising:
- requesting the UID, the Pswd and the NewPswd from an intended user via the client mobile device;
- determining the UDID associated with the client mobile device;
- hashing the UDID (H(UDID)) by a key management application module included on the client mobile device;
- encrypting the hashed UDID and the NewPswd using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted H(UDID) and an encrypted NewPswd;
- sending the password-encrypted H(UDID) and the encrypted NewPswd to the cryptography key management system by the key management application module and requesting a change in the Pswd;
- connecting the key management application module to a secure key database via a valid user role by the cryptography key management system upon a successful validation of the UID and returning the Pswd for the UID to the cryptography key management system by the secure key database;
- decrypting the password-encrypted H(UDID) and the encrypted NewPswd using a symmetric cryptography key derived from the Pswd to obtain the H(UDID) and the NewPswd by the cryptography key management system; and
- determining whether the decryption of the password-encrypted H(UDID) and the encrypted NewPswd was successful, comprising:
  - if decryption fails, then terminating communication with the client mobile device; and
  - if the decryption is successful, then validating integrity of the decrypted H(UDID) by comparing the H(UDID) sent by the key management application module with an H(UDID) already stored in the cryptography key management system for the UID; and
- registering a cryptography/data recovery key for the client mobile device using the cryptography/data recovery key, the UID, the H(UDID), and a unique key identifier (KeyID), comprising, upon validating that the H(UDID) exists for the UID:
  - storing the data recovery key and the KeyID associated with the UDID,
  - encrypting the KeyID using a symmetric cryptography key derived from the NewPswd to obtain a password-encrypted KeyID and sending the password-encrypted KeyID to the key management application module by the cryptography key management system, and
  - decrypting the password-encrypted KeyID using a symmetric cryptography key derived from the NewPswd to obtain the KeyID and storing the obtained KeyID by the key management application module.

Dependent claims: 9.

10. An article comprising:
- a non-transitory computer readable storage medium having instructions that, when executed by a processor, cause the processor to:
  - bind encryption and decryption keys using a unique user identifier (UID), a unique device identifier (UDID), and a user password (Pswd) to a client mobile device in an enterprise cryptography key management system, wherein to bind the encryption and decryption keys, the instructions are to cause the processor to:
    - request the UDID from the client mobile device by the cryptography key management system;
    - send a hashed unique device identifier H(UDID) encrypted by the Pswd along with the UID to the cryptography key management system by a key management application module included on the client mobile device;
    - associate the H(UDID) with the user account, comprising:
      - decrypting the encrypted H(UDID) by the cryptography key management system using the Pswd;
      - if decryption fails, then terminating communication with the client mobile device; and
      - if the decryption is successful, then validating integrity of the decrypted H(UDID) by comparing the H(UDID) sent by the key management application module with other H(UDID)s in the cryptography key management system to ensure that the H(UDID) is unique for the client mobile device; and
  - register a cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the H(UDID), and a unique key identifier (KeyID), wherein to register the cryptography/data recovery key for the associated client mobile device, the instructions are to cause the processor to, upon validating that the H(UDID) exists for the UID:
    - store the data recovery key and the KeyID associated with the UDID,
    - encrypt the KeyID using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted KeyID and send the password-encrypted KeyID to the key management application module, and
    - decrypt the password-encrypted KeyID using a symmetric cryptography key derived from the password to obtain the KeyID and store the obtained KeyID by the key management application module.

Dependent claims: 11, 12, 13, 14, 15, 16.

17. A cryptography key management apparatus, comprising:
- a cryptography key management system that:
  - allows a user to create a new user account with the system and register with the system,
  - allows the registered user to register a new client mobile device with the system,
  - allows the registered user to register a cryptography/data recovery key with the system and associate/bind it with the client mobile device in the system,
  - allows the registered user to request a cryptography key for encryption for the client mobile device from the system,
  - allows the registered user to request a registered cryptography/data recovery key for decryption for the client mobile device from the system,
  - allows the registered user to change its password/authentication tokens in the system,
  - allows the registered user to decrypt the data stored encrypted on a removable media if the mobile device on which the encryption was performed is lost or unavailable, and
  - allows an administrator to create and manage user accounts in the key management system;
- a secure key database coupled to the cryptography key management system to store the registered user account information, the registered cryptography/data recovery key information and information binding the cryptography/data recovery key with the registered client mobile device and the registered user, wherein the user account information comprises a unique user identifier (UID), a unique device identifier (UDID) of the registered client mobile device, password (Pswd)/authentication tokens stored in encrypted format and the account state;
- wherein to bind encryption and decryption keys using the UID, the UDID, and the Pswd to the client mobile device, the cryptography key management system is to:
  - request the UDID from the client mobile device;
  - receive a hashed unique device identifier H(UDID) encrypted by the Pswd along with the UID from a key management application module included on the client mobile device; and
  - associate the H(UDID) with the user account, comprising:
    - decrypt the encrypted H(UDID) by the cryptography key management system using the Pswd;
    - if decryption fails, terminate communication with the client mobile device; and
    - if the decryption is successful, validate integrity of the decrypted H(UDID) by comparing the H(UDID) sent by the key management application module with other H(UDID)s in the cryptography key management system to ensure that the H(UDID) is unique for the client mobile device; and
- wherein to register the cryptography/data recovery key for the client mobile device, upon validating that the H(UDID) exists for the UID, the cryptography key management system is to:
  - store the data recovery key and a unique key identifier (KeyID) associated with the UDID,
  - encrypt the KeyID using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted KeyID and send the password-encrypted KeyID to the key management application module, and
  - decrypt the password-encrypted KeyID using a symmetric cryptography key derived from the password to obtain the KeyID and store the obtained KeyID by the key management application module.

Dependent claims: 18, 19.

Specification