Supporting the use of a secret key

US 9,530,013 B2
Filed: 03/25/2015
Issued: 12/27/2016
Est. Priority Date: 08/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method performed by an apparatus of a first installation, which stores key identifications with allocation to a respective user, wherein a second installation stores secret keys which each can be found by means of a respective key identification, the method comprising:

authenticating a user who logs onto the first installation via a user device,creating a temporary identifier as a basis for retrieving a secret key held ready for the user in the second installation and allocating the temporary identifier to the user,transmitting the temporary identifier to the user device,receiving a request for a key identification from the second installation, wherein the request contains the temporary identifier which was transmitted to the second installation from the user device,determining the user allocated to the received temporary identifier and determining the key identification stored for the determined user, andtransmitting the key identification to the second installation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first installation stores key identifications with allocation to a respective user and a second installation stores secret keys which each can be found by means of a key identification. The first installation authenticates a user who logs onto the first installation via a user device, creates a temporary identifier, allocates the identifier to the user and transmits the identifier to the user device. The second installation receives a request for a secret key from the user device together with the identifier and requests a key identification from the first installation, wherein the received identifier is transmitted. The first installation determines a user allocated to the received identifier, identifies a key identification stored for the determined user and transmits the key identification to the second installation. This second installation determines a secret key based on the received key identification and transmits the secret key to the user device.

Citations

20 Claims

1. A method performed by an apparatus of a first installation, which stores key identifications with allocation to a respective user, wherein a second installation stores secret keys which each can be found by means of a respective key identification, the method comprising:
- authenticating a user who logs onto the first installation via a user device,creating a temporary identifier as a basis for retrieving a secret key held ready for the user in the second installation and allocating the temporary identifier to the user,transmitting the temporary identifier to the user device,receiving a request for a key identification from the second installation, wherein the request contains the temporary identifier which was transmitted to the second installation from the user device,determining the user allocated to the received temporary identifier and determining the key identification stored for the determined user, andtransmitting the key identification to the second installation.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, further comprising:
    - checking a validity of the received temporary identifier, wherein the key identification is only identified and transmitted if the validity of the received temporary identifier is established.
  - 3. The method according to claim 1, wherein the first installation stores encrypted data for the user which can be decrypted in the user device by means of the secret key allocated to the user in the second installation, the user device being separate from the first installation, and wherein access to the data in the first installation is enabled for the user after the authentication or after a separate authentication.
  - 4. The method according to claim 3, wherein the encrypted data one ofwas encrypted by a third party device and made available to the first installation andwas encrypted by a device of the user and made available to the first installation.

5. An apparatus of a first installation, which stores key identifications with allocation to a respective user, wherein a second installation stores secret keys which each can be found by means of a respective key identification, the apparatus comprising at least one processor and at least one memory storing a program, wherein the at least one memory and the program are configured to, with the at least one processor, cause the apparatus to perform the following:
- authenticate a user who logs onto the first installation via a user device,create a temporary identifier as a basis for retrieving a secret key held ready for the user in the second installation and allocating the temporary identifier to the user,transmit the temporary identifier to the user device,receive a request for a key identification from the second installation, wherein the request contains the temporary identifier which was transmitted to the second installation from the user device,determine the user allocated to the received temporary identifier and determining the key identification stored for the determined user, andtransmit the key identification to the second installation.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The apparatus according to claim 5, wherein the at least one memory and the program are further configured to, with the at least one processor, cause the apparatus to:
    - check a validity of the received temporary identifier, wherein the key identification is only identified and transmitted if the validity of the received temporary identifier is established.
  - 7. The apparatus according to claim 5, wherein the first installation stores encrypted data for the user which can be decrypted in the user device by means of the secret key allocated to the user in the second installation, the user device being separate from the first installation, and wherein access to the data in the first installation is enabled for the user after the authentication or after a separate authentication.
  - 8. The apparatus according to claim 7, wherein the encrypted data one ofwas encrypted by a third party device and made available to the first installation andwas encrypted by a device of the user and made available to the first installation.
  - 9. The apparatus according to claim 5, wherein the apparatus is one of a server of a message deliverer and a module for a server of a message deliverer.

10. A non-transitory computer-readable storage medium which stores a program comprising program instructions, wherein the program instructions when executed by a processor cause an apparatus of a first installation, which stores key identifications with allocation to a respective user, to perform the following, wherein a second installation stores secret keys which each can be found by means of a respective key identification:
- authenticate a user who logs onto the first installation via a user device,create a temporary identifier as a basis for retrieving a secret key held ready for the user in the second installation and allocating the temporary identifier to the user,transmit the temporary identifier to the user device,receive a request for a key identification from the second installation, wherein the request contains the temporary identifier which was transmitted to the second installation from the user device,determine the user allocated to the received temporary identifier and determining the key identification stored for the determined user, andtransmit the key identification to the second installation.

11. A method performed by an apparatus of a second installation which stores secret keys which each can be found by means of a respective key identification, wherein a first installation stores key identifications with allocation to a respective user, the method comprising:
- receiving a request for a secret key from a user device together with a temporary identifier,requesting a key identification from the first installation, wherein the received temporary identifier is transmitted,receiving the key identification from the first installation for the user allocated to the temporary identifier in the first installation,determining the secret key based on the received key identification andtransmitting the secret key to the user device.
- View Dependent Claims (12, 13, 14)
- - 12. The method according to claim 11, wherein the secret keys are stored in the second installation encrypted with the respectively associated key identification, and wherein the secret key determined based on the received key identification is the secret key encrypted with the received key identification, further comprising:
    - decrypting the determined encrypted secret key with the received key identification, wherein the transmission of the secret key to the user device comprises a secure transmission of the decrypted secret key.
  - 13. The method according to claim 12, further comprising for the secure transmission of the decrypted secret key:
    - encrypting the decrypted secret key with a one-time password received from the user device, the one-time password being encrypted with a public key of a key pair of the second installation, wherein the received encrypted one-time password is decrypted with a private key of the key pair of the second installation before it is used for encrypting the secret key of the user, and wherein the transmission of the secret key to the user device comprises a transmission of the secret key encrypted with the one-time password.
  - 14. The method according to claim 11, wherein the secret keys are stored in the second installation with allocation to a cryptographically derived value of the respective key identification, and wherein determining the secret key based on the received key identification comprises cryptographically deriving a value of the received key identification and determining the secret key which is stored with allocation to the cryptographically derived value.

15. An apparatus of a second installation which stores secret keys which each can be found by means of a respective key identification, wherein a first installation stores key identifications with allocation to a respective user, the apparatus comprising at least one processor and at least one memory storing a program, wherein the at least one memory and the program are configured to, with the at least one processor, cause an apparatus to perform the following:
- receive a request for a secret key from a user device together with a temporary identifier,request a key identification from the first installation, wherein the received temporary identifier is transmitted,receive the key identification from the first installation for the user allocated to the temporary identifier in the first installation,determine the secret key based on the received key identification, andtransmit the secret key to the user device.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The apparatus according to claim 15, wherein the secret keys are stored in the second installation encrypted with the respectively associated key identification, and wherein the secret key determined based on the received key identification is the secret key encrypted with the received key identification, the at least one memory and the program are further configured to, with the at least one processor, cause the apparatus to:
    - decrypt the determined encrypted secret key with the received key identification, wherein the transmission of the secret key to the user device comprises a secure transmission of the decrypted secret key.
  - 17. The apparatus according to claim 16, wherein for the secure transmission of the decrypted secret key the at least one memory and the program are further configured to, with the at least one processor, cause the apparatus to:
    - encrypt the decrypted secret key with a one-time password received from the user device, the one-time password being encrypted with a public key of a key pair of the second installation, wherein the received encrypted one-time password is decrypted with a private key of the key pair of the second installation before it is used for encrypting the secret key of the user, and wherein the transmission of the secret key to the user device comprises a transmission of the secret key encrypted with the one-time password.
  - 18. The apparatus according to claim 15, wherein the secret keys are stored in the second installation with allocation to a cryptographically derived value of the respective key identification, and wherein determining the secret key based on the received key identification comprises cryptographically deriving a value of the received key identification and determining the secret key which is stored with allocation to the cryptographically derived value.
  - 19. The apparatus according to claim 15, wherein the apparatus is one of a server and a module for a server.

20. A non-transitory computer-readable storage medium which stores a program comprising program instructions, wherein the program instructions when executed by a processor cause an apparatus of a second installation which stores secret keys which each can be found by means of a respective key identification to perform the following, wherein a first installation stores key identifications with allocation to a respective user:
- receive a request for a secret key from a user device together with a temporary identifier,request a key identification from the first installation, wherein the received temporary identifier is transmitted,receive the key identification from the first installation for the user allocated to the temporary identifier in the first installation,determine the secret key based on the received key identification, andtransmit the secret key to the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Deutsche Post AG
Original Assignee
Deutsche Post AG
Inventors
Bobinski, Mike, Voucko, Michael
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US14/667,959
Publication Number

US 20150199528A1
Time in Patent Office

643 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 8/61   Installation

H04L 2463/062   applying encryption of the ...

H04L 63/067   using one-time keys cryptog...

H04L 63/0815   providing single-sign-on or...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

Supporting the use of a secret key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Supporting the use of a secret key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links