Mobile device key management

US 9,634,999 B1
Filed: 11/04/2014
Issued: 04/25/2017
Est. Priority Date: 11/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

securing a master key using a password-based key to generate a first encryption information, the password-based key generated based at least in part on a password associated with a mobile device;

securing the master key using an unlock key to generate a second encryption information, wherein the unlock key is stored at a server;

deleting the master key from the mobile device after generating the first encryption information and the second encryption information, wherein deleting the master key from the mobile device renders secured data on the mobile device inaccessible; and

storing the first encryption information and the second encryption information on the mobile device, wherein the mobile device is configured to;

extract the master key from the first encryption information using the password; and

in the event that the master key is not extracted using the password, extract the master key from the second encryption information using the unlock key received from the server, wherein to receive the unlock key from the server, the server is configured to authenticate an identity associated with a user of the mobile device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mobile device key management is disclosed. A master key is secured using a password-based key to generate a first encryption information. The password-based key is generated based at least in part on a password associated with a mobile device. The master key is also secured using an unlock key to generate a second encryption information. The unlock key is stored at a server, and in certain cases is not stored on the mobile device. The first encryption information and the second encryption information are stored on the mobile device. The mobile device is configured to extract the master key from the first encryption information using the password. In the event that the master key is not extracted using the password, the mobile device is configured to extract the master key from the second encryption information using the unlock key received from the server.

27 Citations

View as Search Results

20 Claims

1. A method, comprising:
- securing a master key using a password-based key to generate a first encryption information, the password-based key generated based at least in part on a password associated with a mobile device;
  
  securing the master key using an unlock key to generate a second encryption information, wherein the unlock key is stored at a server;
  
  deleting the master key from the mobile device after generating the first encryption information and the second encryption information, wherein deleting the master key from the mobile device renders secured data on the mobile device inaccessible; and
  
  storing the first encryption information and the second encryption information on the mobile device, wherein the mobile device is configured to;
  
  extract the master key from the first encryption information using the password; and
  
  in the event that the master key is not extracted using the password, extract the master key from the second encryption information using the unlock key received from the server, wherein to receive the unlock key from the server, the server is configured to authenticate an identity associated with a user of the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the password-based key is generated based at least in part on the password associated with the mobile device and a salt.
  - 3. The method of claim 1, wherein the unlock key is not stored on the mobile device.
  - 4. The method of claim 1, wherein the master key and the unlock key are generated at the mobile device.
  - 5. The method of claim 4, further comprising:
    - sending the unlock key to the server upon generation of the second encryption information; and
      
      deleting the unlock key from the mobile device.
  - 6. The method of claim 1, wherein the master key and the unlock key are generated at the server.
  - 7. The method of claim 6, wherein the step of securing the master key using the unlock key to generate the second encryption information is performed at the server.
  - 8. The method of claim 7, wherein the server deletes the master key after generating the second encryption information.
  - 9. The method of claim 7, further comprising sending the second encryption information and the unlock key to the mobile device.
  - 10. The method of claim 9, wherein the step of securing the master key using the password-based key to generate the first encryption information is performed at the mobile device.
  - 11. The method of claim 1, further comprising:
    - receiving input including the password;
      
      extracting the master key from the first encryption information using the password; and
      
      providing the master key to an application, wherein the application uses the master key to access data encrypted using the master key.
  - 12. The method of claim 1, further comprising:
    - determining that data is to be removed from the mobile device; and
      
      removing, based at least in part on the determination, the first encryption information and second encryption information from the mobile device.
  - 13. The method of claim 1, further comprising:
    - receiving a lost password indication;
      
      sending a request to the server to retrieve the unlock key; and
      
      extracting the master key from the second encryption information using the unlock key received from the server.
  - 14. The method of claim 1, further comprising:
    - receiving an indication that the password is to be changed;
      
      extracting the master key from the first encryption information using the password; and
      
      securing the master key using a second password-based key to generate an updated first encryption information, the second password-based key generated based at least in part on a new password.
  - 15. The method of claim 1, further comprising:
    - determining that the password is to be changed;
      
      receiving a new password;
      
      comparing the new password to one or more previous passwords, the previous passwords included in a password history file encrypted using the master key; and
      
      determining that the new password is valid based at least in part on the comparison.
  - 16. The method of claim 15, wherein the password history file includes:
    - one or more hashes of previous passwords, each hash derived from a previous password and a salt.
  - 17. The method of claim 16, wherein each of the one or more hashes are derived using the same salt.
  - 18. The method of claim 17, wherein comparing includes:
    - generating a hash of the new password using the salt; and
      
      comparing the hash of the new password to the one or more hashes of previous passwords included in the password history file.

19. A system, comprising:
- a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  secure a master key using a password-based key to generate a first encryption information, the password-based key generated based at least in part on a password associated with a mobile device;
  
  secure the master key using an unlock key to generate a second encryption information, wherein the unlock key is stored at a server;
  
  delete the master key from the mobile device after generating the first encryption information and the second encryption information, wherein deleting the master key from the mobile device renders secured data on the device inaccessible; and
  
  store the first encryption information and the second encryption information on the mobile device, wherein the mobile device is configured to;
  
  extract the master key from the first encryption information using the password; and
  
  in the event that the master key is not extracted using the password, extract the master key from the second encryption information using the unlock key received from the server, wherein to receive the unlock key from the server, the server is configured to authenticate an identity associated with a user of the mobile device.

20. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- securing a master key using a password-based key to generate a first encryption information, the password-based key generated based at least in part on a password associated with a mobile device;
  
  securing the master key using an unlock key to generate a second encryption information, wherein the unlock key is stored at a server;
  
  deleting the master key from the mobile device after generating the first encryption information and the second encryption information, wherein deleting the master key from the mobile device renders secured data on the device inaccessible; and
  
  storing the first encryption information and the second encryption information on the mobile device wherein the mobile device is configured to;
  
  extract the master key from the first encryption information using the password; and
  
  in the event that the master key is not extracted using the password, extract the master key from the second encryption information using the unlock key received from the server, wherein to receive the unlock key from the server, the server is configured to authenticate an identity associated with a user of the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Marion, Eric M., Whiteman, Robert Elliott
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/533,008
Time in Patent Office

903 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 21/64   Protecting data integrity, ...

G06F 21/78   to assure secure storage of...

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0838   using one-time-passwords

H04W 12/041   Key generation or derivation

H04W 12/06   Authentication

Mobile device key management

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile device key management

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links