Key management on device for perimeters

US 9,698,975 B2
Filed: 02/15/2012
Issued: 07/04/2017
Est. Priority Date: 02/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method, at a computing device, for enabling recovery of an encryption key used for encrypting data of an encryption perimeter, the method comprising:

establishing, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;

using a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;

encrypting data within the encryption perimeter on the computing device with the encryption key;

encrypting the PKDF value with the public key;

storing the encrypted PKDF value;

deleting the password and the PKDF value from memory on the computing device;

establishing a secure channel with the server;

sending the encrypted PKDF value to the server;

receiving a decrypted PKDF value from the server; and

combining the decrypted PKDF value with the device specific random data to derive the encryption key;

wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a method and apparatus for resetting a password for a device or managing the device, the device having an encryption perimeter. A device shares a public/private key pair with a server, the public key being on the device and the private key being on the server. An intermediate value is encrypted on the mobile device using the public key. If the password is lost or the device needs to be managed, the server can request the encrypted intermediate value, decrypt it, and send the decrypted value to the mobile device which may then resume operations. A new password may be provided by the server or the user may set a new password once the encryption key is recreated from the decrypted intermediate value.

79 Citations

View as Search Results

19 Claims

1. A method, at a computing device, for enabling recovery of an encryption key used for encrypting data of an encryption perimeter, the method comprising:
- establishing, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
  
  using a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;
  
  encrypting data within the encryption perimeter on the computing device with the encryption key;
  
  encrypting the PKDF value with the public key;
  
  storing the encrypted PKDF value;
  
  deleting the password and the PKDF value from memory on the computing device;
  
  establishing a secure channel with the server;
  
  sending the encrypted PKDF value to the server;
  
  receiving a decrypted PKDF value from the server; and
  
  combining the decrypted PKDF value with the device specific random data to derive the encryption key;
  
  wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the encryption key is used for encrypting and decrypting data in the encryption perimeter.
  - 3. The method of claim 1 wherein the PKDF is a one-way hash function.
  - 4. The method of claim 1, wherein the encryption key is derived by applying at least one cryptographic hash iteration to the PKDF value.
  - 5. The method of claim 1, wherein the computing device is one of a smart phone, a tablet, or a personal computer.

6. A method, at a server, for enabling recovery of an encryption key used for encrypting data of an encryption perimeter on a computing device, comprising:
- establishing with the computing device, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
  
  establishing a secure channel with the computing device;
  
  receiving, via the secure channel, an encrypted Password Key Derivation Function (PKDF) value, the PKDF value being based on a password;
  
  decrypting the encrypted PKDF value with the private key; and
  
  sending the decrypted PKDF value to the computing device via the secure channel;
  
  wherein the encryption key on the computing device is derivable from the decrypted PKDF value by combining the PKDF value with device specific random data;
  
  wherein data within the encryption perimeter on the computing device is encrypted with the encryption key; and
  
  wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the PKDF value comprises a hash of a password.
  - 8. The method of claim 6, wherein the private key is uniquely associated with the computing device.
  - 9. The method of claim 6 further comprising, after receiving the encrypted PKDF value, sending a new password to the mobile device via the secure channel.

10. A computing device configured for enabling recovery of an encryption key used for encrypting data of an encryption perimeter, comprising:
- a communications subsystem;
  
  a processor; and
  
  memory;
  
  wherein the communications subsystem, the processor, and the memory, cooperate to;
  
  establish, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
  
  use a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;
  
  encrypt data within the encryption perimeter on the computing device with the encryption key;
  
  encrypt the PKDF value with the public key;
  
  store the encrypted PKDF value;
  
  delete the password and the PKDF value from memory on the computing device;
  
  establish a secure channel with the server;
  
  send the encrypted PKDF value to the server;
  
  receive a decrypted PKDF value from the server; and
  
  combine the decrypted PKDF value with the device specific random data to derive the encryption key;
  
  wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computing device of claim 10, wherein the encryption key is used for encrypting and decrypting data in the encryption perimeter.
  - 12. The computing device of claim 10 wherein the PKDF is a one-way hash function.
  - 13. The computing device of claim 10, wherein the encryption key is obtained by applying at least one cryptographic hash iteration to the PKDF value.
  - 14. The computing device of claim 10, wherein the computing device is one of a smart phone, a tablet, or a personal computer.

15. A server, configured for enabling recovery of an encryption key used for encrypting data of an encryption perimeter on a computing device comprising:
- a communications subsystem;
  
  a microprocessor; and
  
  memory;
  
  wherein the communications subsystem, microprocessor and memory cooperate to;
  
  establish with the computing device, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
  
  establish a secure channel with the computing device;
  
  receive, via the secure channel, an encrypted Password Key Derivation Function (PKDF) value, the PKDF value being based on a password;
  
  decrypt the encrypted PKDF value with the private key; and
  
  send the decrypted PKDF value to the computing device via the secure channel;
  
  wherein the encryption key on the computing device is derivable from the decrypted PKDF value by combining the PKDF value with device specific random data;
  
  wherein data within the encryption perimeter on the computing device is encrypted with the encryption key; and
  
  wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
- View Dependent Claims (16, 17)
- - 16. The server of claim 15, wherein the private key is uniquely associated with the computing device.
  - 17. The server of claim 15, wherein the communications subsystem, the microprocessor and the memory further cooperate to, after receiving the encrypted PKDF value, send a new password to the computing device via the secure channel.

18. A non-transitory computer-readable medium having stored thereon executable code for execution by a processor of a computing device, the computing device comprising an encryption perimeter encrypted with an encryption key, the executable code comprising instructions for:
- establishing, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
  
  using a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;
  
  encrypting data within the encryption perimeter on the computing device with the encryption key;
  
  encrypting the PKDF value with the public key;
  
  storing the encrypted PKDF value;
  
  deleting the password and the PKDF value from memory on the computing device;
  
  establishing a secure channel with the server;
  
  sending the encrypted PKDF value to the server;
  
  receiving a decrypted PKDF value from the server; and
  
  combining the decrypted PKDF value with device specific random datawherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.

19. A non-transitory computer-readable medium having stored thereon executable code for execution by a processor of a server, the executable code comprising instructions for:
- establishing with a computing device, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server, the computing device comprising an encryption perimeter encrypted with an encryption key;
  
  establishing a secure channel with the computing device;
  
  receiving, via the secure channel, an encrypted Password Key Derivation Function (PKDF) value, the PKDF value being based on a password;
  
  decrypting the encrypted PKDF value with the private key; and
  
  sending the decrypted PKDF value to the computing device via the secure channel;
  
  wherein the encryption key on the computing device is derivable from the decrypted PKDF value by combining the PKDF value with device specific random data;
  
  wherein data within an encryption perimeter on the computing device is encrypted with the encryption key; and
  
  wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
2236008 Ontario Inc. (Blackberry Limited), Blackberry Limited
Inventors
Nagarajan, Sivakumar, Dikic, Srdan, McConnaughay, Mark A., Bozsitz, Marius, Bender, Christopher Lyle
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US13/397,413
Publication Number

US 20130212392A1
Time in Patent Office

1,966 Days
Field of Search

380286
US Class Current
CPC Class Codes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0863   involving passwords or one-...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Key management on device for perimeters

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Key management on device for perimeters

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links