Key management on device for perimeters
Abstract
There is provided a method and apparatus for resetting a password for a device or managing the device, the device having an encryption perimeter. A device shares a public/private key pair with a server, the public key being on the device and the private key being on the server. An intermediate value is encrypted on the mobile device using the public key. If the password is lost or the device needs to be managed, the server can request the encrypted intermediate value, decrypt it, and send the decrypted value to the mobile device which may then resume operations. A new password may be provided by the server or the user may set a new password once the encryption key is recreated from the decrypted intermediate value.
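The recovery flow described in the abstract, taking the claims' PKDF value as the intermediate value, as an added example that is not code from the patent. PBKDF2 as the PKDF, HMAC-SHA256 as the combining step, and every function name are assumptions. Textbook RSA stands in for the public/private key pair; it is deterministic, so a stored ciphertext would let anyone holding the public key test password guesses offline, and a deployment needs randomized padding such as RSA-OAEP.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for the server's key pair: textbook RSA over two known Mersenne
# primes. Illustration only; a real system would use a vetted library with
# randomized padding (e.g. RSA-OAEP).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, stored on the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the server only


def pkdf(password: bytes, salt: bytes) -> bytes:
    """PKDF value from the password (PBKDF2-HMAC-SHA256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def combine(pkdf_value: bytes, device_random: bytes) -> bytes:
    """Derive the perimeter key from the PKDF value and device random data.
    HMAC-SHA256 as the combiner is an assumption."""
    return hmac.new(pkdf_value, device_random, hashlib.sha256).digest()


def device_enroll(password: bytes):
    """Device side: returns (state kept at rest, encryption key in use)."""
    salt, device_random = secrets.token_bytes(16), secrets.token_bytes(32)
    value = pkdf(password, salt)
    key = combine(value, device_random)
    escrow = pow(int.from_bytes(value, "big"), E, N)   # encrypt with public key
    # Only these survive; the password and PKDF value are discarded.
    return {"salt": salt, "device_random": device_random, "escrow": escrow}, key


def server_decrypt(escrow: int) -> bytes:
    """Server side: sees only the encrypted PKDF value, never device_random."""
    return pow(escrow, D, N).to_bytes(32, "big")


def device_recover(state: dict) -> bytes:
    """Recovery without the password: escrow -> server -> PKDF value -> key.
    The direct call stands in for the separately authenticated secure channel."""
    value = server_decrypt(state["escrow"])
    return combine(value, state["device_random"])
```

The server's decryption yields only the PKDF value; without the device specific random data it cannot reconstruct the encryption key.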
19 Claims
1. A method, at a computing device, for enabling recovery of an encryption key used for encrypting data of an encryption perimeter, the method comprising:
- establishing, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
- using a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;
- encrypting data within the encryption perimeter on the computing device with the encryption key;
- encrypting the PKDF value with the public key;
- storing the encrypted PKDF value;
- deleting the password and the PKDF value from memory on the computing device;
- establishing a secure channel with the server;
- sending the encrypted PKDF value to the server;
- receiving a decrypted PKDF value from the server; and
- combining the decrypted PKDF value with the device specific random data to derive the encryption key;
- wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
Dependent claims: 2, 3, 4, 5
6. A method, at a server, for enabling recovery of an encryption key used for encrypting data of an encryption perimeter on a computing device, comprising:
- establishing with the computing device, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
- establishing a secure channel with the computing device;
- receiving, via the secure channel, an encrypted Password Key Derivation Function (PKDF) value, the PKDF value being based on a password;
- decrypting the encrypted PKDF value with the private key; and
- sending the decrypted PKDF value to the computing device via the secure channel;
- wherein the encryption key on the computing device is derivable from the decrypted PKDF value by combining the PKDF value with device specific random data;
- wherein data within the encryption perimeter on the computing device is encrypted with the encryption key; and
- wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
Dependent claims: 7, 8, 9
10. A computing device configured for enabling recovery of an encryption key used for encrypting data of an encryption perimeter, comprising:
- a communications subsystem;
- a processor; and
- memory;
- wherein the communications subsystem, the processor, and the memory, cooperate to;
- establish, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
- use a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;
- encrypt data within the encryption perimeter on the computing device with the encryption key;
- encrypt the PKDF value with the public key;
- store the encrypted PKDF value;
- delete the password and the PKDF value from memory on the computing device;
- establish a secure channel with the server;
- send the encrypted PKDF value to the server;
- receive a decrypted PKDF value from the server; and
- combine the decrypted PKDF value with the device specific random data to derive the encryption key;
- wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
Dependent claims: 11, 12, 13, 14
15. A server, configured for enabling recovery of an encryption key used for encrypting data of an encryption perimeter on a computing device comprising:
- a communications subsystem;
- a microprocessor; and
- memory;
- wherein the communications subsystem, microprocessor and memory cooperate to;
- establish with the computing device, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
- establish a secure channel with the computing device;
- receive, via the secure channel, an encrypted Password Key Derivation Function (PKDF) value, the PKDF value being based on a password;
- decrypt the encrypted PKDF value with the private key; and
- send the decrypted PKDF value to the computing device via the secure channel;
- wherein the encryption key on the computing device is derivable from the decrypted PKDF value by combining the PKDF value with device specific random data;
- wherein data within the encryption perimeter on the computing device is encrypted with the encryption key; and
- wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
Dependent claims: 16, 17
18. A non-transitory computer-readable medium having stored thereon executable code for execution by a processor of a computing device, the computing device comprising an encryption perimeter encrypted with an encryption key, the executable code comprising instructions for:
- establishing, with a server, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server;
- using a Password Key Derivation Function (PKDF) for computing a PKDF value, based on a password, at the computing device, the PKDF value being used to derive the encryption key by combining the PKDF value with device specific random data;
- encrypting data within the encryption perimeter on the computing device with the encryption key;
- encrypting the PKDF value with the public key;
- storing the encrypted PKDF value;
- deleting the password and the PKDF value from memory on the computing device;
- establishing a secure channel with the server;
- sending the encrypted PKDF value to the server;
- receiving a decrypted PKDF value from the server; and
- combining the decrypted PKDF value with device specific random data wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
19. A non-transitory computer-readable medium having stored thereon executable code for execution by a processor of a server, the executable code comprising instructions for:
- establishing with a computing device, a public/private key pair, the public key being stored on the computing device and the private key being stored on the server, the computing device comprising an encryption perimeter encrypted with an encryption key;
- establishing a secure channel with the computing device;
- receiving, via the secure channel, an encrypted Password Key Derivation Function (PKDF) value, the PKDF value being based on a password;
- decrypting the encrypted PKDF value with the private key; and
- sending the decrypted PKDF value to the computing device via the secure channel;
- wherein the encryption key on the computing device is derivable from the decrypted PKDF value by combining the PKDF value with device specific random data;
- wherein data within an encryption perimeter on the computing device is encrypted with the encryption key; and
- wherein the secure channel is established with cryptographic credentials which are distinct from the password, the PKDF value, and the public and private key pair.
Specification