Apparatus and method for secure delivery of data utilizing encryption key management

US 9,819,485 B2
Filed: 05/01/2014
Issued: 11/14/2017
Est. Priority Date: 05/01/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a remote management server comprising a processing system including a processor, a master key;

obtaining, by the remote management server, derivation data associated with an end user device;

generating, by the remote management server, a derived encryption key by applying a first one-way function to the master key and the derivation data;

providing, by the remote management server over a network, the derived encryption key to a universal integrated circuit card of the end user device to enable the universal integrated circuit card to generate a temporary encryption key for encrypting data by applying a second one-way function to the derived encryption key and a nonce, wherein the derived encryption key is provided to the universal integrated circuit card of the end user device without being provided to a secure device processor of the end user device, wherein the providing of the derived encryption key to the universal integrated circuit card enables the universal integrated circuit card to provide the temporary encryption key to the secure device processor for the encrypting of the data without the secure device processor receiving the derived encryption key;

preventing the master key from being provided by the remote management server to the end user device;

preventing the universal integrated circuit card of the end user device from accessing the master key, wherein the universal integrated circuit card, the secure device processor and a device processor are components housed in the end user device and in communication with each other;

providing, by the remote management server over the network, a public nonce key to the universal integrated circuit card to enable the universal integrated circuit card to encrypt the nonce to generate, an encrypted nonce; and

providing, by the remote management server over the network, a private nonce key to an application server to enable the application server to decrypt the encrypted nonce that is received by the application server from the end user device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device that incorporates the subject disclosure may perform, for example, receiving a derived encryption key from a remote management server without receiving a master key from which the derived encryption key was generated, applying a one-way function to the derived encryption key and a nonce to generate a temporary encryption key, obtaining data for transmission to a recipient device, encrypting the data using the temporary encryption key to generate encrypted data, and providing the encrypted data over a network to the recipient device. Other embodiments are disclosed.

44 Citations

View as Search Results

17 Claims

1. A method comprising:
- obtaining, by a remote management server comprising a processing system including a processor, a master key;
  
  obtaining, by the remote management server, derivation data associated with an end user device;
  
  generating, by the remote management server, a derived encryption key by applying a first one-way function to the master key and the derivation data;
  
  providing, by the remote management server over a network, the derived encryption key to a universal integrated circuit card of the end user device to enable the universal integrated circuit card to generate a temporary encryption key for encrypting data by applying a second one-way function to the derived encryption key and a nonce, wherein the derived encryption key is provided to the universal integrated circuit card of the end user device without being provided to a secure device processor of the end user device, wherein the providing of the derived encryption key to the universal integrated circuit card enables the universal integrated circuit card to provide the temporary encryption key to the secure device processor for the encrypting of the data without the secure device processor receiving the derived encryption key;
  
  preventing the master key from being provided by the remote management server to the end user device;
  
  preventing the universal integrated circuit card of the end user device from accessing the master key, wherein the universal integrated circuit card, the secure device processor and a device processor are components housed in the end user device and in communication with each other;
  
  providing, by the remote management server over the network, a public nonce key to the universal integrated circuit card to enable the universal integrated circuit card to encrypt the nonce to generate, an encrypted nonce; and
  
  providing, by the remote management server over the network, a private nonce key to an application server to enable the application server to decrypt the encrypted nonce that is received by the application server from the end user device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 comprising:
    - providing, by the remote management server over the network, the derived encryption key to the application server to enable the application server to decrypt encrypted data using the derived encryption key and the nonce, wherein the encrypted data is received by the application server from the end user device.
  - 3. The method of claim 1, wherein the nonce comprises a non-repeating data set that includes a time stamp.
  - 4. The method of claim 1, wherein the generating of the derived encryption key utilizes an elliptic curve, and wherein a size of nonces generated by the universal integrated circuit card varies over time.
  - 5. The method of claim 1, wherein the master key is not provided by the remote management server to the application server.
  - 6. The method of claim 1, wherein the obtaining of the master key includes accessing the master key stored in a memory of the remote management server, and further comprising:
    - providing, by the remote management server over the network, a public temporary encryption key to the universal integrated circuit card of the end user device to enable the universal integrated circuit card to encrypt the temporary encryption key to generate an encrypted temporary encryption key; and
      
      providing, by the remote management server over the network, a private temporary encryption key to the application server to enable the application server to decrypt the encrypted temporary encryption key that is received by the application server from the end user device.

7. A communication device comprising:
- a secure element having a secure element memory that stores first executable instructions that, when executed by the secure element, facilitate performance of first set of operations, comprising;
  
  receiving a derived encryption key from a remote management server without receiving a master key from which the derived encryption key was generated, wherein the secure element is prevented from accessing the master key, wherein the derived encryption key is generated by applying a first one-way function to the master key and derivation data;
  
  generating a temporary encryption key by applying a second one-way function to the derived encryption key and a nonce;
  
  receiving a public nonce key from the remote management server; and
  
  encrypting the nonce using the public nonce key to generate an encrypted nonce;
  
  a secure device processor having a secure device processor memory that stores second executable instructions that, when executed by the secure device processor, facilitate performance of second set of operations, comprising;
  
  receiving the temporary encryption key from the secure element without receiving the derived encryption key;
  
  obtaining data for transmission to a recipient device;
  
  encrypting the data using the temporary encryption key to generate encrypted data;
  
  providing the encrypted data over a network to the recipient device;
  
  receiving the encrypted nonce from the secure element; and
  
  providing the encrypted nonce over the network to the recipient device to enable the recipient device to decrypt the encrypted nonce using a private nonce key received by the recipient device from the remote management server,wherein the secure element, the secure device processor and a device processor are separate components housed in the communication device and in communication with each other.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The communication device of claim 7, wherein the device processor comprises a plurality of processors operating in a distributed processing environment, and wherein the first set of operations further comprise:
    - generating a number; and
      
      generating the nonce from the number, wherein the nonce comprises a non-repeating data set that includes a time stamp.
  - 9. The communication device of claim 7, wherein the first set of operations further comprise:
    - receiving a public temporary encryption key from the remote management server;
      
      encrypting the temporary encryption key using the public temporary encryption key to generate an encrypted temporary encryption key; and
      
      wherein the second set of operations further comprise;
      
      receiving the encrypted temporary encryption key from the secure element; and
      
      providing the encrypted temporary encryption key over the network to the recipient device to enable the recipient device to decrypt the encrypted temporary encryption key using a private temporary encryption key received by the recipient device from the remote management server.
  - 10. The communication device of claim 7, wherein the second set of operations further comprise:
    - monitoring for a key rotation event;
      
      providing a key rotation request to the secure element responsive to detecting the key rotation event; and
      
      wherein the first set of operations further comprise generating a second temporary encryption key responsive to the key rotation request.
  - 11. The communication device of claim 10, wherein the temporary encryption key and the second temporary encryption key are generated by the secure element during a single communication session, and wherein the second temporary encryption key is generated from the derived encryption key and a second nonce.
  - 12. The communication device of claim 7, wherein the second set of operations further comprise:
    - generating a number;
      
      generating a time stamp;
      
      providing the number and the time stamp to the secure element; and
      
      wherein the first set of operations further comprise;
      
      generating the nonce from the number and the time stamp.
  - 13. The communication device of claim 7, wherein the nonce is generated by the secure element according to information provided by the secure device processor, and wherein the derived encryption key received from the remote management server is a fixed length static key.
  - 14. The communication device of claim 7, wherein the first set of operations further comprise:
    - receiving an encrypted second nonce from the recipient device;
      
      decrypting the nonce using the private nonce key to generate a second nonce;
      
      generating a second temporary encryption key from the derived encryption key and the second nonce; and
      
      wherein the second set of operations further comprise;
      
      receiving encrypted second data from the recipient device;
      
      receiving the second temporary encryption key from the secure element; and
      
      decrypting the encrypted second data using the second temporary encryption key.

15. A method comprising:
- receiving, by a secure element of a communication device comprising a processing system, a derived encryption key from a remote management server without receiving a master key from which the derived encryption key was generated, wherein the secure element is prevented from accessing the master key, and wherein the derived encryption key is generated by applying a first one-way function to the master key and derivation data;
  
  generating, by the secure element, a temporary encryption key by applying a second one-way function to the derived encryption key and a nonce;
  
  obtaining, by a secure device processor of the communication device, data for transmission to a recipient device;
  
  encrypting, by the secure device processor, the data using the temporary encryption key to generate encrypted data;
  
  providing, by the communication device, the encrypted data over a network to the recipient device,receiving, by the communication device, a public nonce key from the remote management server;
  
  encrypting, by the communication device, the nonce using the public nonce key to generate an encrypted nonce; and
  
  providing, by the communication device, the encrypted nonce over the network to the recipient device to enable the recipient device to decrypt the encrypted nonce using a private nonce key received by the recipient device from the remote management server,wherein the secure element, the secure device processor and a device processor are separate components housed in the communication device and in communication with each other.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, comprising:
    - receiving, by the communication device, a public temporary encryption key from the remote management server;
      
      encrypting, by the communication device, the temporary encryption key using the public temporary encryption key to generate an encrypted temporary encryption key; and
      
      providing, by the communication device, the encrypted temporary encryption key over the network to the recipient device to enable the recipient device to decrypt the encrypted temporary encryption key using a private temporary encryption key received by the recipient device from the remote management server.
  - 17. The method of claim 15, comprising:
    - detecting a key rotation event; and
      
      generating a second temporary encryption key responsive to the detecting of the key rotation event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Chin, Stephen Emille
Primary Examiner(s)
Kabir, Jahangir

Application Number

US14/267,019
Publication Number

US 20150319151A1
Time in Patent Office

1,293 Days
Field of Search

713150, 713168, 713171
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

H04L 2463/061   applying further key deriva...

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

Apparatus and method for secure delivery of data utilizing encryption key management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for secure delivery of data utilizing encryption key management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links