Encrypting and storing data

US 9,992,017 B2
Filed: 06/28/2013
Issued: 06/05/2018
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A user equipment that encrypts and stores data to communicate to a server of a communication network, the user equipment comprising:

a processor coupled to a first memory and configured to;

establish a session between the user equipment and the server of the communication network;

generate two or more keys based on a shared secret made available to the user equipment and the server, wherein the two or more keys comprise at least one perfect forward secrecy key, and at least one partial forward secrecy key, wherein the at least one partial forward secrecy key is generated based on a cryptographic function applied to the shared secret and a session identifier associated with the established session;

encrypt data using the at least one partial forward secrecy key;

store the encrypted data in the first memory of the user equipment;

generate an updated partial forward secrecy key based on an application of a one-way function to the partial forward secrecy key and the session identifier responsive to the encryption of the data using the at least one partial forward secrecy key; and

store the updated partial forward secrecy key in a second memory of the user equipment to encrypt future communications during the established session with the server; and

a transmitter configured to transmit the stored encrypted data in a communication to the server during the established session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for encrypting and storing data. The methods and apparatus provide different levels of security and usability. The methods and apparatus generate two or more keys based on a shared secret made available to a user equipment and a server. The two or more keys comprise at least one perfect forward secrecy key, and at least one limited forward secrecy key. The methods and apparatus encrypt data using at least one of the two or more keys. The methods and apparatus store the encrypted data in a memory of the user equipment and/or transmit the data from the user equipment to the server.

19 Citations

15 Claims

1. A user equipment that encrypts and stores data to communicate to a server of a communication network, the user equipment comprising:
- a processor coupled to a first memory and configured to;
  
  establish a session between the user equipment and the server of the communication network;
  
  generate two or more keys based on a shared secret made available to the user equipment and the server, wherein the two or more keys comprise at least one perfect forward secrecy key, and at least one partial forward secrecy key, wherein the at least one partial forward secrecy key is generated based on a cryptographic function applied to the shared secret and a session identifier associated with the established session;
  
  encrypt data using the at least one partial forward secrecy key;
  
  store the encrypted data in the first memory of the user equipment;
  
  generate an updated partial forward secrecy key based on an application of a one-way function to the partial forward secrecy key and the session identifier responsive to the encryption of the data using the at least one partial forward secrecy key; and
  
  store the updated partial forward secrecy key in a second memory of the user equipment to encrypt future communications during the established session with the server; and
  
  a transmitter configured to transmit the stored encrypted data in a communication to the server during the established session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The user equipment according to claim 1, wherein the processor is configured to generate a master key based on the shared secret.
  - 3. The user equipment according to claim 2, wherein the processor is further configured to generate a salt, and to generate the master key based on the shared secret and the salt.
  - 4. The user equipment according to claim 2, wherein the processor is configured to generate the partial forward secrecy key based on a one-way function of the master key and the session identifier.
  - 5. The user equipment according to claim 4, wherein the processor is configured to generate the session identifier.
  - 6. The user equipment according to claim 2, wherein the processor is further configured to generate a salt, and to generate the master key based on the shared secret and the salt, and wherein the transmitter is further configured to transmit the salt to the server.
  - 7. The user equipment according to claim 2, wherein the processor is configured to generate the at least one partial forward secrecy key based on a one-way function of the master key and the session identifier, and wherein the transmitter is further configured to transmit the session identifier to the server.
  - 8. The user equipment according to claim 1, wherein processor is configured to select at least one of the two or more keys to encrypt the data based on a user input.

9. A method performed by a user equipment operable to communicate with a server of a communication network, the method comprising:
- establishing a session between the user equipment and the server of the communication network;
  
  generating, two or more keys based on a shared secret made available to the user equipment and the server, wherein the two or more keys comprise at least one perfect forward secrecy key, and at least one partial forward secrecy key, wherein the at least one partial forward secrecy key is generated based on a cryptographic function applied to the shared secret and a session identifier associated with the established session;
  
  encrypting data using the at least one partial forward secrecy key;
  
  storing the encrypted data in a first memory of the user equipment;
  
  generating an updated partial forward secrecy key based on an application of a one-way function to the partial forward secrecy key and the session identifier responsive to the encryption of the data using the at least one partial forward secrecy key;
  
  storing the updated partial forward secrecy key in a second memory of the user equipment to encrypt future communications during the established session with the server; and
  
  transmitting the stored encrypted data in a communication to the server during the established session.
- View Dependent Claims (10)
- - 10. A computer program product comprising a non-transitory computer readable storage medium storing code configured, when executed by a computer, to carry out the method according to claim 9.

11. A server in communication with a user equipment operating in a communication network, the server comprising:
- a receiver configured to receive encrypted data in a communication from the user equipment;
  
  a processor and memory, the processor configured to;
  
  establish a session between the user equipment and the server;
  
  generate two or more keys based on a shared secret made available to the user equipment and the server, wherein the two or more keys comprise at least one perfect forward secrecy key, and at least one partial forward secrecy key, wherein the at least one partial forward secrecy key is generated based on a cryptographic function applied to the shared secret and a session identifier associated with the established session;
  
  decrypt the received encrypted data using the at least one partial forward secrecy key;
  
  store at least part of the decrypted data in the memory;
  
  generate an updated partial forward secrecy key based on an application of a one-way function to the partial forward secrecy key and the session identifier responsive to the decryption of the data using the at least one partial forward secrecy key; and
  
  store the updated partial forward secrecy key in the memory to decrypt future communications from the user equipment during the established session.
- View Dependent Claims (12, 13)
- - 12. The server according to claim 11, wherein the processor is configured to generate a master key based on the shared secret, and wherein the key generator is further configured to generate the at least one perfect forward secrecy key by applying a one-way function on the master key and a seed value generated by the server.
  - 13. The server according to claim 12, wherein the processor is configured to delete the seed value from the memory after the perfect forward secrecy key has been generated.

14. A method performed by a server in communication with a user equipment operating in a communication network, the method comprising:
- establishing a session between the user equipment and the server;
  
  receiving encrypted data in the established session from the user equipment;
  
  generating two or more keys based on a shared secret made available to the user equipment and the server, wherein the two or more keys comprise at least one perfect forward secrecy key, and at least one partial forward secrecy key, wherein the at least one partial forward secrecy key is generated based on a cryptographic function applied to the shared secret and a session identifier associated with the established session;
  
  decrypting the received encrypted data using the at least one partial forward secrecy key;
  
  storing the decrypted data in a memory of the server;
  
  generating an updated partial forward secrecy key based on an application of a one-way function to the partial forward secrecy key and the session identifier responsive to the decryption of the data using the at least one partial forward secrecy key; and
  
  storing the updated partial forward secrecy key in the memory to decrypt future communications from the user equipment during the established session with.
- View Dependent Claims (15)
- - 15. A computer program product comprising a non-transitory computer readable storage medium storing code configured, when executed by a computer, to carry out the method according to claim 14.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Nslund, Mats, Melo De Brito Carvalho, Tereza Cristina, Iwaya, Leonardo Horn, Simplicio Junior, Marcos Antonio
Primary Examiner(s)
Simitoski, Michael

Application Number

US14/900,557
Publication Number

US 20160156464A1
Time in Patent Office

1,803 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Encrypting and storing data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting and storing data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links