System and methods for opportunistic cryptographic key management on an electronic device

US 9,998,282 B2
Filed: 08/29/2017
Issued: 06/12/2018
Est. Priority Date: 10/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method for cryptographic key generation, the method comprising:

configuring a computing device to;

(a) select a cryptographic key generation mode among a plurality of cryptographic key generation modes, wherein the plurality of cryptographic key generation modes includes, at least, a first cryptographic key generation mode and a second cryptographic key generation mode, wherein the first and second cryptographic key generation modes are different, and(b) execute a cryptographic key generation according to the selected cryptographic key generation mode;

performing, by the computing device, a self-assessment of capabilities of the computing device to generate a cryptographic key that is useable by the computing device, wherein the self-assessment indicates a level of cryptographic key generation of a plurality of levels of cryptographic key generation, wherein performing the self-assessment by the computing device includes;

analyzing hardware compute processing capabilities and/or software computing features of the computing device, andusing results of the analyzing to generate a cryptographic key generation capability level of the computing device; and

identifying a minimum-security capability threshold, wherein;

(i) when the cryptographic key generation capability level satisfies the minimum-security capability threshold, selecting by the computing device the first cryptographic key generation mode, and(ii) when the cryptographic key generation capability level does not satisfy the minimum-security capability threshold, selecting by the computing device the second cryptographic key generation mode; and

generating the cryptographic key according to the selected cryptographic key generation mode.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for opportunistic cryptographic key management includes generating a security capability assessment on a first electronic device based on security capabilities of the device, selecting a key management mode based on the security capability assessment, generating a cryptographic key based on the key management mode, and storing the cryptographic key based on the key management mode.

Citations

20 Claims

1. A method for cryptographic key generation, the method comprising:
- configuring a computing device to;
  
  (a) select a cryptographic key generation mode among a plurality of cryptographic key generation modes, wherein the plurality of cryptographic key generation modes includes, at least, a first cryptographic key generation mode and a second cryptographic key generation mode, wherein the first and second cryptographic key generation modes are different, and(b) execute a cryptographic key generation according to the selected cryptographic key generation mode;
  
  performing, by the computing device, a self-assessment of capabilities of the computing device to generate a cryptographic key that is useable by the computing device, wherein the self-assessment indicates a level of cryptographic key generation of a plurality of levels of cryptographic key generation, wherein performing the self-assessment by the computing device includes;
  
  analyzing hardware compute processing capabilities and/or software computing features of the computing device, andusing results of the analyzing to generate a cryptographic key generation capability level of the computing device; and
  
  identifying a minimum-security capability threshold, wherein;
  
  (i) when the cryptographic key generation capability level satisfies the minimum-security capability threshold, selecting by the computing device the first cryptographic key generation mode, and(ii) when the cryptographic key generation capability level does not satisfy the minimum-security capability threshold, selecting by the computing device the second cryptographic key generation mode; and
  
  generating the cryptographic key according to the selected cryptographic key generation mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein:
    - the first cryptographic key generation mode comprises an on-device cryptographic key generation mode, the on-device cryptographic key generation mode enabling the computing device to generate the cryptographic key using one or more hardware components of the computing device; and
      
      the second cryptographic key generation mode comprises a remote key generation mode, the remote key generation mode enabling the computing device to use one or more hardware components of a remote computing device to generate the cryptographic key.
  - 3. The method of claim 2, wherein:
    - the remote key generation mode includes using one of;
      
      an external computing device that is communicatively coupled to the computing device via a local communication network, anda remote computing server that is in operable communication with the computing device via a network.
  - 4. The method of claim 3, wherein:
    - the remote computing server comprises a component of multi-factor authentication service platform, wherein the remote computing server includes computer processing capabilities for remote generating cryptographic keys.
  - 5. The method of claim 1, further comprising:
    - identifying, at the computing device, a cryptographic key generation request, wherein the cryptographic key generation request includes the minimum-security capability threshold.
  - 6. The method of claim 5, further comprising:
    - using the key generation request to set the minimum-security capability threshold that is referenced in selecting the first or the second cryptographic key generation modes.
  - 7. The method of claim 1, further comprising:
    - identifying, at the computing device, a cryptographic key generation request, wherein the cryptographic key generation request includes an option prioritization used for dynamically selecting the first or the second cryptographic key generation modes, wherein the option prioritization indicates a priority for selecting available cryptographic key generation options available to the computing device.
  - 8. The method of claim 7, further comprising:
    - selecting the cryptographic key generation mode using (i) the results of the analyzing and (ii) the option prioritization included with the cryptographic key generation request.
  - 9. The method of claim 1, wherein performing the self-assessment further includes:
    - analyzing platform-enabled key management capabilities of the computing device, the platform-enabled key management capabilities includes one or more security features enabled by an operating system of the computing device that operate to protect a generated cryptographic key.
  - 10. The method of claim 1, wherein performing the self-assessment further includes:
    - analyzing device usage protection capabilities of the computing device, the device usage protection capabilities include one or more authentication features implemented by the computing device for using the computing device.
  - 11. The method of claim 1, wherein:
    - each of the plurality of selectable cryptographic key generation modes includes cryptographic key creation configuration data that defines one or more parameters for generating the cryptographic key, andwherein the one or more parameters define where the cryptographic key is generated and a cryptographic key type to be generated, wherein the cryptographic key type includes one of an asymmetric key and a symmetric key.
  - 12. The method of claim 1, wherein:
    - selecting, by the computing device, the second cryptographic key generation mode includes selecting cryptographic key generation by a remote computing server,generating the cryptographic key includes generating the cryptographic key at the remote computing server, andin response to successfully generating the cryptographic key at the remote computing server, the remote computing server transmits, via a network, the cryptographic key to the computing device.
  - 13. The method of claim 1, wherein:
    - selecting, by the computing device, the second cryptographic key generation mode includes selecting cryptographic key generation by an external computing device, the external computing device being in operable communication with the computing device via a local communication network,generating the cryptographic key includes generating the cryptographic key at the external computing device, andin response to successfully generating the cryptographic key at the external computing device, the external computing device transmits, via the local communication network, the cryptographic key to the computing device.
  - 14. The method of claim 1, wherein:
    - generating the cryptographic key includes;
      
      generating, by a hardware random number generator of the computing device, a random number to be used as a seed for generating the cryptographic key.
  - 15. The method of claim 5, wherein:
    - a generation of the cryptographic key generation request is triggered in response configuring the computing device for use as a secondary authentication device in a multi-factor authentication of a user.
  - 16. The method of claim 1, wherein:
    - generating the cryptographic key includes generating an asymmetric cryptographic key pair including a private cryptographic key and a public cryptographic key defining a private/public cryptographic key pair, andthe method further comprises;
      
      storing, at the computing device, the private cryptographic key of the private/public cryptographic key pair; and
      
      transmitting the public cryptographic key of the private/public cryptographic key pair to a remote multi-factor authentication service.
  - 17. The method of claim 1, wherein:
    - generating the cryptographic key includes generating a symmetric cryptographic key, andthe method further comprises;
      
      storing, at the computing device, a copy of the symmetric cryptographic key; and
      
      transmitting a copy of the symmetric cryptographic key of the to a remote multi-factor authentication service.
  - 18. The method of claim 1, further comprising:
    - during an instantiation of a cryptographic key management system on the computing device, performing the self-assessment of capabilities of the computing device by a device capability profiler of the cryptographic key management system.

19. A method for cryptographic key storage, the method comprising:
- configuring a computing device to;
  
  (a) select a cryptographic key storage mode among a plurality of cryptographic key storage modes, wherein the plurality of cryptographic key storage modes includes, at least, a first cryptographic key storage mode and a second cryptographic key storage mode, wherein the first and second cryptographic key storage modes are different, and(b) execute a cryptographic key storage according to the selected cryptographic key storage mode;
  
  performing, by the computing device, a self-assessment of capabilities of the computing device to store a cryptographic key that is useable by the computing device, wherein the self-assessment indicates a level of cryptographic key storage of a plurality of levels of cryptographic key storage, wherein performing the self-assessment by the computing device includes;
  
  analyzing hardware compute storage capabilities and/or software storage features of the computing device, andusing results of the analyzing to generate a cryptographic key storage capability level of the computing device; and
  
  identifying a minimum-security capability threshold, wherein;
  
  (i) when the cryptographic key storage capability level satisfies the minimum-security capability threshold, selecting by the computing device the first cryptographic key storage mode, and(ii) when the cryptographic key storage capability level does not satisfy the minimum-security capability threshold, selecting by the computing device the second cryptographic key storage mode; and
  
  storing the cryptographic key according to the selected cryptographic key storage mode.

20. A system for cryptographic key generation and storage with a limited computing device, the system comprising:
- a multi-factor authentication service;
  
  a cryptographic key management system, wherein the cryptographic key management system enables a computing device to dynamically select a cryptographic key generation mode and a cryptographic key storage mode;
  
  a device capability profiler that tests and analyzes attributes and cryptographic key generation and storage capabilities of the computing device to determine capabilities of the computing device for generating and storing a cryptographic key, wherein;
  
  (i) during an instantiation of the key management system on the computing device, determining a cryptographic key capability level among a plurality of cryptographic key capability levels of the computing device;
  
  (ii) using a key generation request to determine a minimum cryptographic key capability level threshold, wherein the key generation request includes the minimum cryptographic key capability level threshold;
  
  (iii) when the cryptographic key capability level satisfies the minimum cryptographic key capability level threshold, selecting by the computing device a first cryptographic key generation and storage mode, wherein the first cryptographic key generation mode comprises generating and/or storing a cryptographic key using the computing device;
  
  (iv) when the cryptographic key capability level does not satisfy the minimum cryptographic key capability level threshold, selecting by the computing device the second cryptographic key generation and storage mode, wherein the second cryptographic key generation mode comprises generating and/or storing the cryptographic key using a remote computing device; and
  
  (v) generating and storing the cryptographic key according to the selected cryptographic key storage mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/689,912
Publication Number

US 20180006812A1
Time in Patent Office

287 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0861   Generation of secret inform...

H04L 9/0869   involving random numbers or...

H04L 9/0877   using additional device, e....

H04L 9/0897   involving additional device...

System and methods for opportunistic cryptographic key management on an electronic device

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for opportunistic cryptographic key management on an electronic device

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links