Private key/public key resource protection scheme

US 10,148,433 B1
Filed: 10/14/2009
Issued: 12/04/2018
Est. Priority Date: 10/14/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

securing a resource with an access control mechanism;

provisioning the secured resource for access by;

identifying a plurality of users for provisioning, wherein the plurality of users may or may not be present for provisioning,identifying any users of the plurality of users having a public key in the provisioning system,identifying any users of the plurality of users having a public key from a public/private key in a directory external to the provisioning system,notifying the users in the plurality of users that do not have the public/private key pair that provisioning is unavailable and instructing the users to generate a key pair for access to the resource, and provide the key pair to an administrator,modifying the plurality of users for provisioning to include only users that have a public/private key pair but not including users without the public/private key pair, to yield a plurality of users that can be provisioned, andconstructing a public key collection of the public keys in the provisioning system and the public keys retrieved from the directory,encrypting the access control mechanism for the plurality of users that can be provisioned, with the plurality of user public keys in the public key collection;

having each of the plurality of user private keys associated with the plurality of user public keys protected by an authentication mechanism, such that the access control mechanism is released to make available the secured resource with the user private key, and the user private key is released by the authentication mechanism; and

in order to add access to the resource to an additional user, decrypting the access control mechanism using an existing private key, adding a new public key of the additional user to the plurality of user public keys, and encrypting the access control mechanism using the plurality of public keys including the new public key of the additional user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus of enabling access to a resource secured with a shared access control mechanism is provided. The method includes providing a public key and an authentication protected private key for a user. The private key is released to the user after receiving correct authentication. In one embodiment, the authentication may be one or more of a password, pass phrase, biometric, and smart card. The private key may be used to release the shared access control mechanism for the resource. In one embodiment, a plurality of users may have their private key provide access to the shared access control mechanism.

58 Citations

View as Search Results

20 Claims

1. A method comprising:
- securing a resource with an access control mechanism;
  
  provisioning the secured resource for access by;
  
  identifying a plurality of users for provisioning, wherein the plurality of users may or may not be present for provisioning,identifying any users of the plurality of users having a public key in the provisioning system,identifying any users of the plurality of users having a public key from a public/private key in a directory external to the provisioning system,notifying the users in the plurality of users that do not have the public/private key pair that provisioning is unavailable and instructing the users to generate a key pair for access to the resource, and provide the key pair to an administrator,modifying the plurality of users for provisioning to include only users that have a public/private key pair but not including users without the public/private key pair, to yield a plurality of users that can be provisioned, andconstructing a public key collection of the public keys in the provisioning system and the public keys retrieved from the directory,encrypting the access control mechanism for the plurality of users that can be provisioned, with the plurality of user public keys in the public key collection;
  
  having each of the plurality of user private keys associated with the plurality of user public keys protected by an authentication mechanism, such that the access control mechanism is released to make available the secured resource with the user private key, and the user private key is released by the authentication mechanism; and
  
  in order to add access to the resource to an additional user, decrypting the access control mechanism using an existing private key, adding a new public key of the additional user to the plurality of user public keys, and encrypting the access control mechanism using the plurality of public keys including the new public key of the additional user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the authentication mechanism comprises one or more of the following:
    - a biometric, a password, challenge response, and a smart card.
  - 3. The method of claim 2, wherein any of the plurality of authentication mechanisms may be used to release the private key.
  - 4. The method of claim 2, wherein at least two of the available authentication mechanisms are used to release the private key.
  - 5. The method of claim 1, wherein there is another layer of security between the access control mechanism and the protection of the secure resource.
  - 6. The method of claim 1, further comprising:
    - utilizing a second user private key, associated with a second user public key, such that a combination of the user private key and the second user private key are utilized to decrypt the access control mechanism.
  - 7. The method of claim 1, further comprising:
    - encrypting the access control mechanism with a plurality of user public keys in parallel, enabling access to the secure resource to a plurality of users, each user able to decrypt the access control mechanism with the user'"'"'s private key.
  - 8. The method of claim 7, further comprising:
    - generating a recovery user, the recovery user having a public key and a private key, the private key secured by a passcode known to the administrator, such that the administrator can use the recovery user identity to access the secured resource,the administrator comprising one of a human or an automated process.
  - 9. The method of claim 8, wherein the passcode is a one-time passcode.

10. An apparatus comprising:
- a secured resource protected by an access control mechanism;
  
  a first processor implementing a crypto-logic designed to provision the secured resource, the first processor comprising;
  
  a provisioning logic to identify a first plurality of users for provisioning,the provisioning logic further to collect a first one or more public keys from within the provisioning logic and a second one or more public keys from a directory for at least one of the first plurality of users,the first processor further to modify the first plurality of users to include only users that have a public/private key pair to yield a plurality of users that can be provisioned, and notifying the keyless users that provisioning is unavailable and instructing the users to generate a key pair, and providing the key pair to an administrator;
  
  a second processor implementing key construction/release logic to enable a user in the plurality of users that can be provisioned to release a protected private key, associated with the user public key, when a user is successfully authenticated, the private key used to decrypt the access control mechanism and thereby provide access to the secured resource;
  
  the first processor to enable addition of a new user to the access control mechanism by decrypting the access control mechanism using a provisioned private key, and parallel encrypting the access control mechanism with an updated plurality of user public keys including the public key of the new user.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, wherein the authentication mechanism comprises one or more of the following:
    - a biometric, a password, challenge response, and a smart card.
  - 12. The apparatus of claim 11, wherein any of the plurality of authentication mechanisms may be used to release the private key.
  - 13. The apparatus of claim 11, wherein at least two of the available authentication mechanisms are used to release the private key.
  - 14. The apparatus of claim 11, wherein there is another layer of security between the access control mechanism and the protection of the secure resource.
  - 15. The apparatus of claim 10, further comprising:
    - the key construction/release logic requiring release of a second user private key, associated with a second user public key, such that a combination of the user private key and the second user private key are utilized to decrypt the access control mechanism.
  - 16. The apparatus of claim 10, further comprising:
    - the crypto-logic encrypting the access control mechanism with a plurality of user public keys in parallel, enabling access to the secure resource to a plurality of users, each user utilizing a secured private key to access the resource.
  - 17. The apparatus of claim 16, further comprising:
    - the first processor implementing a recovery user logic to generate a recovery user, the recovery user having a recovery public key and a private key, the recovery private key secured by a passcode known to the administrator;
      
      the administrator comprising one of a human or an automated process; and
      
      the crypto-logic to include the recovery public key, such that the administrator can use the recovery private key to access the secured resource.
  - 18. The apparatus of claim 17, wherein the passcode is a one-time passcode.

19. A method comprising:
- identifying a plurality of users, wherein the plurality of users need not be present, to be provisioned for access to a secured resource;
  
  for each user in the plurality of users, determining whether there is a public key in a provisioning system, when the user does not have the public key in the provisioning system, determining whether the user has the public key in an external directory system, and when the user does not have the public key in the external directory system, identifying the user as a keyless user;
  
  obtaining at least one public key/private key pair for one or more users of the plurality of users to be provisioned for access to the secured resource, from the provisioning system and the external directory system;
  
  modifying the first plurality of users to include only users that have a public/private key pair to yield a plurality of users that can be provisioned;
  
  notifying the keyless user that provisioning is unavailable, and instructing the keyless user to generate a key pair, and to provide their newly generated key pair to an administrator, wherein the private key of the key pair is provided as a protected key; and
  
  encrypting an access mechanism to the secured resource using parallel encryption including the at least one public key for the plurality of users that can be provisioned.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising:
    - including in the encryption chain a recovery user public key, the recovery user public key having an associated recovery user private key secured with a one-time passcode, the one-time passcode providing an administrator a one-time use decryption access to the resource; and
      
      enabling the administrator to generate a new recovery user after using the one-time use decryption access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digitalpersona Corporation (Assa Abloy AB)
Original Assignee
Digitalpersona Corporation (Assa Abloy AB)
Inventors
Lozin, Kirill, Menchenin, Sergei
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US12/579,288
Time in Patent Office

3,338 Days
Field of Search

713182-184, 713193
US Class Current
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/3226   using a predetermined code,...

Private key/public key resource protection scheme

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Private key/public key resource protection scheme

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links