Automatic key management using enterprise user identity management
First Claim
1. A system, comprised of at least one data processor connected with at least one memory that stores software instructions, where execution of the software instructions by the at least one data processor causes the system to:
- form a key pair for a user, the key pair comprising a public key and a private key, wherein the private key is unique to the user, wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification, and wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise;
- store the private key in the user device;
- store the public key in at least one enterprise server for use by the enterprise server;
- receive from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;
- verify, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;
- determine by the server access function an identification of the device used by the user to enter the user identification and password;
- decrypt by the server access function the encrypted private key received from the device using the identification of the device and the entered password;
- compare by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and
- grant by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.
Abstract
A method forms a key pair for a user. The key pair has a public key and a private key that is unique to the user and that is encrypted using a passphrase formed from an enterprise password of the user and an identification that uniquely identifies in the enterprise a device by which the user gains access. The method stores the private key in the user device and stores the public key in an enterprise server that is accessed by the user. The method provides the private key from the user device to a client, such as an SSH client, in conjunction with the password and the identification, decrypts the private key to obtain the decrypted password and the identification, and allows the user to access the enterprise server only if the decrypted password and the identification match the password and the identification provided with the private key.
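The mechanism in the abstract and claim 1, modelled as an added Python example (not code from the patent or from any assignee's product): the passphrase is the enterprise password joined with the device identification, the private key is sealed under that passphrase on the user device with the device identification carried inside the payload, and the server access function checks the directory credentials, decrypts with the device identification it determined, and compares the recovered identification with the enrolled one before granting access. The directory contents, the device identifier, the key bytes and the HMAC counter-mode cipher (a standard-library stand-in for a real AEAD such as AES-GCM) are all assumptions of this example.

```python
import hashlib
import hmac
import os

def derive_key(password: str, device_id: str, salt: bytes) -> bytes:
    # Passphrase = enterprise password + device identification, as in the claims.
    passphrase = (password + "|" + device_id).encode()
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=64)

def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for an AEAD such as AES-GCM.
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal_private_key(password: str, device_id: str, private_key: bytes) -> bytes:
    # Enrolment on the user device: the device ID is carried inside the payload so the
    # server recovers it "in conjunction with the decrypting" and can compare it.
    salt = os.urandom(16)
    k = derive_key(password, device_id, salt)
    payload = device_id.encode() + b"\0" + private_key
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(k[:32], len(payload))))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + ct + tag

def open_private_key(password: str, device_id: str, blob: bytes):
    # Returns (recovered_device_id, private_key), or None when the password or the
    # device ID is wrong: the MAC check turns a wrong passphrase into an explicit failure.
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k = derive_key(password, device_id, salt)
    if not hmac.compare_digest(hmac.new(k[32:], salt + ct, hashlib.sha256).digest(), tag):
        return None
    payload = bytes(a ^ b for a, b in zip(ct, _keystream(k[:32], len(ct))))
    recovered_id, _, private_key = payload.partition(b"\0")
    return recovered_id.decode(), private_key

# Constructed stand-ins for the enterprise directory and device enrolment (hypothetical data).
DIRECTORY = {"alice": "correct horse battery staple"}
ENROLLED_DEVICE = {"alice": "laptop-0042"}

def server_access_function(user: str, entered_password: str, observed_device_id: str, blob: bytes) -> bool:
    # Claim 1 order: directory check, determine device ID, decrypt, compare, then grant.
    expected = DIRECTORY.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), entered_password.encode()):
        return False
    result = open_private_key(entered_password, observed_device_id, blob)
    if result is None:
        return False
    recovered_id, _private_key = result
    return hmac.compare_digest(recovered_id.encode(), ENROLLED_DEVICE.get(user, "").encode())
```

A copy of the sealed blob taken to another device fails at the decryption step, because the observed device identification is part of the key-derivation input rather than a value the client asserts.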
17 Claims
1. (Independent system claim; full text given above under First Claim.) Dependent claims: 2, 3, 4, 5, 6.
7. A computer program product embodied on a non-transitory computer-readable medium in which a computer program is stored that, when being executed by a computer, is configured to provide instructions to control or carry out:
- forming a key pair for a user, the key pair comprising a public key and a private key, wherein the private key is unique to the user, wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification, and wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise;
- storing the private key in the user device;
- storing the public key in at least one enterprise server for use by the enterprise server;
- receiving from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;
- verifying, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;
- determining by the server access function an identification of the device used by the user to enter the user identification and password;
- decrypting by the server access function the encrypted private key received from the device using the identification of the device and the entered password;
- comparing by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and
- granting by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.
Dependent claims: 8, 9, 10, 11.
12. A method, comprising:
- forming a key pair for a user, the key pair comprising a public key and a private key, wherein the private key is unique to the user, wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification, and wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise;
- storing the private key in the user device;
- storing the public key in at least one enterprise server for use by the enterprise server;
- receiving from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;
- verifying, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;
- determining by the server access function an identification of the device used by the user to enter the user identification and password;
- decrypting by the server access function the encrypted private key received from the device using the identification of the device and the entered password;
- comparing by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and
- granting by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.
Dependent claims: 13, 14, 15, 16, 17.