Automatic key management using enterprise user identity management

US 10,454,676 B2
Filed: 06/22/2015
Issued: 10/22/2019
Est. Priority Date: 02/13/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprised of at least one data processor connected with at least one memory that stores software instructions, where execution of the software instructions by the at least one data processor causes the system to:

form a key pair for a user, the key pair comprising a public key and a private key,wherein the private key is unique to the user,wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification; and

wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise;

store the private key in the user device;

store the public key in at least one enterprise server for use by the enterprise server;

receiving from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;

verify, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;

determine by the server access function an identification of the device used by the user to enter the user identification and password;

decrypt by the server access function the encrypted private key received from the device using the identification of the device and the entered password;

compare by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and

grant by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method forms a key pair for a user. The key pair has a public key and a private key that is unique to the user and that is encrypted using a passphrase formed from an enterprise password of the user and an identification that uniquely identifies in the enterprise a device by which the user gains access. The method stores the private key in the user device and stores the public key in an enterprise server that is accessed by the user. The method provides the private key from the user device to a client, such as a SSH client, in conjunction with the password and the identification, decrypts the private key to obtain the decrypted password and the identification, and allows the user to access the enterprise server only if the decrypted password and the identification match the password and the identification provided with the private key.

45 Citations

17 Claims

1. A system, comprised of at least one data processor connected with at least one memory that stores software instructions, where execution of the software instructions by the at least one data processor causes the system to:
- form a key pair for a user, the key pair comprising a public key and a private key,wherein the private key is unique to the user,wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification; and
  
  wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise;
  
  store the private key in the user device;
  
  store the public key in at least one enterprise server for use by the enterprise server;
  
  receiving from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;
  
  verify, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;
  
  determine by the server access function an identification of the device used by the user to enter the user identification and password;
  
  decrypt by the server access function the encrypted private key received from the device using the identification of the device and the entered password;
  
  compare by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and
  
  grant by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as in claim 1, wherein the identification comprises a medium access control (MAC) address of the device.
  - 3. The system as in claim 1, wherein the user accesses the enterprise server via a secure shell (SSH) client that comprises server access function.
  - 4. The system as in claim 3, where execution of the software instructions by the at least one data processor further causes the system to respond to a change in at least one of the enterprise password of the user and the identification that uniquely identifies the user device by forming a new key pair for the user using the changed at least one of the enterprise password and the identification, and storing a resulting new private key in the user device and storing the resulting new public key in the enterprise server.
  - 5. The system as in claim 3, where execution of the software instructions by the at least one data processor further causes the system to respond to a change in a status of the user in the enterprise by identifying from a list of servers those enterprise servers that the user could access, and removing the public key of the user from all enterprise servers in the list.
  - 6. The system as in claim 3, where execution of the software instructions by the at least one data processor further causes the system to store user information comprising at least the encrypted private key, the public key, the identification of the user device, and a list of enterprise servers that are accessible by the user, the user information being associated with an enterprise user identification.

7. A computer program product embodied on a non-transitory computer-readable medium in which a computer program is stored that, when being executed by a computer, is configured to provide instructions to control or carry out:
- forming a key pair for a user, the key pair comprising a public key and a private key,wherein the private key is unique to the user,wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification; and
  
  wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise; and
  
  storing the private key in the user device;
  
  storing the public key in at least one enterprise server for use by the enterprise server;
  
  receiving from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;
  
  verifying, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;
  
  determining by the server access function an identification of the device used by the user to enter the user identification and password;
  
  decrypting by the server access function the encrypted private key received from the device using the identification of the device and the entered password;
  
  comparing by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and
  
  granting by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer program product as in claim 7, wherein the identification comprises a medium access control (MAC) address of the device.
  - 9. The computer program product as in claim 7, wherein the user accesses the enterprise server via a secure shell (SSH) client that comprises server access function.
  - 10. The computer program product of claim 7, where execution of the software instructions further results in performing operations comprising:
    - in response to a change in at least one of the enterprise password of the user and the identification that uniquely identifies the user device, forming a new key pair for the user using the changed at least one of the enterprise password and the identification, and storing a resulting new private key in the user device and storing the resulting new public key in the enterprise server; and
      
      in response to a change in a status of the user in the enterprise, identifying from a list of servers those enterprise servers that the user could access, and removing the public key of the user from all enterprise servers in the list.
  - 11. The computer program product of claim 7, where execution of the software instructions further results in performing an operation that comprises storing in a memory user information comprising at least the encrypted private key, the public key, the identification of the device, and a list of enterprise servers that are accessible by the user, the user information being associated with an enterprise user identification.

12. A method, comprising:
- forming a key pair for a user, the key pair comprising a public key and a private key,wherein the private key is unique to the user,wherein the private key is encrypted to create an encrypted private key using a passphrase comprised of an enterprise password of the user verified by an enterprise directory and comprised of an identification; and
  
  wherein the identification uniquely identifies in the enterprise a user device by which the user accesses the enterprise;
  
  storing the private key in the user device;
  
  storing the public key in at least one enterprise server for use by the enterprise server;
  
  receiving from a device used by the user an encrypted private key in conjunction with an entered password and an entered user identification;
  
  verifying, by a server access function and by using the enterprise directory, that the entered user identification matches an authorized user identification and the entered password matches the enterprise password;
  
  determining by the server access function an identification of the device used by the user to enter the user identification and password;
  
  decrypting by the server access function the encrypted private key received from the device using the identification of the device and the entered password;
  
  comparing by the server access function the identification of the device, which is obtained in conjunction with the decrypting of the private key received from the device, with the identification that uniquely identifies the user device in the enterprise; and
  
  granting by the server access function the user access to the at least one enterprise server via the device, in response to the identification of the device matching the identification that uniquely identifies in the enterprise the user device, the user identification being verified by using the enterprise directory, and the entered password being verified by using the enterprise directory to match the enterprise password.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method as in claim 12, wherein the identification comprises a medium access control (MAC) address of the device.
  - 14. The method as in claim 12, wherein the user accesses the enterprise server via a secure shell (SSH) client that comprises server access function.
  - 15. The method as in claim 14, further comprising responding to a change in at least one of the enterprise password of the user and the identification that uniquely identifies the user device by forming a new key pair for the user using the changed at least one of the enterprise password and the identification, and storing a resulting new private key in the user device and storing the resulting new public key in the enterprise server.
  - 16. The method as in claim 14, further comprising responding to a change in a status of the user in the enterprise by identifying from a list of servers those enterprise servers that the user could access, and removing the public key of the user from all enterprise servers in the list.
  - 17. The method as in claim 14, further comprising storing user information comprising at least the encrypted private key, the public key, the identification of the user device, and a list of enterprise servers that are accessible by the user, the user information being associated with an enterprise user identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Adam, Constantin M., Hernandez, Milton H., Sreedhar, Vugranam C., Vivekanandan, Prema
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/746,051
Publication Number

US 20160241397A1
Time in Patent Office

1,583 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0863   involving passwords or one-...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

Automatic key management using enterprise user identity management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic key management using enterprise user identity management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links