Automatic Key Management Using Enterprise User Identity Management

US 20160241558A1
Filed: 02/13/2015
Published: 08/18/2016
Est. Priority Date: 02/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented by at least one data processor, comprising:

forming a key pair for a user, the key pair comprising a public key and a private key that is unique to the user and that is encrypted using a passphrase comprised of an enterprise password of the user and an identification that uniquely identifies in the enterprise a user device by which the user accesses the enterprise, where the encrypted private key is comprised of the passphrase;

storing the encrypted private key in the user device and storing the public key in at least one enterprise server that is accessed by the user via the user device and a server access function;

subsequently, when the user accesses the enterprise server, providing the encrypted private key, that was stored in the user device, from the user device to the server access function in conjunction with the password and the identification that uniquely identifies in the enterprise the user device by which the user accesses the enterprise;

decrypting at the server access function the encrypted private key using the provided password and the identification that uniquely identifies in the enterprise the user device to obtain from the decrypted private key the password and the identification that uniquely identifies in the enterprise the user device;

comparing the provided password and the identification that uniquely identifies in the enterprise the user device with the password and the identification that uniquely identifies in the enterprise the user device that are obtained from the decrypted private key; and

granting the user access to the enterprise server via the user device and the server access function only if the provided password and the identification that uniquely identifies in the enterprise the user device matches with the password and the identification that uniquely identifies in the enterprise the user device that are obtained from the decrypted private key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method forms a key pair for a user. The key pair has a public key and a private key that is unique to the user and that is encrypted using a passphrase formed from an enterprise password of the user and an identification that uniquely identifies in the enterprise a device by which the user gains access. The method stores the private key in the user device and stores the public key in an enterprise server that is accessed by the user. The method provides the private key from the user device to a client, such as a SSH client, in conjunction with the password and the identification, decrypts the private key to obtain the decrypted password and the identification, and allows the user to access the enterprise server only if the decrypted password and the identification match the password and the identification provided with the private key.

29 Citations

View as Search Results

23 Claims

1. A method implemented by at least one data processor, comprising:
- forming a key pair for a user, the key pair comprising a public key and a private key that is unique to the user and that is encrypted using a passphrase comprised of an enterprise password of the user and an identification that uniquely identifies in the enterprise a user device by which the user accesses the enterprise, where the encrypted private key is comprised of the passphrase;
  
  storing the encrypted private key in the user device and storing the public key in at least one enterprise server that is accessed by the user via the user device and a server access function;
  
  subsequently, when the user accesses the enterprise server, providing the encrypted private key, that was stored in the user device, from the user device to the server access function in conjunction with the password and the identification that uniquely identifies in the enterprise the user device by which the user accesses the enterprise;
  
  decrypting at the server access function the encrypted private key using the provided password and the identification that uniquely identifies in the enterprise the user device to obtain from the decrypted private key the password and the identification that uniquely identifies in the enterprise the user device;
  
  comparing the provided password and the identification that uniquely identifies in the enterprise the user device with the password and the identification that uniquely identifies in the enterprise the user device that are obtained from the decrypted private key; and
  
  granting the user access to the enterprise server via the user device and the server access function only if the provided password and the identification that uniquely identifies in the enterprise the user device matches with the password and the identification that uniquely identifies in the enterprise the user device that are obtained from the decrypted private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 21, 22, 23)
- - 2. The method as in claim 1, wherein the identification that uniquely identifies in the enterprise the user device by which the user accesses the enterprise comprises a medium access control (MAC) address of the user device.
  - 3. The method as in claim 1, wherein the server access function is comprised of a secure shell (SSH) client.
  - 4. The method as in claim 1, wherein the server access function is comprised of a jump server.
  - 5. The method as in claim 1, further comprising, in response to a change in at least one of the enterprise password of the user and the identification that uniquely identifies the user device, forming a new key pair for the user using the changed at least one of the enterprise password and the identification, and storing a resulting new private key in the user device and storing the resulting new public key in the enterprise server.
  - 6. The method as in claim 1, further comprising, in response to a change in a status of the user in the enterprise, identifying from a list of servers those enterprise servers that the user could access, and removing the public key of the user from all enterprise servers in the list.
  - 7. The method of claim 1, further comprising storing in a memory user information comprising at least the encrypted private key, the public key, the identification of the user device, and a list of enterprise servers that are accessible by the user, the user information being associated with an enterprise user identification.
  - 21. The method of claim 1, where the user device accesses the at least one enterprise server via a SSH protocol connection.
  - 22. The method of claim 1, where the user device accesses the at least one enterprise server via an HTTPS protocol connection.
  - 23. The method of claim 1, where there are a plurality of enterprise servers that are accessible by the user via the user device and the server access function, and where the step of storing stores the public key in each individual one of the plurality of enterprise servers that are accessible by the user via the user device and the server access function.

8-20. -20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Adam, Constantin M., Hernandez, Milton H., Sreedhar, Vugranam C., Vivekanandan, Prema

Granted Patent

US 10,348,727 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 63/168   above the transport layer

H04L 67/08   specially adapted for termi...

Automatic Key Management Using Enterprise User Identity Management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic Key Management Using Enterprise User Identity Management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links