SESSION NEGOTIATIONS
Abstract
A plurality of devices are each operable to provide information that is usable to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.
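The flow in the abstract and claim 1, as an added Go sketch (not code from the patent): one module wraps a session key plus the operator identity under the shared domain key, and any other module holding that key can later authorize a signed request without per-session state. Assumptions: AES-256-GCM for wrapping, HMAC-SHA256 as the "digital signature", a SHA-256 digest as a stand-in for the requested cryptographic operation, and all type and function names are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
type Key [32]byte // fixed size, so aes.NewCipher below cannot fail
func aead(k Key) cipher.AEAD { // AES-256-GCM is an assumed choice; the page names no cipher
	blk, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(blk)
	return g
}
func seal(k Key, pt []byte) []byte { // returns nonce || ciphertext || tag
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(k).Seal(nonce, nonce, pt, nil)
}
func open(k Key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("short blob")
	}
	return aead(k).Open(nil, blob[:12], blob[12:], nil)
}
func Sign(sk Key, req []byte) []byte { m := hmac.New(sha256.New, sk[:]); m.Write(req); return m.Sum(nil) } // operator side
func IssueSession(dk Key, operator string) (sk Key, token []byte) { // first module
	rand.Read(sk[:])
	return sk, seal(dk, append(sk[:], operator...)) // session key and identity, wrapped together
}
func Handle(dk Key, caller string, token, req, sig []byte) ([]byte, error) { // second module
	pt, err := open(dk, token)
	if err != nil || len(pt) < 32 {
		return nil, fmt.Errorf("bad session token")
	}
	var sk Key
	copy(sk[:], pt) // first 32 bytes are the session key, the rest the operator identity
	if !hmac.Equal(pt[32:], []byte(caller)) || !hmac.Equal(sig, Sign(sk, req)) {
		return nil, fmt.Errorf("unauthorized")
	}
	digest := sha256.Sum256(req) // stand-in for the requested cryptographic operation
	return seal(sk, digest[:]), nil // result encrypted under the session key
}
func main() {
	dk, req := Key{1, 2, 3}, []byte("sign build 42") // constructed demo key and request
	sk, tok := IssueSession(dk, "operator-1")
	_, err := Handle(dk, "operator-1", tok, req, Sign(sk, req))
	fmt.Println("request accepted:", err == nil)
}
```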
18 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
at a first security module of a plurality of security modules;
receiving, from an operator device, a first request for a session key;
in response to the first request, using a domain key to encrypt one or more session keys and information usable to identify the operator device, the domain key accessible to each of the plurality of security modules;
providing the one or more session keys and encrypted one or more session keys to the operator device; and
at a second security module of the plurality of security modules;
receiving, from the operator device, a second request to perform a cryptographic operation, the second request including an encrypted session key from the encrypted one or more session keys and a digital signature generated based at least in part on the session key;
using the domain key to decrypt the encrypted session key and the information usable to identify the operator device;
verifying that the operator device matches the information usable to identify the operator device;
using the session key to verify the digital signature; and
as a result of verifying the digital signature and verifying that the operator device matches the information usable to identify the operator device, performing the requested cryptographic operation;
using the session key to encrypt a result of performing the requested cryptographic operation; and
providing the encrypted result to the operator device.
Dependent claims: 2, 3, 4, 5, 6
7. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
at a first device, receiving a request to perform a cryptographic operation, the request including;
a first key encrypted based at least in part on a second key that is shared among a plurality of devices that includes the first device; and
information generated based at least in part on the first key in plaintext form; and
authentication information generated based at least in part on the first key at the first device, in response to the request to perform the cryptographic operation;
using the second key to decrypt the encrypted first key;
using the first key to verify the authentication information;
determining, based at least in part on the first key, the information, and the authentication information, whether to perform the cryptographic operation; and
performing the cryptographic operation when said determining results in a determination to perform the cryptographic operation.
Dependent claims: 8, 9, 10, 11, 12
13. A system, comprising:
a plurality of devices, each device of the plurality of devices configured with;
one or more processors; and
memory including instructions that, when executed by the one or more processors, provide the device an ability to;
generate, based at least in part on a first key accessible to each of the plurality of devices, information that is usable, by another device of the plurality of devices lacking access to the first key, for causing any device of the plurality of devices to provide a result of performance of one or more requested cryptographic operations; and
provide the generated information to the other device.
Dependent claims: 14, 15, 16, 17, 18
Specification