Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks

US 9,166,782 B2
Filed: 04/25/2007
Issued: 10/20/2015
Est. Priority Date: 04/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method of encrypting a communication between a first source computer and a second destination computer, wherein said source and destination computers are each provided respectively with first and second private distributed keys, each associated with a first and second unique private key identifier, wherein a key storage server is provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers, said method comprising:

i) providing said key storage server, said key storage server being provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers;

ii) said source computer sending a first request to said key storage server for a session key;

iii) said key storage server identifying said source computer and locating its associated first private distributed key;

iv) said key storage server generating a unique session key for the session in question, identified by a unique session identifier;

v) said key storage server encrypting the session key with said source computer'"'"'s first private distributed key and sending the encrypted session key, with a session identifier, to said source computer;

vi) said source computer using said source computer'"'"'s first private distributed key to decrypt the session key and using the session key to encrypt said communication, which is sent to the destination computer along with said session identifier;

vii) said destination computer receiving the encrypted communication and session identifier and sending a second request to said key storage server for the session key associated with said session identifier;

viii) said key storage server determining from the session identifier whether it has the corresponding session key, and whether it has said destination computer'"'"'s private distributed key;

ix) if said key storage server determines from the session identifier that it has the corresponding session key, and has said destination computer'"'"'s private distributed key, said key storage server encrypting the session key with said destination computer'"'"'s private distributed key and communicating it to said destination computer; and

x) said destination computer then decrypting the session key using its second private distributed key and decrypting said communication using the decrypted session key;

wherein to distribute private keys the server performs an encryption application comprising receiving a device-specific identifier from a new device, generating a unique application key and unique starting offset from the device-specific identifier, encrypting a private key with said unique key and sending said encrypted private key to the new device; and

wherein key segments that have yet to be created are compared by comparing key segments ahead of the last offset to authenticate a user.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed key encryption system and method is provided in which a key storage server provides a session key to the source and destination computers by encrypting the session key with unique distributed private keys that are associated with the respective source and destination computers by unique private key identifiers The destination computer then decrypts the encrypted session key using it'"'"'s distributed private key and then decrypts the communication using the decrypted session key.

21 Citations

View as Search Results

13 Claims

1. A method of encrypting a communication between a first source computer and a second destination computer, wherein said source and destination computers are each provided respectively with first and second private distributed keys, each associated with a first and second unique private key identifier, wherein a key storage server is provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers, said method comprising:
- i) providing said key storage server, said key storage server being provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers;
  
  ii) said source computer sending a first request to said key storage server for a session key;
  
  iii) said key storage server identifying said source computer and locating its associated first private distributed key;
  
  iv) said key storage server generating a unique session key for the session in question, identified by a unique session identifier;
  
  v) said key storage server encrypting the session key with said source computer'"'"'s first private distributed key and sending the encrypted session key, with a session identifier, to said source computer;
  
  vi) said source computer using said source computer'"'"'s first private distributed key to decrypt the session key and using the session key to encrypt said communication, which is sent to the destination computer along with said session identifier;
  
  vii) said destination computer receiving the encrypted communication and session identifier and sending a second request to said key storage server for the session key associated with said session identifier;
  
  viii) said key storage server determining from the session identifier whether it has the corresponding session key, and whether it has said destination computer'"'"'s private distributed key;
  
  ix) if said key storage server determines from the session identifier that it has the corresponding session key, and has said destination computer'"'"'s private distributed key, said key storage server encrypting the session key with said destination computer'"'"'s private distributed key and communicating it to said destination computer; and
  
  x) said destination computer then decrypting the session key using its second private distributed key and decrypting said communication using the decrypted session key;
  
  wherein to distribute private keys the server performs an encryption application comprising receiving a device-specific identifier from a new device, generating a unique application key and unique starting offset from the device-specific identifier, encrypting a private key with said unique key and sending said encrypted private key to the new device; and
  
  wherein key segments that have yet to be created are compared by comparing key segments ahead of the last offset to authenticate a user.

2. A method of encrypting a communication between a first source computer and a second destination computer, wherein said source and destination computers are each provided respectively with first and second private distributed keys, each associated with a first and second unique private key identifier, wherein a key storage server is provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers, said method comprising:
- i) providing said key storage server, said key storage server being provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers;
  
  ii) said source computer sending a first request to said key storage server for a session key;
  
  iii) said key storage server identifying said source computer and locating its associated first private distributed key;
  
  iv) said key storage server generating a unique session key for the session in question, identified by a unique session identifier;
  
  v) said key storage server encrypting the session key with said source computer'"'"'s first private distributed key and sending the encrypted session key, with a session identifier, to said source computer;
  
  vi) said source computer using said source computer'"'"'s first private distributed key to decrypt the session key and using the session key to encrypt said communication, which is sent to the destination computer along with said session identifier;
  
  vii) said destination computer receiving the encrypted communication and session identifier and sending a second request to said key storage server for the session key associated with said session identifier;
  
  viii) said key storage server determining from the session identifier whether it has the corresponding session key, and whether it has said destination computer'"'"'s private distributed key;
  
  ix) if said key storage server determines from the session identifier that it has the corresponding session key, and has said destination computer'"'"'s private distributed key, said key storage server encrypting the session key with said destination computer'"'"'s private distributed key and communicating it to said destination computer; and
  
  x) said destination computer then decrypting the session key using its second private distributed key and decrypting said communication using the decrypted session key;
  
  wherein to distribute private keys the server performs an encryption application comprising receiving a device-specific identifier from a new device, generating a unique application key and unique starting offset from the device-specific identifier, encrypting a private key with said unique key and sending said encrypted private key to the new device; and
  
  wherein hacking is detected when, if a copy of a key is made, the offsets do not match between the legitimate key and the stolen key.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 3. The method of claim 2 wherein said session key is encapsulated with an authentication key.
  - 4. The method of claim 3 wherein said authentication key is Whitenoise.
  - 5. The method of claim 2 wherein a hardware-specific identifier is used as a seed and offset to generate a device-specific key.
  - 6. The method of claim 2 wherein said private distributed keys are Whitenoise-produced keys.
  - 7. The method of claim 6 wherein the Whitenoise distributed private key is used as an AES session key generator.
  - 8. The method of claim 2 wherein, when the encryption application is initiated by the new device the application key uses the device-specific identifier to decrypt the private key.
  - 9. The method of claim 2, wherein data is encrypted in the key of the destination computer in a streaming fashion.
  - 10. The method of claim 2 wherein the session key is encrypted with a pre-distributed AES private key, and said AES-encrypted session key is then double encrypted with a pre-distributed AES or WN authentication key to double encrypt the session key.
  - 11. The method of claim 2 wherein a user account is revoked when hacking is detected.
  - 12. The method of claim 2 wherein said distributed key is used as a random number generator to generate further distributed keys or session keys.
  - 13. The method of claim 2 wherein a distributed key is used to perturb a pre-distributed key schedule at an endpoint in order to create unique new keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Andre Jacques Brisson, Stephen Laurence Boren
Original Assignee
Andre Jacques Brisson, Stephen Laurence Boren
Inventors
Boren, Stephen Laurence, Brisson, Andre Jacques
Primary Examiner(s)
McNally, Michael S
Assistant Examiner(s)
Johnson, Carlton

Application Number

US12/297,884
Publication Number

US 20090106551A1
Time in Patent Office

3,100 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links