Method for key rotation

US 9,774,579 B2
Filed: 06/27/2016
Issued: 09/26/2017
Est. Priority Date: 07/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method for key rotation comprising:

initiating key rotation for a user account of a multi-factor authentication platform;

wherein the authenticating device participates in authentication by generating an authenticating message and signing the authenticating message using a first pre-existing private cryptographic key of a first pre-existing asymmetric key set;

wherein the first pre-existing asymmetric cryptographic key set includes the first pre-existing private cryptographic key and a first pre-existing public cryptographic key;

after initiating the key rotation, generating, at the authenticating device, a second symmetric cryptographic key, wherein the second symmetric cryptographic key is different from the first pre-existing symmetric cryptographic key;

signing, at the authenticating device, the second symmetric cryptographic key with the first pre-existing private cryptographic key;

transmitting, at the authenticating device, the signed second symmetric cryptographic key to the multi-factor authentication platform;

verifying, at the multi-factor authentication platform, the signed second symmetric cryptographic key using the first pre-existing public cryptographic key;

configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first pre-existing symmetric cryptographic key; and

configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for key rotation includes initiating key rotation for a user account of a multi-factor authentication platform enabling one-time password authentication using a first symmetric cryptographic key; generating, at an authenticating device, a second symmetric cryptographic key; transmitting, at the authenticating device, the second symmetric cryptographic key to the multi-factor authentication platform; configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first symmetric cryptographic key; and configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.

186 Citations

19 Claims

1. A method for key rotation comprising:
- initiating key rotation for a user account of a multi-factor authentication platform;
  
  wherein the authenticating device participates in authentication by generating an authenticating message and signing the authenticating message using a first pre-existing private cryptographic key of a first pre-existing asymmetric key set;
  
  wherein the first pre-existing asymmetric cryptographic key set includes the first pre-existing private cryptographic key and a first pre-existing public cryptographic key;
  
  after initiating the key rotation, generating, at the authenticating device, a second symmetric cryptographic key, wherein the second symmetric cryptographic key is different from the first pre-existing symmetric cryptographic key;
  
  signing, at the authenticating device, the second symmetric cryptographic key with the first pre-existing private cryptographic key;
  
  transmitting, at the authenticating device, the signed second symmetric cryptographic key to the multi-factor authentication platform;
  
  verifying, at the multi-factor authentication platform, the signed second symmetric cryptographic key using the first pre-existing public cryptographic key;
  
  configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first pre-existing symmetric cryptographic key; and
  
  configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein initiating key rotation comprises initiating key rotation in response to detection of a compromise of the multi-factor authentication platform.
  - 3. The method of claim 1, wherein initiating key rotation comprises initiating key rotation in response to detection of a compromise of the authenticating device.
  - 4. The method of claim 1, wherein initiating key rotation comprises receiving a key rotation request from a human initiator and evaluating the key rotation request according to a privilege of the human initiator.
  - 5. The method of claim 1, wherein initiating key rotation comprises receiving a key rotation request from an automated security monitoring module in response to detection of suspicious activity associated with symmetric keys accessible to the multi-factor authentication platform.
  - 6. The method of claim 1, wherein initiating key rotation comprises initiating key rotation without receiving an external key rotation request;
    - wherein initiating key rotation further comprises initiating key rotation in response to expiration of a time threshold.
  - 7. The method of claim 1, further comprising:
    - generating, at the authenticating device, a second asymmetric key set;
      
      wherein the second asymmetric key set includes a second private cryptographic key and a second public cryptographic key;
      
      transmitting, at the authenticating device, the second public cryptographic key to the multi-factor authentication platform;
      
      configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first asymmetric key set; and
      
      configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second asymmetric key set.
  - 8. The method of claim 7, further comprising:
    - signing, at the authenticating device, the second public cryptographic key with the first private cryptographic key;
      
      wherein transmitting the second public cryptographic key comprises transmitting the signed second public cryptographic key; and
      
      verifying, at the multi-factor authentication platform, the signed second public cryptographic key using the first public cryptographic key.

9. A method for key rotation comprising:
- initiating key rotation for a user account of a multi-factor authentication platform;
  
  wherein the authenticating device participates in authentication by generating an authenticating message and signing the authenticating message using a first pre-existing private cryptographic key of a first pre-existing asymmetric key set;
  
  wherein the first pre-existing asymmetric cryptographic key set includes the first pre-existing private cryptographic key and a first pre-existing public cryptographic key;
  
  after initiating the key rotation, generating, at the multi-factor authentication platform, a second symmetric cryptographic key;
  
  signing, at the multi-factor authentication platform, the second symmetric cryptographic key with the first pre-existing public cryptographic key;
  
  transmitting, at the multi-factor authentication platform, the signed second symmetric cryptographic key to the authenticating device;
  
  verifying, at the authenticating device, the signed second symmetric cryptographic key using the first pre-existing private cryptographic key;
  
  configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first pre-existing symmetric cryptographic key; and
  
  configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein initiating key rotation comprises initiating key rotation in response to detection of a compromise of the multi-factor authentication platform.
  - 11. The method of claim 9, wherein initiating key rotation comprises initiating key rotation in response to detection of a compromise of the authenticating device.
  - 12. The method of claim 9, wherein initiating key rotation comprises receiving a key rotation request from a human initiator and evaluating the key rotation request according to a privilege of the human initiator.
  - 13. The method of claim 9, wherein initiating key rotation comprises receiving a key rotation request from an automated security monitoring module in response to detection of suspicious activity associated with symmetric keys accessible to the multi-factor authentication platform.
  - 14. The method of claim 9, wherein initiating key rotation comprises initiating key rotation without receiving an external key rotation request;
    - wherein initiating key rotation further comprises initiating key rotation in response to expiration of a time threshold.
  - 15. The method of claim 9, further comprising encrypting, at the multi-factor authentication platform, the second symmetric cryptographic key with the first public cryptographic key;
    - wherein verifying, at the authenticating device, the signed second symmetric cryptographic key using the first private cryptographic key further comprises decrypting, at the authenticating device, the second symmetric cryptographic key using the first private cryptographic key.
  - 16. The method of claim 9, further comprising:
    - generating, at the multi-factor authentication platform, a second asymmetric key set;
      
      wherein the second asymmetric key set includes a second private cryptographic key and a second public cryptographic key;
      
      transmitting, at the multi-factor authentication platform, the second private cryptographic key to the authenticating device;
      
      configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first asymmetric key set; and
      
      configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second asymmetric key set.
  - 17. The method of claim 16, further comprising:
    - signing, at the multi-factor authentication platform, the second private cryptographic key with the first public cryptographic key;
      
      wherein transmitting the second private cryptographic key comprises transmitting the signed second private cryptographic key; and
      
      verifying, at the authenticating device, the signed second private cryptographic key using the first private cryptographic key.
  - 18. The method of claim 17, further comprising encrypting, at the multi-factor authentication platform, the second private cryptographic key with the first public cryptographic key;
    - wherein verifying, at the authenticating device, the signed second private cryptographic key using the first private cryptographic key further comprises decrypting, at the authenticating device, the second private cryptographic key using the first private cryptographic key.

19. A method for key rotation comprising:
- initiating key rotation for a user account of a multi-factor authentication platform, wherein initiating key rotation comprises initiating key rotation in response to detection of a compromise of the multi-factor authentication platform;
  
  wherein the authenticating device participates in authentication by generating an authenticating message and signing the authenticating message using a first private cryptographic key of a first asymmetric key set;
  
  wherein the first asymmetric key set includes the first private cryptographic key and a first public cryptographic key;
  
  generating, at the authenticating device, a second symmetric cryptographic key;
  
  signing, at the authenticating device, the second symmetric cryptographic key with the first private cryptographic key;
  
  transmitting, at the authenticating device, the signed second symmetric cryptographic key to the multi-factor authentication platform;
  
  verifying, at the multi-factor authentication platform, the signed second symmetric cryptographic key using the first public cryptographic key;
  
  configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first symmetric cryptographic key; and
  
  configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Goodman, Adam
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US15/193,533
Publication Number

US 20170034141A1
Time in Patent Office

456 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/068   using time-dependent keys, ...

H04L 63/083   using passwords cryptograph...

H04L 9/0863   involving passwords or one-...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3228   One-time or temporary data,...

Method for key rotation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method for key rotation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links