Accessing hosts in a computer network
US-2018152299-A1 · May 31, 2018 · US
Generating ephemeral key pools for sending and receiving secure communications
US11316666B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11316666-B2 |
| Application number | US-201715647576-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 12, 2017 |
| Priority date | Jul 12, 2017 |
| Publication date | Apr 26, 2022 |
| Grant date | Apr 26, 2022 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.
First claim
Opening claim text (preview).
What is claimed is: 1. A method comprising: determining, by a first device and from a computing resource, that one or more encryption keys to establish secure communication with a second device are not available from the computing resource; in response to the determining, generating, by the first device, a first plurality of asymmetric key pairs comprising a first plurality of private keys and a first plurality of public keys; assigning, by the first device, a unique identifier to each pair of the first plurality of asymmetric key pairs; storing the first plurality of private keys and their assigned unique identifiers in a memory of the first device; transmitting, from the first device, the first plurality of public keys and their assigned unique identifiers to a first server; in response to the determining, generating, by the first device, a second plurality of asymmetric key pairs comprising a second plurality of private keys and a second plurality of public keys; assigning, by the first device, a unique identifier to each pair of the second plurality of asymmetric key pairs; storing the second plurality of private keys and their assigned unique identifiers in the memory; transmitting, from the first device, the second plurality of public keys and their assigned unique identifiers to the second device; receiving, by the first device and from the second device, an encrypted peer-to-peer communication, wherein the encrypted peer-to-peer communication comprises an encrypted symmetric key, a public key associated with the second device, and a first unique identifier corresponding to the public key; recovering, by the first device and using an application identifier associated with an application executing on the first device, the encrypted symmetric key and the first unique identifier from the encrypted peer-to-peer communication; retrieving, based on the first unique identifier, a private key associated with the public key; deriving a key-encrypting key, wherein the key-encrypting key is derived according to a key agreement protocol using the private key associated with the public key, the public key associated with the second device, and the application identifier; decrypting, using the key-encrypting key, the encrypted symmetric key; decrypting, using the symmetric key, the encrypted peer-to-peer communication; and deleting, from the memory and based on the decrypting the encrypted peer-to-peer communication, the private key. 2. The method of claim 1 , further comprising: generating, by the first device, a signature for each of the public keys of the first plurality of asymmetric key pairs; encrypting, by the first device, the first plurality of public keys, their assigned unique identifiers, and the signature for each of the public keys using a public key of the first server; and transmitting, from the first device, the first plurality of encrypted public keys, the encrypted assigned unique identifiers, and the encrypted signature for each of the public keys to the first server. 3. The method of claim 2 , further comprising: encrypting, by the first device and prior to being stored in the memory, each of the first plurality of private keys and their assigned unique identifiers using a local storage key. 4. The method of claim 1 , further comprising: generating, by the first device, a signature for each of the public keys of the second plurality of asymmetric key pairs; calculating, by the first device, a first encryption key, wherein the first encryption key is calculated by inputting a first set of pseudorandom bytes into a key derivation function; encrypting, by the first device, the second plurality of public keys, their assigned unique identifiers, and the signature for each of the public keys using the first encryption key; and transmitting, from the first device, the second plurality of encrypted public keys, the encrypted assigned unique identifiers, and the encrypted signature for each of the public keys to the second device. 5. The method of claim 4 , further comprising: encrypting, by the first device, the first encryption key. 6. The method of claim 5 , further comprising: transmitting, from the first device, the encrypted first encryption key with the second plurality of encrypted public keys, the encrypted assigned unique identifiers, and the encrypted signature for each of the public keys. 7. The method of claim 1 , further comprising: encrypting, by the first device and prior to being stored in the memory, each of the second plurality of private keys and their assigned unique identifiers using a local storage key. 8. The method of claim 1 , further comprising: receiving, at the first device, a third plurality of public keys, a unique identifier for each public key in the third plurality of public keys, and a signature for each of the third plurality of public keys from the second device; validating, at the first device, the signature for each public key in the third plurality of public keys; and storing, at the first device, the third plurality of public keys and the unique identifier for each public key in the third plurality of public keys when the signatures for each public key in the third plurality of public keys are valid. 9. The method of claim 8 , wherein the signature for each public key in the third plurality of public keys comprises a signature chain. 10. The method of claim 1 , wherein the computing resource is one or more of a key distribution center, a secure communication platform, or a cloud service provider, the computing resource comprising one or more servers. 11. A computing device comprising: one or more processors; and memory comprising instructions that, when executed by the one or more processors, cause the computing device to: determine, from a computing resource, that one or more encryption keys to establish secure communication with a second device are not available from the computing resource; in response to the determining, generate a first plurality of asymmetric key pairs comprising a first plurality of private keys and a first plurality of public keys; assign each pair of the first plurality of asymmetric key pairs a unique identifier; store the first plurality of private keys and their assigned unique identifiers; transmit, to a first server, the first plurality of public keys and their assigned unique identifiers; in response to the determining, generate a second plurality of asymmetric key pairs comprising a second plurality of private keys and a second plurality of public keys; assign each pair of the second plurality of asymmetric key pairs a unique identifier; store the second plurality of private keys and their assigned unique identifiers; transmit, to the second device, the second plurality of public keys and their assigned unique identifiers; receive, from the second device, an encrypted peer-to-peer communication, wherein the encrypted peer-to-peer communication comprises an encrypted symmetric key, a public key associated with the second device, and a first unique identifier corresponding to the public key; recover, using an application identifier associated with an application executing on the first device, the encrypted symmetric key and the first unique identifier from the encrypted peer-to-peer communication; retrieve, based on the first unique identifier, a private key associated with the public key; derive a key-encrypting key, wherein the key-encrypting key is derived according to a key agreement protocol using the private key associated with the public key, the public key associated with the second device, and the application identifier; decrypt, using the key-encryp
Assignees
Inventors
Classifications
without using a trusted network node as an anchor · CPC title
involving digital signatures · CPC title
Key management, e.g. using generic bootstrapping architecture [GBA] · CPC title
Randomization, e.g. dummy operations or using noise · CPC title
using a plurality of keys or algorithms · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11316666B2 cover?
- A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encry…
- Who is the assignee on this patent?
- Amazon Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/0442. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Apr 26 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).