Zero-knowledge key escrow

US11818264B2 · US · B2

Patent metadata
Publication number: US-11818264-B2
Application number: US-202117354391-A
Country: US
Kind code: B2
Filing date: Jun 22, 2021
Priority date: Apr 24, 2019
Publication date: Nov 14, 2023
Grant date: Nov 14, 2023


Abstract

Official abstract text for this publication.

Disclosed are various embodiments for implementing a key escrow system without disclosure of a client's encryption key to third parties. An encryption key is split into a plurality of key segments pursuant to a shared secret protocol. A plurality of peer client devices are then identified. Each peer client device in the plurality of peer client devices is then verified and the respective one of the plurality of key segments are sent to a respective one of the plurality of peer client devices. A response is then received from each respective one of the plurality of peer client devices, the response confirming receipt of the respective one of the plurality of key segments. A list identifying the plurality of peer client devices is finally provided to a key escrow service, the list comprising key-value pairs that identify each respective one of the plurality of peer client devices and the respective one of the plurality of key segments.

First claim

Opening claim text (preview).

Therefore, the following is claimed:

1. A system, comprising: a first client device comprising a processor and a memory; and machine readable instructions stored in the memory that, when executed by the processor, cause the first client device to at least: receive a first version of an encrypted key segment from a second client device, the first version of the encrypted key segment being a key segment of the second client device encrypted with a first public key associated with the first client device; decrypt the first version of the encrypted key segment using a first private key associated with the first public key to generate the key segment; verify the key segment using a second public key associated with the second client device; encrypt the key segment with the first public key to regenerate the first version of the encrypted key segment in response to verification of the key segment; and send a regenerated first version of the encrypted key segment to a key escrow service.

2. The system of claim 1, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least receive the second public key from the second client device.

3. The system of claim 1, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least: request the second public key from the key escrow service; and receive the second public key from the key escrow service.

4. The system of claim 1, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least send a client identifier to the key escrow service.

5. The system of claim 1, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least send a copy of the first public key to the key escrow service.

6. The system of claim 1, wherein the key segment is one of a plurality of key segments generated using a shared secret protocol that allows for an encryption key to be reconstructed from a subset of the plurality of key segments.

7. A method, comprising: receiving, by a first client device, a first version of an encrypted key segment from a second client device, the first version of the encrypted key segment being a key segment of the second client device encrypted with a first public key associated with the first client device; decrypting, by the first client device, the first version of the encrypted key segment using a first private key associated with the first public key to generate the key segment; verifying, by the first client device, the key segment using a second public key associated with the second client device; encrypting, by the first client device, the key segment with the first public key to regenerate the first version of the encrypted key segment in response to verifying the key segment; and sending, by the first client device, a regenerated first version of the encrypted key segment to a key escrow service.

8. The method of claim 7, further comprising receiving, by the first client device, the second public key from the second client device.

9. The method of claim 7, further comprising: requesting, by the first client device, the second public key from the key escrow service; and receiving, by the first client device, the second public key from the key escrow service.

10. The method of claim 7, further comprising sending, by the first client device, a client identifier to the key escrow service.

11. The method of claim 7, further comprising sending, by the first client device, a copy of the first public key to the key escrow service.

12. The method of claim 7, wherein the key segment is one of a plurality of key segments generated using a shared secret protocol that allows for an encryption key to be reconstructed from a subset of the plurality of key segments.

13. A non-transitory, computer-readable medium comprising machine-readable instructions that, when executed by a processor of a first client device, cause the first client device to at least: receive a first version of an encrypted key segment from a second client device, the first version of the encrypted key segment being a key segment of the second client device encrypted with a first public key associated with the first client device; decrypt the first version of the encrypted key segment using a first private key associated with the first public key to generate the key segment; verify the key segment using a second public key associated with the second client device; encrypt the key segment with the first public key to regenerate the encrypted key segment in response to verification of the key segment; and send a regenerated first version of the encrypted key segment to a key escrow service.

14. The non-transitory, computer-readable medium of claim 13, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least receive the second public key from the second client device.

15. The non-transitory, computer-readable medium of claim 13, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least: request the second public key from the key escrow service; and receive the second public key from the key escrow service.

16. The non-transitory, computer-readable medium of claim 13, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least send a client identifier to the key escrow service.

17. The non-transitory, computer-readable medium of claim 13, wherein the machine-readable instructions, when executed by the processor, further cause the first client device to at least send a copy of the first public key to the key escrow service.

18. The non-transitory, computer-readable medium of claim 13, wherein the key segment is one of a plurality of key segments generated using a shared secret protocol that allows for an encryption key to be reconstructed from a subset of the plurality of key segments.

Assignees

Vmware Inc

Inventors

Classifications

  • H04L9/0894 (primary) · Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title

  • Tools and structures for managing or administering access control systems · CPC title (code not shown)

  • H04L9/085 (primary) · Secret sharing or secret splitting, e.g. threshold schemes · CPC title

  • using a plurality of keys or algorithms · CPC title (code not shown)

  • using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs · CPC title (code not shown)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

What does patent US11818264B2 cover?
Disclosed are various embodiments for implementing a key escrow system without disclosure of a client's encryption key to third parties. An encryption key is split into a plurality of key segments pursuant to a shared secret protocol. A plurality of peer client devices are then identified. Each peer client device in the plurality of peer client devices is then verified and the respective one of…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/0894. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 14, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).