Secret sharing scheme with required shared key(s)
US-2018013557-A1 · Jan 11, 2018 · US
Authentication credential protection method and system
US12158945B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12158945-B2 |
| Application number | US-202117371712-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 9, 2021 |
| Priority date | Jul 31, 2019 |
| Publication date | Dec 3, 2024 |
| Grant date | Dec 3, 2024 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
This application provides an authentication credential protection method and system. The protection method includes the following steps: generating authentication secret information based on a lock screen password and hardware secret information of a first device; randomly generating, by the first device, a symmetric key, and using the symmetric key as an encryption key for the authentication secret information; splitting the encryption key into at least two first key segments by using a multi-party data splitting algorithm, where one of the at least two first key segments is stored on the first device; and sending, by the first device, another first key segment to a trusted device. In the foregoing technical solution, the authentication secret information is generated by using the lock screen password and the hardware secret information, increasing information complexity. In addition, different trusted devices are used to store the split key segments, improving security of the encryption key.
First claim
Opening claim text (preview).
What is claimed is: 1. An authentication credential protection method, comprising: generating authentication secret information by combining a lock screen password and hardware secret information of a first device; randomly generating, by the first device, a symmetric key; encrypting the authentication secret information using the symmetric key as an encryption key for the authentication secret information; storing the encrypted authentication secret information on the first device; splitting the encryption key into at least two first key segments by using a splitting algorithm, wherein one of the at least two first key segments is stored on the first device; and sending, by the first device, another of the at least two first key segments to a trusted device different than the first device. 2. The authentication credential protection method according to claim 1 , wherein the splitting algorithm comprises a secure multi-party data splitting algorithm. 3. The authentication credential protection method according to claim 1 , wherein the trusted device comprises a second device and a third device, and the at least two first key segments include three first key segments, and the sending, by the first device, the another one of the at least two first key segments to the trusted device comprises: sending, by the first device, two key segments of the three first key segments to the second device and the third device in a one-to-one correspondence for storage. 4. The authentication credential protection method according to claim 1 , wherein the trusted device comprises a second device, and the at least two first key segment includes two first key segments and wherein sending, by the first device, the other one of the at least two first key segments to the trusted device comprises: sending, by the first device, one of the at least two first key segments to the second device. 5. The authentication credential protection method according to claim 1 , wherein the first device is connected to the trusted device through a secure channel. 6. The authentication credential protection method according to claim 5 , wherein the method further comprises: performing user identity information authentication on the trusted device, and after user identity information is determined, receiving a first one of the at least two first key segments sent by the first device. 7. The authentication credential protection method according to claim 1 wherein the method further comprises: performing secure multi-party computation between the trusted device and the first device by using the at least two first key segments respectively stored on the trusted device and the first device as key division input to the secure multi-party computation, and decrypting the encrypted authentication secret information on the first device. 8. The authentication credential protection method according to claim 7 , wherein the method further comprises: before performing the multi-party computation, performing the user identity information authentication on the trusted device, and after the user identity information is determined, performing the secure multi-party computation between the trusted device and the first device by using the at least two first key segments respectively stored on the trusted device and the first device as the key division input to the secure multi-party computation. 9. The authentication credential protection method according to claim 7 , wherein the method further comprises: resetting the lock screen password, and generating new authentication secret information based on the reset lock screen password and the hardware secret information of the first device. 10. The authentication credential protection method according to claim 9 , wherein the method further comprises: randomly generating, by the first device, a new symmetric key, and using the new symmetric key as a new encryption key for the new authentication secret information; and comparing the authentication secret information obtained through decryption of the encrypted authentication secret information with authentication secret information stored in a Trusted Execution Environment (TEE), and when the authentication secret information obtained through decryption of the encrypted authentication secret information and the authentication secret information stored in the TEE match, replacing the authentication secret information obtained through decryption of the encrypted authentication secret information with the authentication secret information in the TEE. 11. The authentication credential protection method according to claim 10 , wherein the method further comprises: splitting a new encryption key into at least two second key segments by using the splitting algorithm, wherein one of the at least two second key segments is stored on the first device; and sending, by the first device, an other one of the at least two second key segments to the trusted device. 12. An authentication credential protection system, comprising: a first device, comprising a first processing module, configured to: generate first authentication secret information by combining a lock screen password and hardware secret information of a first device; randomly generate a symmetric key; use the symmetric key as an encryption key for the first authentication secret information to encrypt the first authentication secret information; and split the encryption key into at least two first key segments by using a splitting algorithm; a first storage module, configured to store the encrypted first authentication secret information and one key segment of the at least two first key segments; and a first communications module, configured to send an other key segment of the at least two first key segments to a trusted device different than the first device; and wherein the trusted device is configured to receive and store the one key segment of the at least two first key segments sent by the first device. 13. The authentication credential protection system according to claim 12 , wherein the splitting algorithm comprises a secure multi-party data splitting algorithm. 14. The authentication credential protection system according to claim 12 , wherein: the trusted device comprises a second device and a third device, and the at least two second key segments include three first key segments; the first communications module is configured to send two of the three key segments to the second device and the third device in a one-to-one correspondence for storage. 15. The authentication credential protection system according to claim 12 , wherein the trusted device comprises a second communications module, and the first communications module is connected to the second communications module through a secure channel. 16. The authentication credential protection system according to claim 15 , wherein the trusted device comprises: an authentication module, configured to authenticate user identity information; and the second communications module is further configured to: after the user identity information is determined, receive a first one of the at least two key segments sent by the first device. 17. The authentication credential protection system according to claim 12 , wherein the trusted device comprises a second processing module; the first processing module and the second processing module perform secure multi-party computation of Advanced Encryption Standard (MPC_AES) between the trusted device and the first device by using the at least two key segm
Assignees
Inventors
Classifications
Secure multiparty computation, e.g. millionaire problem · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
involving random numbers or seeds · CPC title
Secret sharing or secret splitting, e.g. threshold schemes · CPC title
- G06F21/602Primary
Providing cryptographic facilities or services · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12158945B2 cover?
- This application provides an authentication credential protection method and system. The protection method includes the following steps: generating authentication secret information based on a lock screen password and hardware secret information of a first device; randomly generating, by the first device, a symmetric key, and using the symmetric key as an encryption key for the authentication s…
- Who is the assignee on this patent?
- Huawei Tech Co Ltd
- What technology area does this patent fall under?
- Primary CPC classification G06F21/602. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Dec 03 2024 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).