Protected storage for decryption data
US-2023205908-A1 · Jun 29, 2023 · US
US12261950B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12261950-B2 |
| Application number | US-202217589893-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 1, 2022 |
| Priority date | Feb 1, 2022 |
| Publication date | Mar 25, 2025 |
| Grant date | Mar 25, 2025 |
Abstract
A client device that is not originally compliant with a particular security standard (e.g., FIPS) is brought into compliance through the addition of a standard-compliant software-based cryptographic library. In order to adapt the cryptographic library to integrate with the hardware-backed keystore, a non-hardware-backed software keystore is used to store keys used by the cryptographic library. Additionally, in order to provide appropriate security for the software keystore, the software keystore (and/or the keypairs within the software keystore) is protected by a password, and the password is in turn protected by the hardware-backed keystore. Thus, to obtain the password needed to obtain a keypair from the software keystore that is in turn needed to use the cryptographic library, a user must authenticate with the operating system, e.g., by providing biometric credentials.
Claims (preview)
What is claimed is:
1. A computer-implemented method for obtaining and using a cryptographic keypair within a resource authentication flow on a client device comprising a software keystore and a hardware-backed keystore, the computer-implemented method comprising: receiving a request from a user to access a resource on a remote resource server; receiving data beginning an authentication flow with the remote resource server; obtaining an encrypted form of a software keystore password of the software keystore and a reference to a secure decryption key of a plurality of secure decryption keys of the hardware-backed keystore of the client device, differing secure decryption keys of the plurality of secure decryption keys being useable to decrypt differing software keystore passwords of the software keystore; requesting access to a decrypted form of the software keystore password from the hardware-backed keystore of an operating system of the client device, the access request including the encrypted form of the software keystore password and the reference to the secure decryption key, the access request causing the operating system to verify biometric credentials of the user; responsive to the operating system successfully verifying the biometric credentials of the user, obtaining the decrypted form of the software keystore password from the hardware-backed keystore, the hardware-backed keystore using the secure decryption key to decrypt the encrypted form of the software keystore password; obtaining a keypair of the user from the software keystore using the decrypted form of the software keystore password obtained from the hardware-backed keystore; and using the obtained keypair for secure communication within the authentication flow.
2. A non-transitory computer-readable storage medium storing instructions that when executed by a computer processor perform actions comprising: receiving a request from a user to access a resource on a remote resource server; receiving data beginning an authentication flow with the remote resource server; obtaining an encrypted form of a software keystore password of a software keystore and a reference to a secure decryption key of a plurality of secure decryption keys of a hardware-backed keystore of a client device, differing secure decryption keys of the plurality of secure decryption keys being useable to decrypt differing software keystore passwords of the software keystore, the client device comprising the software keystore and the hardware-backed keystore; requesting access to a decrypted form of the software keystore password from the hardware-backed keystore of an operating system of the client device, the access request including the encrypted form of the software keystore password and the reference to the secure decryption key, the access request causing the operating system to verify biometric credentials of a user of the client device; responsive to the operating system successfully verifying the biometric credentials of the user, obtaining the decrypted form of the software keystore password from the hardware-backed keystore, the hardware-backed keystore using the secure decryption key to decrypt the encrypted form of the software keystore password; obtaining a keypair of the user from the software keystore using the decrypted form of the software keystore password obtained from the hardware-backed keystore, and using the obtained keypair for secure communication within the authentication flow.
3. The non-transitory computer-readable storage medium of claim 2, the actions further comprising: receiving a request from the user to access a resource on a remote resource server; receiving data from the remote resource server beginning an authentication flow; and using the obtained keypair for secure communication within the authentication flow.
4. The non-transitory computer-readable storage medium of claim 2, the actions further comprising: obtaining the reference to the secure decryption key, wherein: the access request includes the reference to the secure decryption key, and the hardware-backed keystore uses the secure decryption key to decrypt the encrypted form of the software keystore password.
5. The non-transitory computer-readable storage medium of claim 2, wherein the credentials are biometric credentials.
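The flow described in the abstract and in claims 1 and 2 above, as an added Python model that is not part of the patent or of any product: a hardware-backed keystore holding several secure decryption keys addressed by reference, whose use is gated on a biometric check, and a password-protected software keystore whose password exists in the clear only after that check. The cipher, the PBKDF2 parameters, the alias and the key-reference format are constructed stand-ins.

```python
import hashlib
import hmac
import os

def seal(key: bytes, data: bytes) -> bytes:
    # Toy encrypt-then-MAC (SHAKE keystream + HMAC-SHA256 tag); stands in for the keystores' real AEAD.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong secure decryption key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

class HardwareBackedKeystore:  # OS keystore model: secure decryption keys addressed by reference, never exported
    def __init__(self):
        self._keys = {}
    def generate_key(self) -> str:
        ref = f"hw-key-{len(self._keys)}"  # constructed reference format
        self._keys[ref] = os.urandom(32)
        return ref
    def encrypt(self, ref: str, data: bytes) -> bytes:
        return seal(self._keys[ref], data)
    def decrypt(self, ref: str, blob: bytes, biometric_verified: bool) -> bytes:
        if not biometric_verified:  # the OS verifies the user's biometrics before the key may be used
            raise PermissionError("biometric verification failed")
        return unseal(self._keys[ref], blob)

class SoftwareKeystore:  # password-protected keystore: each keypair sealed under a PBKDF2-derived key
    def __init__(self):
        self._entries = {}
    def store_keypair(self, alias: str, password: bytes, keypair: bytes) -> None:
        salt = os.urandom(16)
        self._entries[alias] = (salt, seal(hashlib.pbkdf2_hmac("sha256", password, salt, 50_000), keypair))
    def get_keypair(self, alias: str, password: bytes) -> bytes:
        salt, blob = self._entries[alias]
        return unseal(hashlib.pbkdf2_hmac("sha256", password, salt, 50_000), blob)

def provision(hw, sw, alias: str, keypair: bytes):
    # Enrollment: a random keystore password is wrapped by a fresh hardware-backed key; the app keeps only
    # the encrypted password and the key reference, never the password itself.
    password = os.urandom(32)
    sw.store_keypair(alias, password, keypair)
    ref = hw.generate_key()
    return ref, hw.encrypt(ref, password)

def obtain_keypair(hw, sw, alias: str, ref: str, enc_password: bytes, biometric_verified: bool) -> bytes:
    # Authentication flow: the hardware keystore unwraps the password, the software keystore yields the keypair.
    return sw.get_keypair(alias, hw.decrypt(ref, enc_password, biometric_verified))
```

A failed biometric check raises before the hardware key is touched, and presenting the wrong key reference fails the tag check, so neither path yields the password or the keypair.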
CPC classifications:
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- Biological data, e.g. fingerprint, voice or retina (network architectures or network communication protocols for supporting authentication of entities using biometrical features in a packet data network H04L63/0861)
- using key encryption key
- using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083)
- Generation of secret information including derivation or calculation of cryptographic keys or passwords