US9425958B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9425958-B2 |
| Application number | US-99658805-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 5, 2005 |
| Priority date | Aug 5, 2005 |
| Publication date | Aug 23, 2016 |
| Grant date | Aug 23, 2016 |
Official abstract text for this publication.
A technique that binds encryption and decryption keys using a UID, a UDID, and a Pswd to a client mobile device in an enterprise. In one example embodiment, this is achieved by creating a new user account using the UID and the DPswd in an inactive state and communicating the UID and the DPswd to an intended user using a secure communication medium by an administrator. The intended user then logs into a cryptography key management system using the UID and the DPswd via a client mobile device. The UDID associated with the client mobile device is then hashed to create a H(UDID). The H(UDID) is then sent to the cryptography key management system by a local key management application module. The H(UDID) is then authenticated by the cryptography key management system. An encryption/decryption key is then assigned for the client mobile device.
Opening claim text (preview).
The invention claimed is:
1. A method comprising binding encryption and decryption keys using a unique user identifier (UID), a unique device identifier (UDID), and a user password (Pswd) to a client mobile device in an enterprise cryptography key management system, wherein binding the encryption and decryption keys comprises: requesting the UDID from the client mobile device by the cryptography key management system; receiving a hashed unique device identifier H(UDID) encrypted by the Pswd by the cryptography key management system from a key management application module included on the client mobile device; and associating the H(UDID) with the user account, comprising: decrypting the encrypted H(UDID) by the cryptography key management system using the Pswd; if decryption fails, then terminating communication with the client mobile device; and if the decryption is successful, then validating integrity of the decrypted H(UDID) by comparing the H(UDID) sent by the key management application module with other H(UDID)s in the cryptography key management system to ensure that the H(UDID) is unique for the client mobile device; and registering a cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the H(UDID), and a unique key identifier (KeyID), wherein registering the cryptography/data recovery key for the associated client mobile device with the enterprise comprises, upon validating that the H(UDID) exists for the UID: storing the data recovery key and the KeyID associated with the UDID by the cryptography key management system, encrypting the KeyID using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted KeyID and sending the password-encrypted KeyID to the key management application module by the cryptography key management system, and decrypting the password-encrypted KeyID using a symmetric cryptography key derived from the password to obtain the KeyID and storing the obtained KeyID by the key management application module.
2. The method of claim 1, wherein binding the encryption and decryption keys using the UID, the UDID, and the Pswd further comprises: creating a new user account using the UID and a default password (DPswd) in an inactive state in the cryptography key management system by an administrator; communicating the UID and the DPswd to an intended user using a secure communication medium by the administrator; logging into the cryptography key management system using the UID and the DPswd via the client mobile device by the intended user upon authenticating the DPswd by the cryptography key management system; changing the DPswd to a new password (NewPswd) by the intended user; sending the NewPswd that is encrypted by a cryptography key derived from the DPswd to the cryptography key management system; and replacing the DPswd with the NewPswd if the NewPswd satisfies enterprise password security requirements.
3. The method of claim 2, wherein the cryptography/data recovery key is selected from a group consisting of a symmetric cryptography key and an asymmetric cryptography key.
4. The method of claim 2, wherein sending the H(UDID) obtained using the UDID associated with the client mobile device to the cryptography key management system by a key management application module and associating the H(UDID) with the user account comprises: hashing the UDID of the client mobile device to create the H(UDID); encrypting the H(UDID) using the Pswd; sending the password encrypted H(UDID) of the client mobile device along with the UID to the cryptography key management system by the key management application module; and on successful validation, associating the H(UDID) with the user account in a secure key database.
5. The method of claim 4, wherein sending the password encrypted H(UDID) of the client mobile device along with the UID to the cryptography key management system by the key management application module comprises: obtaining the UDID from the client mobile device; forming the hash of the UDID by using a hash algorithm; sending the password encrypted H(UDID) along with the UID to the cryptography key management system over a secure communication channel; authenticating the H(UDID) sent by the key management application module; if authentication fails, then terminating communication with the client mobile device; and if the authentication is successful, then allowing a desired operation requested by the intended user.
6. The method of claim 2, wherein registering the cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the H(UDID), and the KeyID further comprises: requesting the UID, the cryptography/data recovery key, and the Pswd upon connecting the client mobile device by the key management application module from an intended user; determining the UDID associated with the client mobile device by the key management application module; hashing the UDID by the key management application module to create the H(UDID); encrypting the H(UDID) along with the cryptography/data recovery key using a symmetric cryptography key derived from the Pswd; sending the encrypted H(UDID) along with the UID and the cryptography/data recovery key to the cryptography key management system by the key management application module; passing the UID and requesting the stored Pswd; returning the Pswd associated with the UID upon validating the passed UID by the cryptography key management system; decrypting the H(UDID) and the cryptography/data recovery key using the returned Pswd; if decryption is unsuccessful, then stopping the registering of the data recovery key; if decryption is successful, then establishing a mutual authentication; generating a KeyID and passing the H(UDID), the data recovery key, and the KeyID.
7. The method of claim 6, wherein decrypting the H(UDID) and the cryptography/data recovery key using the returned Pswd upon successful validation of the UID by the key management system comprises: determining whether the encrypted H(UDID) and the cryptography/data recovery key can be decrypted using a symmetric cryptography key derived from the returned Pswd; and in response to a determination that the encrypted H(UID) and the cryptography/data recovery key can be decrypted, decrypting H(UDID) and the cryptography/data recovery key using a symmetric cryptography key derived from the returned Pswd.
8. A method comprising changing a user password (Pswd) in a cryptography key management system via a client mobile device using a unique user identifier (UID), a unique device identifier (UDID), a unique key identifier, a current password (Pswd), and a new password (NewPswd), the method further comprising: requesting the UID, the Pswd and the NewPswd from an intended user via the client mobile device; determining the UDID associated with the client mobile device; hashing the UDID (H(UDID)) by a key management application module included on the client mobile device; encrypting the hashed UDID and the NewPswd using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted H(UDID) and an encrypted NewPswd; sending the password-encrypted H(UDID) and the encrypted NewPswd to the cryptography key management system by the key management application module and requesting a change in the Pswd; connecting the key management application module to a secure key database via a valid user role by the cryptography key management system upon a successful validation of the UID and returning the Pswd for the UID to the cryptography key management system by the secure key database; de
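
The device-binding and key-registration exchange of claim 1, sketched as an added example that is not part of the patent text: the client sends H(UDID) encrypted under a password-derived key, and the server decrypts it, checks uniqueness, and returns a password-encrypted KeyID. SHA-256, PBKDF2, the per-user salt (assumed to be sent with the UDID request), the HMAC-based stand-in for an authenticated cipher, and every function and field name are assumptions of this example; the server holds the Pswd because the claims have it decrypt with the Pswd.

```python
import hashlib, hmac, os

def derive_key(pswd: str, salt: bytes) -> bytes:
    # Symmetric key derived from the Pswd (PBKDF2 is this example's choice).
    return hashlib.pbkdf2_hmac("sha256", pswd.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    # Stdlib encrypt-then-MAC stand-in for an AEAD such as AES-GCM.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong password or tampered message
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def device_blob(udid: str, pswd: str, salt: bytes) -> bytes:
    # Client side: hash the UDID, then encrypt H(UDID) under the Pswd-derived key.
    return seal(derive_key(pswd, salt), hashlib.sha256(udid.encode()).digest())

class KeyManagementSystem:
    def __init__(self):
        self.accounts = {}  # UID -> account record

    def add_user(self, uid: str, pswd: str):
        self.accounts[uid] = {"pswd": pswd, "salt": os.urandom(16), "h_udid": None, "keys": {}}

    def bind_device(self, uid: str, blob: bytes) -> bool:
        acct = self.accounts.get(uid)
        h = unseal(derive_key(acct["pswd"], acct["salt"]), blob) if acct else None
        if h is None:
            return False  # decryption failed: terminate communication
        if any(a["h_udid"] == h for a in self.accounts.values()):
            return False  # H(UDID) already bound, so not unique
        acct["h_udid"] = h
        return True

    def register_key(self, uid: str, recovery_key: bytes):
        acct = self.accounts[uid]
        if acct["h_udid"] is None:
            return None  # no H(UDID) exists for this UID
        key_id = os.urandom(8).hex()
        acct["keys"][key_id] = recovery_key
        return seal(derive_key(acct["pswd"], acct["salt"]), key_id.encode())
```

The client recovers the KeyID by calling `unseal` with the same password-derived key and stores it locally, which is the last step of claim 1.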
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
using time-dependent-passwords, e.g. periodically changing passwords · CPC title
using cryptographic hash functions · CPC title
for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title
for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title