Mutual authentication with symmetric secrets and signatures
US-9258117-B1 · Feb 9, 2016 · US
System and method for rotating client security keys
US9843446B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9843446-B2 |
| Application number | US-201414513938-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 14, 2014 |
| Priority date | Oct 14, 2014 |
| Publication date | Dec 12, 2017 |
| Grant date | Dec 12, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Systems, methods, and non-transitory computer-readable storage media for rotating security keys for an online synchronized content management system client. A client having a first security key as an active security key may send a request to a server for a new security key as a replacement for the first security key. The server may receive the request and generate a candidate security key. The server can issue the candidate security key to the client device. After receiving the candidate security key, the client may send a key receipt confirmation message to the server. In response to the confirmation message, the server may mark the candidate key as the new security key for the client and discard the client's old security key. The server may send an acknowledgment message to the client device. In response, the client may also mark the candidate key as its new active key.
First claim
Opening claim text (preview).
What is claimed is: 1. A method comprising: sending, to a server from a client device having a first security key as an active security key, a request for a second security key as a replacement for the first security key, wherein the request is encrypted with the first security key; receiving a candidate security key from the server; embedding, before the candidate security key is activated on the client device, the candidate security key in a key receipt confirmation message prior to sending the key receipt confirmation message to the server; sending the key receipt confirmation message to the server, wherein the key receipt confirmation is encrypted with the candidate security key and the first security key; receiving, at the client device, an acknowledgment message from the server that the candidate security key is activated on the server; marking the candidate security key as the active security key; and when a predetermined time period elapses after sending the key receipt confirmation message without receiving the acknowledgment message, resending the key receipt confirmation message to the server. 2. The method of claim 1 , wherein the server is an online synchronized content management system. 3. The method of claim 1 , wherein communication between the client device and the server is encrypted with the active security key. 4. The method of claim 3 , wherein the communication comprises synchronizing a content item between the client device and the server. 5. The method of claim 1 , further comprising: upon receiving the candidate security key, storing the candidate security key on the client device. 6. The method of claim 1 , further comprising: discarding the first security key after marking the candidate security key as the active security key. 7. The method of claim 1 , further comprising: prior to sending the request: sending, from the client device to the server, an operation request associated with the first security key; and receiving a message from the server, the message indicating that the first security key has expired. 8. The method of claim 1 , wherein sending the request is triggered by a timer in the client device, the timer periodically triggering the client device to renew the active security key. 9. The method of claim 1 , further comprising: after receiving the candidate security key, receiving an additional candidate security key from the server; and discarding the additional candidate without sending an additional key receipt confirmation message to the server. 10. A system comprising: a processor; and a non-transitory computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising: sending, to a server from a client device having a first key as an active security key, a key renewal request, wherein the request is encrypted with the first security key; receiving a second key from the server; embedding, before the second key is activated on the client device, the second key in a key receipt confirmation message prior to sending the key receipt confirmation message to the server; storing the second key; sending the key receipt confirmation message to the server, wherein the key receipt conformation message is encrypted with the second key and the first key; receiving, at the client device, an acknowledgment message from the server that the second key has been activated on the server; upon receiving the acknowledgment message that the second security key has been activated on the server, renewing the active security key of the client device by replacing the first key with the second key, and when a predetermined time period elapses after sending the key receipt confirmation message without receiving the acknowledgment message, resending the key receipt confirmation message to the server. 11. The system of claim 10 , wherein communication between the client device and the server is encrypted using the active security key. 12. The system of claim 10 , wherein the confirmation message further contains the first key. 13. A non-transitory computer-readable storage medium storing instructions which, when executed by a processor, cause the processor to perform operations comprising: receiving, at a server from a client device, a request for a new security key; generating a candidate security key; sending the candidate security key to the client device; receiving a key receipt confirmation message from the client device, wherein the key receipt conformation message is encrypted with a current security key of the client device and the candidate security key before the candidate security key is activated on the client device; marking, on the server, the candidate security key as the new security key for the client device; sending an acknowledgment message to the client device that the candidate security key is activated on the server; and when a predetermined time period elapses after sending the key receipt confirmation message without receiving the acknowledgment message, resending the key receipt confirmation message to the server. 14. The non-transitory computer-readable storage medium of claim 13 , storing additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: after receiving the key receipt confirmation message, retiring an old security key associated with the client device. 15. The non-transitory computer-readable storage medium of claim 13 , storing additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: prior to receiving the request: receiving, at the server from the client device, an operation request associated with an expired security key; sending an expired security key notification to the client device; and denying the client device any further service until the request for the new security key is received from the client device. 16. The non-transitory computer-readable storage medium of claim 13 , storing additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: after receiving the key receipt confirmation message, determining whether the key receipt confirmation message contains the candidate security key. 17. The non-transitory computer-readable storage medium of claim 13 , wherein the request is a first request and the candidate security key is a first candidate security key, the non-transitory computer-readable storage medium storing additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: receiving a second request for the new security key; generating a second candidate security key different from the first candidate security key; and sending the second candidate security key to the client device.
Assignees
Inventors
Classifications
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) (network architectures or network communication protocols for key distribution in a packet data network H04L63/062) · CPC title
using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information H04L9/088) · CPC title
Key distribution {or management, e.g. generation, sharing or updating, of cryptographic keys or passwords (network architectures or network communication protocols for supporting key management in a packet data network H04L63/06)} · CPC title
Transmitting and receiving encryption devices synchronised or initially set up in a particular manner · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9843446B2 cover?
- Systems, methods, and non-transitory computer-readable storage media for rotating security keys for an online synchronized content management system client. A client having a first security key as an active security key may send a request to a server for a new security key as a replacement for the first security key. The server may receive the request and generate a candidate security key. The …
- Who is the assignee on this patent?
- Dropbox Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L9/0891. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Dec 12 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).