1. Technical Field
The present invention relates in general to the field of computers, and in particular to intranet networks. Still more particularly, the present invention relates to a method and system for allowing a user on a backup client device on an enterprise's intranet to access a backup admin key from a backup server on the intranet.
2. Description of the Related Art
Early modern computers were stand-alone. As such, maintaining security for data on the computer was simple, since all that was necessary was to take steps to ensure that only authorized persons were allowed physical access to the computer. However, computers soon began “talking” to each other over networks, including Local Area Networks (LANs) and Wide Area Networks (WANs), including the Internet. A LAN that uses the Internet's Transmission Control Protocol/Internet Protocol (TCP/IP) standard has come to be called an “intranet.”
Since only authorized users should be given access to an intranet and its resources, many enterprises use a Client Security Software (CSS) system, such as depicted in FIG. 1 as CSS system 100. CSS system 100 includes a Trusted Protected Module (TPM) chipset 102, which sits inside a client computer (not shown) that is attached to an intranet (not shown). TPM chipset 102 has stored on it, and accessible only within TPM chipset 102, a Storage Root Key (SRK) 104. (Note that unless noted otherwise, the term “key” is understood to mean a private key in a public/private encryption key pair.)
SRK 104 is used to encrypt an admin key 106, which can be stored encrypted in any volatile or non-volatile memory in the client computer. Admin key 106, when decrypted, can be used to encrypt/decrypt other keys used by a user, including a user logon key 108, a user storage key 110, and a user signature key 112 key, which are (respectively) keys required for a user to wirelessly log on to an intranet, to store data in a mass storage resource connected with the intranet, and to digitally sign transmissions on the intranet.
As noted above, the TPM chipset 102 is physically within the client computer. If the TPM chipset 102 should become unavailable to the user of that client computer, then the user will be unable to utilize the intranet, since there will be no way for the user to decrypt and use the admin key 106. For example, consider the scenario in which a user has enabled the CSS system 100 on his laptop, and he wishes to log onto his company's intranet. Just as he is preparing to do so, his laptop screen cracks. While the user can offload all of his data, including his encrypted (by SRK 104) admin key 106, onto another (backup) computer, the CSS data is inaccessible without the SRK 104 that is stored in and available to only the broken laptop.
What is needed, therefore, is a method and system that allows a user to access his admin key if he is unable to access the SRK that encrypted that admin key.