Kaspersky Lab patents its technology for easy and secure recovery of encrypted data

Kaspersky Lab announces that its experts have developed and patented an advanced technology to recover passwords and encryption keys on mobile devices. Patent No. 2481632, issued by Rospatent, describes a method that almost eliminates any possibility of data compromise.

Encryption is an extremely safe method of protecting confidential data protection, which is widely used by both corporations and personal users. However, there is a disadvantage in its application: people forget and lose the passwords to access encrypted data. On the one hand this highlights the perils of losing passwords – if a password cannot be restored, the encrypted data also remains inaccessible. On the other hand, a recoverable password increases the risk of valuable data being compromised. Keep in mind that the methods used by vendors to protect backup copies may contain vulnerabilities which could allow unauthorized access to secret data.

As a result, consumers usually have to choose the lesser of two evils. Either use extremely well-protected solutions that do not forgive any human error and do not allow password recovery, or place your trust in the reliability of your vendor’s IT infrastructure if it allows password recovery.

Kaspersky Lab sought to avoid this compromise by developing its own technology to recover passwords and encryption keys on mobile devices.

Three independent factors

In order to recover passwords and keys for encrypted data, the Kaspersky Lab patented technology uses three independent factors: user ID, a mobile device ID and a random number.

When the user first installs mobile security solution, the authentication system asks for an email address. The technology identifies the hash addresses (the sequence of symbols that is received by converting the alphanumeric email address using a special algorithm). In addition, it creates a unique ID for the device based on its hardware characteristics and finally generates a random number. After registration, the encrypted random number together with the hashed email address and the device ID is transmitted to Kaspersky Lab’s servers.

The random number is used by the product in order to provide a "defense of the defense". The technology uses a special data encryption key. The key itself also needs to be protected by encryption to ensure its safety. Usually the key is protected by a user password. Whenever a user enters the password, the key is decrypted first and only then comes the turn of the information encrypted with it. Therefore, if the password is lost or forgotten, the information is almost impossible to decrypt. The patented technology can store two copies of keys on the device: the primary copy is encrypted with the help of the user password and the backup copy is encrypted using the previously generated random number.

If the user of the device loses or forgets the password, the special password recovery service asks for the email address. The service identifies the hashed address and checks it against its own hash database previously collected from all users with this technology integrated in their mobile security solutions. If a match is found, the system sends the unique number specified by the user during registration to that email address, together with instructions for creating a new password. Technology uses this unique number to decrypt the backup key which in its turn allows the user to access the data stored on the device.

As a result, Kaspersky Lab specialists were able to develop a data recovery algorithm which is convenient and at the same time secure, since none of the parties involved in this process has access to all the data required to decrypt the secret information. Kaspersky Lab stores neither the password backups nor any copies of keys, nor even any personal customer data on its servers – it keeps only encrypted values of specific information that helps users to access their data. These values are completely useless to cybercriminals.

"No matter how well the key to the safe is protected, if a cybercriminal gains access to that key, he gains access to the safe. However, if you split the key into the components and hide them in different parts of the world, cybercriminals are likely to go and look for another safe that is easier to crack. Our technology works in a similar way: it ‘hides’ the elements necessary to access sensitive data in different places and under different conditions. When the users need it, these elements can ‘come together’ in a single place. This takes no special effort from the user, but a cybercriminal faces a real struggle to piece together all the different elements of the ‘key’,” said Victor Yablokov, Head of Web & Messaging Development at Kaspersky Lab, one of the creators of the technology.

Kaspersky Lab continues to successfully increase its intellectual property. As of the end of June 2013, the company’s portfolio included over 120 patents issued by patent authorities in the US, Russia, China and Europe. Another 200 patent applications are currently being examined by the patent offices of these countries.