Patent attributes
A first cryptographic device is configured to determine at least a key for a current epoch and a key for a subsequent epoch, and to transmit the keys for the current and subsequent epochs over a secure channel to a second cryptographic device. The second cryptographic device utilizes the key for the current epoch to decrypt an additional key that was encrypted for storage in a previous epoch, performs at least one cryptographic function using the decrypted additional key, utilizes the key for the subsequent epoch to encrypt the additional key for storage, and erases at least the key for the current epoch and the decrypted additional key. In such an arrangement, the additional key is initially locked under the key for the current epoch, then unlocked to perform the cryptographic function, and then locked again under the key for the subsequent epoch.
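The lock, unlock, relock cycle on the second device, as an added sketch that is not taken from the patent. Assumptions: the first device derives epoch keys with HMAC-SHA256 from a master secret, the cryptographic function is an HMAC over a message, and `lock`/`unlock` are a standard-library stand-in for a vetted AEAD or key-wrap mode; all names are hypothetical.

```python
import hashlib, hmac, os

def epoch_key(master: bytes, epoch: int) -> bytearray:
    # Assumption: the first device derives each epoch key from a master secret.
    label = b"epoch" + epoch.to_bytes(8, "big")
    return bytearray(hmac.new(master, label, hashlib.sha256).digest())

def _keystream(key, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def lock(key, secret) -> bytes:
    # Stand-in encrypt-then-MAC wrap; use a vetted AEAD or key-wrap mode in practice.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unlock(key, blob: bytes) -> bytearray:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong epoch key or modified blob")
    return bytearray(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def wipe(*buffers: bytearray) -> None:
    # Best effort only: Python cannot guarantee no other copies exist in memory.
    for buf in buffers:
        buf[:] = bytes(len(buf))

class SecondDevice:
    def __init__(self, stored_blob: bytes):
        self.stored_blob = stored_blob  # additional key, locked in a previous epoch

    def run_epoch(self, k_cur: bytearray, k_next: bytearray, message: bytes) -> bytes:
        additional = unlock(k_cur, self.stored_blob)      # unlock with the current key
        try:
            result = hmac.new(additional, message, hashlib.sha256).digest()  # use it
            self.stored_blob = lock(k_next, additional)   # relock for the next epoch
        finally:
            wipe(k_cur, k_next, additional)               # no usable key stays at rest
        return result
```

After `run_epoch` returns, the device holds only a blob that opens under the subsequent epoch's key, so a later compromise of its storage yields nothing until the first device sends that key.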