Cryptographic key management for imported cryptographic keys
Record status: 1 assignment, 0 petitions.
Abstract
A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.
Claims (20 claims, 243 citations)
1. A computer-implemented method, comprising:
under the control of one or more computer systems of a cryptographic key management service provided by a computing resource service provider, the one or more computer systems configured with executable instructions;
receiving, from a client device, a request to import a customer cryptographic key from the client device;
generating a cryptographic key pair, the cryptographic key pair comprising a public cryptographic key and a private cryptographic key;
utilizing a domain cryptographic key to encrypt the private cryptographic key, resulting in an import key token;
providing the import key token and the public cryptographic key to the client device;
receiving, from the client device, the import key token and an encrypted customer cryptographic key, the encrypted customer cryptographic key being the customer cryptographic key encrypted using the public cryptographic key;
using the domain cryptographic key to decrypt the import key token to obtain the private cryptographic key;
decrypting, using the private cryptographic key, the encrypted customer cryptographic key to obtain the customer cryptographic key;
encrypting, using the domain cryptographic key, the customer cryptographic key to generate an encrypted key token; and
causing one or more cryptographic operations to be performed using the encrypted key token.
Dependent claims: 2, 3, 4, 20
5. A system, comprising:
one or more processors of a cryptographic key management service; and
memory including instructions that, as a result of being executed by the one or more processors of the cryptographic key management service, cause the system to:
receive, from a client device, a request to import a first cryptographic key from the client device;
create a cryptographic key pair comprising a public cryptographic key and a private cryptographic key;
utilize a domain cryptographic key to encrypt the private cryptographic key to generate an import key token;
provide the import key token and the public cryptographic key to the client device;
receive, from the client device, the import key token and an encrypted first cryptographic key, the encrypted first cryptographic key being the first cryptographic key encrypted using the public cryptographic key;
utilize the domain cryptographic key to decrypt the import key token and utilize the import key token to derive information for decrypting the encrypted first cryptographic key, the information for decrypting the encrypted first cryptographic key comprising the private cryptographic key;
decrypt, using the private cryptographic key, the encrypted first cryptographic key to obtain the first cryptographic key;
encrypt, using the domain cryptographic key, the first cryptographic key to generate an encrypted key token; and
cause one or more cryptographic operations to be performed using the first cryptographic key.
Dependent claims: 6, 7, 8, 9, 10, 11
12. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system of a cryptographic key management service, cause the computer system to at least:
generate, in response to a request from a client device to import a customer key from the client device, first cryptographic information and second cryptographic information, the first cryptographic information comprising a private cryptographic key and the second cryptographic information comprising a public cryptographic key;
generate, based at least in part on the first cryptographic information and a domain cryptographic key, an import key token by utilizing the domain cryptographic key to encrypt the first cryptographic information;
provide the import key token and the second cryptographic information to the client device in response to the request;
obtain, from the client device, an encrypted customer key and the import key token, the encrypted customer key being the customer key encrypted using the second cryptographic information;
derive, from the import key token, the first cryptographic information to obtain at least the private cryptographic key by using the domain cryptographic key to decrypt the import key token;
use the first cryptographic information to decrypt the encrypted customer key to obtain the customer key;
use the domain cryptographic key to obtain an encrypted key token by encrypting the customer key with the domain cryptographic key; and
store the encrypted key token for performance of cryptographic operations using the customer key.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
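The import exchange described in the abstract and in claims 1, 5 and 12, written out as an added Go example; this is not code from the patent or from any product it covers. The page names no algorithms, so the example assumes RSA-OAEP with SHA-256 for the client's wrap of the customer key and AES-256-GCM for the domain key. The token labels bound into GCM as associated data, the function names (`BeginImport`, `WrapCustomerKey`, `FinishImport`, `UnwrapForOperation`) and the sample keys are constructed for this example. It shows both sides of the exchange and the property the claims are built around: the service keeps no per-import state, because the private key comes back to it inside the import key token under the domain key, and the customer key is only ever stored as an encrypted key token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Token labels (an added design choice) go into the AEAD as associated data, so a token minted for one purpose is refused for another.
const (
	labelImportToken = "import-key-token"
	labelKeyToken    = "encrypted-key-token"
)

// Service keeps only the domain key (assumed: AES-256-GCM); the private key travels back inside the import key token.
type Service struct{ gcm cipher.AEAD }

func NewService(domainKey []byte) (*Service, error) {
	block, err := aes.NewCipher(domainKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Service{gcm: gcm}, nil
}

// seal encrypts under the domain key; the token is nonce || ciphertext || tag.
func (s *Service) seal(plaintext []byte, label string) ([]byte, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// open reverses seal; it fails on tampering, on a foreign domain key, or on a wrong label.
func (s *Service) open(token []byte, label string) ([]byte, error) {
	if n := s.gcm.NonceSize(); len(token) >= n {
		return s.gcm.Open(nil, token[:n], token[n:], []byte(label))
	}
	return nil, fmt.Errorf("token too short")
}

// BeginImport: generate the pair, wrap the private key under the domain key, hand out the token and public key.
func (s *Service) BeginImport() ([]byte, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	token, err := s.seal(x509.MarshalPKCS1PrivateKey(priv), labelImportToken)
	if err != nil {
		return nil, nil, err
	}
	return token, &priv.PublicKey, nil
}

// WrapCustomerKey is the client side: the customer key leaves the client only under the service's public key (RSA-OAEP/SHA-256, assumed).
func WrapCustomerKey(pub *rsa.PublicKey, customerKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, customerKey, nil)
}

// FinishImport: recover the private key from the token, decrypt the customer key, re-wrap it under the domain key.
func (s *Service) FinishImport(importToken, encCustomerKey []byte) ([]byte, error) {
	privDER, err := s.open(importToken, labelImportToken)
	if err != nil {
		return nil, fmt.Errorf("import key token rejected: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil {
		return nil, err
	}
	customerKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encCustomerKey, nil)
	if err != nil {
		return nil, fmt.Errorf("encrypted customer key rejected: %w", err)
	}
	return s.seal(customerKey, labelKeyToken)
}

// UnwrapForOperation runs per cryptographic operation: the stored token is opened and the key used in memory only.
func (s *Service) UnwrapForOperation(encKeyToken []byte) ([]byte, error) {
	return s.open(encKeyToken, labelKeyToken)
}

func main() {
	svc, _ := NewService([]byte("constructed-32-byte-domain-key!!")) // demo key, 32 bytes
	customerKey := []byte("0123456789abcdef0123456789abcdef")     // constructed 32-byte customer key
	token, pub, _ := svc.BeginImport()
	wrapped, _ := WrapCustomerKey(pub, customerKey)
	keyToken, err := svc.FinishImport(token, wrapped)
	got, _ := svc.UnwrapForOperation(keyToken)
	fmt.Println("import ok:", err == nil && string(got) == string(customerKey))
}
```

Two checks matter when reviewing a design like this. First, the import key token and the encrypted key token are both ciphertexts under the same domain key, so something must keep one from being presented in place of the other; here that is the associated-data label, which GCM authenticates along with the ciphertext. Second, because the service keeps no record of the pair it generated, the token is the only thing that limits how long and how often a given public key can be used for an import; a deployed service would bind an expiry and the requesting customer's identity into the token the same way, which the claims do not address.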