Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network

US 10,325,109 B2
Filed: 09/14/2017
Issued: 06/18/2019
Est. Priority Date: 09/14/2017
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, the method comprising:

receiving, by a management program, identification of a selected cryptographic security module, wherein the selected cryptographic security module is graphically selected by an authorized operator via a graphic user interface, and wherein the selected cryptographic security module contains unique individual symbols that contain references to functions within the selected cryptographic security module, and wherein the selected cryptographic security module is selected from a plurality of mutually exclusive cryptographic security modules;

based on the received identification of the selected cryptographic security module, generating, by the management program, a global configuration file, wherein the global configuration file comprises a field specifying the selected cryptographic security module, and wherein the global configuration file is digitally signed, by the management program, using a private key with a certificate that has been signed in a correct certificate chain, and wherein the global configuration file is in secure/multipurpose internet mail extensions format for digitally signed documents; and

transmitting, by the management program, a notification to an agent program on a client computer, wherein the notification informs the agent program of the generated global configuration file stored in the database, and wherein the notification directs the agent program to enforce the selected cryptographic security module on the client computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment of the invention may include a method, computer program product, and system for securing data. The embodiment may include receiving, by a management program, identification of a selected cryptographic security module. The selected cryptographic security module is graphically selected by an authorized operator via a graphic user interface. The selected cryptographic security module contains unique individual symbols that contain references to functions and is selected from a plurality of mutually exclusive cryptographic security modules. Based on the received identification of the selected cryptographic security module, the embodiment may include generating, by the management program, a global configuration file. The embodiment may include transmitting, by the management program, a notification to an agent program on a client computer. The notification informs the agent program of the generated global configuration file and directs the agent program to enforce the selected cryptographic security module on the client computer.

40 Citations

View as Search Results

17 Claims

1. A method for securing data, the method comprising:
- receiving, by a management program, identification of a selected cryptographic security module, wherein the selected cryptographic security module is graphically selected by an authorized operator via a graphic user interface, and wherein the selected cryptographic security module contains unique individual symbols that contain references to functions within the selected cryptographic security module, and wherein the selected cryptographic security module is selected from a plurality of mutually exclusive cryptographic security modules;
  
  based on the received identification of the selected cryptographic security module, generating, by the management program, a global configuration file, wherein the global configuration file comprises a field specifying the selected cryptographic security module, and wherein the global configuration file is digitally signed, by the management program, using a private key with a certificate that has been signed in a correct certificate chain, and wherein the global configuration file is in secure/multipurpose internet mail extensions format for digitally signed documents; and
  
  transmitting, by the management program, a notification to an agent program on a client computer, wherein the notification informs the agent program of the generated global configuration file stored in the database, and wherein the notification directs the agent program to enforce the selected cryptographic security module on the client computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein selection and identification of the selected cryptographic security module may be passed as a command line argument within a command line interface.
  - 3. The method of claim 1, wherein enforcing the selected cryptographic security module comprises:
    - downloading the generated global configuration file to a local file system on the client computer;
      
      validating the generated global configuration file via a trusted certificate chain; and
      
      loading the selected cryptographic security module on the client computer.
  - 4. The method of claim 3, wherein loading the selected cryptographic security module includes loading the unique individual symbols that contain references to functions within the selected cryptographic security module.
  - 5. The method of claim 1, wherein the notification is implemented via a user datagram protocol message.
  - 6. The method of claim 1, wherein the global configuration file is stored within a database, and wherein the database contains the plurality of mutually exclusive cryptographic security modules.

7. A computer program product for securing data, the computer program product comprising:
- one or more computer-readable tangible storage devices and program instructions stored on at least one of the one or more tangible storage devices, the program instructions comprising;
  
  program instructions to receive, by a management program, identification of a selected cryptographic security module, wherein the selected cryptographic security module is graphically selected by an authorized operator via a graphic user interface, and wherein the selected cryptographic security module contains unique individual symbols that contain references to functions within the selected cryptographic security module, and wherein the selected cryptographic security module is selected from a plurality of mutually exclusive cryptographic security modules;
  
  based on the received identification of the selected cryptographic security module, program instructions to generate, by the management program, a global configuration file, wherein the global configuration file comprises a field specifying the selected cryptographic security module, and wherein the global configuration file is digitally signed, by the management program, using a private key with a certificate that has been signed in a correct certificate chain, and wherein the global configuration file is in secure/multipurpose internet mail extensions format for digitally signed documents; and
  
  program instructions to transmit, by the management program, a notification to an agent program on a client computer, wherein the notification informs the agent program of the generated global configuration file stored in the database, and wherein the notification directs the agent program to enforce the selected cryptographic security module on the client computer.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, wherein selection and identification of the selected cryptographic security module may be passed as a command line argument within a command line interface.
  - 9. The computer program product of claim 7, wherein enforcing the selected cryptographic security module comprises:
    - program instructions to download the generated global configuration file to a local file system on the client computer;
      
      program instructions to validate the generated global configuration file via a trusted certificate chain; and
      
      program instructions to load the selected cryptographic security module on the client computer.
  - 10. The computer program product of claim 9, wherein program instructions to load the selected cryptographic security module include loading the unique individual symbols that contain references to functions within the selected cryptographic security module.
  - 11. The computer program product of claim 7, wherein the notification is implemented via a user datagram protocol message.
  - 12. The computer program product of claim 7, wherein the global configuration file is stored within a database, and wherein the database contains the plurality of mutually exclusive cryptographic security modules.

13. A computer system for securing data, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage devices, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the program instructions comprising;
  
  program instructions to receive, by a management program, identification of a selected cryptographic security module, wherein the selected cryptographic security module is graphically selected by an authorized operator via a graphic user interface, and wherein the selected cryptographic security module contains unique individual symbols that contain references to functions within the selected cryptographic security module, and wherein the selected cryptographic security module is selected from a plurality of mutually exclusive cryptographic security modules;
  
  based on the received identification of the selected cryptographic security module, program instructions to generate, by the management program, a global configuration file, wherein the global configuration file comprises a field specifying the selected cryptographic security module, and wherein the global configuration file is digitally signed, by the management program, using a private key with a certificate that has been signed in a correct certificate chain, and wherein the global configuration file is in secure/multipurpose internet mail extensions format for digitally signed documents; and
  
  program instructions to transmit, by the management program, a notification to an agent program on a client computer, wherein the notification informs the agent program of the generated global configuration file stored in the database, and wherein the notification directs the agent program to enforce the selected cryptographic security module on the client computer.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer system of claim 13, wherein selection and identification of the selected cryptographic security module may be passed as a command line argument within a command line interface.
  - 15. The computer system of claim 13, wherein enforcing the selected cryptographic security module comprises:
    - program instructions to download the generated global configuration file to a local file system on the client computer;
      
      program instructions to validate the generated global configuration file via a trusted certificate chain; and
      
      program instructions to load the selected cryptographic security module on the client computer.
  - 16. The computer system of claim 15, wherein program instructions to load the selected cryptographic security module include loading the unique individual symbols that contain references to functions within the selected cryptographic security module.
  - 17. The computer system of claim 13, wherein the notification is implemented via a user datagram protocol message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Gomez Claros, Jose M., McLachlan, Alan W., Schmidt, Andrew R.
Primary Examiner(s)
Zhao, Don G

Application Number

US15/704,082
Publication Number

US 20190080108A1
Time in Patent Office

642 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/27   Replication, distribution o...

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06Q 20/105   involving programming of a ...

G06Q 20/382   insuring higher security of...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/082   applying multi-factor authe...

H04L 63/205   involving negotiation or de...

H04L 9/3265   using certificate chains, t...

Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links