Transparently scalable virtual hardware security module
First Claim
1. A computer-implemented method, comprising:
under the control of a hardware security module (HSM);
obtaining, from a client computer system, a client identity certificate, the client identity certificate being a digital certificate that comprises a client identity public key, the client identity public key associated with a client identity private key;
generating an instance identity certificate, wherein the instance identity certificate comprises an instance identity public key and is digitally signed by a HSM service key and an HSM manufacturer key, the instance identity public key associated with an instance identity private key;
issuing a certificate signing request that includes the instance identity certificate;
establishing a cryptographically protected communication session with the client computer system;
via the cryptographically protected communication session, obtaining a client instance identity certificate (CIIC), wherein validity of the CIIC is verifiable using at least the client identity public key;
using at least the client identity public key to verify that the CIIC is valid and digitally signed using the client identity private key;
generating an instance application certificate, wherein the instance application certificate comprises an instance application public key and is digitally signed by the instance identity private key, the instance application public key associated with an instance application private key;
making the instance application certificate available via the cryptographically protected communication session;
obtaining a client application certificate, wherein the client application certificate comprises a client application public key and is digitally signed by the client identity private key; and
verifying, using at least the client identity public key, the client application certificate is valid and digitally signed using the client identity private key.
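The signature relationships recited in claim 1, as an added Go sketch that is not taken from the patent. Ed25519, the minimal `Cert` struct and the subject labels are assumptions standing in for the unspecified key type and certificate format, and the HSM service and manufacturer signatures are left out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a simplified stand-in for an X.509 certificate (assumption, not the patent's format).
type Cert struct {
	Subject string
	Pub     ed25519.PublicKey
	Sig     []byte
}

func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue binds pub to subject under the issuer's private key.
func Issue(issuer ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{subject, pub, ed25519.Sign(issuer, tbs(subject, pub))}
}

// Verify reports whether c was signed by the holder of issuerPub.
func Verify(issuerPub ed25519.PublicKey, c Cert) bool {
	return ed25519.Verify(issuerPub, tbs(c.Subject, c.Pub), c.Sig)
}

// Exchange runs the claim's signature checks; ciicSigner is the key that signs the CIIC.
func Exchange(clientID, ciicSigner ed25519.PrivateKey) (ciicOK, clientAppOK, instAppOK bool) {
	clientIDPub := clientID.Public().(ed25519.PublicKey)
	instIDPub, instIDPriv, _ := ed25519.GenerateKey(nil)
	instAppPub, _, _ := ed25519.GenerateKey(nil)
	clientAppPub, _, _ := ed25519.GenerateKey(nil)
	ciic := Issue(ciicSigner, "instance-identity", instIDPub)        // client signs the CSR
	instApp := Issue(instIDPriv, "instance-application", instAppPub) // generated by the HSM
	clientApp := Issue(clientID, "client-application", clientAppPub) // generated by the client
	ciicOK = Verify(clientIDPub, ciic)           // HSM: CIIC signed by client identity key
	clientAppOK = Verify(clientIDPub, clientApp) // HSM: client application certificate
	instAppOK = Verify(ciic.Pub, instApp)        // client: signature by instance identity key
	return
}

func main() {
	_, client, _ := ed25519.GenerateKey(nil)
	_, other, _ := ed25519.GenerateKey(nil)
	fmt.Println(Exchange(client, client)) // all checks pass
	fmt.Println(Exchange(client, other))  // CIIC signed by the wrong key is rejected
}
```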
Abstract
A virtual hardware security module (“HSM”) is used to perform cryptographic operations. The virtual HSM may provision and coordinate requests between one or more HSMs within a fleet of HSMs. A set of cryptographic keys and/or digital certificates may be exchanged between a client and the virtual HSM such that the client and the virtual HSM may communicate with each other via a cryptographically protected communication session. The fleet of HSMs of a virtual HSM may be scaled up or scaled down according to various criteria. Cryptographic key material may be propagated between HSMs of the fleet using a fleet transfer key. Digital certificates may be used to demonstrate that one or more cryptographic keys were generated by a service provider and/or manufacturer.
20 Claims
1. A computer-implemented method, comprising the steps recited under First Claim above.
Dependent claims: 2, 3, 4
5. A non-transitory computer-readable storage medium storing executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
make a client identity certificate available to a virtual hardware security module (HSM), wherein the client identity certificate comprises a client identity public key and is digitally signed by a client identity private key;
obtain a certificate signing request including an instance identity certificate, wherein the instance identity certificate comprises an instance identity public key and is digitally signed by an instance identity private key;
digitally sign the certificate signing request;
provide the digitally signed certificate signing request to the virtual HSM;
obtain an instance application certificate, wherein the instance application certificate comprises an instance application public key and is digitally signed by an instance identity private key; and
verify, using at least the instance identity public key, the instance application certificate is valid and digitally signed using the instance identity private key.
Dependent claims: 6, 7, 8, 9, 10, 11, 12
13. A system, comprising:
one or more processors; and
one or more memories storing instructions that, as a result of execution by the one or more processors, cause the system to;
make a client identity certificate available to a virtual hardware security module (HSM), wherein the client identity certificate comprises a client identity public key and is digitally signed by a client identity private key;
obtain a certificate signing request including an instance identity certificate, wherein the instance identity certificate comprises an instance identity public key and is digitally signed by an instance identity private key;
digitally sign the certificate signing request;
provide the digitally signed certificate signing request to the virtual HSM;
obtain an instance application certificate, wherein the instance application certificate comprises an instance application public key and is digitally signed by an instance identity private key; and
verify, using at least the instance identity public key, the instance application certificate is valid and digitally signed using the instance identity private key.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
Specification