Automatic key rotation
First Claim
1. A computer-implemented method, under control of one or more electronic computer systems configured with one or more processors and memory including executable instructions, comprising:
- tracking use in cryptographic operations of a cryptographic key identified by a key identifier;
- as a result of one or more conditions on the tracked use being fulfilled, at least one of the one or more conditions being that a number of cryptographic operations associated with the cryptographic key exceeds a threshold, and value of the threshold corresponding to the cryptographic key being different from value of threshold corresponding to another cryptographic key;
- obtaining an encrypted object from a security module, the encrypted object encrypted using a symmetric key;
- decrypting the encrypted object using the symmetric key to obtain a new cryptographic key;
- replacing the cryptographic key with the new cryptographic key by associating the new cryptographic key with the key identifier; and
- marking the new cryptographic key as active by updating at least one value stored in the security module; and
- responding to requests specifying the key identifier using the replaced cryptographic key in at least one decryption operation in response to a decryption request specifying the key identifier.
Dependent claims: 2, 3, 4, 5, 6.
Abstract
Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
14 Claims
7. One or more non-transitory computer-readable storage media comprising instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- track usage of a key repeatedly used in cryptographic operations involved in responding to requests specifying a key identifier that identifies the key;
- detect when one or more conditions on the tracked usage require retirement of the key, at least one of the one or more conditions being that the key is associated with exceeding a threshold number of cryptographic operations, and the threshold number allocated to the key indicating a different number from threshold numbers allocated to another set of keys;
- as a result of detecting the one or more conditions requiring retirement of the key;
- obtain an encrypted key from a security module, the encrypted key encrypted using a symmetric key;
- decrypt the encrypted key using the symmetric key to obtain a different key; and
- indicate the key as retired by causing the key to be unusable for encryption operations though usable for decryption operations;
- cause the different key to be associated with the key identifier and used in the cryptographic operations involved in responding to the requests that specify the key identifier; and
- use the key in the decryption operations in response to a decryption request specifying the key identifier.
Dependent claims: 8, 9, 10, 11, 12, 13, 14.
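As an added illustration of the mechanism claimed in claims 1 and 7 (this is not code from the patent or its assignee), the following Python sketch tracks operations per key version, rotates a key that has its own threshold by unwrapping a new key issued by a stand-in security module, records the active version in that module, and keeps the retired version usable for decryption only. The SecurityModule and KeyService classes and the toy XOR keystream cipher are assumptions made for demonstration; a real service would use an AEAD cipher and a hardware security module.

```python
import hashlib, secrets
def keystream_xor(key, nonce, data):
    # Toy XOR stream cipher (assumption: SHA-256 keystream), not a real AEAD.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, ks))

class SecurityModule:
    # Stand-in HSM: wraps new keys under its symmetric key, records active versions.
    def __init__(self):
        self.wrapping_key = secrets.token_bytes(32)
        self.active = {}  # key_id -> index of the active version

    def issue_wrapped_key(self):
        nonce = secrets.token_bytes(12)
        return nonce, keystream_xor(self.wrapping_key, nonce, secrets.token_bytes(32))

class KeyService:
    # Tracks operations per key version; rotates when a per-key threshold is hit.
    def __init__(self, hsm):
        self.hsm, self.versions = hsm, {}  # versions: key_id -> list of version dicts

    def _new_version(self, threshold):
        nonce, wrapped = self.hsm.issue_wrapped_key()  # encrypted object from the HSM
        material = keystream_xor(self.hsm.wrapping_key, nonce, wrapped)  # decrypt it
        return {"material": material, "threshold": threshold, "ops": 0, "retired": False}

    def create_key(self, key_id, threshold):
        self.versions[key_id] = [self._new_version(threshold)]
        self.hsm.active[key_id] = 0

    def _count_use(self, key_id, kv):
        kv["ops"] += 1
        if not kv["retired"] and kv["ops"] > kv["threshold"]:
            kv["retired"] = True  # old version becomes decrypt-only
            self.versions[key_id].append(self._new_version(kv["threshold"]))
            self.hsm.active[key_id] = len(self.versions[key_id]) - 1  # HSM value updated

    def encrypt(self, key_id, plaintext):
        idx = self.hsm.active[key_id]  # only the active version may encrypt
        kv, nonce = self.versions[key_id][idx], secrets.token_bytes(12)
        blob = idx.to_bytes(2, "big") + nonce + keystream_xor(kv["material"], nonce, plaintext)
        self._count_use(key_id, kv)
        return blob

    def decrypt(self, key_id, blob):
        kv = self.versions[key_id][int.from_bytes(blob[:2], "big")]  # version in header
        self._count_use(key_id, kv)  # retired versions still serve decryption
        return keystream_xor(kv["material"], blob[2:14], blob[14:])
```

The two-byte version prefix on each ciphertext is what lets a decryption request that names only the key identifier be routed to the retired version that produced it, while new encryptions go to the active version.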