Key export techniques
First Claim
1. A computer-implemented method, comprising:
selecting a first cryptographic key with an expiration that matches a lifetime specified in a request;
providing, in response to the request, an encrypted second cryptographic key generated by encrypting a second cryptographic key using the first cryptographic key; and
after providing the encrypted second cryptographic key, performing one or more operations to lose information to prevent an ability to obtain the second cryptographic key until another request that includes the encrypted second cryptographic key is later obtained.
Abstract
A computer system performs cryptographic operations as a service. The computer system is configured to allow users of the service to maintain control of their respective cryptographic material. The computer system uses inaccessible cryptographic material to encrypt a user's cryptographic material in a token that is then provided to the user. The user is unable to access a plaintext copy of the cryptographic material in the token, but can provide the token back to the service to cause the service to decrypt and use the cryptographic material.
20 Claims
1. A computer-implemented method, comprising:
selecting a first cryptographic key with an expiration that matches a lifetime specified in a request;
providing, in response to the request, an encrypted second cryptographic key generated by encrypting a second cryptographic key using the first cryptographic key; and
after providing the encrypted second cryptographic key, performing one or more operations to lose information to prevent an ability to obtain the second cryptographic key until another request that includes the encrypted second cryptographic key is later obtained.
Dependent claims: 2, 3, 4
5. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to:
encrypt a cryptographic key using cryptographic material inaccessible outside of a set of hardware devices that each provide hardware protection of the cryptographic material, the cryptographic material including an expiration corresponding to a time after which the cryptographic material becomes inaccessible, the expiration matching a lifetime specified in a request;
provide the encrypted cryptographic key; and
lose access to information to cause the system to be unable to obtain copies of the cryptographic key until another request that includes the encrypted cryptographic key is later obtained.
Dependent claims: 6, 7, 8, 9, 10, 11, 12
13. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
obtain a key token comprising an encrypted copy of a first cryptographic key and information usable to identify a second cryptographic key including an expiration that matches a lifetime specified in a request;
cause access to information usable to determine the first cryptographic key to be lost after the key token is generated until another request that includes the key token is later obtained; and
if the second cryptographic key has not expired, derive the first cryptographic key from the key token and use the derived first cryptographic key to perform one or more cryptographic operations.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
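The three independent claims describe one flow: pick a hardware-protected wrapping key whose expiration matches the lifetime the caller asked for, wrap a data key with it, hand the resulting token back, erase the plaintext so the service itself can no longer recover the data key, and later unwrap the token to perform an operation only while the wrapping key is still valid. The following Go program is an added example modelling that flow; it is not the patent's or any assignee's code. It assumes AES-256-GCM as the wrapping cipher, HMAC-SHA256 as the "cryptographic operation", an injectable clock, and that the wrapping keys stand in for material that would really sit inside an HSM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)
var (
	ErrNoMatchingLifetime = errors.New("no unexpired wrapping key matches the requested lifetime")
	ErrWrappingKeyExpired = errors.New("wrapping key expired: token can no longer be unwrapped")
)
// WrappingKey is the claims' "first cryptographic key": it never leaves the service (assumed HSM-resident) and has a fixed expiration.
type WrappingKey struct {
	ID       uint32
	Lifetime time.Duration
	Expires  time.Time
	aead     cipher.AEAD // AES-256-GCM keyed with the wrapping key material
}
// KeyToken is what the user receives: the wrapped data key and the id of the wrapping key needed to recover it; no plaintext key material.
type KeyToken struct {
	WrappingKeyID  uint32
	Nonce, Wrapped []byte // Wrapped is the GCM ciphertext of the data key plus its tag
}
// Service retains only wrapping keys; plaintext data keys are erased after wrapping.
type Service struct {
	now  func() time.Time // injectable clock so expiry can be exercised deterministically
	keys map[uint32]*WrappingKey
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a key service cannot continue without a working CSPRNG
	}
	return b
}
// keyAAD binds the wrapping-key id into the GCM tag, so a token cannot be re-pointed at another wrapping key.
func keyAAD(id uint32) []byte { return binary.BigEndian.AppendUint32(nil, id) }

// NewService creates one AES-256-GCM wrapping key per supported lifetime.
func NewService(now func() time.Time, lifetimes ...time.Duration) *Service {
	s := &Service{now: now, keys: map[uint32]*WrappingKey{}}
	for i, lt := range lifetimes {
		block, _ := aes.NewCipher(randBytes(32)) // 32 random bytes: a valid AES-256 key
		aead, _ := cipher.NewGCM(block)          // cannot fail for an AES block cipher
		id := uint32(i + 1)
		s.keys[id] = &WrappingKey{ID: id, Lifetime: lt, Expires: now().Add(lt), aead: aead}
	}
	return s
}

// selectWrappingKey is claim 1's first step: the unexpired wrapping key whose lifetime matches the request.
func (s *Service) selectWrappingKey(lifetime time.Duration) (*WrappingKey, error) {
	for _, k := range s.keys {
		if k.Lifetime == lifetime && s.now().Before(k.Expires) {
			return k, nil
		}
	}
	return nil, ErrNoMatchingLifetime
}

// ExportKey generates a fresh data key (the "second cryptographic key"), wraps it, returns the token,
// then erases the plaintext so the service cannot obtain the data key until it is handed the token again.
func (s *Service) ExportKey(lifetime time.Duration) (KeyToken, error) {
	wk, err := s.selectWrappingKey(lifetime)
	if err != nil {
		return KeyToken{}, err
	}
	dataKey, nonce := randBytes(32), randBytes(wk.aead.NonceSize())
	wrapped := wk.aead.Seal(nil, nonce, dataKey, keyAAD(wk.ID))
	clear(dataKey) // "lose information": nothing in the service retains the plaintext
	return KeyToken{WrappingKeyID: wk.ID, Nonce: nonce, Wrapped: wrapped}, nil
}

// unwrap recovers the data key from a token, refusing once the wrapping key has expired.
func (s *Service) unwrap(tok KeyToken) ([]byte, error) {
	k, ok := s.keys[tok.WrappingKeyID]
	if !ok {
		return nil, errors.New("token names a wrapping key this service does not hold")
	}
	if !s.now().Before(k.Expires) {
		return nil, ErrWrappingKeyExpired
	}
	return k.aead.Open(nil, tok.Nonce, tok.Wrapped, keyAAD(k.ID))
}

// MAC is claim 13's "cryptographic operation" (HMAC-SHA256 is an assumed choice); the data key is in plaintext only for this call.
func (s *Service) MAC(tok KeyToken, msg []byte) ([]byte, error) {
	dk, err := s.unwrap(tok)
	if err != nil {
		return nil, err
	}
	defer clear(dk)
	m := hmac.New(sha256.New, dk)
	m.Write(msg)
	return m.Sum(nil), nil
}
```

Two points worth noticing when reading this against the claims: the expiry check happens on the wrapping key, not on the token, so every token wrapped under that key stops being usable at the same moment without the service having to track tokens; and binding the wrapping-key id into the GCM additional data means a token presented with a different id fails authentication instead of being decrypted under the wrong key.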