Cryptographic key distribution
Abstract
An HSM management hub coordinates the distribution and synchronization of cryptographic material across a fleet of connected hardware security modules (“HSMs”). Cryptographic material is exchanged between HSMs in the fleet in a cryptographically protected format. In some examples, the cryptographic material is encrypted using a common fleet key maintained by the HSMs in the fleet. In other examples, the cryptographic material is protected using asymmetric cryptographic keys that are associated with the members of the HSM fleet. The HSM management hub may be used to divide the HSM fleet into subdomains by providing domain keys to subsets of HSMs within the HSM fleet. Cryptographic information that is encrypted with particular domain keys can be distributed across the entire HSM fleet, and restricted to use by authorized HSMs that are in possession of the particular domain keys.
20 Claims
1. A computer-implemented method comprising:
storing, in a first hardware security module, a fleet key that is replicated across a fleet of hardware security modules, and a domain key that is replicated across a subset of hardware security modules in the fleet of hardware security modules;
receiving encrypted cryptographic material, the encrypted cryptographic material encrypted with the domain key and then the fleet key;
decrypting a first portion of the encrypted cryptographic material with at least the fleet key and the domain key;
distributing updated cryptographic material that is cryptographically protected with the fleet key to the fleet of hardware security modules, the first hardware security module being able to access the updated cryptographic material as a result of being able to access the domain key and at least one other hardware security module not being able to access the updated cryptographic material as a result of not being able to access the domain key and storing the updated cryptographic material; and
distributing the updated cryptographic material that is cryptographically protected with the fleet key to a second hardware security module outside the fleet of hardware security modules, where the second hardware security module maintains the updated cryptographic material as a backup for the fleet of hardware security modules, the second hardware security module unable to access the updated cryptographic material in plaintext form as a result of the second hardware security module lacking access to the domain key.
Dependent claims: 2, 3, 4
5. A system, comprising:
one or more processors; and
memory storing computer-executable instructions that, if executed, cause the system to:
synchronize cryptographic material between hardware security modules that are arranged in a fleet of hardware security modules at least by:
retaining a fleet key that is replicated across the fleet of hardware security modules, and a first domain key that is replicated across a subset of hardware security modules in the fleet of hardware security modules;
receiving the cryptographic material in an encrypted format, the cryptographic material encrypted with the fleet key, a first portion of the cryptographic material encrypted with the first domain key;
decrypting the cryptographic material with the fleet key and the first domain key;
distributing updated cryptographic material in a form that is cryptographically protected with the fleet key to the fleet of hardware security modules, the updated cryptographic material being accessible to a first hardware security module in the fleet of hardware security modules with access to the fleet key and inaccessible to at least one other hardware security module in the fleet of hardware security modules without access to the fleet key, the at least one other hardware security module maintaining the updated cryptographic material as a backup;
distributing the updated cryptographic material to at least one hardware security module outside the fleet of hardware security modules; and
using a second hardware security module in the fleet of hardware security modules to back up an encrypted version of the updated cryptographic material to be stored on the second hardware security module, the encrypted version of the updated cryptographic material encrypted with the first domain key in a way that prevents the second hardware security module from being able to access the cryptographic material in a plaintext form as a result of the second hardware security module not being able to access the first domain key.
Dependent claims: 6, 7, 8, 9, 10, 11, 12
13. A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a hardware security module, cause the hardware security module to at least:
retain a fleet key that is replicated across a fleet of hardware security modules, and a domain key that is replicated across a set of hardware security modules in the fleet of hardware security modules;
receive cryptographic material in an encrypted format, the cryptographic material encrypted with the fleet key, a first portion of the cryptographic material encrypted with the domain key, the cryptographic material provided to the hardware security module by a hardware security module management hub that is in communication with the fleet of hardware security modules and based at least in part on the hardware security module retaining the domain key;
decrypt the cryptographic material in the encrypted format with the fleet key and then decrypt the first portion of the cryptographic material in the encrypted format with the domain key to produce a cryptographic key;
perform a cryptographic operation using the cryptographic key;
receive updated cryptographic material from the hardware security module management hub, the updated cryptographic material being an update to the cryptographic material and the hardware security module management hub also providing the updated cryptographic material to at least one other hardware security module outside of the fleet of hardware security modules; and
provide the updated cryptographic material to the fleet of hardware security modules, a first hardware security module of the fleet of hardware security modules able to obtain the updated cryptographic material in plaintext form and a second hardware security module of the fleet of hardware security modules lacking access to the domain key, the updated cryptographic material in a form that is cryptographically protected with the fleet key and the domain key thereby preventing the second hardware security module from obtaining the updated cryptographic material in plaintext form.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
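The two-layer wrapping the abstract and claims 1, 5 and 13 describe (material sealed under the domain key, then under the fleet key, so that only a module holding both keys recovers plaintext while a fleet member without the domain key, or a backup module outside the fleet, can only store the bundle), as an added example that is not code from the patent or from any product it covers. It assumes AES-GCM as the protection scheme; the keys and material are constructed, and `seal`, `open`, `WrapForDomain` and `Unwrap` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal is the hub side: AES-GCM under key with a random nonce prepended.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the hub holds valid constructed keys; failure is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // guaranteed not to fail since Go 1.24
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open is the module side: a key the module does not hold is passed as nil
// and rejected by aes.NewCipher; a wrong key or tampered bundle fails the tag.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("bundle too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// WrapForDomain protects material with the domain key, then the fleet key.
func WrapForDomain(fleetKey, domainKey, material []byte) []byte {
	return seal(fleetKey, seal(domainKey, material))
}

// Unwrap models one HSM. It peels the fleet layer, then the domain layer, so
// a fleet member lacking the domain key stores the bundle but never reads it.
func Unwrap(fleetKey, domainKey, bundle []byte) ([]byte, error) {
	inner, err := open(fleetKey, bundle)
	if err != nil {
		return nil, err
	}
	return open(domainKey, inner)
}
```

A module outside the fleet is modelled by passing nil for both keys; it can hold the bundle as a backup but every attempt to read it fails at the fleet layer.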
Specification