Key generation and rollover

US 10,581,820 B2
Filed: 05/08/2017
Issued: 03/03/2020
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to generate and roll over keys for a key store of a cloud based identity management system that comprises a plurality of services, the generating and rolling over comprising:

generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;

storing the key set in a database table, wherein the database table is a tenant-specific database table associated with a tenancy identifier;

storing the key set in a memory cache associated with the database table, wherein the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and

at the current key expiration time, rolling over the key set to generate a rolled over key set, including;

retrieving the key set from the database table;

updating the previous key and the previous key expiration time with the current key and the current key expiration time;

updating the current key and the current key expiration time with the next key and the next key expiration time;

generating a new key and a new key expiration time;

updating the next key and the next key expiration time with the new key and the new key expiration time;

storing the rolled over key set in the database table;

determining if the key set was successfully rolled over; and

when the key set was determined to be successfully rolled over, storing the rolled over key set in the memory cache;

in response to a request from a client application to retrieve a key set, the request including the tenancy identifier, providing the key set, including the previous key and the previous key expiration time, the current key and the current key expiration time, and the next key and the next key expiration time, to the client application, wherein the client application comprises one of the plurality of services;

when the request from the client application to retrieve the key set is received during the rolling over the key set and before the key set was determined to be successfully rolled over, retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Key generation and roll over is provided for a cloud based identity management system. A key set is generated that includes a previous key and expiration time, a current key and expiration time, and a next key and expiration time, and stores the key set in a database table and a memory cache associated with the database table. At the current key expiration time, the key set is rolled over, including retrieving the key set from the database table, updating the previous key and expiration time with the current key and expiration time, updating the current key and expiration time with the next key and expiration time, generating a new key and expiration time, updating the next key and expiration time with the new key and expiration time, and updating the key set in the database table and the memory cache.

332 Citations

20 Claims

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to generate and roll over keys for a key store of a cloud based identity management system that comprises a plurality of services, the generating and rolling over comprising:
- generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;
  
  storing the key set in a database table, wherein the database table is a tenant-specific database table associated with a tenancy identifier;
  
  storing the key set in a memory cache associated with the database table, wherein the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and
  
  at the current key expiration time, rolling over the key set to generate a rolled over key set, including;
  
  retrieving the key set from the database table;
  
  updating the previous key and the previous key expiration time with the current key and the current key expiration time;
  
  updating the current key and the current key expiration time with the next key and the next key expiration time;
  
  generating a new key and a new key expiration time;
  
  updating the next key and the next key expiration time with the new key and the new key expiration time;
  
  storing the rolled over key set in the database table;
  
  determining if the key set was successfully rolled over; and
  
  when the key set was determined to be successfully rolled over, storing the rolled over key set in the memory cache;
  
  in response to a request from a client application to retrieve a key set, the request including the tenancy identifier, providing the key set, including the previous key and the previous key expiration time, the current key and the current key expiration time, and the next key and the next key expiration time, to the client application, wherein the client application comprises one of the plurality of services;
  
  when the request from the client application to retrieve the key set is received during the rolling over the key set and before the key set was determined to be successfully rolled over, retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable medium of claim 1, wherein:
    - the plurality of services comprise a Cloud Gate service and a Single Sign On (SSO) service that creates symmetric keys to encrypt/decrypt Hypertext Transfer Protocol (HTTP) cookies.
  - 3. The computer-readable medium of claim 1, wherein the request includes a client identifier, and the generating and rolling over further comprises:
    - prior to retrieving the key set, determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier.
  - 4. The computer-readable medium of claim 1, wherein the new key expiration time includes a baseline expiration time and a random delta expiration time.
  - 5. The computer-readable medium of claim 4, wherein the key set is a cloud gate key set, the baseline expiration time is 12 hours and the random delta expiration time is between 1 second and 600 seconds.
  - 6. The computer-readable medium of claim 1, wherein the previous, current and next keys are symmetric keys.
  - 7. The computer-readable medium of claim 1, wherein the previous, current and next keys are asymmetric key pairs that include a first key to encrypt data and a second key to decrypt data.
  - 8. The computer-readable medium of claim 1, wherein during said rolling over the key set, the generating and rolling over further comprises:
    - prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over; and
      
      after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.
  - 9. The computer-readable medium of claim 8, wherein during said rolling over the key set, the generating and rolling over further comprises:
    - after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period.
  - 10. The computer-readable medium of claim 1, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

11. A method for generating and rolling over keys for a key store of a cloud based identity management system that comprises a plurality of services, the method comprising:
- generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;
  
  storing the key set in a database table, wherein the database table is a tenant-specific database table associated with a tenancy identifier;
  
  storing the key set in a memory cache associated with the database table, wherein the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and
  
  at the current key expiration time, rolling over the key set to generate a rolled over key set, including;
  
  retrieving the key set from the database table;
  
  updating the previous key and the previous key expiration time with the current key and the current key expiration time;
  
  updating the current key and the current key expiration time with the next key and the next key expiration time;
  
  generating a new key and a new key expiration time;
  
  updating the next key and the next key expiration time with the new key and the new key expiration time;
  
  storing the rolled over key set in the database table;
  
  determining if the key set was successfully rolled over; and
  
  when the key set was determined to be successfully rolled over, storing the rolled over key set in the memory cache;
  
  in response to a request from a client application to retrieve a key set, the request including the tenancy identifier, providing the key set, including the previous key and the previous key expiration time, the current key and the current key expiration time, and the next key and the next key expiration time, to the client application, wherein the client application comprises one of the plurality of services;
  
  when the request from the client application to retrieve the key set is received during the rolling over the key set and before the key set was determined to be successfully rolled over, retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein:
    - the plurality of services comprise a Cloud Gate service and a Single Sign On (SSO) service that creates symmetric keys to encrypt/decrypt Hypertext Transfer Protocol (HTTP) cookies;
      
      during said rolling over the key set, further comprising;
      
      receiving, over a network, the request from the client application to retrieve the key set, the request including a client identifier and the tenancy identifier;
      
      determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier;
      
      if the client identifier is authorized;
      
      retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier.
  - 13. The method of claim 11, wherein:
    - the key set is a cloud gate key set;
      
      the new key expiration time includes a baseline expiration time and a random delta expiration time;
      
      the baseline expiration time is 12 hours; and
      
      the random delta expiration time is between 1 second and 600 seconds.
  - 14. The method of claim 11, wherein, during said rolling over the key set, further comprising:
    - prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over;
      
      after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, a last updated time of the current key and a predetermined time period; and
      
      after updating the key set in the database table, updating the last updated time of the current key and releasing the lock on the key set.
  - 15. The method of claim 14, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and the last updated time of the current key is more than a predetermined time period.

16. A system comprising a server, coupled to a network, including a processor coupled to a memory storing instructions that, when executed by the processor, cause the processor to generate and roll-over keys for a key store of a cloud based identity management system that comprises a plurality of services, the generating and rolling over comprising:
- generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;
  
  storing the key set in a database table, wherein the database table is a tenant-specific database table associated with a tenancy identifier;
  
  storing the key set in a memory cache associated with the database table, wherein the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and
  
  at the current key expiration time, rolling over the key set to generate a rolled over key set, including;
  
  retrieving the key set from the database table;
  
  updating the previous key and the previous key expiration time with the current key and the current key expiration time;
  
  updating the current key and the current key expiration time with the next key and the next key expiration time;
  
  generating a new key and a new key expiration time;
  
  updating the next key and the next key expiration time with the new key and the new key expiration time;
  
  storing the rolled over key set in the database table;
  
  determining if the key set was successfully rolled over; and
  
  when the key set was determined to be successfully rolled over, storing the rolled over key set in the memory cache;
  
  in response to a request from a client application to retrieve a key set, the request including the tenancy identifier, providing the key set, including the previous key and the previous key expiration time, the current key and the current key expiration time, and the next key and the next key expiration time, to the client application, wherein the client application comprises one of the plurality of services;
  
  when the request from the client application to retrieve the key set is received during the rolling over the key set and before the key set was determined to be successfully rolled over, retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein:
    - the plurality of services comprise a Cloud Gate service and a Single Sign On (SSO) service that creates symmetric keys to encrypt/decrypt Hypertext Transfer Protocol (HTTP) cookies;
      
      during said rolling over the key set, further comprising;
      
      receiving, over a network, the request from the client application to retrieve the key set, the request including a client identifier and the tenancy identifier;
      
      determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier;
      
      if the client identifier is authorized;
      
      retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier.
  - 18. The system of claim 16, wherein:
    - the key set is a cloud gate key set;
      
      the new key expiration time includes a baseline expiration time and a random delta expiration time;
      
      the baseline expiration time is 12 hours; and
      
      the random delta expiration time is between 1 second and 600 seconds.
  - 19. The system of claim 16, wherein, during said rolling over the key set, further comprising:
    - prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over;
      
      after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period; and
      
      after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.
  - 20. The system of claim 19, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Keshava, Rakesh, Katti, Sreedhar, Vepa, Sirish, Lander, Vadim, Mishra, Prateek
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Mahmoudi, Rodman Alexander

Application Number

US15/589,133
Publication Number

US 20170331802A1
Time in Patent Office

1,030 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Key generation and rollover

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

332 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Key generation and rollover

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

332 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others