Key management
Abstract
Disclosed is a mechanism, method and apparatus for providing cryptographic key management. In one example, a cryptographic key management system (100′) includes a plurality of processing mechanisms (140) for receiving data to be signed according to one or more signing cryptographic keys. Each processing mechanism (140) is coupled to one or more respective cryptographic key modules, such as a hardware security module (146) configured to store the cryptographic key(s). A network configuration database (144) is accessible by each processing mechanism (140) and stores information identifying the cryptographic key(s) stored in the cryptographic key modules (146).

41 Claims

1. A cryptographic key management mechanism operable to initiate the application of a cryptographic key to corresponding complementary data in a cryptographic key module, wherein the cryptographic key management mechanism is configured to:
    receive the complementary data;
    retrieve information corresponding to an encrypted form of the cryptographic key from a network configuration database; and
    dispatch the complementary data and the information corresponding to the encrypted form of the cryptographic key to the cryptographic key module.
    (Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16, 17, 18, 19)

2. A cryptographic key management mechanism for distributing cryptographic keys in a network, wherein the cryptographic key management mechanism is configured to receive an encrypted cryptographic key from a cryptographic key module and to store information corresponding to the encrypted cryptographic key in a network configuration database.

13. A computer program product on a carrier medium, said computer program product including program code operable to:
    retrieve an encrypted cryptographic key from a cryptographic key module; and
    store information corresponding to the encrypted cryptographic key in a network configuration database.
    (Dependent claims: 15)

14. A computer program product on a carrier medium, said computer program product including program code operable to:
    retrieve complementary data associated with a cryptographic key;
    retrieve information corresponding to an encrypted form of the cryptographic key from a network configuration database; and
    dispatch the complementary data and the information corresponding to the encrypted form of the cryptographic key to a cryptographic key module.

20. A method of distributing cryptographic keys in a network, including:
    receiving an encrypted cryptographic key from a cryptographic key module; and
    storing information corresponding to the encrypted cryptographic key in a network configuration database.
    (Dependent claims: 21, 22, 23)

24. A method of initiating the application of a cryptographic key to corresponding complementary data in a cryptographic key module, including:
    receiving the complementary data;
    retrieving information corresponding to an encrypted form of the cryptographic key from a network configuration database; and
    dispatching the complementary data and the information corresponding to the encrypted form of the cryptographic key to the cryptographic key module.
    (Dependent claims: 25, 26, 27)

28. A network configuration database configured to store information corresponding to encrypted forms of one or more cryptographic keys in a cryptographic key management system.

34. A cryptographic key management system for certifying data received in a message from a message source, each message including an identifier identifying a signer and a digital signature, the cryptographic key management system including:
    a plurality of data processing mechanisms each operably coupled to at least one respective hardware security module;
    a network configuration database operably coupled to each of the data processing mechanisms, the network configuration database storing information corresponding to at least one private cryptographic key stored by one or more of the hardware security modules;
    an application database storing public encryption cryptographic keys operably coupled to each of the data processing mechanisms; and
    a request distribution mechanism operable to dispatch the data to be signed to a selected one of the data processing mechanisms according to load balancing criteria;
    wherein the selected data processing mechanism is operable to verify the digital signature by decrypting the digital signature using a public encryption cryptographic key stored in the application database corresponding to the signer, and conditional on the signature being valid, to dispatch the data to be certified to a respective hardware security module for signing in the respective hardware security module using a certifying private cryptographic key.

35. A method of signing data received in a message from a message source in a network, the message including an identifier identifying a signer and a digital signature, the method including:
    dispatching the message from a request distribution mechanism to a selected one of a plurality of data processing mechanisms according to load balancing criteria;
    receiving the message at the selected data processing mechanism, the selected data processing mechanism being operably coupled to at least one hardware security module;
    verifying that the digital signature belongs to the signer by checking the digital signature using a public cryptographic key corresponding to the identifier identifying the signer held in an application database, conditional that there is such a public cryptographic key;
    determining a private cryptographic key to use for signing content of the message, conditional that the digital signature is positively verified;
    accessing a network configuration database to determine information corresponding to the private cryptographic key to be used for signing; and
    dispatching the data to be signed and the information corresponding to the private cryptographic key to a respective hardware security module for signing in the hardware security module using the private cryptographic key.

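Claims 2 and 20 (the module exports an encrypted key, the key manager records it in the network configuration database) and claims 34 and 35 (a request is load-balanced to a processing node, the requester's signature is checked against the application database, and only then are the data and the wrapped key dispatched to the module for signing) describe one end-to-end flow. The Go program below is an added illustration of that flow; it is not code from the patent or from any product. It assumes AES-256-GCM wrapping under a module master key, Ed25519 for both the requester's and the certifying signatures, round-robin as the load-balancing criterion, and constructed identifiers such as "cert-key-1"; the property worth noticing is that the processing node and the database only ever handle the wrapped blob, and that a module provisioned with a different master key, or a blob reused under another key ID, cannot produce a signature.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// HSM stands in for the cryptographic key module. Its master key never leaves it: private
// keys leave only AES-256-GCM-wrapped, and a pool provisioned with one master key shares blobs.
type HSM struct{ aead cipher.AEAD }

func NewHSM(master []byte) (*HSM, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &HSM{aead: aead}, err
}

// GenerateKey makes an Ed25519 key pair inside the module and returns the public key plus
// the wrapped private key: the "encrypted form of the key" that the key manager stores in
// the network configuration database (claims 2 and 20).
func (h *HSM) GenerateKey(keyID string) (ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// keyID is bound as associated data, so a blob cannot be replayed under another key ID.
	return pub, h.aead.Seal(nonce, nonce, priv, []byte(keyID)), nil
}

// Sign unwraps the blob and signs data. A blob wrapped under a different master key, or
// tampered with in the database, fails GCM authentication and no signature is produced.
func (h *HSM) Sign(keyID string, blob, data []byte) ([]byte, error) {
	ns := h.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("malformed key blob")
	}
	priv, err := h.aead.Open(nil, blob[:ns], blob[ns:], []byte(keyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), data), nil
}

// Message is a certification request: signer ID, data, and the signer's signature over it.
type Message struct{ SignerID string; Data, Signature []byte }
type ConfigDB map[string][]byte         // network configuration database: key ID -> wrapped key
type AppDB map[string]ed25519.PublicKey // application database: signer ID -> public key

// Node is one data processing mechanism: its own module plus the shared databases.
type Node struct{ HSM *HSM; Config ConfigDB; App AppDB }

// Certify follows claim 35: verify the requester against the application database, fetch
// the wrapped certifying key, and dispatch data plus blob; the node never sees the plaintext key.
func (n *Node) Certify(msg Message, keyID string) ([]byte, error) {
	pub, ok := n.App[msg.SignerID]
	if !ok {
		return nil, errors.New("unknown signer")
	}
	if !ed25519.Verify(pub, msg.Data, msg.Signature) {
		return nil, errors.New("request signature invalid")
	}
	blob, ok := n.Config[keyID]
	if !ok {
		return nil, errors.New("no such certifying key")
	}
	return n.HSM.Sign(keyID, blob, msg.Data)
}

var rr int // round-robin cursor: the load-balancing criterion used in this example

// Dispatch is the request distribution mechanism: each request goes to the next node in turn.
func Dispatch(nodes []*Node, msg Message, keyID string) ([]byte, error) {
	if len(nodes) == 0 {
		return nil, errors.New("no processing nodes")
	}
	n := nodes[rr%len(nodes)]
	rr++
	return n.Certify(msg, keyID)
}

func main() {
	master := make([]byte, 32) // constructed; a real module generates and guards this itself
	rand.Read(master)
	hsm, _ := NewHSM(master)
	pub, blob, _ := hsm.GenerateKey("cert-key-1")
	fmt.Printf("public key %x, wrapped private key %d bytes\n", pub, len(blob))
}
```

Binding the key ID as GCM associated data is the detail that turns "information corresponding to the encrypted key" into something the database can hold safely: an operator who can edit the configuration database can delete a blob or swap one for another, but cannot make a module sign under a key ID the blob was not wrapped for.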
36. A key manager for initiating the application of a key to corresponding complementary data in a key module, wherein the key manager comprises:
    means for receiving the complementary data;
    means for retrieving information corresponding to an encrypted form of the key from a network configuration database; and
    means for dispatching the complementary data and the information corresponding to the encrypted form of the key to the key module.

37. A key manager for distributing keys in a network, wherein the key manager comprises means for receiving an encrypted key from a key module and means for storing information corresponding to the encrypted key in a network configuration database.

38. A method of distributing keys in a network, including:
    the step of receiving an encrypted key from a key module; and
    the step of storing information corresponding to the encrypted key in a configuration database.

39. A method of initiating the application of a key to corresponding complementary data in a key module, including:
    the step of receiving the complementary data;
    the step of retrieving information corresponding to an encrypted form of the key from a database; and
    the step of dispatching the complementary data and the information corresponding to the encrypted form of the key to the key module.

40. A key management system for certifying data received in a message from a message source, each message including an identifier identifying a signer and a digital signature, the key management system including:
    a plurality of data processing means each coupled to at least one respective hardware security module means;
    a configuration database means operably coupled to each of the data processing means, the configuration database means storing information corresponding to at least one private key stored by one or more of the hardware security module means;
    an application database means storing public encryption keys operably coupled to each of the data processing means; and
    a request distribution means for dispatching the data to be signed to a selected one of the data processing means according to load balancing criteria;
    wherein the selected data processing means is operable to verify the digital signature by decrypting the digital signature using a public encryption key stored in the application database means corresponding to the signer, and conditional on the signature being valid, to dispatch the data to be certified to a respective hardware security module means for signing in the respective hardware security module means using a certifying private key.

41. A method of signing data received in a message from a message source in a network, the message including an identifier identifying a signer and a digital signature, the method including:
    the step of dispatching the message from a request distribution means to a selected one of a plurality of data processing means according to load balancing criteria;
    the step of receiving the message at the selected data processing means, the selected data processing means being operably coupled to at least one hardware security module;
    the step of verifying that the digital signature belongs to the signer by checking the digital signature using a public key corresponding to the identifier identifying the signer held in an application database, conditional that there is such a public key;
    the step of determining a private key to use for signing content of the message, conditional that the digital signature is positively verified;
    the step of accessing a configuration database to determine information corresponding to the private key to be used for signing; and
    the step of dispatching the data to be signed and the information corresponding to the private key to a respective hardware security module for signing in the hardware security module using the private key.