Key management

US 20040039925A1
Filed: 01/21/2003
Published: 02/26/2004
Est. Priority Date: 01/18/2002
Status: Abandoned Application

First Claim

Patent Images

1. A cryptographic key management mechanism operable to initiate the application of a cryptographic key to corresponding complementary data in a cryptographic key module, wherein the cryptographic key management mechanism is configured to:

receive the complementary data;

retrieve information corresponding to an encrypted form of the cryptographic key from a network configuration database; and

dispatch the complementary data and the information corresponding to the encrypted form of the cryptographic key to the cryptographic key module.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a mechanism, method and apparatus for providing cryptographic key management. In one example, a cryptographic key management system (100′) includes a plurality of processing mechanisms (140) for receiving data to be signed according one or more signing cryptographic keys. Each processing mechanism (140) is coupled to one or more respective cryptographic key modules, such as a hardware security module (146) configured to store the cryptographic key(s). A network configuration database (144) is accessible by each processing mechanism (140) and stores information identifying the cryptographic key(s) stored in the cryptographic key modules (146).

Citations

41 Claims

1. A cryptographic key management mechanism operable to initiate the application of a cryptographic key to corresponding complementary data in a cryptographic key module, wherein the cryptographic key management mechanism is configured to:
- receive the complementary data;
  
  retrieve information corresponding to an encrypted form of the cryptographic key from a network configuration database; and
  
  dispatch the complementary data and the information corresponding to the encrypted form of the cryptographic key to the cryptographic key module.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16, 17, 18, 19)
- - 3. The cryptographic key management mechanism of claim 1, wherein the cryptographic key is a private cryptographic key of a private/public cryptographic key pair.
  - 4. The cryptographic key management mechanism of claim 1, wherein the information corresponding to the encrypted cryptographic key includes the encrypted cryptographic key itself.
  - 5. The cryptographic key management mechanism of claim 1, wherein the information corresponding to the encrypted cryptographic key includes one or more tokens that identify the cryptographic key in the cryptographic key module.
  - 6. The cryptographic key management mechanism of claim 1, wherein the cryptographic key module is a hardware security module.
  - 7. The cryptographic key management mechanism of claim 6, wherein the cryptographic key is encrypted and/or decrypted using a wrapping cryptographic key in the hardware security module.
  - 8. The cryptographic key management mechanism of claim 1, wherein the cryptographic key management mechanism is further configured to maintain at least one configuration version indicator indicating which version of the network configuration database is to be used.
  - 9. The cryptographic key management mechanism of claim 1, wherein the cryptographic key management mechanism is further configured to retrieve the information corresponding to an encrypted form of the cryptographic key from the network configuration database dependent upon a configuration version indicator.
  - 10. An application server including the cryptographic key management mechanism according to claim 1.
  - 11. A program element including program code operable to implement the cryptographic key management mechanism according to claim 1.
  - 12. A computer program product on a carrier medium, said computer program product including the program element of claim 11.
  - 16. A cryptographic key management system for managing cryptographic key distribution and application in a network, including:
    - a plurality of processing mechanisms configured to provide an application server according to claim 10 and operably coupled to at least one associated cryptographic key module; and
      
      a network configuration database operably coupled to the processing mechanisms for storing information corresponding to at least one encrypted cryptographic key.
  - 17. The cryptographic key management system of claim 16, further including an application database operably coupled to the processing mechanisms for storing user information and/or complementary information corresponding to said at least one encrypted cryptographic key.
  - 18. The cryptographic key management system of claim 16, wherein said at least one cryptographic key module includes at least one respective hardware security module.
  - 19. The cryptographic key management system of claim 16, further including a request distribution mechanism configured to distribute messages among the plurality of processing mechanisms.

2. A cryptographic key management mechanism for distributing cryptographic keys in a network, wherein the cryptographic key management mechanism is configured to receive an encrypted cryptographic key from a cryptographic key module and to store information corresponding to the encrypted cryptographic key in a network configuration database.

13. A computer program product on a carrier medium, said computer program product including program code operable to:
- retrieve an encrypted cryptographic key from a cryptographic key module; and
  
  store information corresponding to the encrypted cryptographic key in a network configuration database.
- View Dependent Claims (15)
- - 15. The computer program product of claim 13, wherein the carrier medium includes a one of the following set of media:
    - a radio-frequency signal, an optical signal, an electronic signal, a magnetic disc or tape, solid-state memory, an optical disc, a magneto-optical disc, a compact disc and a digital versatile disc.

14. A computer program product on a carrier medium, said computer program product including program code operable to:
- retrieve complementary data associated with a cryptographic key;
  
  retrieve information corresponding to an encrypted form of the cryptographic key from a network configuration database; and
  
  dispatch the complementary data and the information corresponding to the encrypted form of the cryptographic key to a cryptographic key module.

20. A method of distributing cryptographic keys in a network, including receiving an encrypted cryptographic key from a cryptographic key module;
- and storing information corresponding to the encrypted cryptographic key in a network configuration database.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, wherein storing information corresponding to the encrypted cryptographic key includes storing the encrypted cryptographic key itself.
  - 22. The method of claim 20, wherein storing information corresponding to the encrypted cryptographic key includes storing one or more tokens that identify the cryptographic key in the cryptographic key module.
  - 23. The method of claim 20, including updating a configuration version indicator in the network configuration database.

24. A method of initiating the application of a cryptographic key to corresponding complementary data in a cryptographic key module, including:
- receiving the complementary data;
  
  retrieving information corresponding to an encrypted form of the cryptographic key from a network configuration database; and
  
  dispatching the complementary data and the information corresponding to the encrypted form of the cryptographic key to the cryptographic key module.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein retrieving information corresponding to the encrypted form of the cryptographic key includes retrieving the encrypted cryptographic key from the network configuration database.
  - 26. The method of claim 24, wherein retrieving information corresponding to the encrypted form of the cryptographic key includes retrieving an identifier that identifies the cryptographic key in the cryptographic key module.
  - 27. The method of claim 24, wherein retrieving the information corresponding to the encrypted form of the cryptographic key from the network configuration database is dependant upon a configuration version indicator.

28. A network configuration database configured to store information corresponding to encrypted forms of one or more cryptographic keys in a cryptographic key management system.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The network configuration database of claim 28, wherein the cryptographic keys are private cryptographic keys of private/public cryptographic keys pairs.
  - 30. The network configuration database of claim 28, wherein the information corresponding to the encrypted cryptographic key includes the encrypted cryptographic key itself.
  - 31. The network configuration database of claim 28, wherein the information corresponding to the encrypted cryptographic key includes one or more tokens that identify cryptographic keys in cryptographic key modules.
  - 32. The network configuration database of claim 28, wherein the cryptographic keys are encrypted using a wrapping cryptographic key accessible by a plurality of hardware security modules.
  - 33. The network configuration database of claim 28, further including one or more version configurations.

34. A cryptographic key management system for certifying data received in a message from a message source, each message including an identifier identifying a signer and a digital signature, the cryptographic key management system including:
- a plurality of data processing mechanisms each operably coupled to at least one respective hardware security module;
  
  a network configuration database operably coupled to each of the data processing mechanisms, the network configuration database storing information corresponding to at least one private cryptographic key stored by one or more of the hardware security modules;
  
  an application database storing public encryption cryptographic keys operably coupled to each of the data processing mechanisms; and
  
  a request distribution mechanism operable to dispatch the data to be signed to a selected one of the data processing mechanisms according to load balancing criteria;
  
  wherein the selected data processing mechanism is operable to verify the digital signature by decrypting the digital signature using a public encryption cryptographic key stored in the application database corresponding to the signer, and conditional on the signature being valid, to dispatch the data to be certified to a respective hardware security module for signing in the respective hardware security module using a certifying private cryptographic key.

35. A method of signing data received in a message from a message source in a network, the message including an identifier identifying a signer and a digital signature, the method including:
- dispatching the message from a request distribution mechanism to a selected one of a plurality of data processing mechanisms according to load balancing criteria;
  
  receiving the message at the selected data processing mechanism, the selected data processing mechanism being operably coupled to at least one hardware security module;
  
  verifying that the digital signature belongs to the signer by checking the digital signature using a public cryptographic key corresponding to the identifier identifying the signer held in an application database, conditional that there is such a public cryptographic key;
  
  determining a private cryptographic key to use for signing content of the message, conditional that the digital signature is positively verified;
  
  accessing a network configuration database to determine information corresponding to the private cryptographic key to be used for signing; and
  
  dispatching the data to be signed and the information corresponding to the private cryptographic key to a respective hardware security module for signing in the hardware security module using the private cryptographic key.

36. A key manager for initiating the application of a key to corresponding complementary data in a key module, wherein the key manager comprises:
- means for receiving the complementary data;
  
  means for retrieving information corresponding to an encrypted form of the key from a network configuration database; and
  
  means for dispatching the complementary data and the information corresponding to the encrypted form of the key to the key module.

37. A key manager for distributing keys in a network, wherein the key manager comprises means for receiving an encrypted key from a key module and means for storing information corresponding to the encrypted key in a network configuration database.

38. A method of distributing keys in a network, including:
- the step of receiving an encrypted key from a key module; and
  
  the step of storing information corresponding to the encrypted key in a configuration database.

39. A method of initiating the application of a key to corresponding complementary data in a key module, including:
- the step of receiving the complementary data;
  
  the step of retrieving information corresponding to an encrypted form of the key from a database; and
  
  the step of dispatching the complementary data and the information corresponding to the encrypted form of the key to the key module.

40. A key management system for certifying data received in a message from a message source, each message including an identifier identifying a signer and a digital signature, the key management system including:
- a plurality of data processing means each coupled to at least one respective hardware security module means;
  
  a configuration database means operably coupled to each of the data processing means, the configuration database means storing information corresponding to at least one private key stored by one or more of the hardware security module means;
  
  an application database means storing public encryption keys operably coupled to each of the data processing means; and
  
  a request distribution means for dispatching the data to be signed to a selected one of the data processing means according to load balancing criteria;
  
  wherein the selected data processing means is operable to verify the digital signature by decrypting the digital signature using a public encryption key stored in the application database means corresponding to the signer, and conditional on the signature being valid, to dispatch the data to be certified to a respective hardware security module means for signing in the respective hardware security module means using a certifying private key.

41. A method of signing data received in a message from a message source in a network, the message including an identifier identifying a signer and a digital signature, the method including:
- the step of dispatching the message from a request distribution means to a selected one of a plurality of data processing means according to load balancing criteria;
  
  the step of receiving the message at the selected data processing means, the selected data processing means being operably coupled to at least one hardware security module;
  
  the step of verifying that the digital signature belongs to the signer by checking the digital signature using a public key corresponding to the identifier identifying the signer held in an application database, conditional that there is such a public key;
  
  the step of determining a private key to use for signing content of the message, conditional that the digital signature is positively verified;
  
  the step of accessing a configuration database to determine information corresponding to the private key to be used for signing; and
  
  the step of dispatching the data to be signed and the information corresponding to the private key to a respective hardware security module for signing in the hardware security module using the private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Craig Mcmillan, David Turvey, Simon Birt
Original Assignee
Craig Mcmillan, David Turvey, Simon Birt
Inventors
McMillan, Craig, Birt, Simon, Turvey, David

Application Number

US10/348,209
Publication Number

US 20040039925A1
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0897   involving additional device...

Key management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Key management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links