Cryptographic key backup and escrow system
Abstract
A system for securely storing application keys is comprised of a database system, a peripheral hardware security module and cryptographic keys, wherein cryptographic keys comprise application keys, intermediate keys and a master key. Application keys are grouped according to characteristic and are associated with a particular intermediate key, which is utilized to scramble and descramble application keys within the associated group. Intermediate keys are associated with the master key, which is utilized to scramble and descramble the intermediate keys. Scrambling and descrambling of keys is performed within the peripheral hardware security module.
171 Citations
46 Claims
1. In a networked computer system, a method for verifying an encrypted cryptographic key, comprising:
(a) providing a lower-level cryptographic key;
(b) providing a higher-level cryptographic key having an encryption portion and a verification portion;
(c) utilizing the encryption portion of the higher-level cryptographic key, encrypting the lower-level cryptographic key;
(d) utilizing the verification portion of the higher-level cryptographic key, generating a verification tag for storing with the encrypted lower-level cryptographic key; and
(e) utilizing the verification portion of the higher-level cryptographic key, verifying the integrity of the encrypted lower-level cryptographic key by examining the verification tag stored with the encrypted lower-level cryptographic key.
Dependent claims: 2-7.
8. In a key management system, a method of accessing at least a portion of an encrypted cryptographic key, comprising:
(a) providing a lower-level cryptographic key and a higher-level cryptographic key, at least the lower-level cryptographic key having an encryption portion and a verification portion;
(b) utilizing at least a first portion of the higher-level cryptographic key, encrypting the encryption portion and verification portion of the lower-level cryptographic key, wherein the encryption portion is encrypted independently of the verification portion; and
(c) utilizing the at least first portion of the higher-level cryptographic key, decrypting the encrypted verification portion of the lower-level cryptographic key independently of decrypting the encrypted encryption portion of the lower-level cryptographic key.
Dependent claims: 9-19.
20. In a networked computer system, a method for managing stored cryptographic keys, comprising:
(a) receiving a plurality of lower-level cryptographic keys and higher-level cryptographic keys and storing them in a database system;
(b) in the database system, organizing the lower-level cryptographic keys into groups according to a defined characteristic;
(c) after organizing the keys, receiving a new lower-level cryptographic key and sorting the new lower-level cryptographic key into groups according to a corresponding characteristic of the new lower-level cryptographic key; and
(d) designating a separate higher-level cryptographic key for performing scrambling and descrambling processes on lower-level cryptographic keys within each group.
Dependent claims: 21-26.
27. In a networked computer system, a method for managing and maintaining security of cryptographic keys, comprising:
(a) providing a lower-level cryptographic key and a higher-level cryptographic key;
(b) utilizing the higher-level cryptographic key to encrypt the lower-level cryptographic key; and
(c) rotating the higher-level cryptographic key, wherein rotating includes refreshing the higher-level cryptographic key, decrypting the lower-level cryptographic key with the higher-level cryptographic key and re-encrypting the lower-level cryptographic key with the new higher-level cryptographic key without altering the clear form of the lower-level cryptographic key.
Dependent claims: 28-31.
32. A secure key escrow system for application keys within a networked computer system, comprising:
(a) a collection of key data, the key data including a plurality of application keys, at least one level of intermediate keys and a master key, the application keys for use in facilitating secure communication in the networked computer system, wherein each application key is encrypted using a key from the lowest of the at least one level of intermediate keys, and each key in the highest of the at least one level of intermediate keys is encrypted using the master key;
(b) a cryptographic key database system that stores the encrypted application keys and each key from at least the lowest level of intermediate keys;
(c) a server computer communicatively connected into the networked computer system and arranged to provide application keys from the database system to other computers in the networked computer system; and
(d) a peripheral hardware security module communicatively connected to the server computer that encrypts each application key using a key from the lowest level of the at least one level of intermediate keys and encrypts each intermediate key from the highest level of the at least one level of intermediate keys with the master key.
Dependent claims: 33-41.
42. A method for operating a secure key escrow system for application keys within a networked computer system, comprising:
(a) collecting key data, the key data including a plurality of application keys, at least one level of intermediate keys and a master key, the application keys for use in facilitating secure communication in the networked computer system, wherein each application key is encrypted using a key from the lowest of the at least one level of intermediate keys, and each key in the highest of the at least one level of intermediate keys is encrypted using the master key;
(b) utilizing a cryptographic key database system, storing encrypted application keys and each key from at least the lowest level of intermediate keys;
(c) utilizing a server computer communicatively connected with the networked computer system, providing application keys from the database system to other computers in the networked computer system; and
(d) utilizing a peripheral hardware security module communicatively connected to the server computer, encrypting each application key using a key from the lowest level of the at least one level of intermediate keys and encrypting each intermediate key from the highest level of the at least one level of intermediate keys with the master key.
Dependent claims: 43-46.
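Worked example, added here and not code from the patent: the encrypt-and-tag key wrap and tag check of claim 1, and the key rotation of claim 27, in Python. It assumes a 32-byte higher-level key whose first half is the encryption portion and second half the verification portion, uses an HMAC-SHA256 counter-mode keystream as a stand-in for the HSM's block cipher so it runs with the standard library alone, and simulates the hardware security module in software.

```python
import hashlib, hmac, os

TAG_LEN = 32    # HMAC-SHA256 verification tag
NONCE_LEN = 12

def split_key(higher: bytes):
    """Claim 1(b): a higher-level key carries an encryption portion and a
    verification portion. Assumption: a 32-byte key split down the middle."""
    return higher[:16], higher[16:]

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from an HMAC-SHA256 PRF, standing in for the
    # block cipher an HSM would use (stdlib only, so the example runs anywhere).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap_key(higher: bytes, lower: bytes) -> bytes:
    """Claims 1(c)-(d): encrypt the lower-level key with the encryption portion,
    then tag nonce||ciphertext with the verification portion (encrypt-then-MAC)."""
    enc, ver = split_key(higher)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(lower, _keystream(enc, nonce, len(lower))))
    tag = hmac.new(ver, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # what the key database stores

def verify_wrapped(higher: bytes, blob: bytes) -> bool:
    """Claim 1(e): check the stored tag using only the verification portion;
    the encryption portion is never touched and nothing is decrypted."""
    _, ver = split_key(higher)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(ver, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)   # constant-time compare

def unwrap_key(higher: bytes, blob: bytes) -> bytes:
    """Decrypt only after the tag verifies, so a corrupted or substituted
    wrapped key is rejected before its bytes are ever used."""
    if not verify_wrapped(higher, blob):
        raise ValueError("verification tag mismatch: wrapped key rejected")
    enc, _ = split_key(higher)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def rotate_higher_key(old_higher: bytes, new_higher: bytes, blobs: list) -> list:
    """Claim 27(c): refresh the higher-level key by unwrapping every lower-level
    key under the old key and re-wrapping under the new one. The clear form of
    each lower-level key is unchanged and, in the patent, never leaves the HSM."""
    return [wrap_key(new_higher, unwrap_key(old_higher, b)) for b in blobs]
```

After rotation the old wrapped records no longer verify under the new key and the new records do not verify under the old one, which is the check an operator would run before retiring the old higher-level key.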