Network attached encryption
Abstract
A method and apparatus are provided for managing cryptographic keys and performing cryptographic services within server or other computing environments. An appliance functions as a cryptographic key server to secure cryptographic keys and provide cryptographic operations as a network service.
Claims (53 total)

1. A cryptographic key server suitable for providing cryptographic services to remote devices coupled to said cryptographic key server via a network, said cryptographic key server comprising:
a secure network interface engine executing on said cryptographic key server, said secure network interface engine operable:
to establish a secure network communication channel with at least one remote device;
to unmarshal secured cryptographic service requests received from said at least one remote device; and
to marshal and transmit secure cryptographic service responses to said at least one remote device; and
a cryptographic service engine executing on said cryptographic key server, said cryptographic service engine being in bi-directional communication with said secure network interface engine, said cryptographic service engine operable to provide cryptographic services requested by said at least one remote device via said secure network interface engine.
Dependent claims: 2 through 25.

26. A cryptographic key server suitable for providing cryptographic services to remote devices coupled to said cryptographic key server via a network, said cryptographic key server comprising:
a cryptographic accelerator card bi-directionally coupled to a databus;
a smart card interface device;
a hardware security module bi-directionally coupled to said databus and suitable for secure data; and
wherein said secure data is accessible only when k-out-of-n smart cards are inserted into said smart card interface device.

27. An application server capable of hosting a plurality of applications, said application server operable for providing services to a plurality of clients via a network, said application server comprising:
a cryptographic application program interface (API), said cryptographic API providing a set of standards by which said plurality of applications can invoke a plurality of cryptographic services, at least one of said plurality of cryptographic services being performed by a remote cryptographic key server; and
a secure network interface engine, said secure network interface engine operable to establish a secure network communication channel with the remote cryptographic key server.
Dependent claims: 28 through 31.

32. A device capable of executing a plurality of functions and programs, said device comprising:
a secure network interface engine executing on said device, said secure network interface engine operable to establish a secure network communication channel with at least one remote cryptographic key server, marshal and transmit secure requests for cryptographic services to said at least one remote cryptographic key server, and receive and unmarshal secure responses to requests for cryptographic services; and
a cryptographic application program interface (API) executing on said device and bi-directionally coupled with said secure network interface engine, said cryptographic API providing a set of standards by which said plurality of functions and programs can call a corresponding plurality of cryptographic services, wherein at least one of said plurality of cryptographic services is performed remotely by said at least one cryptographic key server, said cryptographic API being responsive to a request for said at least one remote cryptographic service to utilize the secure network interface engine to request said cryptographic services.

33. A computer-implemented method for providing cryptographic key services, said method comprising the acts of:
establishing a set of private keys on a networked key server;
establishing a secure network communications channel between a networked device and said networked key server;
receiving a request for cryptographic key services at said networked key server from said networked device via said secure network communications channel;
authenticating said request for cryptographic key services;
determining authorization of said request for cryptographic key services; and
performing said request for cryptographic key services at said networked key server utilizing said private keys when said request is authorized.
Dependent claims: 34 through 41.

42. A computer-implemented method for providing networked cryptographic key services, said method comprising the acts of:
integrating a cryptographic API within an application server;
exposing cryptographic services to a plurality of applications executing on said application server via said cryptographic API;
establishing a secure network communications channel between said application server and a remote cryptographic key server;
receiving a request for cryptographic services from an application at said cryptographic API;
marshalling said request for cryptographic services for transmission to said cryptographic key server;
transmitting said marshaled request for cryptographic services to said cryptographic key server via said secure network communications channel;
receiving a response to said request via said secure network communications channel;
unmarshalling said response; and
providing a usable response to said requesting application via said cryptographic API.

43. A method for securing cryptographic keys within a server system, the method comprising the computer-implemented acts of:
storing on a key server cryptographic keys used for encrypting data; and
wherein said key server communicates with at least one component of said server system using a secure communications channel.

44. A method for securing cryptographic keys within a network system, the method comprising the computer-implemented acts of:
storing cryptographic keys used for encrypting data on a key server, and wherein said key server is a dedicated network appliance that performs cryptographic operations on behalf of at least one component of said network system.
Dependent claims: 45 through 47.

48. A cryptographic key server appliance for securing cryptographic keys within a network system, wherein said cryptographic key server stores cryptographic keys and controls access to said stored cryptographic keys.

51. A cryptographic appliance for securing sensitive information within a server system, comprising:
a data communications bus;
a central processing unit bi-directionally coupled to said data communications bus;
transient memory bi-directionally coupled to said data communications bus;
persistent memory bi-directionally coupled to said data communications bus;
a network I/O device bi-directionally coupled to said data communications bus;
a crypto-accelerator unit bi-directionally coupled to said data communications bus;
a hardware security module; and
a smart card interface coupled to said data communications bus.

52. A computer-implemented method for providing cryptographic services in a network system, said computer-implemented process comprising the acts of:
securely loading cryptographic keys onto a key server;
establishing a secure transport session between a first component of said network system and said key server;
authenticating one or more components of said network including said first component to said key server;
determining authorization of said one or more components of said network including said first component to said key server;
making a request for cryptographic operations from said first component to said key server;
determining whether said request is to be performed by said key server based on results associated with the acts of authenticating and determining authorization;
if said request is authorized, then performing said requested cryptographic operations on said key server; and
providing the results of said requested cryptographic operations from said key server to said first component via said secure transport session.

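The request flow recited in claims 33 and 52 (keys loaded on the server, a secure session with the client, a marshaled request that is authenticated and then checked for authorization before the server performs the operation with keys that never leave it), as an added Python sketch that is not part of the patent or of any product built on it. It assumes the secure transport session is already established and represents it by a per-client session secret; the key material, client identities and policy table are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample material, not from the patent: a real appliance would hold
# these in its hardware security module and load them via k-of-n smart cards.
SERVER_PRIVATE_KEYS = {"sign-key-1": b"\x11" * 32}       # never leave the key server
CLIENT_SESSION_SECRETS = {"app-server-a": b"\x22" * 32}  # established with the secure channel
# Authorization policy: the (operation, key id) pairs each authenticated client may request.
AUTHORIZATION = {"app-server-a": {("hmac-sign", "sign-key-1")}}

def marshal_request(client_id, session_secret, op, key_id, data):
    """Client side: serialize the request and bind it to the session with an HMAC tag."""
    body = json.dumps({"client": client_id, "op": op, "key": key_id, "data": data.hex()}, sort_keys=True)
    tag = hmac.new(session_secret, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})

def handle_request(wire):
    """Key server side: unmarshal, authenticate, authorize, then perform the operation."""
    msg = json.loads(wire)
    req = json.loads(msg["body"])
    secret = CLIENT_SESSION_SECRETS.get(req.get("client"))
    if secret is None:
        return {"status": "unauthenticated"}      # unknown client
    expected = hmac.new(secret, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return {"status": "unauthenticated"}      # forged or tampered request
    if (req.get("op"), req.get("key")) not in AUTHORIZATION.get(req["client"], set()):
        return {"status": "unauthorized"}         # authenticated, but not allowed this op/key
    key = SERVER_PRIVATE_KEYS[req["key"]]
    if req["op"] == "hmac-sign":
        result = hmac.new(key, bytes.fromhex(req["data"]), hashlib.sha256).hexdigest()
        return {"status": "ok", "result": result}  # only the result crosses the channel
    return {"status": "unsupported"}

def run_scenarios():
    """Exercise the authorized, tampered and unauthorized paths; returns their statuses."""
    secret = CLIENT_SESSION_SECRETS["app-server-a"]
    good = marshal_request("app-server-a", secret, "hmac-sign", "sign-key-1", b"hello")
    tampered = good.replace(b"hello".hex(), b"jello".hex())  # alter data, keep the old tag
    wrong_key = marshal_request("app-server-a", secret, "hmac-sign", "sign-key-2", b"hello")
    return {
        "good": handle_request(good)["status"],
        "tampered": handle_request(tampered)["status"],
        "wrong_key": handle_request(wrong_key)["status"],
    }

if __name__ == "__main__":
    print(run_scenarios())
```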
53. A method for protecting data in a network system, said computer-implemented method comprising the acts of:
providing a network device for intercepting and inspecting data that is en route to an application server, wherein said network device is part of a pre-defined group of cryptographic servers that share a group key and said network device is operable for:
determining whether said data is sensitive data;
encrypting said data to form encrypted data if said data is sensitive, wherein the act of encrypting includes using a group key that is shared by said pre-defined group of cryptographic servers; and
forwarding said encrypted data to said application server;
storing said encrypted data in a storage medium associated with said application server; and
allowing one or more back-end application servers to employ one of said pre-defined group of cryptographic servers to retrieve said encrypted data from said storage medium and decrypt said encrypted data if said one or more back-end application servers is authorized to access said data.