Automated key management system

US 20060291664A1
Filed: 06/23/2006
Published: 12/28/2006
Est. Priority Date: 06/27/2005
Status: Active Grant

First Claim

Patent Images

1. A key management agent system in a computer network, the system comprising:

a centralized key control system that automatically generates and distributes asymmetric cryptographic keys for use by software applications in the computer network, the key control system including a key management server computer;

an administrative server interface, providing a user interface to the key management agent system, that is communicatively connected to the key control system;

at least one key management agent communicatively connected to the key control system and arranged to receive at least one of the asymmetric cryptographic keys directly from the key control system; and

at least one key store communicatively connected to the key management agent and automatically loaded with the at least one asymmetric cryptographic keys as directed by the key control system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automated cryptographic key management comprises a key control system, a key management agent system, and a key system application program interface. A method for automated cryptographic key management is also disclosed. The method comprises the automatic generation of cryptographic keys by the key control system and distribution of such keys by the key control system to the key management agent system.

Citations

21 Claims

1. A key management agent system in a computer network, the system comprising:
- a centralized key control system that automatically generates and distributes asymmetric cryptographic keys for use by software applications in the computer network, the key control system including a key management server computer;
  
  an administrative server interface, providing a user interface to the key management agent system, that is communicatively connected to the key control system;
  
  at least one key management agent communicatively connected to the key control system and arranged to receive at least one of the asymmetric cryptographic keys directly from the key control system; and
  
  at least one key store communicatively connected to the key management agent and automatically loaded with the at least one asymmetric cryptographic keys as directed by the key control system.
- View Dependent Claims (2)
- - 2. The key management agent system as claimed in claim 1, wherein the key store of the key management agent system is adapted to be read by an application program interface of at least one of the software applications.

3. A key control system for cryptographic asymmetric application keys for use within an automated key management system, the key control system comprising:
- a collection of key data, the key data including a plurality of asymmetric cryptographic application keys for use in facilitating secure communication in the automated key management system, a cryptographic key database system for storing at least a portion of the key data including encrypted asymmetric application keys, and a key management server computer communicatively connected within the automated key management system and arranged to automatically generate an asymmetric application key and store the asymmetric application key in the cryptographic key database system.
- View Dependent Claims (4)
- - 4. The key control system as claimed in claim 3, the key control system further comprising:
    - a secure hardware device communicatively connected into the automated key management system for storing one or more master keys that are used to scramble or descramble asymmetric application keys or intermediate keys to asymmetric application keys.

5. A method of distributing asymmetric cryptographic keys automatically by a key control system in an automated key management system, the method comprising:
- at the key control system, receiving instructions from an administrative interface to distribute an asymmetric cryptographic key to a key management agent;
  
  automatically distributing without manual intervention the asymmetric cryptographic key to the key management agent via a secure interface; and
  
  automatically loading, without manual intervention, the asymmetric cryptographic key into a key store for independent retrieval by an application programming interface of an unrelated software application.
- View Dependent Claims (6)
- - 6. The method as claimed in claim 5, further comprising:
    - receiving instructions by the key control system from an administrative interface to generate asymmetric cryptographic keys.

7. A method for securely transmitting a cryptographic application key from a first computing device to a second computing device using a certificate having an expiration date, the method comprising:
- assessing the expiration date of the certificate of the second computing device, based upon the assessment, generating, by the second computing device, an authentication key pair having a public key and a private key, wrapping the public key in a system certificate request message by the second computing device, transmitting the system certificate request message from the second computing device to the first computing device, sending the system certificate request from the first computing device to a certificate authority, at the first computing device, receiving, from the certificate authority, a signed certificate that comprises the public key signed by the certificate authority, forwarding the signed public key from the first computing device to the second computing device, and distributing a cryptographic application key from the first computing device to the second computing device using the signed public key to authenticate the distribution.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method as claimed in claim 7, wherein assessing the expiration date includes determining that the certificate of the second computing device is due to expire.
  - 9. The method as claimed in claim 7, wherein the first computing device includes a key control system for distributing cryptographic application keys and the second computing device includes a key management agent for receiving cryptographic application keys from the key control system and storing them on the second computing device.
  - 10. The method as claimed in claim 9, further comprising:
    - sending a renew certificate message from the key control system to the key management agent, and receiving the renew certificate message by the key management agent.
  - 11. The method as claimed in claim 9, further comprising adding the private key of the authentication key pair to an authentication key store.
  - 12. The method as claimed in claim 8, wherein the assessment is carried out by the first computing device.
  - 13. The method as claimed in claim 9, further comprising, upon receiving the certificate:
    - retrieving the private key corresponding to the certificate from the authentication key store, creating a second authentication key store comprising the certificate and the private key, and encrypting the second authentication key store.

14. A method for automatically rotating cryptographic keys in an automatic key management system having a first computing device communicatively connected to a second computing device, the method comprising:
- storing a first cryptographic key to a first computing device, storing the first cryptographic key to a second computing device, using the first cryptographic key to facilitate communication between the first and second computing devices, distributing a second cryptographic key to the first and second computing device, replacing the first cryptographic key with the second cryptographic key in the first computing device, maintaining the first cryptographic key at the second computing device, thereby facilitating communication between the first and second computing devices using the first cryptographic key, until it is determined that the replacement has been successfully completed, and using the second cryptographic key to facilitate communication between the first and second computing devices upon determining that the first computing device has successfully replaced the first cryptographic key with the second cryptographic key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method according to claim 14, wherein the first computing device is a server, mainframe or other computing machine.
  - 16. The method according to claim 14, wherein the second computing device is a server, mainframe or other computing machine.
  - 17. The method as claimed in claim 14, wherein the communication occurs without interruption.
  - 18. The method as claimed in claim 14, wherein the first and second cryptographic keys are asymmetric.
  - 19. The method as claimed in claim 14, wherein the first and second cryptographic keys are symmetric.
  - 20. The method as claimed in claim 14, wherein the first and second cryptographic keys comprise key labels.

21. A method for automatically rotating cryptographic keys in an automatic key management system, the method comprising:
- providing first and second computing devices, the first computing device including a key control system and the second computing device including a software application installed thereon and a data file, the software application operating independently from the key control system, loading a first cryptographic key into the data file in the second computing device, using the first cryptographic key in the software application, after using the first cryptographic key in the software application, automatically distributing without manual intervention a second cryptographic key to the second computing device via a secure interface, automatically loading, without manual intervention, the second cryptographic key into the data file for independent retrieval by the software application, and using the second cryptographic key, as a replacement for the first cryptographic key, in the software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Original Assignee
Wachovia Corporation (Wells Fargo & Company)
Inventors
Suarez, Luis A., Gray, Tim, Kauer, Neil, Badia, David, Ahuja, Vijay

Granted Patent

US 8,295,492 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/286
CPC Class Codes

G06F 21/33   using certificates

H04L 2463/102   applying security measure f...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/3263   involving certificates, e.g...

Automated key management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automated key management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links