Multi-Level Key Manager

US 20090034734A1
Filed: 07/31/2008
Published: 02/05/2009
Est. Priority Date: 07/31/2007
Status: Abandoned Application

First Claim

Patent Images

1. A cryptographic device for processing classified information having a plurality of different classification levels, the cryptographic device comprising:

a memory holding a plurality of keys outside of an integrated circuit, wherein the plurality of keys are for the plurality of different classification levels;

a cryptographic processor that is part of the integrated circuit, wherein the cryptographic processor uses the plurality of keys to process packets of information that are categorized according to the plurality of different classification levels; and

a key manager, wherein;

the key manager can access a plurality of rules associated with the plurality of different classification levels,the plurality of rules regulate interaction with the plurality of keys,a first rule of the plurality of rules is used by the key manager in a first classification level of the plurality of different classification levels, anda second rule of the plurality of rules is used by the key manager in a second classification level of the plurality of different classification levels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic device and method are disclosed for processing different levels of classified information. A memory caches keys for use in a cryptographic processor. The cryptographic processor requests a key associated with a particular classification level when processing a packet of the particular classification level. The cryptographic device confirms that the key and the packet are of the same classification level in a high-assurance manner. Checking header information of the keys one or more times is performed in one embodiment. Some embodiments authenticate the stored key in a high-assurance manner prior to providing the key to the cryptographic device.

93 Citations

View as Search Results

20 Claims

1. A cryptographic device for processing classified information having a plurality of different classification levels, the cryptographic device comprising:
- a memory holding a plurality of keys outside of an integrated circuit, wherein the plurality of keys are for the plurality of different classification levels;
  
  a cryptographic processor that is part of the integrated circuit, wherein the cryptographic processor uses the plurality of keys to process packets of information that are categorized according to the plurality of different classification levels; and
  
  a key manager, wherein;
  
  the key manager can access a plurality of rules associated with the plurality of different classification levels,the plurality of rules regulate interaction with the plurality of keys,a first rule of the plurality of rules is used by the key manager in a first classification level of the plurality of different classification levels, anda second rule of the plurality of rules is used by the key manager in a second classification level of the plurality of different classification levels.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The cryptographic device for processing classified information having the plurality of different classification levels as recited in claim 1, wherein:
    - a first key accessed in the first classification level includes a header that is checked against the first rule, andthe first key includes a coded header that is checked against the first rule.
  - 3. The cryptographic device for processing classified information having the plurality of different classification levels as recited in claim 1, wherein the first and second keys are encrypted in the memory.
  - 4. The cryptographic device for processing classified information having the plurality of different classification levels as recited in claim 1, wherein the plurality of keys are stored in an encrypted state.
  - 5. The cryptographic device for processing classified information having the plurality of different classification levels as recited in claim 1, wherein the key manager further comprises a key decoder, which decrypts the plurality of keys before passing them to the cryptographic processor.
  - 6. The cryptographic device for processing classified information having the plurality of different classification levels as recited in claim 1, further comprising an access controller, wherein the access controller checks that a predetermined state of operation is active while writing the first key to a partition of the memory.

7. A method for processing classified information in a high-assurance manner, the method comprising steps of:
- receiving a request for a first key by a cryptographic processor;
  
  choosing a first rule from a plurality of rules;
  
  retrieving a first sterile key from a memory;
  
  checking the first sterile key with the first rule;
  
  decrypting the first sterile key with a first protection key to produce the first key;
  
  checking the first key with the first rule;
  
  providing the first key to the cryptographic processor if the checking the first sterile key step and the checking the first key step are completed successfully;
  
  receiving a request for a second key by a cryptographic processor;
  
  choosing a second rule from the plurality of rules;
  
  retrieving the second sterile key from the memory;
  
  checking the second sterile key with the second rule;
  
  decrypting the second sterile key with a second protection key to produce a second key;
  
  checking the second key with the second rule; and
  
  providing the second key to the cryptographic processor if the checking the second sterile key step and the checking the second key step are completed successfully.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method for processing classified information in the high-assurance manner as recited in claim 7, further comprising a step of erasing the first and second protection keys to zeroize utility of the first and second keys.
  - 9. The method for processing classified information in the high-assurance manner as recited in claim 7, wherein the cryptographic processor is capable of processing multiple classification levels simultaneously in different packets.
  - 10. The method for processing classified information in the high-assurance manner as recited in claim 7, wherein the first rule requires a classification level of a packet being processed with the cryptographic processor to match the classification level of the first key.
  - 11. The method for processing classified information in the high-assurance manner as recited in claim 7, wherein:
    - the first and second sterile keys are stored in a second integrated circuit, andthe decrypting steps are performed in a first integrated circuit.

12. A cryptographic device for processing information with a plurality of classification levels, the cryptographic device comprising:
- a memory holding a plurality of keys;
  
  a cryptographic processor that uses the plurality of keys to process packets of information that are correlated to the plurality of classification levels; and
  
  a key manager that comprises a rule enforcement circuit and a key decryption circuit, wherein;
  
  the key manager retrieves a first key for a first packet being processed by the cryptographic processor,the first packet is of a first classification level,the first key is associated with the first classification level,the rule enforcement circuit checks that the first key is designated for the first classification level before providing the first key to the cryptographic processor for processing the first packet,the key manager retrieves a second key for a second packet being processed by the cryptographic processor,the second packet is of a second classification level,the second key is associated with the second classification level, andthe rule enforcement circuit checks that the second key is designated for the second classification level before providing the second key to the cryptographic processor for processing the second packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein at least one of the first and second keys are stored in the memory in an unusable form.
  - 14. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein the key manager further comprises a key decoder that descrambles the first key before providing the first key to the cryptographic processor.
  - 15. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein the memory and the cryptographic processor are in different integrated circuit.
  - 16. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein:
    - the plurality of keys are divided among a plurality of partitions in the memory, andeach classification level has a different partition to logically separate keys of different classification levels.
  - 17. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein the plurality of classification levels includes a plurality of protection values that are each used to descramble the plurality of keys.
  - 18. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein the rule enforcement circuit checks the first key twice to confirm that the first classification level of the key matches the first classification level of the packet.
  - 19. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein the first and second keys are decrypted in the key manager.
  - 20. The cryptographic device for processing information with the plurality of classification levels as recited in claim 12, wherein a header is used to designate the first key for the first classification level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ViaSat Incorporated
Original Assignee
ViaSat Incorporated
Inventors
Shanken, Stuart N., Quintana, Richard L., Andolina, John C., Owens, John R.

Application Number

US12/184,062
Publication Number

US 20090034734A1
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06F 21/74   operating in dual or compar...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0485   Networking architectures fo...

H04L 63/105   Multiple levels of security

Multi-Level Key Manager

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Multi-Level Key Manager

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others