Scalable and Secure Key Management For Cryptographic Data Processing
First Claim
1. A method of secure key handling and cryptographic processing of data, comprising:
- receiving a request in a cryptography engine from an entity to cryptographically process a block of data, the request including a key handle, wherein the key handle includes an authentication tag and an index;
authenticating the requesting entity using the authentication tag;
referencing a plaintext key from a plurality of plaintext keys using the index if the requesting entity is authenticated successfully;
cryptographically processing the block of data using the plaintext key; and
transmitting the processed data.
6 Assignments
0 Petitions
Accused Products
Abstract
A method and system for secure and scalable key management for cryptographic processing of data is described herein. In the method, a General Purpose Cryptographic Engine (GPE) receives key material via a secure channel from a key server and stores the received Key encryption keys (KEKs) and/or plain text keys in a secure key cache. When a request is received from a host to cryptographically process a block of data, the requesting entity is authenticated using an authentication tag included in the request. The GPE retrieves a plaintext key or generate a plaintext using a KEK if the authentication is successful, cryptographically processes the data using the plaintext key and transmits the processed data. The system includes a key server that securely provides encrypted keys and/or key handles to a host and key encryption keys and/or plaintext keys to the GPE.
67 Citations
18 Claims
-
1. A method of secure key handling and cryptographic processing of data, comprising:
-
receiving a request in a cryptography engine from an entity to cryptographically process a block of data, the request including a key handle, wherein the key handle includes an authentication tag and an index; authenticating the requesting entity using the authentication tag; referencing a plaintext key from a plurality of plaintext keys using the index if the requesting entity is authenticated successfully; cryptographically processing the block of data using the plaintext key; and transmitting the processed data. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method of secure and scalable key management and cryptographic processing of data, comprising:
-
receiving a request in a cryptography engine from an entity to cryptographically process a block of data, the request including an encrypted key and an associated key handle, wherein the key handle includes an authentication tag and an index; authenticating the requesting entity using the authentication tag; referencing a first key encryption key from a plurality of stored key encryption keys using index if the requesting entity is authenticated successfully; decrypting the encrypted key using the first key encryption key to generate a plaintext key; cryptographically processing the block of data using the plaintext key; and transmitting the encrypted or decrypted data to the requesting entity. - View Dependent Claims (7, 8, 9, 10)
-
-
11. A general purpose cryptographic engine (GPE) for secure key management and cryptographic processing of data, comprising:
-
a secure memory configured to store a plurality of plaintext keys; a security processing unit coupled to the processor and configured to receive a request from a requesting entity to cryptographically process a block of data, the request including a key handle, wherein the key handle includes an authentication tag and an index that enables retrieval of a plaintext key from the secure memory; and a key manager coupled to the security processing unit and configured to authenticate the requesting entity based on the authentication tag and to retrieve a plaintext key based on the index if the host is authenticated successfully; wherein the security processing unit is further configured to cryptographically process the block of data using the retrieved plaintext key and to transmit the processed data. - View Dependent Claims (12, 13, 14)
-
-
15. A general purpose cryptographic engine (GPE) for secure and scalable key management and cryptographic processing of data, comprising:
-
a secure memory configured to store a plurality of key encryption keys (KEKs); a security processing unit coupled to the processor and configured to receive a request from a requesting entity coupled to the GPE to cryptographically process a block of data, wherein the request includes an encrypted key and a key handle, wherein the key handle includes an authentication tag and an index to enable retrieval of a key encryption key in the secure memory, the key encryption key configured to enable decryption of the encrypted key; and a key manager coupled to the security processing unit and configured to authenticate the requesting entity based on the authentication tag, to retrieve the first key encryption key based on the index if host authentication is successful and decrypt the encrypted key using the first key encryption key to generate a plaintext key; wherein the security processing unit is configured to cryptographically process the block of data using the plaintext key to generate processed data and to transmit the processed data. - View Dependent Claims (16, 17, 18)
-
Specification