METHOD AND SYSTEM FOR PROVISION OF CRYPTOGRAPHIC SERVICES

US 20120131354A1
Filed: 06/22/2010
Published: 05/24/2012
Est. Priority Date: 06/22/2009
Status: Active Grant

First Claim

Patent Images

1. An encryption service system comprising:

a. an application programming interface (API) for receiving encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption/decryption operation to be performed on specified data, and for sending output data in response to the corresponding encryption/decryption requests; and

b. a cryptographic server for determining, for each request, an encryption policy to be applied to the encryption/decryption operation, and for generating said corresponding output data by applying the encryption/decryption operation to the specified data according to the determined encryption policy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption service system comprises an API for receiving requests from one or more calling applications. Each request comprises information identifying the operations to be performed on data to be processed and information identifying the origin and target of the data. The encryption service system further comprises a cryptographic server for processing the requests and determining, for each request, an encryption policy to be applied.

129 Citations

63 Claims

1. An encryption service system comprising:
- a. an application programming interface (API) for receiving encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption/decryption operation to be performed on specified data, and for sending output data in response to the corresponding encryption/decryption requests; and
  
  b. a cryptographic server for determining, for each request, an encryption policy to be applied to the encryption/decryption operation, and for generating said corresponding output data by applying the encryption/decryption operation to the specified data according to the determined encryption policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The system of claim 1, wherein each request identifies an origin of the data, and the encryption policy is determined at least in part on the basis of the identity of the origin.
  - 3. The system of claim 1, wherein each request identifies a target of the data, and the encryption policy is determined at least in part on the basis of the identity of the target.
  - 4. The system of claim 1, wherein the encryption policy is determined at least in part on the basis of the operation to be performed.
  - 5. The system of claim 1, wherein the requests do not specify an encryption key and/or mechanism for the performance of the encryption/decryption operation.
  - 6. The system of claim 1, wherein the specified data is included within each request.
  - 7. The system of claim 1, wherein the operation is an encryption operation, and the encrypted output data comprises managed data.
  - 8. The system of claim 7, wherein the output data identifies an encryption key and cryptographic mechanism.
  - 9. The system of claim 1, wherein the operation is an encryption operation, and the encrypted output data comprises unmanaged data.
  - 10. The system of claim 9, wherein the cryptographic server defines a policy for decryption of the encrypted output data.
  - 11. The system of claim 1, further comprising a key server operable to receive a key request from the cryptographic server and to reply with an encrypted key.
  - 12. The system of claim 11, wherein the key server is operable to reply with a key encryption key for the encrypted key.
  - 13. The system of claim 11, wherein the key server is operable to receive a key load command from the cryptographic server, and to load a specified key in response thereto.
  - 14. The system of claim 11, wherein the key server is operable to send a query command to the cryptographic server.
  - 15. The system of claim 14, wherein the query command comprises a command to test if a specified key is being used or is resident at the cryptographic server.
  - 16. The system of claim 14, wherein the query command comprises a command to test if a specified cryptographic engine is resident at the cryptographic server.
  - 17. The system of claim 11, wherein the key server is operable to send an action command to the cryptographic server.
  - 18. The system of claim 17, wherein the action command comprises a command to purge a specified key from the cryptographic server.
  - 19. The system of claim 17, wherein the action command comprises a command to force a change of a key.
  - 20. The system of claim 1, wherein the cryptographic server is operable to receive a pre-fetch request from one of said calling applications through the API and to load a defined set of keys into a local key store in response thereto.
  - 21. The system of claim 20, wherein the set of keys is defined by a specified list of encryption/decryption operations to perform.
  - 22. The system of claim 20, wherein the defined set of keys are grouped and identified by an ID token of the corresponding calling application.
  - 23. The encryption service system of claim 1, wherein the API is operable to allow a calling application to log on prior to requesting encryption/decryption services.
  - 24. The encryption service system of claim 23, wherein the cryptographic server is operable to generate an ID token for each said calling application that has logged on.
  - 25. The encryption service system of claim 24, wherein the API is operable to append the generated ID token to an ID token chain of the calling application.
  - 26. The encryption service system of claim 24, wherein the ID token includes an expiry parameter, and the API is further operable to request the calling application to renew the ID token upon expiry of the ID token.
  - 27. The system of claim 20, wherein the defined set of keys are cleared from local store when the corresponding calling application has logged off.

28. An encryption service system comprising:
- a. an application programming interface (API) for receiving encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption/decryption operation to be performed on specified data;
  
  b. a cryptographic server for processing the requests; and
  
  c. a key server operable to receive a key request from the cryptographic server and to reply with an encrypted key;
  
  wherein the cryptographic server is operable to receive a pre-fetch request from one of said calling applications through the API and to load a defined set of keys from the key server into a local key store in response thereto

29. (canceled)

30. A method of providing an encryption service comprising:
- a. receiving, at an application programming interface (API), encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption/decryption operation to be performed on specified input data;
  
  b. determining, at the cryptographic server, for each request, an encryption policy to be applied to the encryption/decryption operation;
  
  c. at the cryptographic server, for each request, performing the requested encryption/decryption operation on the input data according to the determined encryption policy, to generate corresponding output data; and
  
  d. outputting the corresponding output data at the application programming interface (API).
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 31. The method of claim 30, wherein the requests include information identifying an origin of the data, and the encryption policy is determined at least in part on the basis of the identity of the origin.
  - 32. The method of claim 30, wherein the requests include information identifying a target of the data, and the encryption policy is determined at least in part on the basis of the identity of the target.
  - 33. The method of claim 30, wherein the encryption policy is determined at least in part on the basis of the operation to be performed
  - 34. The method of claim 30, wherein the requests do not specify an encryption key and/or mechanism for the performance of the encryption/decryption operation.
  - 35. The method of claim 30, wherein the input data is included within each request.
  - 36. The method of claim 30, wherein the operation is an encryption operation, and the encrypted output data comprises managed data.
  - 37. The method of claim 36, wherein the output data includes an encryption key and cryptographic mechanism identification.
  - 38. The method of claim 30, wherein the operation is an encryption operation, and the encrypted output data comprises unmanaged data.
  - 39. The method of claim 38, wherein the cryptographic server defines a policy for decryption of the encrypted output data.
  - 40. The method of claim 30, further comprising receiving, at a key server, a key request from the cryptographic server and replying with an encrypted key.
  - 41. The method of claim 40, wherein the key server replies with a key encryption key for the encrypted key.
  - 42. The method of claim 40, further comprising receiving, at the key server, a key load command from the cryptographic server, and loading a specified key in response thereto.
  - 43. The method of claim 40, further comprising sending, from the key server, a query command to the cryptographic server.
  - 44. The method of claim 43, wherein the query command comprises a command to test if a specified key is being used or is resident at the cryptographic server.
  - 45. The method of claim 44, wherein the query command comprises a command to test if a specified cryptographic engine is resident at the cryptographic server.
  - 46. The method of claim 40, further comprising sending, from the key server, an action command to the cryptographic server.
  - 47. The method of claim 46, wherein the action command comprises a command to purge a specified key from the cryptographic server.
  - 48. The method of claim 46, wherein the action command comprises a command to force a change of a key.
  - 49. The method of claim 40, further comprising receiving, at the cryptographic server from one of said calling applications, a pre-fetch request and loading a defined set of keys into a local key store in response thereto.
  - 50. The method of claim 49 wherein the set of keys is defined by a specified list of encryption/decryption operations to perform.
  - 51. The method of claim 49, wherein the defined set of keys are grouped and flagged by an ID token of the corresponding calling application.
  - 52. The method of claim 40, further comprising a calling application logging on to the cryptographic server prior to requesting encryption services.
  - 53. The method of claim 52, further comprising generating, at the cryptographic server, an ID token for each said calling application that has logged on.
  - 54. The method of claim 53, further comprising appending, by the API, the generated ID token to an ID token chain of the calling application.
  - 55. The method of claim 53, wherein the ID token includes an expiry parameter, and the API requests the calling application to renew ID token upon expiry of the ID token.
  - 56. The method of claim 49, including clearing the defined set of keys from the local store when the corresponding calling application has logged off.

57. A method of providing an encryption service comprising:
- a. receiving, at an application programming interface (API), encryption/decryption requests from one or more calling applications, each request comprising information identifying the operations to be performed on specified data;
  
  b. processing the requests at a cryptographic server; and
  
  c. receiving a key request from the cryptographic server at a key server, and sending an encrypted key from the key server to the cryptographic server in reply thereto;
  
  wherein the method includes receiving a pre-fetch request from one of said calling applications through the API and loading a defined set of keys from the key server into a local key store in response thereto.

58-61. -61. (canceled)

62. A non-transitory computer readable medium having instructions stored thereon which, when executed by a computer processor, cause the processor to perform a method comprising:
- a. receiving, at an application programming interface (API), encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption/decryption operation to be performed on specified input data;
  
  b. determining, at the cryptographic server, for each request, an encryption policy to be applied to the encryption/decryption operation;
  
  c. at the cryptographic server, for each request, performing the requested encryption/decryption operation on the input data according to the determined encryption policy, to generate corresponding output data; and
  
  d. outputting the corresponding output data at the application programming interface (API).

63. A non-transitory computer readable medium having instructions stored thereon which, when executed by a computer processor, cause the processor to perform a method comprising:
- a. receiving, at an application programming interface (API), encryption/decryption requests from one or more calling applications, each request comprising information identifying the operations to be performed on specified data;
  
  b. processing the requests at a cryptographic server; and
  
  c. receiving a key request from the cryptographic server at a key server, and sending an encrypted key from the key server to the cryptographic server in reply thereto;
  
  wherein the method includes receiving a pre-fetch request from one of said calling applications through the API and loading a defined set of keys from the key server into a local key store in response thereto.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barclays Execution Services Ltd. (Barclays PLC)
Original Assignee
Barclays Bank PLC (Barclays PLC)
Inventors
French, George

Granted Patent

US 9,530,011 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/20   for managing network securi...

H04L 9/088   Usage controlling of secret...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

METHOD AND SYSTEM FOR PROVISION OF CRYPTOGRAPHIC SERVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

63 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR PROVISION OF CRYPTOGRAPHIC SERVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

63 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links