VIRTUALIZATION OF CRYPTOGRAPHIC KEYS

US 20130058478A1
Filed: 10/19/2012
Published: 03/07/2013
Est. Priority Date: 08/31/2009
Status: Active Grant

First Claim

Patent Images

1. A computer program product for virtualizing cryptographic keys in a virtual computing environment having a hierarchy comprising a host and one or more layers of guests, wherein a layer corresponds to a virtualization level, the computer program product comprising:

a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;

obtaining, by a processor, a cryptographic key; and

generating a virtual cryptographic key using an operation, the cryptographic key and a mask, wherein the mask used is dependent on the virtualization level of a guest for which the virtual cryptographic key is being generated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic key is virtualized to provide a virtual cryptographic key. To virtualize the key, an operation, such as an exclusive OR operation, is used with the key and a mask. The virtual key is usable by a guest of a virtual environment in cryptographic operations.

6 Citations

View as Search Results

20 Claims

1. A computer program product for virtualizing cryptographic keys in a virtual computing environment having a hierarchy comprising a host and one or more layers of guests, wherein a layer corresponds to a virtualization level, the computer program product comprising:
- a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  obtaining, by a processor, a cryptographic key; and
  
  generating a virtual cryptographic key using an operation, the cryptographic key and a mask, wherein the mask used is dependent on the virtualization level of a guest for which the virtual cryptographic key is being generated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer program product of claim 1, wherein the operation comprises an exclusive OR operation, and wherein the generating comprises performing an exclusive OR operation between the cryptographic key and the mask to provide the virtual cryptographic key.
  - 3. The computer program product of claim 1, wherein based on a first level of virtualization for the guest, the mask comprises a mask generated for that guest.
  - 4. The computer program product of claim 1, wherein based on the virtualization level being greater than 1, the mask is a resulting mask obtained from performing one or more exclusive OR operations on a plurality of masks, wherein the plurality of masks comprises a number of masks, the number being dependent on the virtualization level.
  - 5. The computer program product of claim 1, wherein the virtual cryptographic key is a virtual master key, and the method further comprises creating a virtual verification pattern usable to validate the virtual master key.
  - 6. The computer program product of claim 5, wherein the creating comprises using another operation, a verification pattern and another mask to create the virtual verification pattern.
  - 7. The computer program product of claim 6, wherein the another operation comprises an exclusive OR operation, and the another mask is the same as the mask.
  - 8. The computer program product of claim 6, wherein at least one of the another operation and the another mask is different from the operation and the mask, respectively.
  - 9. The computer program product of claim 6, wherein the method further comprises using the virtual verification pattern to validate the virtual master key, the using comprising:
    - obtaining an encrypted key, encrypted with the virtual master key, and the virtual verification pattern as part of a request for a cryptographic operation issued by the guest; and
      
      comparing the virtual verification pattern obtained as part of the request with another virtual verification pattern generated for the guest, wherein a match of the virtual verification pattern and the another virtual verification pattern indicate the encrypted key may be used in the cryptographic operation.
  - 10. The computer program product of claim 1, wherein the mask is a unique number that is unique for a lifespan of the guest using the virtual cryptographic key.

11. A computer system for virtualizing cryptographic keys in a virtual computing environment having a hierarchy comprising a host and one or more layers of guests, wherein a layer corresponds to a virtualization level, the computer system comprising:
- a memory; and
  
  a processor in communications with the memory, wherein the computer system is configured to perform a method, said method comprising;
  
  obtaining a cryptographic key; and
  
  generating a virtual cryptographic key using an operation, the cryptographic key and a mask, wherein the mask used is dependent on the virtualization level of a guest for which the virtual cryptographic key is being generated.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer system of claim 11, wherein the operation comprises an exclusive OR operation, and wherein the generating comprises performing an exclusive OR operation between the cryptographic key and the mask to provide the virtual cryptographic key.
  - 13. The computer system of claim 11, wherein based on a first level of virtualization for the guest, the mask comprises a mask generated for that guest.
  - 14. The computer system of claim 11, wherein based on the virtualization level being greater than 1, the mask is a resulting mask obtained from performing one or more exclusive OR operations on a plurality of masks, wherein the plurality of masks comprises a number of masks, the number being dependent on the virtualization level.
  - 15. The computer system of claim 11, wherein the virtual cryptographic key is a virtual master key, and the method further comprises creating a virtual verification pattern usable to validate the virtual master key.
  - 16. The computer system of claim 15, wherein the creating comprises using another operation, a verification pattern and another mask to create the virtual verification pattern.
  - 17. The computer system of claim 15, wherein the method further comprises using the virtual verification pattern to validate the virtual master key, the using comprising:
    - obtaining an encrypted key, encrypted with the virtual master key, and the virtual verification pattern as part of a request for a cryptographic operation issued by the guest; and
      
      comparing the virtual verification pattern obtained as part of the request with another virtual verification pattern generated for the guest, wherein a match of the virtual verification pattern and the another virtual verification pattern indicate the encrypted key may be used in the cryptographic operation.

18. A method of virtualizing cryptographic keys in a virtual computing environment having a hierarchy comprising a host and one or more layers of guests, wherein a layer corresponds to a virtualization level, said method comprising:
- obtaining, by a processor, a cryptographic key; and
  
  generating, by the processor, a virtual cryptographic key using an operation, the cryptographic key and a mask, wherein the mask used is dependent on the virtualization level of a guest for which the virtual cryptographic key is being generated.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the operation comprises an exclusive OR operation, and wherein the generating comprises performing an exclusive OR operation between the cryptographic key and the mask to provide the virtual cryptographic key.
  - 20. The method of claim 18, further comprising creating a virtual verification pattern usable to validate the virtual cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Yeh, Phil C.

Granted Patent

US 8,798,267 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

G06F 2009/45566   Nested virtual machines

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

VIRTUALIZATION OF CRYPTOGRAPHIC KEYS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUALIZATION OF CRYPTOGRAPHIC KEYS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links