KEY CREATION AND ROTATION FOR DATA ENCRYPTION

US 20130163753A1
Filed: 12/07/2012
Published: 06/27/2013
Est. Priority Date: 12/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method for cryptographic processing of data using a network device that is operative to perform actions, comprising:

responsive to receiving a request o rotate at least one current key, performing further actions, including;

generating at least one transitional key by encrypting at least one current key using at least one system key;

generating at least one new key based on at least one determined key parameter;

activating at least one new key based on data provided by at least one key holder;

generating at least one new current key based on at least one activated key, wherein the new current key is stored at least in volatile memory; and

encrypting at least one transitional key using at least one new current key and storing it in at least one key array.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards enabling cryptographic key rotation without disrupting cryptographic operations. If key rotation is initiated, a transitional key may be generated by encrypting the current key with a built-in system key. A new key may be generated based one at least one determined key parameter. Next, the new key may be activated by the one or more key holders. If the new key is activated, it may be designated as the new current key. The new current key may be employed to encrypt the transitional key and store it in a key array. Each additional rotated key may be stored in the key array after it is encrypted by the current cryptographic key. Further, in response to a submission of an unencrypted query value, one or more encrypted values that correspond to a determined number of rotated cryptographic keys are generated.

Citations

21 Claims

1. A method for cryptographic processing of data using a network device that is operative to perform actions, comprising:
- responsive to receiving a request o rotate at least one current key, performing further actions, including;
  
  generating at least one transitional key by encrypting at least one current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating at least one new key based on data provided by at least one key holder;
  
  generating at least one new current key based on at least one activated key, wherein the new current key is stored at least in volatile memory; and
  
  encrypting at least one transitional key using at least one new current key and storing it in at least one key array.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein activating at least one new key further comprises, receiving at least a portion of keying data from at least one key holder, wherein at least one key holder activates at least portion of keying data using at least one password that corresponds to at least portion of keying data.
  - 3. The method of claim 1, wherein storing at least one transitional key in at least one key array further comprises, linking the previous current key with at least one new current key.
  - 4. The method of claim 1, further comprising:
    - if at least one encrypted data packet is received from at least one client device, iterating through at least one key array performing further actions, including;
      
      retrieving at least one other key from at least one key array based on at least one key array index;
      
      decrypting at least one encrypted data packet using at least one other key;
      
      if at least one identifier included in the decrypted data packet identifies at least one other key, sending at least a portion of the decrypted data to at least one client device; and
      
      if at least one identifier included in the decrypted data packet identifies a different key, advance at least one key array index to the next eligible and available key in at least one key array.
  - 5. The method of claim 1, further comprising:
    - receiving at least one password from at least one key holder;
      
      retrieving each un-activated key that is associated with at least one key holder; and
      
      validating at least a portion of keying data associated with each an-activated key using at least one password.
  - 6. The method claim 1, further comprising:
    - receiving at least one request from at least one client device that includes at least one query value and at least one key name;
      
      retrieving at least one key, wherein at least one retrieved key is associated with at least one key name;
      
      encrypting at least one query value to generate at least one encrypted query value, wherein at least one encrypted query value is generated for each retrieved key; and
      
      returning at least one encrypted query value to the client device.
  - 7. The method of claim 1, further comprising, storing at least one current key and at least one rotated key in a cache that is m volatile memory.

8. A network device for cryptographic processing of data over a network, comprising:
- a transceiver component for communicating over a network;
  
  a memory component for storing instructions and data; and
  
  a processor component that executes instructions that enable actions, including;
  
  responsive to receiving a request to rotate at least one current key, performing further actions, including;
  
  generating at least one transitional key by encrypting at least one current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating at least one new key based on data provided by at least one key holder;
  
  generating at least one new current key based on at least one activated key, wherein the new current key is stored at least in volatile memory; and
  
  encrypting at least one transitional key using at least one new current key and storing it in at least one key array.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The network device of claim 8, wherein activating at least one new key further comprises, receiving at least a portion of keying data from at least one key holder, wherein at least one key holder activates at least portion of keying data using at least one password that corresponds to at least portion of keying data.
  - 10. The network device of claim 8, wherein storing at least one transitional key in at least one key array further comprises, linking the previous current key with at least one new current key.
  - 11. The network device of claim 8, further comprising:
    - if at least one encrypted data packet is received from at least one client device, iterating through at least one key array performing further actions, including;
      
      retrieving at least one other key from at least one key array based on at least one key array index;
      
      decrypting at least one encrypted data packet using at least one other key;
      
      if at least one identifier included in the decrypted data packet identifies at least one other key, sending at least a portion of the decrypted data to at least one client device; and
      
      if at least one identifier included in the decrypted data packet identifies a different key, advance at least one key array index to the next eligible and available key in at least one key array.
  - 12. The network device of claim 8, further comprising:
    - receiving at least one password from at least one key holder;
      
      retrieving each un-activated key that is associated with at least one key holder; and
      
      validating at least a portion of keying data associated with each un-activated key using at least one password.
  - 13. The network device of claim 8, further comprising;
    - receiving at least one request from at least one client device that includes at least one query value and at least one key name;
      
      retrieving at least one key, wherein at least one retrieved key is associated with at least one key name;
      
      encrypting at least one query value to generate at least one encrypted query value, wherein at least one encrypted query value is generated for each retrieved key; and
      
      returning at least one encrypted query value to the client device.
  - 14. The network device of claim 8, further comprising, storing at least one current key and at least one rotated key in a cache that is in volatile memory.

15. A processor readable non-transitive storage media that includes instructions for cryptographic processing of data using a network device that includes a plurality of components and is operative to execute the instructions to perform actions, comprising:
- responsive to receiving a request to rotate at least one current key performing further actions, including;
  
  generating at least one transitional key by encrypting at least e current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating at least one new key based on data provided by at least one key holder;
  
  generating at least one new current key based on at least one activated key, wherein the new current key is stored at least in volatile memory; and
  
  encrypting at least one transitional key using at least one new current key and storing it in at least one key array.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The media of claim 15, wherein activating at least one new key further comprises, receiving at least a portion of keying data from at least one key holder, wherein at least one key holder activates at least portion of keying data using at least one password that corresponds to at least portion of keying data.
  - 17. The media of claim 15, wherein storing at least one transitional key in at least one key array further comprises, linking the previous current key with at least one new current key.
  - 18. The media of claim 15, further comprising:
    - if at least one encrypted data packet is received from at least one client device, iterating through at least one key array performing farther actions, including;
      
      retrieving at least one other key from at least one key array based on at least one key array index;
      
      decrypting at least one encrypted data packet using at least one other key;
      
      if at least one identifier included in the decrypted data packet identifies at least one other key, sending at least a portion of the decrypted data to at least one client device; and
      
      if at least one identifier included in the decrypted data packet identifies a different key, advance at least one key array index to the next eligible and available key in at least one key array.
  - 19. The media of claim 15, further comprising:
    - receiving at least one password from at least one key holder;
      
      retrieving each unactivated key that is associated with at least one key holder; and
      
      validating at least a portion of keying data associated with each un-activated key using at least one password.
  - 20. The media of claim 15, further comprising:
    - receiving at least one request from at least one client device that includes at least one query value and at least one key name;
      
      retrieving at least one key, wherein at least one retrieved key is associated with at least one key name;
      
      encrypting at least one query value to generate at least one encrypted query value, wherein at least one encrypted query value is generated for each retrieved key; and
      
      returning at least one encrypted query value to the client device.
  - 21. The media of claim 15, further comprising, storing at least one current key and at least one rotated key in a cache that is in volatile memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KeyNexus, Inc. (StorMagic Limited)
Original Assignee
KeyNexus, Inc. (StorMagic Limited)
Inventors
MacMillan, Jeffrey Earl, Offrey, Jason Arthur

Granted Patent

US 8,774,403 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

KEY CREATION AND ROTATION FOR DATA ENCRYPTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

KEY CREATION AND ROTATION FOR DATA ENCRYPTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links