KEY CREATION AND ROTATION FOR DATA ENCRYPTION
First Claim
1. A method for cryptographic processing of data using a network device that is operative to perform actions, comprising:
- responsive to receiving a request to rotate at least one current key, performing further actions, including;
generating at least one transitional key by encrypting the at least one current key using at least one system key;
generating at least one new key based on at least one determined key parameter;
activating the at least one new key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array.
Abstract
Embodiments are directed towards enabling cryptographic key rotation without disrupting cryptographic operations. If key rotation is initiated, a transitional key may be generated by encrypting the current key with a built-in system key. A new key may be generated based on at least one determined key parameter. Next, the new key may be activated by the one or more key holders. If the new key is activated, it may be designated as the new current key. The new current key may be employed to encrypt the transitional key and store it in a key array. Each additional rotated key may be stored in the key array after it is encrypted by the current cryptographic key. Further, in response to a submission of an unencrypted query value, one or more encrypted values that correspond to a determined number of rotated cryptographic keys are generated.
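The rotation sequence the abstract describes, as an added example in Python that is not part of the patent or of any assignee's code. The built-in system key, the key holders' passwords and keying shares, the choice of key length as the determined key parameter, and the HMAC-SHA256 keystream used as a toy cipher are all constructed assumptions; a deployment would use a real block cipher and a hardware-held system key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed stand-in for the device's built-in system key (hypothetical value).
SYSTEM_KEY = b"constructed-built-in-system-key-00"


def keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """Toy deterministic cipher: XOR with an HMAC-SHA256 keystream.

    Stand-in for a real block cipher so the example runs on the standard
    library alone; the label separates key-wrap, transitional and query use.
    Deterministic output is what lets query tokens be compared with values
    encrypted earlier under the same key.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


encrypt = keystream_xor
decrypt = keystream_xor  # XOR keystream: decryption is the same operation


@dataclass
class KeyHolder:
    password: bytes
    keying_share: bytes  # portion of keying data derived from seed or entropy


@dataclass
class KeyStore:
    current_key: bytes  # held only in volatile memory
    key_array: List[bytes] = field(default_factory=list)  # wrapped rotated keys, oldest first


def activate(new_key: bytes, holders: List[KeyHolder]) -> bytes:
    """Activate a freshly generated key with material from at least two key holders."""
    if len(holders) < 2:
        raise ValueError("activation requires at least two key holders")
    material = b"".join(
        hashlib.sha256(h.password + b"|" + h.keying_share).digest() for h in holders
    )
    return hmac.new(new_key, material, hashlib.sha256).digest()


def rotate(store: KeyStore, holders: List[KeyHolder], key_length: int = 32,
           rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """One rotation as the abstract describes; returns the new current key."""
    # 1. transitional key = current key encrypted under the built-in system key
    transitional = encrypt(SYSTEM_KEY, store.current_key, b"transitional")
    # 2. new key from the determined key parameter (here: length in bytes)
    new_key = rng(key_length)
    # 3./4. activation by the key holders yields the new current key
    new_current = activate(new_key, holders)
    # 5. wrap the transitional key under the new current key, append to the array
    store.key_array.append(encrypt(new_current, transitional, b"wrap"))
    store.current_key = new_current
    return new_current


def recover_rotated_keys(store: KeyStore) -> List[bytes]:
    """Unwrap the key array back through the chain; newest rotated key first."""
    keys = []
    k = store.current_key
    for wrapped in reversed(store.key_array):
        transitional = decrypt(k, wrapped, b"wrap")
        k = decrypt(SYSTEM_KEY, transitional, b"transitional")
        keys.append(k)
    return keys


def query_tokens(store: KeyStore, query: bytes,
                 rotated_count: Optional[int] = None) -> List[bytes]:
    """Encrypt an unencrypted query value under the current key and the
    determined number of rotated keys (all of them when rotated_count is None)."""
    keys = [store.current_key] + recover_rotated_keys(store)
    if rotated_count is not None:
        keys = keys[: 1 + rotated_count]
    return [encrypt(k, query, b"query") for k in keys]


if __name__ == "__main__":
    holders = [KeyHolder(b"pw-alpha", b"seed-alpha"), KeyHolder(b"pw-beta", b"entropy-beta")]
    store = KeyStore(current_key=activate(os.urandom(32), holders))
    old_key = store.current_key
    stored_value = encrypt(old_key, b"record-42", b"query")  # written before any rotation
    rotate(store, holders)
    rotate(store, holders)
    print("oldest key recoverable:", recover_rotated_keys(store)[-1] == old_key)
    print("old record still matchable:", stored_value in query_tokens(store, b"record-42"))
```

Two properties of the construction are worth checking in a review. First, the key array on its own is inert: every entry is wrapped under the key that replaced it and then under the system key, so recovering any historical key requires the current key (volatile memory only) plus the system key. Second, matching a query against data encrypted under a rotated key depends on deterministic encryption of the query value, which is also why equal plaintexts produce equal tokens; that trade-off is inherent to searchable tokens, not to the rotation scheme.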
30 Claims
9. A network device for cryptographic processing of data over a network, comprising:
a transceiver component for communicating over a network;
a memory component for storing instructions and data; and
a processor component that executes instructions that enable actions, including;
- responsive to receiving a request to rotate at least one current key, performing further actions, including;
generating at least one transitional key by encrypting the at least one current key using at least one system key;
generating at least one new key based on at least one determined key parameter;
activating the at least one new key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A processor readable non-transitive storage media that includes instructions for cryptographic processing of data using a network device that includes a plurality of components and is operative to execute the instructions to perform actions, comprising:
- responsive to receiving a request to rotate at least one current key, performing further actions, including;
generating at least one transitional key by encrypting at least one current key using at least one system key;
generating at least one new key based on at least one determined key parameter;
activating the at least one new key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array.
Dependent claims: 18, 19, 20, 21, 22, 23.
24. A system arranged for cryptographic processing of data, comprising:
a server device, including;
a transceiver device that is operative to communicate over the network;
a memory device that is operative to store at least instructions; and
a processor device that is operative to execute instructions that enable actions, including;
- responsive to receiving a request to rotate at least one current key, enabling further actions, including;
generating at least one transitional key by encrypting at least one current key using at least one system key;
generating at least one new key based on at least one determined key parameter;
activating the at least one new key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array; and
a client device, comprising,
a transceiver device that is operative to communicate over the network;
a memory device that is operative to store at least instructions; and
a processor device that is operative to execute instructions that enable actions, including, at least one of providing at least a portion of the data provided by the at least one key holder, or providing the request to rotate the at least one current key.
Dependent claims: 25, 26, 27, 28, 29, 30.
Specification