TRUSTED DATA PROCESSING IN THE PUBLIC CLOUD
Abstract
Generally, this disclosure describes a system and method for trusted data processing in the public cloud. A system may include a cloud server including a trusted execution environment, the cloud server one of a plurality of cloud servers, a cloud storage device coupled to the cloud server, and a RKM server including a key server module, the RKM server configured to sign the key server module using a private key and a gateway server configured to provide the signed key server module to the cloud server, the trusted execution environment configured to verify the key server module using a public key related to the private key and to launch the key server module, the key server module configured to establish a secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a cryptographic key to the key server module via the secure communication channel.
37 Claims
1-17. (canceled)
18. A system comprising:
a cloud server comprising a first trusted execution environment, the cloud server one of a plurality of cloud servers configured to perform data processing operations for a plurality of clients;
a cloud storage device coupled to the cloud server;
a root key management (“RKM”) server comprising a key server module, the RKM server configured to sign the key server module using a first private key; and
a gateway server configured to provide the signed key server module to the cloud server, the first trusted execution environment configured to verify the key server module using a first public key related to the first private key and to launch the key server module if the key server module verifies, the key server module configured to establish a first secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a first cryptographic key to the key server module via the first secure communication channel.
Dependent claims: 19, 20, 21, 22, 23
24. A method comprising:
providing a key server module from a root key management (“RKM”) server to a cloud server of a plurality of cloud servers configured to perform data processing operations for a plurality of clients, the cloud server coupled to a cloud storage device, the key server module signed using a first private key;
verifying the key server module using a first public key related to the first private key;
launching the key server module in a first trusted execution environment in the cloud server if the key server module verifies;
establishing a first secure communication channel between a gateway server and the key server module; and
providing a first cryptographic key from the gateway server to the key server module via the first secure communication channel, the first cryptographic key configured to decrypt a block of encrypted data.
Dependent claims: 25, 26, 27, 28, 29, 30
31. A system comprising one or more storage mediums having stored thereon, individually or in combination, instructions that when executed by one or more processors result in the following operations comprising:
providing a key server module from a root key management (“RKM”) server to a cloud server of a plurality of cloud servers configured to perform data processing operations for a plurality of clients, the cloud server coupled to a cloud storage device, the key server module signed using a first private key;
verifying the key server module using a first public key related to the first private key;
launching the key server module in a first trusted execution environment in the cloud server if the key server module verifies;
establishing a first secure communication channel between a gateway server and the key server module; and
providing a first cryptographic key from the gateway server to the key server module via the first secure communication channel, the first cryptographic key configured to decrypt a block of encrypted data.
Dependent claims: 32, 33, 34, 35, 36, 37
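The steps recited in claims 24 and 31, as an added Go example that is not part of the patent: one process plays the RKM server, the gateway server, the trusted execution environment and the key server module. Ed25519, ephemeral X25519 with SHA-256, and AES-256-GCM are assumptions (the claims name no algorithms), the function names and sample values are constructed, and the channel is not bound to the verified module here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func aead(key []byte) cipher.AEAD { // AES-256-GCM; every key here is 32 bytes
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}
func seal(key, pt []byte) []byte { // output is nonce || ciphertext || tag
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}

// Provision runs the claimed steps; flip is XORed into the module in transit.
func Provision(flip byte) (string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // RKM signing key pair
	module := []byte("constructed key server module image")
	sig := ed25519.Sign(priv, module) // RKM server signs the module
	dataKey := make([]byte, 32)       // the "first cryptographic key"
	rand.Read(dataKey)
	block := seal(dataKey, []byte("constructed client record")) // cloud storage
	module[0] ^= flip                                           // 0 = delivered intact
	if !ed25519.Verify(pub, module, sig) {                      // TEE: verify before launch
		return "", fmt.Errorf("module failed verification, not launched")
	}
	gw, _ := ecdh.X25519().GenerateKey(rand.Reader) // gateway, ephemeral
	ks, _ := ecdh.X25519().GenerateKey(rand.Reader) // key server module, ephemeral
	s1, _ := gw.ECDH(ks.PublicKey())
	s2, _ := ks.ECDH(gw.PublicKey())
	k1, k2 := sha256.Sum256(s1), sha256.Sum256(s2) // channel key on each side
	wrapped := seal(k1[:], dataKey)                // gateway sends key to module
	got, err := aead(k2[:]).Open(nil, wrapped[:12], wrapped[12:], nil)
	if err != nil {
		return "", err
	}
	pt, err := aead(got).Open(nil, block[:12], block[12:], nil)
	return string(pt), err
}

func main() { fmt.Println(Provision(0)) }
```

A module altered after signing never reaches the key exchange, so the data key is released only to code that verified against the RKM public key.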
Specification