METHODS AND DEVICES FOR SECURING KEYS FOR A NONSECURED, DISTRIBUTED ENVIRONMENT WITH APPLICATIONS TO VIRTUALIZATION AND CLOUD-COMPUTING SECURITY AND MANAGEMENT

US 20150143111A1
Filed: 11/28/2012
Published: 05/21/2015
Est. Priority Date: 11/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for securing keys for a non-secure computing-environment, the method comprising the steps of:

(a) providing a security-key framework which is adapted, upon receiving an encryption request for protecting a secret item in the computing-environment, for repetitively encrypting, either iteratively, in parallel, or in combination thereof, said secret item with each of a set of N location-specific secure-keys, wherein each said location-specific secure-key of said set corresponds to a respective encryption location, to create an encrypted item;

wherein said locations are regions of memory located in computing resources operationally connected to the computing-environment; and

(b) concealing through encryption at least one said location-specific secure-key such that said step of concealing is configured;

(i) to prevent said at least one location-specific secure-key from ever being known in an unconcealed form on any computing resource in any computing-environment during said encrypting; and

(ii) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;

XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said encrypting and said step of concealing, to be performed while said at least one location-specific secure-key is in its concealed form.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses methods and devices for securing keys for a non-secure computing-environment. Methods include the steps of: providing a security-key framework which is adapted, upon receiving an encryption request for protecting a secret item, for repetitively encrypting the secret item with each of a set of N location-specific secure-keys, wherein each location-specific secure-key corresponds to a respective encryption location, to create an encrypted item; wherein the locations are regions of memory located in computing resources operationally connected to the computing-environment; and concealing through encryption at least one location-specific secure-key such that the concealing is configured: to prevent at least one location-specific secure-key from ever being known in an unconcealed form on any computing resource in any computing-environment during the encrypting; and to allow mathematical operations, performed as part of the encrypting and concealing, to be performed while at least one location-specific secure-key is in its concealed form.

Citations

15 Claims

1. A method for securing keys for a non-secure computing-environment, the method comprising the steps of:
- (a) providing a security-key framework which is adapted, upon receiving an encryption request for protecting a secret item in the computing-environment, for repetitively encrypting, either iteratively, in parallel, or in combination thereof, said secret item with each of a set of N location-specific secure-keys, wherein each said location-specific secure-key of said set corresponds to a respective encryption location, to create an encrypted item;
  
  wherein said locations are regions of memory located in computing resources operationally connected to the computing-environment; and
  
  (b) concealing through encryption at least one said location-specific secure-key such that said step of concealing is configured;
  
  (i) to prevent said at least one location-specific secure-key from ever being known in an unconcealed form on any computing resource in any computing-environment during said encrypting; and
  
  (ii) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;
  
  XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said encrypting and said step of concealing, to be performed while said at least one location-specific secure-key is in its concealed form.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein said step of concealing includes at least one technique selected from the group consisting of:
    - key splitting, key joining, blinding, homomorphic encryption, and any encryption technique known in the art.
  - 3. The method of claim 1, wherein said security-key framework is further adapted, upon receiving a decryption request for said encrypted item, for repetitively decrypting, either iteratively, in parallel, or in combination thereof, said encrypted item with each of said set of N location-specific secure-keys;
    - and wherein said step of concealing is further configured;
      
      (iii) to prevent said at least one location-specific secure-key from ever being known in unconcealed form on any computing resource in any computing-environment during said decrypting; and
      
      (iv) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;
      
      XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said decrypting and said step of concealing, to be performed while said at least one location-specific secure-key is in its concealed form.
  - 4. The method of claim 3, the method further comprising the step of:
    - (c) prior to said encrypting or subsequent to said decrypting, exchanging said secret item with an authorized requester while said secret item remains unknown to said security-key framework, thereby providing a secure, virtualized key-management system.
  - 5. The method of claim 1, wherein said encrypting and said step of concealing can be performed on any element of a collection of computing resources operationally connected to the computing-environment, wherein said step of concealing is performed differently on each said element, thereby preventing leakage of a concealed key from one said element from compromising any other said element.

6. A device for securing keys for a non-secure computing-environment, the device comprising:
- (a) a server including;
  
  (i) a CPU for performing computational operations;
  
  (ii) a memory module for storing data; and
  
  (iii) a network connection for communicating across a network; and
  
  (b) a protection module, residing on said server, configured for;
  
  (i) providing a security-key framework which is adapted, upon receiving an encryption request for protecting a secret item in the computing-environment, for repetitively y encrypting, either iteratively, in parallel, or in combination thereof, said secret item with each of a set of N location-specific secure-keys, wherein each said location-specific secure-key of said set corresponds to a respective encryption location, to create an encrypted item;
  
  wherein said locations are regions of memory located in computing resources operationally connected to the computing-environment; and
  
  (ii) concealing through encryption at least one said location-specific secure key such that said concealing is configured;
  
  (A) to prevent said at least one location-specific secure-key from ever being known in an unconcealed form on any computing resource in any computing-environment during said encrypting; and
  
  (B) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;
  
  XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said encrypting and said concealing, to be performed while said at least one location-specific secure-key is in its concealed form.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The device of claim 6, wherein said step of concealing includes at least one technique selected from the group consisting of:
    - key splitting, key joining, key blinding, homomorphic encryption, and any encryption technique known in the art.
  - 8. The device of claim 6, wherein said security-key framework is further adapted, upon receiving a decryption request for said encrypted item, for repetitively decrypting, either iteratively, in parallel, or in combination thereof, said encrypted item with each of said set of N location-specific secure-keys;
    - and wherein said concealing is further configured;
      
      (C) to prevent said at least one location-specific secure-key from ever being known in unconcealed form on any computing resource in any computing-environment during said decrypting; and
      
      (D) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;
      
      XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said decrypting and said concealing, to be performed while said at least one location-specific secure-key is in its concealed form.
  - 9. The device of claim 8, wherein said protection module is further configured for:
    - (iii) prior to said encrypting or subsequent to said decrypting, exchanging said secret item with an authorized requester while said secret item remains unknown to said security-key framework, thereby providing a secure, virtualized key-management system.
  - 10. The device of claim 6, wherein said encrypting and said concealing can be performed on any element of a collection of computing resources operationally connected to the computing-environment, wherein said concealing is performed differently on each said element, thereby preventing leakage of a concealed key from one said element from compromising any other said element.

11. A non-transitory computer-readable medium, having computer-readable code embodied on the non-transitory computer-readable medium, the computer-readable code comprising:
- (a) program code for providing a security-key framework which is adapted, upon receiving an encryption request for protecting a secret item in the computing-environment, for repetitively encrypting, either iteratively, parallel, or in combination thereof said secret item with each of a set of N location-specific secure-keys, wherein each said location-specific secure-key of said set corresponds to a respective encryption location, to create an encrypted item;
  
  wherein said locations are regions of memory located in computing resources operationally connected to the computing-environment; and
  
  (b) program code for concealing through encryption at least one said location-specific secure-key such that said concealing is configured;
  
  (i) to prevent said at least one location-specific secure-key from ever being known in an unconcealed form on any computing resource in any computing-environment during said encrypting; and
  
  (ii) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;
  
  XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said encrypting and said concealing, to be performed while said at least location-specific secure-key is in its concealed form.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-readable medium of claim 11, wherein said program code for concealing includes at least one technique selected from the group consisting of:
    - key splitting, key joining, key blinding, homomorphic encryption, and any encryption technique known in the art.
  - 13. The computer-readable medium of claim 11, wherein said security-key framework is further adapted, upon receiving a decryption request for said encrypted item, for repetitively decrypting, either iteratively, in parallel, or in combination thereof, said encrypted item with each of said set of N location-specific secure-keys;
    - and wherein said program code for concealing is further configured;
      
      (iii) to prevent said at least one location-specific secure-key from ever being known in unconcealed form on any computing resource in any computing-environment during said decrypting; and
      
      (iv) to allow useful mathematical operations, wherein said useful mathematical operations include at least one operation selected from the group consisting of;
      
      XOR, addition, subtraction, multiplication, division, modular addition, modular subtraction, modular multiplication, modular division, and combinations thereof, performed as part of said decrypting and said concealing, to be performed while said at least one location-specific secure-key is in its concealed form.
  - 14. The computer-readable medium of claim 13, the computer-readable code further comprising:
    - (c) program code for, prior to said encrypting or subsequent to said decrypting, exchanging said secret item with an authorized requester while said secret item remains unknown to said security-key framework, thereby providing a secure, virtualized key-management system.
  - 15. The computer-readable medium of claim 11, wherein said encrypting and said program code for concealing can be performed on any element of a collection of computing resources operationally connected to the computing-environment, wherein said program code for concealing is configured to be performed differently on each said element, thereby preventing leakage of a concealed key from one said element from compromising any other said element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Porticor Ltd. (Intuit, Inc.)
Original Assignee
Porticor Ltd. (Intuit, Inc.)
Inventors
Parann-Nissany, Gilad, Sheffer, Yaron

Granted Patent

US 9,380,036 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/72   in cryptographic circuits

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2149   Restricted operating enviro...

H04L 2463/062   applying encryption of the ...

H04L 63/06   for supporting key manageme...

H04L 67/10   in which an application is ...

H04L 9/008   involving homomorphic encry...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

METHODS AND DEVICES FOR SECURING KEYS FOR A NONSECURED, DISTRIBUTED ENVIRONMENT WITH APPLICATIONS TO VIRTUALIZATION AND CLOUD-COMPUTING SECURITY AND MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND DEVICES FOR SECURING KEYS FOR A NONSECURED, DISTRIBUTED ENVIRONMENT WITH APPLICATIONS TO VIRTUALIZATION AND CLOUD-COMPUTING SECURITY AND MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links