SYSTEMS AND METHODS FOR SECURED HARDWARE SECURITY MODULE COMMUNICATION WITH WEB SERVICE HOSTS

US 20150358294A1
Filed: 03/18/2015
Published: 12/10/2015
Est. Priority Date: 06/05/2014
Status: Abandoned Application

First Claim

Patent Images

1. A system for secured hardware security module (HSM) communication for cloud-based web services, comprising:

a plurality of HSM service units, wherein each of the HSM service units further comprises;

an HSM virtual machine (VM) running on a host, which in operation, is configured to;

establish a secured communication channel with a web service host over a network;

authenticate the web service host based on credentials provided by the web service host;

offload key management and crypto operations from the web service host to an HSM partition of an HSM adapter once the web service host is authenticated;

provide results of the key management and crypto operations to the web service host via the secured communication channel;

said HSM partition running on the HSM adapter, wherein the HSM partition is configured to perform the key management and crypto operations offloaded from the web service host.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach is proposed that contemplates systems and methods to support security communication between a hardware security module (HSM) and for a plurality of web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM. Each of a plurality of HSM virtual machines (VMs) establishes a secure communication channel with a web service hosts/server to offload its key management and crypto operations to a HSM partition of the HSM dedicated to support the web service. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support the plurality of web service hosts.

Citations

27 Claims

1. A system for secured hardware security module (HSM) communication for cloud-based web services, comprising:
- a plurality of HSM service units, wherein each of the HSM service units further comprises;
  
  an HSM virtual machine (VM) running on a host, which in operation, is configured to;
  
  establish a secured communication channel with a web service host over a network;
  
  authenticate the web service host based on credentials provided by the web service host;
  
  offload key management and crypto operations from the web service host to an HSM partition of an HSM adapter once the web service host is authenticated;
  
  provide results of the key management and crypto operations to the web service host via the secured communication channel;
  
  said HSM partition running on the HSM adapter, wherein the HSM partition is configured to perform the key management and crypto operations offloaded from the web service host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein:
    - the HSM adapter is a multi-chip embedded Federal Information Processing Standards (FIPS) 140-2 Level-3 compliant hardware/firmware cryptographic module including, a security processor configured to enable cryptographic acceleration by performing the crypto operations with hardware accelerators and embedded software implementing security algorithms and key management.
  - 3. The system of claim 1, wherein:
    - the HSM-VM runs Security Enhanced Linux.
  - 4. The system of claim 1, wherein:
    - the HSM-VM in each of the HSM service units has a one-to-one correspondence with the HSM partition in the same HSM service unit, wherein the HSM partition interacts with and allows access only from the HSM-VM in the HSM service unit.
  - 5. The system of claim 1, wherein:
    - the HSM-VM offloads the crypto operations to an x86 Advanced Encryption Standard (AES) engine running on the HSM partition for performance optimization.
  - 6. The system of claim 1, wherein:
    - the HSM-VM further includes a secured communication server configured to establish the secured communication channel between the HSM-VM and the web service host via provided Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) functions to allow the web service host secured access to the HSM partition.
  - 7. The system of claim 6, wherein:
    - the secured communication server is a TurboSSL accelerated thin server.
  - 8. The system of claim 6, wherein:
    - the secured communication server is configured to adopt certificate-based mutual authentication to establish the secured communication channel between the HSM-VM and the web service host.
  - 9. The system of claim 6, wherein:
    - the secured communication server is configured to accept and authenticate the credentials provided by the web service host and only allow the web service host to issue non-privileged requests until the credentials are authenticated.
  - 10. The system of claim 9, wherein:
    - the credentials include a certificate issued by a trusted certificate authority (CA) during a request to create the HSM service unit.
  - 11. The system of claim 6, wherein:
    - the secured communication server is configured to create multiple secured communication channels having different security strengths with different users based on their types.
  - 12. The system of claim 6, wherein:
    - the secured communication server is configured to establish a secured communication channel between the web service host and a smart card configured to perform a number of the offloaded crypto operations with restrictions on security strength of the secured communication channel.
  - 13. The system of claim 6, wherein:
    - the secured communication server is configured to utilize one or more libraries provided by the HSM-VM to offload requests and responses for the key management and crypto operations to the HSM partition via the secured communication channel.
  - 14. The system of claim 6, wherein:
    - the secured communication server is configured to accept and apply configuration parameters of the secured communication channel in the form of a configuration file.
  - 15. The system of claim 1, further comprising:
    - a trusted platform module (TPM) running on the HSM adaptor, wherein the TPM is configured to provide a pair of persistent keys certified and installed during production of the HSM adapter, wherein the pair of keys cannot be read, modified or zeroized by any other party.
  - 16. The system of claim 15, wherein:
    - the TPM is configured to utilize the pair of keys to develop a local certification authority (CA) and its certificates to extend authenticity and integrity to the HSM service units including both the HSM-VM and the HSM partition to mitigate impersonation attacks to the system.

17. A method for secured hardware security module (HSM) communication for cloud-based web services, comprising:
- establishing a secured communication channel between a web service host and a hardware security module (HSM) virtual machine (VM) created on a host, wherein the HSM-VM is dedicated to an HSM partition of an HSM adapter in a one-to-one correspondence;
  
  authenticating the web service host based on credentials provided by the web service host;
  
  offloading key management and crypto operations from the web service host to the HSM partition once the web service host is authenticated;
  
  performing the key management and crypto operations offloaded from the web service host via the HSM partition;
  
  providing results of the key management and crypto operations to the web service host via the secured communication channel.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17, further comprising:
    - offloading the crypto operations to an x86 Advanced Encryption Standard (AES) engine running on the HSM partition for performance optimization.
  - 19. The method of claim 17, further comprising:
    - establishing the secured communication channel with the web service host via provided Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) functions to allow the web service host secured access to the HSM partition.
  - 20. The method of claim 17, further comprising:
    - adopting certificate-based mutual authentication to establish the secured communication channel with the web service host.
  - 21. The method of claim 17, further comprising:
    - accepting and authenticating the credentials provided by the web service host and only allows the web service host to issue non-privileged requests until the credentials are authenticated, wherein the credentials include a certificate issued by a trusted certificate authority (CA) during a request to create the HSM partition.
  - 22. The method of claim 17, further comprising:
    - creating multiple secured communication channels having different security strengths with different users based on their types.
  - 23. The method of claim 17, further comprising:
    - establishing a secured communication channel between the web service host and a smart card configured to perform a number of the offloaded crypto operations with restrictions on security strength of the secured communication channel.
  - 24. The method of claim 17, further comprising:
    - utilizing one or more libraries to offload requests and responses for the key management and crypto operations to the HSM partition via the secured communication channel.
  - 25. The method of claim 17, further comprising:
    - accepting and applying configuration parameters of the secured communication channel in the form of a configuration file.
  - 26. The method of claim 17, further comprising:
    - providing a pair of persistent keys certified and installed during production of the HSM adapter, wherein the pair of keys cannot be read, modified or zeroized by any other party.
  - 27. The method of claim 26, further comprising:
    - utilizing the pair of keys to develop a local certification authority (CA) and its certificates to extend authenticity and integrity to the HSM partition to mitigate impersonation attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cavium, LLC (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
KANCHARLA, Phanikumar, MANAPRAGADA, Ram Kumar

Application Number

US14/662,012
Publication Number

US 20150358294A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

SYSTEMS AND METHODS FOR SECURED HARDWARE SECURITY MODULE COMMUNICATION WITH WEB SERVICE HOSTS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURED HARDWARE SECURITY MODULE COMMUNICATION WITH WEB SERVICE HOSTS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links