SYSTEMS AND METHODS FOR SECURED KEY MANAGEMENT VIA HARDWARE SECURITY MODULE FOR CLOUD-BASED WEB SERVICES

US 20150358311A1
Filed: 03/24/2015
Published: 12/10/2015
Est. Priority Date: 06/05/2014
Status: Abandoned Application

First Claim

Patent Images

1. A system for secured key management and crypto operations for cloud-based web services, comprising:

a plurality of hardware security module (HSM) service units, wherein each of the HSM service units further comprises;

an HSM virtual machine (VM) running on a host, which in operation, is configured to communicate with a web service host and to offload its key management and crypto operations via a secured communication channel over a network;

an HSM partition running on an HSM adapter, wherein the HSM partition is configured to;

store keys and credentials of the web service host in a key store in an isolated and tamper proof environment on the HSM adapter;

perform the crypto operations offloaded from the web service host using the stored keys and credentials of the web service host;

provide result of the crypto operations to the web service host via the secured communication channel.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to support one of the web service hosts/servers to offload their key management and crypto operations via one of a plurality of HSM virtual machine (VM) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services.

20 Citations

View as Search Results

35 Claims

1. A system for secured key management and crypto operations for cloud-based web services, comprising:
- a plurality of hardware security module (HSM) service units, wherein each of the HSM service units further comprises;
  
  an HSM virtual machine (VM) running on a host, which in operation, is configured to communicate with a web service host and to offload its key management and crypto operations via a secured communication channel over a network;
  
  an HSM partition running on an HSM adapter, wherein the HSM partition is configured to;
  
  store keys and credentials of the web service host in a key store in an isolated and tamper proof environment on the HSM adapter;
  
  perform the crypto operations offloaded from the web service host using the stored keys and credentials of the web service host;
  
  provide result of the crypto operations to the web service host via the secured communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1, wherein:
    - the HSM adapter is a multi-chip embedded Federal Information Processing Standards (FIPS) 140-compliant hardware/firmware cryptographic module including, a security processor configured to enable cryptographic acceleration by performing the crypto operations with hardware accelerators and embedded software implementing security algorithms.
  - 3. The system of claim 1, wherein:
    - the HSM adapter is configured to support a number of HSM partitions in an active state to each serve a web service host while the rest of the HSM partitions are in an inactive state.
  - 4. The system of claim 1, wherein:
    - the HSM partition in each of the HSM service units has a one-to-one correspondence with the HSM-VM in the same HSM service unit, wherein the HSM partition interacts with and allows access only from the HSM-VM in the HSM service unit.
  - 5. The system of claim 1, wherein:
    - each of the HSM service units requires identity-based authentication for operations by a set of users, wherein the users include both an administrator to create and initialize the HSM service unit with a set of policies and the web service host to login to and access the HSM service unit.
  - 6. The system of claim 5, wherein:
    - the web service host provides the HSM service host with a valid certificate in order to access the HSM service host, wherein the certificate is issued by a trusted certificate authority (CA) and submitted during a request to create the HSM service unit.
  - 7. The system of claim 5, wherein:
    - each of the HSM service units permits a different set of API calls for different types of commands, wherein the types of commands made available by the HSM service unit vary based on the type of user accessing the HSM service unit.
  - 8. The system of claim 1, wherein:
    - the key store is configured to accept and store a plurality of types of objects for authentication and the crypto operations of the web service host in the isolated and tamper proof environment.
  - 9. The system of claim 8, wherein:
    - the objects include one or more of authentication credentials, user generated/imported keys, and certificates of the web service host.
  - 10. The system of claim 8, wherein:
    - the key store is configured to store the objects in an FIPS 140-2 Level 3 certified hardware with nothing being stored anywhere else in the system.
  - 11. The system of claim 8, wherein:
    - the objects are encoded and encrypted via an encryption key before being stored in the key store, wherein the encryption key is unique to the key store.
  - 12. The system of claim 8, wherein:
    - each of the objects stored in the key store is uniquely identified and accessed with a key handler, wherein the key handler forms a global unique identifier for the object along with a unique identifier for the HSM service unit.
  - 13. The system of claim 12, wherein:
    - the unique identifier for the HSM service unit is a string generated with one or more of Appliance Serial Number of the HSM Adapter, MAC address of a network adapter of the host, and domain name of the web service host.
  - 14. The system of claim 8, wherein:
    - the key store is configured to support a plurality of operations on the objects and one or more attributes stored along the objects.
  - 15. The system of claim 8, wherein:
    - the key store is configured to check each of the objects for validity based on its stored attributes before using the object for the crypto operations.
  - 16. The system of claim 8, wherein:
    - the key store is configured to perform consistency checks when an object is created or imported to avoid storing an invalid object in the key store.
  - 17. The system of claim 1, wherein:
    - a set of the plurality of HSM service units are connected together to form an elastic HSM set, which extends and combines their key stores seamlessly to be accessed as one elastic key store.
  - 18. The system of claim 17, wherein:
    - all HSM service units in the elastic HSM set are provided to the web service host as a single logical HSM service unit having the combined key store.
  - 19. The system of claim 17, wherein:
    - the size of the combined key store of the elastic HSM set is increased or decreased dynamically with a supported minimum size by including or removing one or more HSM service units in the elastic HSM set.
  - 20. The system of claim 17, wherein:
    - the elastic HSM set includes one base HSM service unit and one or more extended HSM service units, wherein only the base HSM service unit is exposed to the web service host and the web service host communicates directly only with the base HSM service unit.
  - 21. The system of claim 17, wherein:
    - the elastic HSM set includes one base HSM service unit and one or more extended HSM service units, wherein the web service host communicates with and offloads its key management and crypto operations directly to the extended HSM service units in the elastic HSM set without passing through the base HSM service unit.

22. A method for secured key management and crypto operations for cloud-based web services, comprising:
- communicating with a web service host and offloading its key management and crypto operations to an HSM service host via a secured communication channel over a network;
  
  storing keys and credentials of the web service host in a key store of an HSM partition of the HSM service host in an isolated and tamper proof environment on an HSM adapter;
  
  performing the crypto operations offloaded from the web service host by the HSM partition using stored keys and credentials of the web service host;
  
  providing result of the crypto operations to the web service host via the secured communication channel.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 23. The method of claim 22, further comprising:
    - requiring identity-based authentication for operations by a set of users, wherein the users include both an administrator to create and initialize the HSM service host with a set of policies and the web service host to login to and access the HSM service host.
  - 24. The method of claim 22, further comprising:
    - providing a valid certificate of the in order to access the HSM service host, wherein the certificate is issued by a trusted certificate authority (CA) during a request to create the HSM service host.
  - 25. The method of claim 22, further comprising:
    - permitting a different set of API calls for different types of commands, wherein the types of commands made available by the HSM service host vary based on the type of user accessing the HSM service host.
  - 26. The method of claim 22, further comprising:
    - accepting and storing a plurality of types of objects in the key store for authentication and the crypto operations of the web service host in the isolated and tamper proof environment, wherein the objects include one or more of authentication credentials, user generated/imported keys, and certificates of the web service host.
  - 27. The method of claim 26, further comprising:
    - storing the objects in an FIPS 140-2 Level 3 certified hardware with nothing being stored anywhere else.
  - 28. The method of claim 26, further comprising:
    - encoding and encrypting the objects via an encryption key before storing the objects in the key store, wherein the encryption key is unique to the key store.
  - 29. The method of claim 26, further comprising:
    - uniquely identifying and accessing each of the objects stored in the key store with a key handler, wherein the key handler forms a global unique identifier for the object along with a unique identifier for the HSM service host.
  - 30. The method of claim 26, further comprising:
    - supporting a plurality of operations on the objects and one or more attributes stored along the objects.
  - 31. The method of claim 26, further comprising:
    - checking each of the objects for validity based on its stored attributes before using the object for the crypto operations.
  - 32. The method of claim 26, further comprising:
    - forming an elastic HSM set by connecting a set of HSM service units together, which extends and combines the key stores of the HSM service units seamlessly to be accessed as one elastic key store.
  - 33. The method of claim 32, further comprising:
    - increasing or decreasing the size of the combined key store of the elastic HSM set dynamically with a supported minimum size by including or removing one or more HSM service units in the elastic HSM set.
  - 34. The method of claim 32, further comprising:
    - exposing only a base HSM service unit of the elastic HSM set to the web service host and the web service host communicates directly only with the base HSM service unit.
  - 35. The method of claim 32, further comprising:
    - enabling the web service host to communicate with and offload its key management and crypto operations directly to one or more extended HSM service units in the elastic HSM set without passing through a base HSM service unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cavium, LLC (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
KANCHARLA, Phanikumar, MANAPRAGADA, Ram Kumar

Application Number

US14/667,238
Publication Number

US 20150358311A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

SYSTEMS AND METHODS FOR SECURED KEY MANAGEMENT VIA HARDWARE SECURITY MODULE FOR CLOUD-BASED WEB SERVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURED KEY MANAGEMENT VIA HARDWARE SECURITY MODULE FOR CLOUD-BASED WEB SERVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links