SYSTEMS AND METHODS FOR SECURED COMMUNICATION HARDWARE SECURITY MODULE AND NETWORK-ENABLED DEVICES

US 20150358313A1
Filed: 08/18/2015
Published: 12/10/2015
Est. Priority Date: 06/05/2014
Status: Abandoned Application

First Claim

Patent Images

1. A system for secured communication with a plurality of network-enabled devices, comprising:

said plurality of network-enabled devices each configured to;

establish a secured communication channel with a hardware security module (HSM) over a network;

offload its key management and crypto operations to the HSM once the network-enabled device is authenticated by the HSM;

said HSM having a plurality of HSM service units, wherein each of the HSM service units is configured to;

authenticate one of the network-enabled devices based on credentials provided by the network-enabled device over the secured communication channel;

process the key management and crypto operations offloaded from the network-enabled device once it is authenticated;

communicate results of the key management and crypto operations back to the network-enabled device via the secured communication channel.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach is proposed that contemplates systems and methods to support security communication between a hardware security module (HSM) and a plurality of network-enabled devices to offload their key storage, management, and crypto operations to the HSM. The HSM includes a plurality of HSM service units, each configured to authenticate one of the network-enabled devices based on its credentials and process the key management and crypto operations offloaded from the network-enabled device once it is authenticated. The HSM service unit also communicates results of the key management and crypto operations back to the network-enabled device via the secured communication channel.

Citations

25 Claims

1. A system for secured communication with a plurality of network-enabled devices, comprising:
- said plurality of network-enabled devices each configured to;
  
  establish a secured communication channel with a hardware security module (HSM) over a network;
  
  offload its key management and crypto operations to the HSM once the network-enabled device is authenticated by the HSM;
  
  said HSM having a plurality of HSM service units, wherein each of the HSM service units is configured to;
  
  authenticate one of the network-enabled devices based on credentials provided by the network-enabled device over the secured communication channel;
  
  process the key management and crypto operations offloaded from the network-enabled device once it is authenticated;
  
  communicate results of the key management and crypto operations back to the network-enabled device via the secured communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein:
    - the HSM includes a multi-chip embedded Federal Information Processing Standards (FIPS) 140-2 Level-3 compliant hardware/firmware cryptographic module including, a security processor configured to enable cryptographic acceleration by performing the crypto operations with hardware accelerators and embedded software implementing security algorithms and key management.
  - 3. The system of claim 1, wherein:
    - each HSM service unit has a one-to-one correspondence with the network-enabled device it serves, wherein the HSM service unit communicates with and serves only that network-enabled device.
  - 4. The system of claim 1, wherein:
    - each HSM service unit is configured to communicate with and serve more than one network-enabled devices.
  - 5. The system of claim 4, wherein:
    - the HSM service unit is configured to establish multiple secured communication channels having different security strengths with different network-enabled devices based on their types.
  - 6. The system of claim 1, wherein:
    - communication over the secured communication channel is encrypted under AES.
  - 7. The system of claim 1, further comprising:
    - a thin client or server utilized to establish the secured communication channel between the HSM service unit and the network-enabled device.
  - 8. The system of claim 1, wherein:
    - each HSM service unit comprises an HSM virtual machine (HSM-VM) running on a host, wherein the HSM-VM is created from an VM image transferred from the network-enabled device served by the HSM service unit and is configured to maintain the secured communication channel between the HSM service unit and the network-enabled device.
  - 9. The system of claim 1, wherein:
    - each HSM service unit is configured to establish the secured communication channel between a module of the HSM service unit and the network-enabled device, wherein the module is configured to perform a number of the offloaded crypto operations with restrictions on security strength of the secured communication channel.
  - 10. The system of claim 1, wherein:
    - each HSM service unit is configured to adopt mutual authentication based on pre-configured and pre-loaded keys and/or certificates to establish the secured communication channel between the HSM service unit and the network-enabled device.
  - 11. The system of claim 1, wherein:
    - each HSM service unit is configured to accept and authenticate the credentials provided by the network-enabled device and only allow the network-enabled device to issue non-privileged requests until its credentials are authenticated.
  - 12. The system of claim 11, wherein:
    - the credentials include pre-configured and pre-loaded keys and/or a certificate issued by a trusted certificate authority (CA).
  - 13. The system of claim 1, wherein:
    - each HSM service unit comprises an HSM partition of the HSM, wherein the HSM partition is configured to perform the key management and crypto operations offloaded by the network-enabled device served by the HSM service unit.
  - 14. The system of claim 13, wherein:
    - the HSM partition serving the network-enabled device is configured to accept a plurality of encryption/decryption keys from the network-enabled device for performing the offloaded crypto operations.
  - 15. The system of claim 14, wherein:
    - the HSM partition serving the network-enabled device is configured to maintain a plurality of encryption/decryption keys in a key store of the HSM partition, wherein the key store is not accessible by the HSM service units serving other network-enabled devices.

16. A method for secured communication with a plurality of network-enabled devices, comprising:
- establishing a secured communication channel between one of the network-enabled devices a hardware security module (HSM) over a network;
  
  authenticating the network-enabled device based on its credentials provided over the secured communication channel;
  
  offloading key management and crypto operations of the network-enabled device to one of a plurality of HSM service units of the HSM once the network-enabled device is authenticated by the HSM;
  
  processing the key management and crypto operations offloaded from the network-enabled device by its HSM service unit;
  
  communicating results of the key management and crypto operations back to the network-enabled device via the secured communication channel.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method of claim 16, further comprising:
    - establishing multiple secured communication channels having different security strengths with different network-enabled devices based on their types.
  - 18. The method of claim 16, further comprising:
    - utilizing a thin client or server to establish the secured communication channel between the HSM and the network-enabled device.
  - 19. The method of claim 16, further comprising:
    - creating an HSM virtual machine (HSM-VM) from an VM image transferred from the network-enabled device served by the HSM service unit, wherein the HSM-VM is configured to establish and maintain the secured communication channel between the HSM service unit and the network-enabled device.
  - 20. The method of claim 16, further comprising:
    - establishing the secured communication channel between a module of the HSM service unit and the network-enabled device, wherein the module is configured to perform a number of the offloaded crypto operations with restrictions on security strength of the secured communication channel.
  - 21. The method of claim 16, further comprising:
    - adopting mutual authentication based on pre-configured and pre-loaded keys and/or certificates to establish the secured communication channel between the HSM service unit and the network-enabled device.
  - 22. The method of claim 16, further comprising:
    - accepting and authenticating the credentials provided by the network-enabled device and only allow the network-enabled device to issue non-privileged requests until its credentials are authenticated.
  - 23. The method of claim 16, further comprising:
    - performing the key management and crypto operations offloaded by the network-enabled device served by the HSM service unit via a HSM partition of the HSM.
  - 24. The method of claim 23, further comprising:
    - accepting a plurality of encryption/decryption keys from the network-enabled device for performing the offloaded crypto operations by the HSM partition serving the network-enabled device.
  - 25. The method of claim 24, further comprising:
    - maintaining a plurality of encryption/decryption keys in a key store of the HSM partition serving the network-enabled device, wherein the key store is not accessible by the HSM service units serving other network-enabled devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cavium, LLC (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
HUSSAIN, Muhammad Raghib, KANCHARLA, Phanikumar, MANAPRAGADA, Ram Kumar

Application Number

US14/829,233
Publication Number

US 20150358313A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

SYSTEMS AND METHODS FOR SECURED COMMUNICATION HARDWARE SECURITY MODULE AND NETWORK-ENABLED DEVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURED COMMUNICATION HARDWARE SECURITY MODULE AND NETWORK-ENABLED DEVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links