SYSTEMS AND METHODS FOR HARDWARE SECURITY MODULE AS CERTIFICATE AUTHORITY FOR NETWORK-ENABLED DEVICES

US 20160028551A1
Filed: 09/09/2015
Published: 01/28/2016
Est. Priority Date: 06/05/2014
Status: Abandoned Application

First Claim

Patent Images

1. A system, comprising:

a hardware security module (HSM) comprisinga trusted local certificate authority (CA) running on the HSM, wherein the trusted local CA is configured to issue a certificate to each of a plurality of network-enabled devices for authentication;

a plurality of HSM service units running on the HSM, wherein each of the HSM service units is configured to process key management and crypto operations offloaded from the network-enabled device once it is authenticated;

said plurality of network-enabled devices each configured toaccept its certificate for authentication from the trusted local CA;

establish a secured communication channel with the HSM over a network and present the certificate to the HSM in a request for authentication;

offload its key management and crypto operations to one of the HSM service units over the secured communication channel once the network-enabled device is authenticated.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach is proposed that contemplates systems and methods to support a trusted local certificate authority (CA) running on a hardware security module (HSM), wherein the trusted local CA is configured to issue a certificate to each of a plurality of network-enabled devices for authentication. The HSM further includes a plurality of HSM service units each configured to process key management and crypto operations offloaded from each of the network-enabled devices once it is authenticated. Each of the network-enabled devices is configured to accept its certificate for authentication from the trusted local CA, establish a secured communication channel with the HSM over a network and present the certificate to the HSM in a request for authentication, and offload its key management and crypto operations to one of the HSM service units once the network-enabled device is authenticated.

19 Citations

View as Search Results

28 Claims

1. A system, comprising:
- a hardware security module (HSM) comprisinga trusted local certificate authority (CA) running on the HSM, wherein the trusted local CA is configured to issue a certificate to each of a plurality of network-enabled devices for authentication;
  
  a plurality of HSM service units running on the HSM, wherein each of the HSM service units is configured to process key management and crypto operations offloaded from the network-enabled device once it is authenticated;
  
  said plurality of network-enabled devices each configured toaccept its certificate for authentication from the trusted local CA;
  
  establish a secured communication channel with the HSM over a network and present the certificate to the HSM in a request for authentication;
  
  offload its key management and crypto operations to one of the HSM service units over the secured communication channel once the network-enabled device is authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein:
    - the HSM includes a multi-chip embedded Federal Information Processing Standards (FIPS) 140-2 Level-3 compliant hardware/firmware cryptographic module including, a security processor configured to enable cryptographic acceleration by performing the crypto operations with hardware accelerators and embedded software implementing security algorithms and key management.
  - 3. The system of claim 1, wherein:
    - the certificate to the network-enabled device includes one or more of identification or serial number of the HSM, role and privilege of the network-enabled device, domain name of the HSM, and purpose of the certificate.
  - 4. The system of claim 1, wherein:
    - the HSM further includes a HSM managing VM configured toauthenticate the network-enabled device via the certificate issued by the trusted local CA;
      
      create the HSM service unit to serve the key management and crypto operations of the network-enabled device once it is authenticated.
  - 5. The system of claim 4, wherein:
    - the HSM managing VM is configured to adopt mutual authentication between the HSM service unit and the network-enabled device based on the certificate issued by the local CA.
  - 6. The system of claim 1, wherein:
    - the HSM is configured to allow only the network-enabled device to issue non-privileged requests until its certificate is authenticated.
  - 7. The system of claim 1, wherein:
    - the local CA is configured to generate the certificate using a pair of certified persistent (public and private) keys, wherein this certified key pair cannot be read, modified or zeroized by any other party to mitigate impersonation attacks to the HSM.
  - 8. The system of claim 7, wherein:
    - the network-enabled device is configured to utilize the certified pair of persistent keys to establish a secured communication channel with the HSM.
  - 9. The system of claim 1, wherein:
    - the local CA is configured to issue a backup certificate used for backing up and/or cloning the HSM service unit serving the network-enabled device.
  - 10. The system of claim 1, wherein:
    - each HSM service unit has a one-to-one correspondence with the network-enabled device it serves, wherein the HSM service unit communicates with and serves only that network-enabled device.
  - 11. The system of claim 1, wherein:
    - the network-enabled device is configured to utilize a thin client or server to establish the secured communication channel between the HSM service unit and the network-enabled device.
  - 12. The system of claim 1, wherein:
    - communication over the secured communication channel is encrypted under AES.
  - 13. The system of claim 1, wherein:
    - each HSM service unit comprises an HSM partition of the HSM, wherein the HSM partition is configured to perform the key management and crypto operations offloaded by the network-enabled device served by the HSM service unit.
  - 14. The system of claim 13, wherein:
    - the HSM partition serving the network-enabled device is configured to accept a plurality of encryption/decryption keys from the network-enabled device for performing the offloaded crypto operations.
  - 15. The system of claim 14, wherein:
    - the HSM partition serving the network-enabled device is configured to maintain a plurality of encryption/decryption keys in a key store of the HSM partition, wherein the key store is not accessible by the HSM service units serving other network-enabled devices.

16. A method, comprising:
- issuing a certificate to each of a plurality of network-enabled devices for authentication via a trusted local certificate authority (CA) running on a hardware security module (HSM);
  
  accepting the certificate from the trusted local CA by the network-enabled device;
  
  establishing a secured communication channel with the HSM over a network and present the certificate to the HSM in a request for authentication;
  
  authenticating the network-enabled device via the certificate issued by the local CA;
  
  creating a HSM service unit on the HSM to serve key management and crypto operations of the network-enabled device once it is authenticated;
  
  offloading the key management and crypto operations of the network-enabled device to the HSM service unit;
  
  processing the key management and crypto operations offloaded from the network-enabled device by its HSM service unit.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The method of claim 16, wherein:
    - the certificate to the network-enabled device includes one or more of identification or serial number of the HSM, role and privilege of the network-enabled device, domain name of the HSM, and purpose of the certificate.
  - 18. The method of claim 16, further comprising:
    - adopting mutual authentication between the HSM service unit and the network-enabled device based on the certificate issued by the local CA.
  - 19. The method of claim 16, further comprising:
    - allowing only the network-enabled device to issue non-privileged requests until its certificate is authenticated.
  - 20. The method of claim 16, further comprising:
    - generating the certificate using a pair of certified persistent (public and private) keys, wherein this certified key pair cannot be read, modified or zeroized by any other party to mitigate impersonation attacks to the HSM.
  - 21. The method of claim 20, further comprising:
    - utilizing the certified pair of persistent keys to establish a secured communication channel with the HSM.
  - 22. The method of claim 16, further comprising:
    - issuing a backup certificate used for backing up and/or cloning the HSM service unit serving the network-enabled device.
  - 23. The method of claim 16, wherein:
    - the HSM service unit has a one-to-one correspondence with the network-enabled device it serves, wherein the HSM service unit communicates with and serves only that network-enabled device.
  - 24. The method of claim 16, further comprising:
    - utilizing a thin client or server to establish the secured communication channel between the HSM service unit and the network-enabled device.
  - 25. The method of claim 16, further comprising:
    - encrypting communication over the secured communication channel is encrypted under AES.
  - 26. The method of claim 16, further comprising:
    - performing the key management and crypto operations offloaded by the network-enabled device served by the HSM service unit via an HSM partition of the HSM.
  - 27. The method of claim 16, further comprising:
    - accepting a plurality of encryption/decryption keys from the network-enabled device for performing the offloaded crypto operations by the HSM partition serving the network-enabled device.
  - 28. The method of claim 16, further comprising:
    - maintaining a plurality of encryption/decryption keys in a key store of the HSM partition, wherein the key store is not accessible by the HSM service units serving other network-enabled devices via the HSM partition serving the network-enabled device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cavium, LLC (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
HUSSAIN, Muhammad Raghib, KANCHARLA, Phanikumar, MANAPRAGADA, Ram Kumar

Application Number

US14/849,027
Publication Number

US 20160028551A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

SYSTEMS AND METHODS FOR HARDWARE SECURITY MODULE AS CERTIFICATE AUTHORITY FOR NETWORK-ENABLED DEVICES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR HARDWARE SECURITY MODULE AS CERTIFICATE AUTHORITY FOR NETWORK-ENABLED DEVICES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links