SYSTEMS AND METHODS FOR CLOUD-BASED WEB SERVICE SECURITY MANAGEMENT BASEDON HARDWARE SECURITY MODULE

US 20160149877A1
Filed: 06/09/2014
Published: 05/26/2016
Est. Priority Date: 06/05/2014
Status: Abandoned Application

First Claim

Patent Images

1. A system for offloading key storage, management, and crypto operations for cloud-based web services, comprising:

a hardware security module (HSM), comprising one or more HSM partitions, wherein each of the HSM partitions is configured to perform key management and crypto operations for a web service host;

an HSM managing virtual machine (VM) running on a host, which in operation, is configured to create one or more HSM virtual machines (HSM-VMs), wherein each of the HSM-VMs is authenticated by and dedicated to one of the HSM partitions of the HSM in a one-to-one correspondence;

said one or more HSM-VMs running on a host, which in operation, is each configured to;

establish a secured communication channel over a network between the web service host and the HSM-VM to be served by an HSM partition dedicated to the HSM-VM;

receive and provide a request and/or data from the web service host to the HSM partition via the secured communication channel; and

provide results of the key management and crypto operations by the HSM partition back to the web service host via the secured communication channel.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to support one of the web service hosts/servers to offload their crypto operations via one of a plurality of HSM virtual machine (VM) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services.

Citations

26 Claims

1. A system for offloading key storage, management, and crypto operations for cloud-based web services, comprising:
- a hardware security module (HSM), comprising one or more HSM partitions, wherein each of the HSM partitions is configured to perform key management and crypto operations for a web service host;
  
  an HSM managing virtual machine (VM) running on a host, which in operation, is configured to create one or more HSM virtual machines (HSM-VMs), wherein each of the HSM-VMs is authenticated by and dedicated to one of the HSM partitions of the HSM in a one-to-one correspondence;
  
  said one or more HSM-VMs running on a host, which in operation, is each configured to;
  
  establish a secured communication channel over a network between the web service host and the HSM-VM to be served by an HSM partition dedicated to the HSM-VM;
  
  receive and provide a request and/or data from the web service host to the HSM partition via the secured communication channel; and
  
  provide results of the key management and crypto operations by the HSM partition back to the web service host via the secured communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, wherein:
    - the HSM is a multi-chip embedded Federal Information Processing Standards (FIPS) 140-compliant hardware/firmware cryptographic module.
  - 3. The system of claim 2, wherein:
    - the HSM includes a security processor configured to enable cryptographic acceleration by performing crypto operations with hardware accelerators and embedded software implementing security algorithms.
  - 4. The system of claim 1, wherein:
    - the key management is for symmetric and/or asymmetric keys.
  - 5. The system of claim 1, wherein:
    - the crypto operations are for cryptographic protocols designed to provide communication security over the Internet.
  - 6. The system of claim 1, wherein:
    - the HSM partition includes one or more crypto acceleration units and a key store to keep one or more of secured authentication credentials, user generated/imported keys, and configurations.
  - 7. The system of claim 6, wherein:
    - the secured authentication credentials, user generated/imported keys, and configurations are only stored in the key store within the HSM partition so that no entity except the HSM partition and the web service host has access to the authentication credentials.
  - 8. The system of claim 1, wherein:
    - the HSM partition supports and requires identity-based authentication for its operation, wherein each identity permits a different set of API calls for different types of commands used to initialize the HSM partition, manage the HSM partition, and/or provide crypto acceleration to the web service host.
  - 9. The system of claim 1, wherein:
    - the HSM managing VM and the HSM-VMs run on a host that is certified under FIPS for performing secured cryptographic operations.
  - 10. The system of claim 1, wherein:
    - the HSM managing VM determines the number of active HSM partitions within the HSM, loads drivers for various devices used to communicate with the HSM partitions, launches and monitors the HSM-VMs dedicated to the HSM partitions, and handles critical/management updates for the various devices.
  - 11. The system of claim 1, wherein:
    - the HSM managing VM comprises a physical function (PF) network driver configured to initialize the physical network adapters used by the HSM-VMs to communicate with their respective web service hosts.
  - 12. The system of claim 1, wherein:
    - the HSM managing VM comprises a physical function (PF) HSM driver configured to setup and initialize the HSM for operating the HSM partitions with the HSM-VMs.
  - 13. The system of claim 1, wherein:
    - each of the HSM-VMs is assigned a unique static secret used to authenticate with its corresponding HSM partition.
  - 14. The system of claim 1, wherein:
    - the web service host is required to authenticate itself over the secured communication channel with the HSM-VM in order to be able to interact with and access the corresponding HSM partition.
  - 15. The system of claim 1, wherein:
    - each of the HSM-VMs runs a Security Enhanced Linux operating system.
  - 16. The system of claim 1, wherein:
    - each of the HSM-VMs comprises a virtual function (VF) network driver configured to interact with a physical network adapter of the host to receive and transmit communications dedicated to the HSM-VM.
  - 17. The system of claim 1, wherein:
    - each of the HSM-VMs comprises a virtual function (VF) HSM driver configured to interact with an HSM partition of the HSM dedicated to the HSM-VM.
  - 18. The system of claim 1, wherein:
    - each of the HSM-VMs comprises a secured communication server configured to establish the secured communication channel between the HSM-VM and the web service host over the network.
  - 19. The system of claim 1, wherein:
    - the HSM-VMs running on the same hypervisor/host are isolated from each other and one HSM-VM cannot access data/communication of any other HSM-VMs.

20. A method for offloading key storage, management, and crypto operations for cloud-based web services, comprising:
- creating one or more virtual machines (VMs) on a host, wherein each of the VMs is authenticated and dedicated to one of a plurality of partitions of a hardware security module (HSM) in a one-to-one correspondence;
  
  establishing a secured communication channel over a network between a web service host and a VM to be served by an HSM partition dedicated to the VM;
  
  receiving and providing a request and/or data from the web service host to the HSM partition by the VM via the secured communication channel;
  
  performing key management and crypto operations via the dedicated HSM partition for the web service host; and
  
  providing results of the key management and crypto operations back to the web service host via the secured communication channel.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, further comprising:
    - storing secured authentication credentials, user generated/imported keys, and configurations only in a key store within the HSM partition so that no entity except the HSM partition and the web service host has access to the authentication credentials.
  - 22. The method of claim 20, further comprising:
    - supporting and requiring identity-based authentication for operation of the HSM partition, wherein each identity permits a different set of API calls for different types of commands used to initialize the HSM partition, manage the HSM partition, and/or provide crypto acceleration to the web service host.
  - 23. The method of claim 20, further comprising:
    - determining number of active HSM partitions within the HSM, loading drivers for various devices used to communicate with the HSM partitions, launching and monitoring the VMs dedicated to the HSM partitions, and handling critical/management updates for the various devices.
  - 24. The method of claim 20, further comprising:
    - assigning each of the VMs a unique static secret used to authenticate itself with its corresponding HSM partition.
  - 25. The method of claim 20, further comprising:
    - requiring the web service host to authenticate itself over the secured communication channel with the VM in order to be able to interact with and access the corresponding HSM partition.
  - 26. The method of claim 20, further comprising:
    - isolating the VMs running on the same hypervisor/host from each other so that one VM cannot access data/communication of any other VMs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cavium, LLC (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
KANCHARLA, Phanikumar, MANAPRAGADA, Ram Kumar

Application Number

US14/299,739
Publication Number

US 20160149877A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/602   Providing cryptographic fac...

G06F 21/86   Secure or tamper-resistant ...

G06F 2221/2115   Third party

G06F 9/45558   Hypervisor-specific managem...

H04L 2209/127   Trusted platform modules [TPM]

H04L 63/0485   Networking architectures fo...

H04L 63/062   for key distribution, e.g. ...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 9/0897   involving additional device...

H04L 9/3234   involving additional secure...

SYSTEMS AND METHODS FOR CLOUD-BASED WEB SERVICE SECURITY MANAGEMENT BASEDON HARDWARE SECURITY MODULE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR CLOUD-BASED WEB SERVICE SECURITY MANAGEMENT BASEDON HARDWARE SECURITY MODULE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links