Key Generation and Rollover

US 20170331802A1
Filed: 05/08/2017
Published: 11/16/2017
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to generate and roll over keys for a cloud based identity management system, the generating and rolling over comprising:

generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;

storing the key set in a database table;

storing the key set in a memory cache associated with the database table; and

at the current key expiration time, rolling over the key set, including;

retrieving the key set from the database table,updating the previous key and the previous key expiration time with the current key and the current key expiration time,updating the current key and the current key expiration time with the next key and the next key expiration time,generating a new key and a new key expiration time,updating the next key and the next key expiration time with the new key and the new key expiration time,updating the key set in the database table; and

updating the key set in the memory cache.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Key generation and roll over is provided for a cloud based identity management system. A key set is generated that includes a previous key and expiration time, a current key and expiration time, and a next key and expiration time, and stores the key set in a database table and a memory cache associated with the database table. At the current key expiration time, the key set is rolled over, including retrieving the key set from the database table, updating the previous key and expiration time with the current key and expiration time, updating the current key and expiration time with the next key and expiration time, generating a new key and expiration time, updating the next key and expiration time with the new key and expiration time, and updating the key set in the database table and the memory cache.

56 Citations

View as Search Results

20 Claims

1. A computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to generate and roll over keys for a cloud based identity management system, the generating and rolling over comprising:
- generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;
  
  storing the key set in a database table;
  
  storing the key set in a memory cache associated with the database table; and
  
  at the current key expiration time, rolling over the key set, including;
  
  retrieving the key set from the database table,updating the previous key and the previous key expiration time with the current key and the current key expiration time,updating the current key and the current key expiration time with the next key and the next key expiration time,generating a new key and a new key expiration time,updating the next key and the next key expiration time with the new key and the new key expiration time,updating the key set in the database table; and
  
  updating the key set in the memory cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable medium of claim 1, wherein:
    - the database table is a tenant-specific database table associated with a tenancy identifier;
      
      the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and
      
      during said rolling over the key set, the providing further comprises;
      
      receiving, over a network, a request from a client application to retrieve the key set, the request including the tenancy identifier;
      
      retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier; and
      
      sending the key set to the client.
  - 3. The computer-readable medium of claim 2, wherein the request includes a client identifier, and the providing further comprises:
    - prior to retrieving the key set, determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier.
  - 4. The computer-readable medium of claim 3, wherein the new key expiration time includes a baseline expiration time and a random delta expiration time.
  - 5. The computer-readable medium of claim 4, wherein the key set is a cloud gate key set, the baseline expiration time is 12 hours and the random delta expiration time is between 1 second and 600 seconds.
  - 6. The computer-readable medium of claim 1, wherein the previous, current and next keys are symmetric keys.
  - 7. The computer-readable medium of claim 1, wherein the previous, current and next keys are asymmetric key pairs that include a first key to encrypt data and a second key to decrypt data.
  - 8. The computer-readable medium of claim 1, wherein during said rolling over the key set, the providing further comprises:
    - prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over; and
      
      after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.
  - 9. The computer-readable medium of claim 8, wherein during said rolling over the key set, the providing further comprises:
    - after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period.
  - 10. The computer-readable medium of claim 1, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

11. A method for generating and rolling over keys for a cloud based identity management system, the method comprising:
- generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;
  
  storing the key set in a database table;
  
  storing the key set in a memory cache associated with the database table; and
  
  at the current key expiration time, rolling over the key set, including;
  
  retrieving the key set from the database table,updating the previous key and the previous key expiration time with the current key and the current key expiration time,updating the current key and the current key expiration time with the next key and the next key expiration time,generating a new key and a new key expiration time,updating the next key and the next key expiration time with the new key and the new key expiration time,updating the key set in the database table; and
  
  updating the key set in the memory cache.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein:
    - the database table is a tenant-specific database table associated with a tenancy identifier;
      
      the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and
      
      during said rolling over the key set, the providing further comprises;
      
      receiving, over a network, a request from a client application to retrieve the key set, the request including a client identifier and the tenancy identifier;
      
      determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier;
      
      if the client identifier is authorized;
      
      retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier; and
      
      sending the key set to the client.
  - 13. The method of claim 11, wherein:
    - the key set is a cloud gate key set;
      
      the new key expiration time includes a baseline expiration time and a random delta expiration time;
      
      the baseline expiration time is 12 hours; and
      
      the random delta expiration time is between 1 second and 600 seconds.
  - 14. The method of claim 11, wherein, during said rolling over the key set, the providing further comprises:
    - prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over;
      
      after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period; and
      
      after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.
  - 15. The method of claim 14, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

16. A system comprising a server, coupled to a network, including a processor coupled to a memory storing instructions that, when executed by the processor, cause the processor to generate and roll over keys for a cloud based identity management system, the generating and rolling over comprising:
- generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time;
  
  storing the key set in a database table;
  
  storing the key set in a memory cache associated with the database table; and
  
  at the current key expiration time, rolling over the key set, including;
  
  retrieving the key set from the database table,updating the previous key and the previous key expiration time with the current key and the current key expiration time,updating the current key and the current key expiration time with the next key and the next key expiration time,generating a new key and a new key expiration time,updating the next key and the next key expiration time with the new key and the new key expiration time,updating the key set in the database table; and
  
  updating the key set in the memory cache.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein:
    - the database table is a tenant-specific database table associated with a tenancy identifier;
      
      the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and
      
      during said rolling over the key set, the providing further comprises;
      
      receiving, over a network, a request from a client application to retrieve the key set, the request including a client identifier and the tenancy identifier;
      
      determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier;
      
      if the client identifier is authorized;
      
      retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier; and
      
      sending the key set to the client.
  - 18. The system of claim 16, wherein:
    - the key set is a cloud gate key set;
      
      the new key expiration time includes a baseline expiration time and a random expiration time;
      
      the baseline expiration time is 12 hours; and
      
      the random delta expiration time is between 1 second and 600 seconds.
  - 19. The system of claim 16, wherein, during said rolling over the key set, the providing further comprises:
    - prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over;
      
      after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period; and
      
      after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.
  - 20. The system of claim 19, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Keshava, Rakesh, Katti, Sreedhar, Vepa, Sirish, Lander, Vadim, Mishra, Prateek

Granted Patent

US 10,581,820 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Key Generation and Rollover

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Key Generation and Rollover

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links