SECURE DISTRIBUTED STORAGE OF ENCRYPTION KEYS

US 20200136822A1
Filed: 10/30/2018
Published: 04/30/2020
Est. Priority Date: 10/30/2018
Status: Active Grant

First Claim

Patent Images

1. A method of cryptographic processing across a network, the method comprising:

securely maintaining, by a computing device, a set of correspondences between encryption keys and key identifiers;

receiving, by the computing device, a cryptographic request from a remote device received across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing; and

in response to successfully authenticating the cryptographic request;

obtaining, by the computing device with reference to the set of correspondences, an encryption key corresponding to the key identifier;

cryptographically processing, by the computing device, the received data using the obtained encryption key to generate cryptographically-processed data; and

sending the cryptographically-processed data from the computing device across the network to the remote device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are presented for (a) securely maintaining, by a computing device, a set of correspondences between encryption keys and key identifiers, (b) receiving, by the computing device, a cryptographic request from a remote device received across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing, and (c) in response to successfully authenticating the cryptographic request: (1) obtaining, by the computing device with reference to the set of correspondences, an encryption key corresponding to the key identifier, (2) cryptographically processing, by the computing device, the received data using the obtained encryption key to generate cryptographically-processed data, and (3) sending the cryptographically-processed data from the computing device across the network to the remote device. Embodiments are directed to methods, apparatuses, systems, and computer program products for performing these techniques.

Citations

20 Claims

1. A method of cryptographic processing across a network, the method comprising:
- securely maintaining, by a computing device, a set of correspondences between encryption keys and key identifiers;
  
  receiving, by the computing device, a cryptographic request from a remote device received across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing; and
  
  in response to successfully authenticating the cryptographic request;
  
  obtaining, by the computing device with reference to the set of correspondences, an encryption key corresponding to the key identifier;
  
  cryptographically processing, by the computing device, the received data using the obtained encryption key to generate cryptographically-processed data; and
  
  sending the cryptographically-processed data from the computing device across the network to the remote device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1,wherein the data to be cryptographically processed is unencrypted;
    - wherein cryptographically processing includes encrypting the data using the obtained encryption key; and
      
      wherein the cryptographically-processed data is encrypted.
  - 3. The method of claim 2 wherein the data to be cryptographically processed is received by the computing device over a secured channel.
  - 4. The method of claim 1,wherein the data to be cryptographically processed is encrypted;
    - wherein cryptographically processing includes decrypting the data using the obtained encryption key; and
      
      wherein the cryptographically-processed data is decrypted.
  - 5. The method of claim 4 wherein sending the cryptographically-processed data from the computing device across the network to the remote device includes sending the decrypted cryptographically-processed data to the remote device over a secured channel.
  - 6. The method of claim 1,wherein the credentials are credentials of the remote device;
    - andwherein the method further comprises, in response to successfully authenticating the cryptographic request, verifying that the remote device identified by the credentials has permission to use the encryption key corresponding to the received key identifier.
  - 7. The method of claim 6,wherein securely maintaining the set of correspondences between encryption keys and key identifiers includes, prior to receiving the cryptographic request from the remote device:
    - receiving a key request from the remote device, the key request including a key identifier from the remote device and credentials of the remote device;
      
      authenticating the credentials of the remote device;
      
      in response to successfully authenticating the credentials of the remote device from the key request, generating the encryption key to be associated with the key identifier from the key request; and
      
      in response to generating the encryption key, storing the encryption key in a secure vault, access to the encryption key within the secure vault requiring the associated key identifier and credentials of the remote device;
      
      wherein obtaining the encryption key corresponding to the key identifier and verifying that the remote device identified by the credentials has permission to use the encryption key includes accessing the secure vault using the key identifier and the credentials from the cryptographic request; and
      
      wherein the encryption key is maintained securely within the computing device without being transmitted over the network.
  - 8. The method of claim 6 wherein obtaining the encryption key corresponding to the key identifier and verifying that the remote device identified by the credentials has permission to use the encryption key includes:
    - sending the key identifier and the credentials of the remote device across a secure channel to a remote key storage server, the remote key storage server storing the encryption key protected by the key identifier and the credentials of the remote device; and
      
      in response to sending the key identifier and the credentials to the remote key storage server, receiving the encryption key across the secure channel.

9. A system for cryptographic processing comprising:
- a network;
  
  a client computing device communicatively connected to the network; and
  
  a server computing device communicatively connected to the network, the server computing device configured to;
  
  securely maintain a set of correspondences between encryption keys and key identifiers;
  
  receive a cryptographic request from the client computing device across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing; and
  
  in response to successfully authenticating the cryptographic request;
  
  obtain, with reference to the set of correspondences, an encryption key corresponding to the key identifier;
  
  cryptographically process the received data using the obtained encryption key to generate cryptographically-processed data; and
  
  send the cryptographically-processed data across the network to the remote device;
  
  wherein the client computing device is configured to;
  
  send the cryptographic request to the server computing device across the network;
  
  receive the cryptographically-processed data from the server computing device across the network; and
  
  make use of the received cryptographically-processed data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The system of claim 9,wherein the data to be cryptographically processed is unencrypted;
    - wherein cryptographically processing includes encrypting the data using the obtained encryption key;
      
      wherein the cryptographically-processed data is encrypted; and
      
      wherein making use of the received cryptographically-processed data includes causing the encrypted data to be stored in persistent storage in connection with the key identifier.
  - 11. The system of claim 10 wherein causing the encrypted data to be stored in persistent storage in connection with the key identifier includes storing the encrypted data and the key identifier in persistent storage of the client computing device.
  - 12. The system of claim 10 wherein causing the encrypted data to be stored in persistent storage in connection with the key identifier includes sending a storage request to a remote storage device directing the remote storage device to persistently store the encrypted data and the key identifier.
  - 13. The system of claim 12,wherein the encryption key is stored in a standard key format;
    - andthe key identifier is stored in a format different from the standard key format.
  - 14. The system of claim 10 wherein the client computing device is configured to send the data to be cryptographically processed to the server computing device over a secured channel.
  - 15. The system of claim 9,wherein the data to be cryptographically processed is encrypted;
    - wherein cryptographically processing includes decrypting the data using the obtained encryption key;
      
      wherein the cryptographically-processed data is decrypted; and
      
      wherein making use of the received cryptographically-processed data includes sending the decrypted data to an application that requested access to that data.
  - 16. The system of claim 15 wherein sending the cryptographically-processed data across the network to the client computing device includes sending the decrypted data to the client computing device over a secured channel.
  - 17. The system of claim 9,wherein the credentials are credentials of the client computing device;
    - andwherein the server computing device is further configured to, in response to successfully authenticating the cryptographic request, verify that the client computing device identified by the credentials has permission to use the encryption key corresponding to the received key identifier.
  - 18. The system of claim 17,wherein securely maintaining the set of correspondences between encryption keys and key identifiers includes, prior to receiving the cryptographic request from the client computing device:
    - receiving a key request from the client computing device, the key request including a key identifier from the client computing device and credentials of the client computing device;
      
      authenticating the credentials of the client computing device;
      
      in response to successfully authenticating the credentials of the client computing device from the key request, generating the encryption key to be associated with the key identifier from the key request; and
      
      in response to generating the encryption key, storing the encryption key in a secure vault, access to the encryption key within the secure vault requiring the associated key identifier and credentials of the client computing device;
      
      wherein obtaining the encryption key corresponding to the key identifier and verifying that the client computing device identified by the credentials has permission to use the encryption key includes accessing the secure vault using the key identifier and the credentials from the cryptographic request; and
      
      wherein the encryption key is maintained securely within the server computing device without being transmitted over the network.
  - 19. The system of claim 17 wherein obtaining the encryption key corresponding to the key identifier and verifying that the client computing device identified by the credentials has permission to use the encryption key includes:
    - sending the key identifier and the credentials of the client computing device across a secure channel to a remote key storage server, the remote key storage server storing the encryption key protected by the key identifier and the credentials of the client computing device; and
      
      in response to sending the key identifier and the credentials to the remote key storage server, receiving the encryption key across the secure channel.

20. A computer program product comprising a non-transitory computer-readable storage medium storing a set of instructions, which, when executed by a computing device, cause the computing device to:
- securely maintain a set of correspondences between encryption keys and key identifiers;
  
  receive a cryptographic request from a remote device received across a network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing; and
  
  in response to successfully authenticating the cryptographic request;
  
  obtain, with reference to the set of correspondences, an encryption key corresponding to the key identifier;
  
  cryptographically process the received data using the obtained encryption key to generate cryptographically-processed data; and
  
  send the cryptographically-processed data across the network to the remote device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Villapakkam, Sridhar, Bhagwat, Ajit, Caccavale, Frank S.

Granted Patent

US 11,153,085 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0884   by delegation of authentica...

H04L 67/10   in which an application is ...

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/32   including means for verifyi...

H04L 9/3247   involving digital signatures

SECURE DISTRIBUTED STORAGE OF ENCRYPTION KEYS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE DISTRIBUTED STORAGE OF ENCRYPTION KEYS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links