Framework-based cryptographic key recovery system
First Claim
1. A method of providing cryptographic services and key recovery services, comprising the steps of:
- providing a secure key management framework including set of key recovery application program interfaces for use by an application layer code and a set of key recovery service provider interfaces to support plug-in key recovery service provider modules;
using the key recovery application program interfaces to set state and attribute information for use by the key recovery service provider modules and to generate key recovery blocks for confidentiality protected sessions;
issuing, from an application program in a computer, a request for cryptographic services;
processing said request for cryptographic services in a cryptographic module manager of the secure key management framework in said computer;
forwarding said processed request for cryptographic services from said cryptographic module manager to a cryptographic service provider program coupled to said computer;
issuing, from said application program in the computer, a request for key recovery services;
processing said request for key recovery services in a key recovery module manager of said secure key management framework in said computer; and
forwarding said processed request for key recovery services from said key recovery module manager to a key recovery service provider program coupled to said computer.
1 Assignment
0 Petitions
Accused Products
Abstract
A Secure Key Management Framework (SKMF) defines an infrastructure for a complete set of cryptographic services augmented with key recovery enablement. There are three major layers—the application layer invokes the SKMF layer, while the SKMF layer invokes the service provider (SP) layer. The application layer code invokes the cryptographic API and key-recovery API supported by the SKMF. Multiple key recovery mechanisms and cryptographic mechanisms can be implemented as service providers that log-in underneath the framework using the well-defined service provider interfaces provided by the framework. The SKMF implements the supported ATP calls by making appropriate invocations of the service provider modules using the SPIs.
139 Citations
15 Claims
-
1. A method of providing cryptographic services and key recovery services, comprising the steps of:
-
providing a secure key management framework including set of key recovery application program interfaces for use by an application layer code and a set of key recovery service provider interfaces to support plug-in key recovery service provider modules;
using the key recovery application program interfaces to set state and attribute information for use by the key recovery service provider modules and to generate key recovery blocks for confidentiality protected sessions;
issuing, from an application program in a computer, a request for cryptographic services;
processing said request for cryptographic services in a cryptographic module manager of the secure key management framework in said computer;
forwarding said processed request for cryptographic services from said cryptographic module manager to a cryptographic service provider program coupled to said computer;
issuing, from said application program in the computer, a request for key recovery services;
processing said request for key recovery services in a key recovery module manager of said secure key management framework in said computer; and
forwarding said processed request for key recovery services from said key recovery module manager to a key recovery service provider program coupled to said computer. - View Dependent Claims (2, 3)
processing said request for key recovery services in a key recovery policy table and processing said request for key recovery services in a policy enforcement module.
-
-
4. An apparatus for providing cryptographic services and key recovery services, comprising:
-
a secure key management framework including set of key recovery application program interfaces for use by an application layer code and a set of key recovery service provider interfaces to support plug-in key recovery service provider modules;
said key recovery application program interfaces setting state and attribute information for use by the key recovery service provider modules and generating key recovery blocks for confidentiality protected sessions;
means for issuing, from an application program in a computer, a request for cryptographic services;
means for processing said request for cryptographic services in a cryptographic module manager of the secure key management framework in said computer;
means for forwarding said processed request for cryptographic services from said cryptographic services from said cryptographic module manager to a cryptographic service provider program coupled to said computer;
means for issuing, from said application program in the computer, a request for key recovery services;
means for processing said request for key recovery services in a key recovery module manager of said secure key management framework in said computer; and
means for forwarding said processed request for key recovery services from said key recovery module manager to a key recovery service provider program coupled to said computer. - View Dependent Claims (5, 6)
means for processing said request for key recovery services in a key recovery policy table; and
means for processing said request for key recovery services in a policy enforcement module.
-
-
7. An article of manufacture for use in a computer, comprising:
-
a computer useable medium having computer readable program code means embodied therein for providing cryptographic services and key recovery services, the computer readable program code means in said article of manufacture comprising;
computer readable program code means for providing a secure key management framework including set of key recovery application program interfaces for use by an application layer code and a set of key recovery service provider interfaces to support plug-in key recovery service provider modules;
computer readable program code means for using the key recovery application program interfaces to set state and attribute information for use by the key recovery service provider modules and to generate key recovery blocks for confidentiality protected sessions;
computer readable program code means for causing a computer to issue, from an application program in a computer, a request for cryptographic services;
computer readable program code means for causing a computer to process said request for cryptographic services in a cryptographic module manager of the secure key management framework in said computer;
computer readable program code means for causing a computer to forward said processed request for cryptographic services from said cryptographic module manager to a cryptographic service provider program coupled to said computer;
computer readable program code means for causing a computer to issue, from said application program in the computer, a request for key recovery services;
computer readable program code means for causing a computer to process said request for key recovery services in a key recovery module manager of said secure key management framework in said computer; and
computer readable program code means for causing a computer to forward said processed request for key recovery services from said key recovery module manager to a key recovery service provider program coupled to said computer. - View Dependent Claims (8, 9)
processing said request for key recovery services in a key recovery policy table and processing said request for key recovery services in a policy enforcement module.
-
-
10. A method of providing key recovery services, comprising the steps of:
-
providing a secure key management framework including set of key recovery application program interfaces for use by an application layer code and a set of key recovery service provider interfaces to support plug-in key recovery service provider modules;
using the key recovery application program interfaces to set state and attribute information for use by the key recovery service provider modules and to generate key recovery blocks for confidentiality protected sessions;
issuing a request for cryptographic services;
processing said request for cryptographic services in the secure key management framework in a computer;
forwarding said processed request for cryptographic services to a cryptographic service provider program coupled to said computer;
issuing a request for key recovery services;
processing said request for key recovery services in said secure key management framework in said computer; and
forwarding said processed request for key recovery services to a key recovery service provider program coupled to said computer.
-
-
11. A method of providing cryptographic key recovery services, comprising the steps of:
-
providing a secure key management framework including set of key recovery application program interfaces for use by an application layer code and a set of key recovery service provider interfaces to support plug-in key recovery service provider modules;
using the key recovery application program interfaces to set state and attribute information for use by the key recovery service provider modules and to generate key recovery blocks for confidentiality protected sessions;
issuing, from an application program in a computer, a request for key recovery services;
processing said request for key recovery services in a key recovery module manager of the secure key management framework in said computer; and
forwarding said processed request for key recovery services from said key recovery module manager to a key recovery service provider program coupled to said computer. - View Dependent Claims (12, 13, 14, 15)
processing said request for key recovery services in a key recovery policy table and processing said request for key recovery services in a policy enforcement module.
-
-
13. The method of claim 11 in which said step of processing said request for key recovery services in a key recovery module manager further comprises:
-
said key recovery module manager supporting a set of key recovery APIs (KR-APIs) for use by application layer code;
said KR-APIs being used to set state and attribute information for use by key recovery service providers and to generate and validate the key recovery blocks for confidentiality protected sessions.
-
-
14. The method of claim 11 in which said step of processing said request for key recovery services in a key recovery module manager further comprises:
said key recovery module manager supporting a set of key recovery SPIs (KR-SPIs) to support plug-in key recovery service provider modules.
-
15. The method of claim 11 in which said step of processing said request for key recovery services in a key recovery module manager further comprises:
said key recovery module manager including a static key recovery enablement policy table and an enforcement module that ensures that all cryptographic associations abide by the key recovery enablement policy.
Specification