Data management system and method for a limited capacity cryptographic storage unit
First Claim
1. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
- a cryptographic data manager adapted to the portable limited capacity cryptographic storage unit; and
a data overflow storage device, operatively coupled to the cryptographic data manager, wherein the cryptographic data manager stores cryptographic data from the limited capacity storage unit in the data overflow storage device based on a limited capacity storage unit update condition.
7 Assignments
0 Petitions
Accused Products
Abstract
A data management system and method for a limited cryptographic storage unit, such as a smartcard or other hardware token, includes a cryptographic data manager that interfaces with the limited capacity cryptographic storage unit and a data overflow memory coupled to the cryptographic data manager. The cryptographic data manager stores cryptographic data, such as decryption private keys or other secret cryptographic data, in the overflow memory from the limited capacity cryptographic storage unit based on a limited capacity storage unit data update condition. The cryptographic data manager may serve as a secondary cryptographic data manager that receives the cryptographic data from an original cryptographic data storage device, or primary storage device such as a server that generates the cryptographic data, that stores a history of the cryptographic data.
105 Citations
49 Claims
-
1. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
-
a cryptographic data manager adapted to the portable limited capacity cryptographic storage unit; and
a data overflow storage device, operatively coupled to the cryptographic data manager, wherein the cryptographic data manager stores cryptographic data from the limited capacity storage unit in the data overflow storage device based on a limited capacity storage unit update condition. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
a data router operatively coupled to receive new data for storage in the limited capacity cryptographic storage unit, and an encryptor/decryptor operatively coupled to the data router, wherein the data router routes the new data to the limited capacity cryptographic storage unit and wherein the encryptor encrypts data sent to the overflow storage unit and the decryptor decrypts the new data prior to being stored in the limited capacity cryptographic storage unit.
-
-
13. The data management system of claim 1 wherein the limited capacity cryptographic storage unit stores first cryptographic key identification data and wherein the overflow storage unit stores second cryptographic key identification data.
-
14. The data management system of claim 13 including a selector, operatively responsive to the first and second cryptographic key identification data, that selects stored cryptographic data from either the limited capacity cryptographic storage unit or from the overflow storage unit, based on the identification data.
-
15. The data management system of claim 14 including a data decryptor, operatively coupled to the selector, wherein the data decryptor decrypts received encrypted data using the selected stored cryptographic data.
-
16. The data management system of claim 15 wherein cryptographic data includes decryption private key data and wherein the limited capacity cryptographic data storage unit and overflow unit includes decryption private key history data to facilitate decryption of received data encrypted using a non-current public encryption key.
-
17. The data management system of claim 12 wherein the encryptor encrypts key data from the data router using a symmetric key stored in the limited capacity cryptographic data storage unit.
-
18. The data management system of claim 17 wherein the key data includes decryption private key data removed from the limited capacity cryptographic storage unit.
-
19. The data management system of claim 12 wherein the encryptor encrypts key data from the data router using a symmetric key.
-
20. The data management system of claim 1 wherein the cryptographic data manager temporarily stores new data to be stored in the limited capacity cryptographic data storage unit until sufficient space is available in the limited capacity cryptographic data storage unit.
-
21. The data management system of claim 1 wherein the cryptographic data is latest previous decryption key history data.
-
22. The data management system of claim 1 wherein the cryptographic data is Nth previous cryptographic data from a stored history of cryptographic data, where N is a number of cryptographic keys stored by the limited capacity cryptographic storage unit.
-
23. The data management system of claim 1 wherein the limited capacity cryptographic storage unit stores cryptographic data in a first in first out (FIFO) manner.
-
24. The data management system of claim 23 wherein the cryptographic data manager provides memory size data of the limited capacity cryptographic storage unit for a primary key history data manager.
-
25. The data management system of claim 24 wherein the primary key history data manager obtains at least one of a plurality of non-current decryption private keys based on the memory data.
-
26. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
-
a receiver other than the portable limited capacity cryptographic storage unit that receives new data for storage in the portable limited capacity cryptographic storage unit; and
a data router operatively coupled to the receiver wherein the data router routes cryptographic data to a data overflow storage device based on a portable limited capacity storage unit data update condition. - View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
an encryptor/decryptor operatively coupled to the data router, wherein the data router routes the new data to the limited capacity cryptographic storage unit and wherein the encryptor encrypts data sent to the overflow storage unit and the decryptor decrypts the new data prior to being stored in the limited capacity cryptographic storage unit.
-
-
34. The data management system of claim 26 wherein the limited capacity cryptographic storage unit stores first decryption private key identification data and wherein the overflow storage unit stores second decryption private key identification data.
-
35. The data management system of claim 34 including a selector, operatively responsive to the first and second decryption private key identification data, that selects stored cryptographic data from either the limited capacity cryptographic storage unit or from the overflow storage unit, based on the identification data.
-
36. The data management system of claim 35 including a data decryptor, operatively coupled to the selector, wherein the data decryptor decrypts received encrypted data using the selected stored cryptographic data.
-
37. The data management system of claim 36 wherein cryptographic data includes decryption private key data and wherein the limited capacity cryptographic data storage unit and overflow unit includes decryption private key history data to facilitate decryption of received data encrypted using a non-current public encryption key.
-
38. The data management system of claim 33 wherein the encryptor encrypts key data from the data router using a symmetric key stored in the limited capacity cryptographic data storage unit.
-
39. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
-
a receiver other than the portable limited capacity cryptographic storage unit that receives new data for storage in the portable limited capacity cryptographic storage unit;
a data router operatively coupled to the receiver wherein the data router routes cryptographic data to a data overflow storage device based on a portable limited capacity storage unit data update condition; and
a primary key history data manager, operatively coupled to the receiver, that provides new cryptographic key data to the receiver for storage on the limited capacity cryptographic storage unit and maintains a decryption key history associated with a given portable limited capacity cryptographic storage unit. - View Dependent Claims (40)
-
-
41. Data management method for interfacing to a portable limited capacity cryptographic storage unit comprising the steps of:
-
determining a portable limited capacity storage unit data update condition; and
storing cryptographic data in the data overflow storage device received from the portable limited capacity cryptographic storage unit based on the portable limited capacity storage unit data update condition. - View Dependent Claims (42, 43, 44, 45, 46, 47)
receiving new data for storage in the limited capacity cryptographic storage unit, routing the new data to the limited capacity cryptographic storage unit encrypting data sent to an overflow storage unit; and
decrypting the new data prior to being stored in the limited capacity cryptographic storage unit.
-
-
47. The data management method of claim 41 including selecting stored cryptographic data from either the limited capacity cryptographic storage unit or from the overflow storage unit, based on key identification data.
-
48. Data management method for a limited capacity cryptographic storage unit comprising:
-
receiving new data for storage in the limited capacity cryptographic storage unit;
routing cryptographic data to a data overflow storage device based on a limited capacity storage unit data update condition;
providing new cryptographic key data to the receiver for storage on the limited capacity cryptographic storage unit; and
maintaining a decryption key history associated with a given limited capacity cryptographic storage unit. - View Dependent Claims (49)
-
Specification