Key management system and method

US 7,773,754 B2
Filed: 07/08/2002
Issued: 08/10/2010
Est. Priority Date: 07/08/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of cryptographically processing data in a host cryptographic system, comprising:

generating, during initialization of the host cryptographic system, a key stream in a cryptographic accelerator using an encryption algorithm and a key encryption key as the encryption key for the encryption algorithm, wherein the key encryption key is shared between the cryptographic accelerator and a security module;

storing the key stream in a data memory of the cryptographic accelerator;

encrypting, at the security module, a cipher key for a session using the key encryption key;

storing the encrypted session cipher key in a database;

receiving, at the host cryptographic system, a message associated with the session;

communicating the message and the encrypted session cipher key to the cryptographic accelerator;

decrypting the encrypted session cipher key using a stream cipher and the stored key stream to obtain the session cipher key; and

using the session cipher key to encrypt or decrypt the message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.

105 Citations

View as Search Results

20 Claims

1. A method of cryptographically processing data in a host cryptographic system, comprising:
- generating, during initialization of the host cryptographic system, a key stream in a cryptographic accelerator using an encryption algorithm and a key encryption key as the encryption key for the encryption algorithm, wherein the key encryption key is shared between the cryptographic accelerator and a security module;
  
  storing the key stream in a data memory of the cryptographic accelerator;
  
  encrypting, at the security module, a cipher key for a session using the key encryption key;
  
  storing the encrypted session cipher key in a database;
  
  receiving, at the host cryptographic system, a message associated with the session;
  
  communicating the message and the encrypted session cipher key to the cryptographic accelerator;
  
  decrypting the encrypted session cipher key using a stream cipher and the stored key stream to obtain the session cipher key; and
  
  using the session cipher key to encrypt or decrypt the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 12, 15, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein:
    - the message comprises data encrypted with a public session key; and
      
      the stored encrypted session cipher key comprises a private session key.
  - 3. The method of claim 1:
    - wherein decrypting the encrypted session cipher key is performed by an integrated circuit.
  - 4. The method of claim 3 wherein using the session cipher key to decrypt the message is performed by the integrated circuit.
  - 5. The method of claim 3 wherein using the session cipher key to encrypt the message is performed by the integrated circuit.
  - 6. The method of claim 1 wherein encrypting or decrypting the session cipher key comprises using a symmetric key encryption key, the method further comprising storing the symmetric key encryption key.
  - 7. The method of claim 1 wherein encrypting or decrypting the session cipher key comprises using an asymmetric key encryption key, the method further comprising storing the asymmetric key encryption key.
  - 8. The method of claim 1, wherein decrypting the stored encrypted session cipher key by the stream cipher comprises exclusively-ORing the encrypted session cipher key with the key stream.
  - 12. The method of claim 1, wherein generating further comprises:
    - generating, during initialization of the host cryptographic system, the key stream in the cryptographic accelerator using a block encryption algorithm and the key encryption key as the encryption key for the block encryption algorithm.
  - 15. The method of claim 1, wherein the message comprises a data packet.
  - 17. The method of claim 1, further comprising:
    - encrypting the key encryption key at the security module using a cryptographic accelerator public key;
      
      sending the encrypted key encryption key to the cryptographic accelerator; and
      
      decrypting the key encryption key at the cryptographic accelerator using a cryptographic accelerator private key.
  - 18. The method of claim 17, further comprising:
    - performing mutual authentication between the cryptographic accelerator and the security module prior to exchange of the key encryption key.
  - 19. The method of claim 17, further comprising:
    - generating the key encryption key within the security module.
  - 20. The method of claim 17, further comprising:
    - receiving the key encryption key at the security module prior to exchange of the key encryption key.

9. A security processing host cryptographic system, comprising:
- a security module configured to encrypt a cipher key for a session using a key encryption key;
  
  a database configured to store the encrypted session cipher key; and
  
  a cryptographic accelerator, adapted to receive a message and the encrypted session cipher key,wherein the cryptographic accelerator comprises;
  
  a keystream generator configured to generate, during initialization of the host cryptographic system, a key stream using an encryption algorithm and a key encryption key as the encryption key for the encryption algorithm, wherein the key encryption key is shared between the cryptographic accelerator and the security module;
  
  a data memory configured to store the key stream; and
  
  a stream cipher module configured to decrypt the encrypted session cipher key using the stored key stream to obtain the session cipher key.
- View Dependent Claims (10, 11, 13, 14)
- - 10. The security processing system of claim 9 further comprising a data network for connecting the security module to at least one of the group consisting of the database data memory and the cryptographic accelerator.
  - 11. The security processing system of claim 9 further comprising a data network for connecting the database data memory to at least one of the group consisting of the security module and the cryptographic accelerator.
  - 13. The security processing system of claim 9 further comprising a non-volatile memory for storing the key encryption key.
  - 14. The security processing system of claim 9, wherein the stream cipher is further configured to exclusively-OR the encrypted session cipher key with the stored key stream to obtain the session cipher key.

16. A method for managing cipher keys of a host cryptographic system, comprising the steps of:
- generating a private key;
  
  generating at least one key encryption key of the host cryptographic system;
  
  encrypting the private key using the at least one key encryption key;
  
  sending the at least one key encryption key over a secure channel;
  
  sending the at least one encrypted private key over a secure channel;
  
  storing the at least one encrypted private key that was sent over the secure channel;
  
  decrypting the stored at least one encrypted private key using the at least one key encryption key;
  
  generating at least one session key using the at least one decrypted private key;
  
  encrypting the at least one session key using the at least one key encryption key;
  
  storing the at least one encrypted session key; and
  
  decrypting the stored at least one encrypted session key using the at least one key encryption key to provide a session key to encrypt or decrypt a data packet,wherein all of the above steps are performed by the host cryptographic system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark L., Tardo, Joseph J.
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Jackson; Jenise E

Application Number

US10/191,365
Publication Number

US 20040005061A1
Time in Patent Office

2,955 Days
Field of Search

713/160, 713/161, 713/170, 713/169, 380/255, 380/277
US Class Current

380/277
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/72   in cryptographic circuits

H04L 2463/062   applying encryption of the ...

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

Key management system and method

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Key management system and method

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others