Key management system and method
First Claim
1. A method of cryptographically processing data in a host cryptographic system, comprising:
- generating, during initialization of the host cryptographic system, a key stream in a cryptographic accelerator using an encryption algorithm and a key encryption key as the encryption key for the encryption algorithm, wherein the key encryption key is shared between the cryptographic accelerator and a security module;
- storing the key stream in a data memory of the cryptographic accelerator;
- encrypting, at the security module, a cipher key for a session using the key encryption key;
- storing the encrypted session cipher key in a database;
- receiving, at the host cryptographic system, a message associated with the session;
- communicating the message and the encrypted session cipher key to the cryptographic accelerator;
- decrypting the encrypted session cipher key using a stream cipher and the stored key stream to obtain the session cipher key; and
- using the session cipher key to encrypt or decrypt the message.
5 Assignments
0 Petitions
Abstract
Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
105 Citations
20 Claims
1. A method of cryptographically processing data in a host cryptographic system, comprising the steps set out under First Claim above. View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 12, 15, 17, 18, 19, 20)

9. A security processing host cryptographic system, comprising:
- a security module configured to encrypt a cipher key for a session using a key encryption key;
- a database configured to store the encrypted session cipher key; and
- a cryptographic accelerator, adapted to receive a message and the encrypted session cipher key, wherein the cryptographic accelerator comprises:
  - a keystream generator configured to generate, during initialization of the host cryptographic system, a key stream using an encryption algorithm and a key encryption key as the encryption key for the encryption algorithm, wherein the key encryption key is shared between the cryptographic accelerator and the security module;
  - a data memory configured to store the key stream; and
  - a stream cipher module configured to decrypt the encrypted session cipher key using the stored key stream to obtain the session cipher key.
View Dependent Claims (10, 11, 13, 14)

16. A method for managing cipher keys of a host cryptographic system, comprising the steps of:
- generating a private key;
- generating at least one key encryption key of the host cryptographic system;
- encrypting the private key using the at least one key encryption key;
- sending the at least one key encryption key over a secure channel;
- sending the at least one encrypted private key over a secure channel;
- storing the at least one encrypted private key that was sent over the secure channel;
- decrypting the stored at least one encrypted private key using the at least one key encryption key;
- generating at least one session key using the at least one decrypted private key;
- encrypting the at least one session key using the at least one key encryption key;
- storing the at least one encrypted session key; and
- decrypting the stored at least one encrypted session key using the at least one key encryption key to provide a session key to encrypt or decrypt a data packet,
wherein all of the above steps are performed by the host cryptographic system.
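The key-stream wrapping of claims 1 and 9, as an added worked example; this is not code from the patent or its assignee. It assumes AES in counter mode as the claims' "encryption algorithm", a 1024-byte key stream held in the accelerator's data memory, a key-stream block offset stored beside each wrapped key in the database row, and a security module that hands out each offset only once. None of those details is specified in the claims, and all sample keys are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Blocks of key stream the simulated accelerator data memory holds
// (constructed value for this demo, not taken from the patent).
const keyStreamBlocks = 64

// SecurityModule knows the KEK and wraps session keys. nextOffset is an
// assumed allocator: every wrapped key gets a fresh slice of the key stream,
// because two keys XORed with the same stream bytes would leak their XOR.
type SecurityModule struct {
	KEK        []byte
	nextOffset int
}

// Accelerator holds only the precomputed key stream (the claim's data memory).
type Accelerator struct{ keyStream []byte }

// DBRecord is what the unsecured database stores per session.
type DBRecord struct {
	Offset  int    // first key-stream block used (assumption, not in the claim)
	Wrapped []byte // session key XORed with the key stream
}

// keyStreamAt returns nBytes of AES-CTR key stream under kek starting at
// block index offset. Go's CTR mode treats the whole IV as a big-endian
// counter, so placing offset in the low 8 bytes selects the starting block.
func keyStreamAt(kek []byte, offset, nBytes int) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], uint64(offset))
	out := make([]byte, nBytes) // zero plaintext in, raw key stream out
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out, nil
}

// NewAccelerator is the initialisation step: generate the whole key stream
// once under the shared KEK and keep it in data memory.
func NewAccelerator(kek []byte) (*Accelerator, error) {
	ks, err := keyStreamAt(kek, 0, keyStreamBlocks*aes.BlockSize)
	if err != nil {
		return nil, err
	}
	return &Accelerator{keyStream: ks}, nil
}

// WrapSessionKey runs at the security module: stream-cipher the session key
// under the KEK at a fresh offset, and refuse once the stream is used up.
func (sm *SecurityModule) WrapSessionKey(sessionKey []byte) (DBRecord, error) {
	blocks := (len(sessionKey) + aes.BlockSize - 1) / aes.BlockSize
	if sm.nextOffset+blocks > keyStreamBlocks {
		return DBRecord{}, errors.New("key stream exhausted: re-initialise with a new KEK")
	}
	ks, err := keyStreamAt(sm.KEK, sm.nextOffset, len(sessionKey))
	if err != nil {
		return DBRecord{}, err
	}
	rec := DBRecord{Offset: sm.nextOffset, Wrapped: make([]byte, len(sessionKey))}
	for i := range sessionKey {
		rec.Wrapped[i] = sessionKey[i] ^ ks[i]
	}
	sm.nextOffset += blocks
	return rec, nil
}

// UnwrapSessionKey runs on the accelerator: no KEK and no block cipher call,
// just an XOR against the stored stream at the record's offset.
func (a *Accelerator) UnwrapSessionKey(rec DBRecord) ([]byte, error) {
	start := rec.Offset * aes.BlockSize
	if rec.Offset < 0 || start+len(rec.Wrapped) > len(a.keyStream) {
		return nil, errors.New("record offset outside stored key stream")
	}
	key := make([]byte, len(rec.Wrapped))
	for i := range rec.Wrapped {
		key[i] = rec.Wrapped[i] ^ a.keyStream[start+i]
	}
	return key, nil
}

func main() {
	kek := bytes.Repeat([]byte{0x11}, 32) // constructed shared KEK
	sm := &SecurityModule{KEK: kek}
	acc, err := NewAccelerator(kek)
	if err != nil {
		panic(err)
	}
	rec, _ := sm.WrapSessionKey(bytes.Repeat([]byte{0x42}, 32)) // constructed session key -> DB row
	key, _ := acc.UnwrapSessionKey(rec)
	fmt.Printf("db row: offset=%d wrapped=%x\naccelerator recovered: %x\n", rec.Offset, rec.Wrapped, key)
}
```

After initialization the accelerator never touches the KEK again: per-message key recovery is a bounded XOR over memory it already holds, which is the performance point the abstract makes. The offset bookkeeping is what keeps the scheme a one-time pad per session key; the exhaustion check forces a fresh KEK and key stream rather than silently wrapping a second key under bytes already used.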
Specification