Method for managing cryptographic information

US 8,213,620 B1
Filed: 11/17/2008
Issued: 07/03/2012
Est. Priority Date: 11/17/2008
Status: Active Grant

First Claim

Patent Images

1. A machine implemented method, comprising:

executing an agent at a first encryption device and a second encryption device for communicating with a centralized key manager (CKM) for sending and receiving encryption key objects in a same format while using different encryption key types for encrypting information, where the format of the encryption key objects used by the agent and the CKM to communicate includes an encryption key format identifying a format for wrapping encryption key objects by the CKM and a plurality of attributes of the encryption key objects used by the CKM to process the encryption key objects;

storing configuration information regarding the first encryption device and the second encryption device by the CKM for processing encryption key objects received from the first encryption device and the second encryption device;

wherein the configuration information includes a key sharing group label based on which the encryption key objects are replicated by the CKM and shared between other entities;

policies that define encryption key management for the first encryption device and the second encryption device; and

format information for presenting the encryption key objects to the first encryption device and the second encryption device;

inserting a key sharing group label by the CKM in an encryption key object received by the CKM from the first encryption device, based on which the received encryption key object is replicated a certain number of times and shared;

wrapping the encryption key object by the CKM based on the configuration information stored for the first encryption device;

wherein the wrapped encryption key object includes encrypted key content and an indicator indicating a format of the wrapped encryption key object; and

storing the wrapped encryption key object by the CKM using a format defined by the configuration information;

wherein the encryption key object is received from the first encryption device over a secure connection using a first encryption level; and

the CKM encrypts content of the encryption key object using a second encryption level, the second encryption level being higher than the first encryption level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method for distributing encryption keys stored by a centralized key manager, operationally coupled to a first encryption device and the second encryption device is provided. The first encryption device and the second encryption device may request the CKM to provide the stored encryption keys in different formats and each encryption device may use a different encryption format to encrypt information. If the encryption devices are authorized to receive the stored encryption keys, then the CKM prepares the requested keys in different formats and provides them to the encryption devices.

90 Citations

View as Search Results

19 Claims

1. A machine implemented method, comprising:
- executing an agent at a first encryption device and a second encryption device for communicating with a centralized key manager (CKM) for sending and receiving encryption key objects in a same format while using different encryption key types for encrypting information, where the format of the encryption key objects used by the agent and the CKM to communicate includes an encryption key format identifying a format for wrapping encryption key objects by the CKM and a plurality of attributes of the encryption key objects used by the CKM to process the encryption key objects;
  
  storing configuration information regarding the first encryption device and the second encryption device by the CKM for processing encryption key objects received from the first encryption device and the second encryption device;
  
  wherein the configuration information includes a key sharing group label based on which the encryption key objects are replicated by the CKM and shared between other entities;
  
  policies that define encryption key management for the first encryption device and the second encryption device; and
  
  format information for presenting the encryption key objects to the first encryption device and the second encryption device;
  
  inserting a key sharing group label by the CKM in an encryption key object received by the CKM from the first encryption device, based on which the received encryption key object is replicated a certain number of times and shared;
  
  wrapping the encryption key object by the CKM based on the configuration information stored for the first encryption device;
  
  wherein the wrapped encryption key object includes encrypted key content and an indicator indicating a format of the wrapped encryption key object; and
  
  storing the wrapped encryption key object by the CKM using a format defined by the configuration information;
  
  wherein the encryption key object is received from the first encryption device over a secure connection using a first encryption level; and
  
  the CKM encrypts content of the encryption key object using a second encryption level, the second encryption level being higher than the first encryption level.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the first encryption device and the second encryption device are enrolled with the CKM using an enrollment process during which the CKM obtains the configuration information regarding the first encryption device and the second encryption device.
  - 3. The method of claim 2, wherein the enrollment process is initiated based on Internet Protocol addresses of the first encryption device and the second encryption device.
  - 4. The method of claim 1, wherein some of the plurality of attributes is identified as a primary attribute maintained by the CKM, such that each primary attribute has a unique value used by the CKM to search a data structure storing encryption key objects.
  - 5. The method of claim 1, wherein the first encryption device and the second encryption device are coupled to a storage system and encrypt data before data is stored by the storage system.
  - 6. The method of claim 5, wherein the encryption key objects received from the first encryption device and the second encryption device includes encryption keys to encrypt the data.

7. A machine implemented method, comprising:
- registering a first encryption device that uses a first format to encrypt data and a second encryption device that uses a second format to encrypt data with a centralized key manager (CKM) that manages encryption key objects for the first encryption device and the second encryption device each executing an agent for communicating with the CKM for sending and receiving the encryption key objects in a same format while using the first format and the second format to encrypt data, where each encryption key object includes an encryption key format identifying a format for storing encryption key objects by the CKM;
  
  storing configuration information regarding the first encryption device and the second encryption device for processing encryption key objects received from the first encryption device and the second encryption device by the CKM,wherein the configuration information includes (i) a key sharing group label based on which a stored encryption key object is replicated a certain number of times and shared by the CKM with other entities;
  
  (ii) information regarding a type of key that the CKM uses to encrypt encryption key content received from the first encryption device and the second encryption device;
  
  (iii) policies that define key management for the first encryption device and the second encryption device; and
  
  (iv) format information for presenting an encryption key object to the first encryption device and the second encryption device;
  
  inserting the key sharing group label by the CKM in an encryption key object received by the CKM from each of the first encryption device and the second encryption device;
  
  wrapping the encryption key object received from the first encryption device and the second encryption device by the CKM, based on the configuration information stored for the first encryption device and the second encryption device;
  
  storing the encryption key objects received from the first encryption device and the second encryption device, in different formats by the CKM;
  
  wherein the encryption key objects from the first encryption device and the second encryption key device are received over a secure connection using a first encryption level; and
  
  the CKM encrypts content of the encryption key objects using a second encryption level, the second encryption level being higher than the first encryption level.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein each encryption object includes a key version number indicating a number of times an encryption object has been modified.
  - 9. The method of claim 7, wherein each encryption key object includes a plurality of attributes that are used by the CKM for processing encryption key objects that are received from the first encryption device and the second encryption device.
  - 10. The method of claim 9, wherein some of the plurality of attributes is identified as a primary attribute maintained by the CKM, such that each primary attribute has a unique value used by the CKM to search a data structure storing encryption key objects.
  - 11. The method of claim 7, wherein the first encryption device and the second encryption device are coupled to a storage system and encrypt data before data is stored by the storage system.
  - 12. The method of claim 7, wherein the encryption key objects received from the first encryption device and the second encryption device includes encryption keys to encrypt the data.

13. A machine implemented method, comprising:
- receiving a first encryption object from a first encryption device coupled to a centralized key manager (CKM), where the first encryption object includes an encryption key format identifying a format for wrapping the first encryption key object; and
  
  a plurality of attributes of the first encryption key object used by the CKM to process the encryption key object;
  
  receiving a second encryption object from a second encryption device coupled to the CKM centralized key manager (CKM) where the second encryption object includes an encryption key format identifying a format for wrapping the second encryption key object; and
  
  a plurality of attributes of the second encryption key object used by the CKM to process the second encryption key object;
  
  wherein the first encryption device and the second encryption device each execute an agent to communicate with the CKM in a same format while using different encryption key types for encrypting information before it is stored by a storage server;
  
  inserting a first key sharing group label by the CKM in the first encryption key object based on configuration information of the first encryption device maintained by the CKM;
  
  wherein the first key sharing group label is used to determine replication of the first encryption key object for a certain number of times and sharing with any other entity;
  
  inserting a second key sharing group label by the CKM in the second encryption key object based on configuration information of the second encryption device maintained by the CKM;
  
  wherein the second key sharing group label is used to determine replication of the second encryption key object for a certain number of times and sharing with any other entity;
  
  wrapping the first encryption key object by the CKM based on the configuration information stored for the first encryption device;
  
  wherein the wrapped encryption key object includes encrypted key content and an indicator indicating a format of the wrapped first encryption key object;
  
  wrapping the second encryption key object by the CKM based on the configuration information stored for the second encryption device;
  
  wherein the wrapped encryption key object includes encrypted key content and an indicator indicating a format of the wrapped second encryption key object;
  
  transmitting the first encryption key object by the CKM to a recipient authorized to receive the first encryption key object in the first format; and
  
  transmitting the second encryption key object by the CKM to a recipient authorized to receive the second encryption key object in the second format;
  
  wherein the first encryption key object is received over a secure connection using a first encryption level; and
  
  the CKM encrypts content of the first encryption key object using a second encryption level, where the second encryption level is higher than the first encryption level.
- View Dependent Claims (14, 15, 16, 18, 19)
- - 14. The method of claim 13, wherein the first encryption device and the second encryption device are enrolled with the CKM for storing and retrieving encryption key objects.
  - 15. The method of claim 13, wherein in response to a request from the first encryption device, the CKM presents the first encryption key object in the first format to another CKM that presents the first encryption key object to another encryption device in a format that is different from the first format.
  - 16. The method of claim 13, wherein some of the plurality of attributes of the first encryption key object are identified as a primary attribute having a unique value.
  - 18. The method of claim 13, wherein the first encryption device and the second encryption device are coupled to a storage system and encrypt data before data is stored by the storage system.
  - 19. The method of claim 18, wherein the first encryption key object includes an encryption key that is used by the first encryption key device to encrypt the data.

17. The method of 16, wherein the primary attribute is used by the CKM to search for the first encryption key object when stored and maintained by the CKM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Sussland, Robert J., Kavuri, Ravi, Agarwal, Gaurav
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
Zaidi, Syed

Application Number

US12/272,162
Time in Patent Office

1,324 Days
Field of Search

380/278
US Class Current

380/278
CPC Class Codes

H04L 9/083 involving central third par...

H04L 9/0894 Escrow, recovery or storing...

Method for managing cryptographic information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

90 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method for managing cryptographic information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others