Automated key management system

US 8,295,492 B2
Filed: 06/23/2006
Issued: 10/23/2012
Est. Priority Date: 06/27/2005
Status: Active Grant

First Claim

Patent Images

1. A key management agent system in a computer network, the system comprising:

a centralized key control system that automatically generates and distributes asymmetric cryptographic keys for use by software applications in the computer network, the key control system including a key management server computer;

an administrative server interface, providing a user interface to the key management agent system, that is communicatively connected to the key control system;

at least one key management agent disposed on a computing machine communicatively connected to the key control system and arranged to receive at least one of the asymmetric cryptographic keys directly from the key control system wherein the at least one asymmetric key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication; and

at least one key store communicatively connected to the key management agent and automatically loaded with the at least one asymmetric cryptographic keys as directed by the key control system,wherein the key management system provides for rotation and distribution of asymmetric cryptographic keys by having the administrative server interface instruct the key management server of the key control system to generate a new cryptographic key and to distribute the new cryptographic key to at least one of the key management agents with a message to only set the new cryptographic key as current once the new cryptographic key has been successfully received by all necessary key management agents.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automated cryptographic key management comprises a key control system, a key management agent system, and a key system application program interface. A method for automated cryptographic key management is also disclosed. The method comprises the automatic generation of cryptographic keys by the key control system and distribution of such keys by the key control system to the key management agent system.

114 Citations

View as Search Results

20 Claims

1. A key management agent system in a computer network, the system comprising:
- a centralized key control system that automatically generates and distributes asymmetric cryptographic keys for use by software applications in the computer network, the key control system including a key management server computer;
  
  an administrative server interface, providing a user interface to the key management agent system, that is communicatively connected to the key control system;
  
  at least one key management agent disposed on a computing machine communicatively connected to the key control system and arranged to receive at least one of the asymmetric cryptographic keys directly from the key control system wherein the at least one asymmetric key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication; and
  
  at least one key store communicatively connected to the key management agent and automatically loaded with the at least one asymmetric cryptographic keys as directed by the key control system,wherein the key management system provides for rotation and distribution of asymmetric cryptographic keys by having the administrative server interface instruct the key management server of the key control system to generate a new cryptographic key and to distribute the new cryptographic key to at least one of the key management agents with a message to only set the new cryptographic key as current once the new cryptographic key has been successfully received by all necessary key management agents.
- View Dependent Claims (2)
- - 2. The key management agent system as claimed in claim 1, wherein the key store of the key management agent system is adapted to be read by an application program interface of at least one of the software applications.

3. A key control system for cryptographic asymmetric application keys for use within an automated key management system comprising at least one key management agent, the key control system comprising:
- a collection of key data, the key data including a plurality of asymmetric cryptographic application keys for use in facilitating secure communication in the automated key management system,a cryptographic key database system for storing at least a portion of the key data including encrypted asymmetric application keys,a key management server computer communicatively connected within the automated key management system and arranged to automatically generate an asymmetric application key and store the asymmetric application key in the cryptographic key database system, wherein the asymmetric application key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication, anda message to only set the asymmetric application key as current once the asymmetric application key has been successfully received by all necessary key management agents.
- View Dependent Claims (4)
- - 4. The key control system as claimed in claim 3, the key control system further comprising:
    - a secure hardware device communicatively connected into the automated key management system for storing one or more master keys that are used to scramble or descramble asymmetric application keys or intermediate keys to asymmetric application keys.

5. A method of distributing asymmetric cryptographic keys automatically by a key control system in an automated key management system, the method comprising:
- at the key control system, receiving instructions from an administrative interface to distribute an asymmetric cryptographic key to a key management agent, wherein the asymmetric cryptographic key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication;
  
  automatically distributing without manual intervention the asymmetric cryptographic key to the key management agent via a secure interface; and
  
  automatically loading, without manual intervention, the asymmetric cryptographic key into a key store for independent retrieval by an application programming interface of an unrelated software application, andinstructing the key management agent by the key control system to only set the asymmetric cryptographic key as current once all necessary key management agents have successfully received the asymmetric cryptographic key.
- View Dependent Claims (6)
- - 6. The method as claimed in claim 5, further comprising:
    - receiving instructions by the key control system from an administrative interface to generate asymmetric cryptographic keys.

7. A method for securely transmitting a cryptographic application key from a first computing device to a second computing device using a certificate having an expiration date, the method comprising:
- assessing the expiration date of the certificate of the second computing device,based upon the assessment, generating, by the second computing device, an authentication key pair having a public key and a private key,wrapping the public key in a system certificate request message by the second computing device,transmitting the system certificate request message from the second computing device to the first computing device,sending the system certificate request from the first computing device to a certificate authority,at the first computing device, receiving, from the certificate authority, a signed certificate that comprises the public key signed by the certificate authority,forwarding the signed public key from the first computing device to the second computing device, anddistributing a cryptographic application key from the first computing device to the second computing device using the signed public key to authenticate the distribution, andinstructing to only set the cryptographic application key as current once the cryptographic application key has successfully been received by the second computing device.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method as claimed in claim 7, wherein assessing the expiration date includes determining that the certificate of the second computing device is due to expire.
  - 9. The method as claimed in claim 8, wherein the assessment is carried out by the first computing device.
  - 10. The method as claimed in claim 7, wherein the first computing device includes a key control system for distributing cryptographic application keys and the second computing device includes a key management agent for receiving cryptographic application keys from the key control system and storing them on the second computing device.
  - 11. The method as claimed in claim 10, further comprising:
    - sending a renew certificate message from the key control system to the key management agent, andreceiving the renew certificate message by the key management agent.
  - 12. The method as claimed in claim 10, further comprising adding the private key of the authentication key pair to an authentication key store.
  - 13. The method as claimed in claim 10, further comprising, upon receiving the certificate:
    - retrieving the private key corresponding to the certificate from the authentication key store,creating a second authentication key store comprising the certificate and the private key, andencrypting the second authentication key store.

14. A method for automatically rotating cryptographic keys in an automatic key management system having a key control system for generating and distributing asymmetric cryptographic keys to a first computing device communicatively connected to a second computing device, the method comprising:
- storing a first cryptographic key having a first key label to a first computing device,storing the first cryptographic key to a second computing device,using the first cryptographic key to facilitate communication between the first and second computing devices,distributing by the key control system a second cryptographic key having a second key label to the first and second computing device,sending a message by the key control system to set the second cryptographic key as current with the second key label attached,replacing the first cryptographic key with the second cryptographic key in the first computing device,maintaining the first cryptographic key at the second computing device, thereby facilitating communication between the first and second computing devices using the first cryptographic key wherein the communication occurs without interruption, until it is determined that the replacement has been successfully completed,andusing the second cryptographic key to facilitate communication between the first and second computing devices upon determining that the first computing device has successfully replaced the first cryptographic key with the second cryptographic key.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method according to claim 14, wherein the first computing device is a server, mainframe or other computing machine.
  - 16. The method according to claim 14, wherein the second computing device is a server, mainframe or other computing machine.
  - 17. The method as claimed in claim 14, wherein the first and second cryptographic keys are asymmetric.
  - 18. The method as claimed in claim 14, wherein the first and second cryptographic keys are symmetric.
  - 19. The method as claimed in claim 14, wherein the first and second cryptographic keys comprise key labels.

20. A method for automatically rotating cryptographic keys in an automatic key management system, the method comprising:
- providing first and second computing devices, the first computing device including a key control system and the second computing device including a software application installed thereon and a data file, the software application operating independently from the key control system,loading a first cryptographic key having a first key label into the data file in the second computing device,using the first cryptographic key in the software application,after using the first cryptographic key in the software application, automatically distributing without manual intervention a second cryptographic key having a second key label to the second computing device via a secure interface,automatically loading, without manual intervention, the second cryptographic key into the data file for independent retrieval by the software application, andusing the second cryptographic key, as a replacement for the first cryptographic key, in the software application upon determining that the first cryptographic key has been successfully replaced with the second cryptographic key loaded into the data file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Original Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Inventors
Suarez, Luis A., Kauer, Neil, Gray, Tim, Badia, David, Ahuja, Vijay
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US11/473,665
Publication Number

US 20060291664A1
Time in Patent Office

2,314 Days
Field of Search

380/277, 380/286, 713/189, 713/15, 713/150
US Class Current

380/286
CPC Class Codes

G06F 21/33   using certificates

H04L 2463/102   applying security measure f...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/3263   involving certificates, e.g...

Automated key management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated key management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links