Automated key management system
Abstract
A system for automated cryptographic key management comprises a key control system, a key management agent system, and a key system application program interface. A method for automated cryptographic key management is also disclosed. The method comprises the automatic generation of cryptographic keys by the key control system and distribution of such keys by the key control system to the key management agent system.
114 Citations

20 Claims

1. A key management agent system in a computer network, the system comprising:
- a centralized key control system that automatically generates and distributes asymmetric cryptographic keys for use by software applications in the computer network, the key control system including a key management server computer;
- an administrative server interface, providing a user interface to the key management agent system, that is communicatively connected to the key control system;
- at least one key management agent disposed on a computing machine communicatively connected to the key control system and arranged to receive at least one of the asymmetric cryptographic keys directly from the key control system wherein the at least one asymmetric key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication; and
- at least one key store communicatively connected to the key management agent and automatically loaded with the at least one asymmetric cryptographic keys as directed by the key control system,

wherein the key management system provides for rotation and distribution of asymmetric cryptographic keys by having the administrative server interface instruct the key management server of the key control system to generate a new cryptographic key and to distribute the new cryptographic key to at least one of the key management agents with a message to only set the new cryptographic key as current once the new cryptographic key has been successfully received by all necessary key management agents.

Dependent claims: 2.
3. A key control system for cryptographic asymmetric application keys for use within an automated key management system comprising at least one key management agent, the key control system comprising:
- a collection of key data, the key data including a plurality of asymmetric cryptographic application keys for use in facilitating secure communication in the automated key management system,
- a cryptographic key database system for storing at least a portion of the key data including encrypted asymmetric application keys,
- a key management server computer communicatively connected within the automated key management system and arranged to automatically generate an asymmetric application key and store the asymmetric application key in the cryptographic key database system,

wherein the asymmetric application key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication, and a message to only set the asymmetric application key as current once the asymmetric application key has been successfully received by all necessary key management agents.

Dependent claims: 4.
5. A method of distributing asymmetric cryptographic keys automatically by a key control system in an automated key management system, the method comprising:
- at the key control system, receiving instructions from an administrative interface to distribute an asymmetric cryptographic key to a key management agent, wherein the asymmetric cryptographic key is identified by a key label, with the key label for use in rotation of asymmetric keys for encryption and in rotation of asymmetric keys for authentication;
- automatically distributing without manual intervention the asymmetric cryptographic key to the key management agent via a secure interface; and
- automatically loading, without manual intervention, the asymmetric cryptographic key into a key store for independent retrieval by an application programming interface of an unrelated software application, and
- instructing the key management agent by the key control system to only set the asymmetric cryptographic key as current once all necessary key management agents have successfully received the asymmetric cryptographic key.

Dependent claims: 6.
7. A method for securely transmitting a cryptographic application key from a first computing device to a second computing device using a certificate having an expiration date, the method comprising:
- assessing the expiration date of the certificate of the second computing device,
- based upon the assessment, generating, by the second computing device, an authentication key pair having a public key and a private key,
- wrapping the public key in a system certificate request message by the second computing device,
- transmitting the system certificate request message from the second computing device to the first computing device,
- sending the system certificate request from the first computing device to a certificate authority,
- at the first computing device, receiving, from the certificate authority, a signed certificate that comprises the public key signed by the certificate authority,
- forwarding the signed public key from the first computing device to the second computing device, and
- distributing a cryptographic application key from the first computing device to the second computing device using the signed public key to authenticate the distribution, and
- instructing to only set the cryptographic application key as current once the cryptographic application key has successfully been received by the second computing device.

Dependent claims: 8, 9, 10, 11, 12, 13.
14. A method for automatically rotating cryptographic keys in an automatic key management system having a key control system for generating and distributing asymmetric cryptographic keys to a first computing device communicatively connected to a second computing device, the method comprising:
- storing a first cryptographic key having a first key label to a first computing device,
- storing the first cryptographic key to a second computing device,
- using the first cryptographic key to facilitate communication between the first and second computing devices,
- distributing by the key control system a second cryptographic key having a second key label to the first and second computing device,
- sending a message by the key control system to set the second cryptographic key as current with the second key label attached,
- replacing the first cryptographic key with the second cryptographic key in the first computing device,
- maintaining the first cryptographic key at the second computing device, thereby facilitating communication between the first and second computing devices using the first cryptographic key wherein the communication occurs without interruption, until it is determined that the replacement has been successfully completed, and
- using the second cryptographic key to facilitate communication between the first and second computing devices upon determining that the first computing device has successfully replaced the first cryptographic key with the second cryptographic key.

Dependent claims: 15, 16, 17, 18, 19.
20. A method for automatically rotating cryptographic keys in an automatic key management system, the method comprising:
- providing first and second computing devices, the first computing device including a key control system and the second computing device including a software application installed thereon and a data file, the software application operating independently from the key control system,
- loading a first cryptographic key having a first key label into the data file in the second computing device,
- using the first cryptographic key in the software application,
- after using the first cryptographic key in the software application, automatically distributing without manual intervention a second cryptographic key having a second key label to the second computing device via a secure interface,
- automatically loading, without manual intervention, the second cryptographic key into the data file for independent retrieval by the software application, and
- using the second cryptographic key, as a replacement for the first cryptographic key, in the software application upon determining that the first cryptographic key has been successfully replaced with the second cryptographic key loaded into the data file.
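The rotation procedure that claims 1, 5, 14 and 20 describe has two properties worth seeing in running code: the new key is distributed first and only set as current by a separate message once every necessary agent has acknowledged receipt, and keys travel with a label so that a peer that still holds the old key keeps communicating without interruption while the switch is in progress. The following Python model is an added example, not code from the patent or its assignee; the class and function names (Agent, KeyControlSystem, rotate, demo) are assumed, and HMAC keys stand in for the asymmetric key pairs the claims describe because the standard library carries no asymmetric primitives.

```python
# Added example: two-phase, label-driven key rotation modelled on the claims.
# Not the patent's code. Names are assumed; HMAC keys stand in for the
# asymmetric keys of the claims (stdlib has no asymmetric crypto).
from __future__ import annotations
import hashlib
import hmac
import secrets


class Agent:
    """Key management agent with a key store indexed by key label."""

    def __init__(self, name: str, online: bool = True) -> None:
        self.name = name
        self.online = online            # constructed flag: can the agent receive?
        self.keys: dict[str, bytes] = {}  # label -> key material
        self.current: str | None = None   # label of the key in active use

    def receive(self, label: str, key: bytes) -> bool:
        """Phase 1: store the new key but do NOT make it current yet."""
        if not self.online:
            return False                  # no acknowledgement -> rotation blocked
        self.keys[label] = key
        return True

    def set_current(self, label: str) -> None:
        """Phase 2: switch only when the control system sends the message."""
        if label not in self.keys:
            raise KeyError(f"{self.name} never received key {label!r}")
        self.current = label

    def sign(self, msg: bytes) -> tuple[str, bytes]:
        """Authenticate with the current key; the label travels with the tag."""
        tag = hmac.new(self.keys[self.current], msg, hashlib.sha256).digest()
        return self.current, tag

    def verify(self, label: str, msg: bytes, tag: bytes) -> bool:
        """Look the key up by label, so old and new keys both verify mid-rotation."""
        key = self.keys.get(label)
        if key is None:
            return False
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class KeyControlSystem:
    """Centralised generator and distributor of keys for a set of agents."""

    def __init__(self, agents: list[Agent]) -> None:
        self.agents = agents
        self.db: dict[str, bytes] = {}    # stands in for the key database

    def generate(self, label: str) -> str:
        self.db[label] = secrets.token_bytes(32)
        return label

    def rotate(self, label: str) -> bool:
        """Distribute, then set current only once every agent acknowledged."""
        key = self.db[label]
        acks = [agent.receive(label, key) for agent in self.agents]
        if not all(acks):
            return False   # the old key stays current everywhere: no outage
        for agent in self.agents:
            agent.set_current(label)
        return True


def demo() -> dict:
    """Walk through a blocked rotation and then a successful one."""
    app_a, app_b = Agent("app-a"), Agent("app-b")   # constructed agents
    kcs = KeyControlSystem([app_a, app_b])
    kcs.rotate(kcs.generate("auth-v1"))           # initial key, both current
    label_v1, tag_v1 = app_a.sign(b"hello")
    ok_v1 = app_b.verify(label_v1, b"hello", tag_v1)

    app_b.online = False                          # app-b cannot receive v2
    blocked = kcs.rotate(kcs.generate("auth-v2"))
    still_v1 = app_a.current == "auth-v1"         # phase 2 was withheld

    app_b.online = True
    rotated = kcs.rotate("auth-v2")               # retry: all agents ack now
    label_v2, tag_v2 = app_a.sign(b"hello")
    ok_v2 = app_b.verify(label_v2, b"hello", tag_v2)
    old_still_verifies = app_b.verify(label_v1, b"hello", tag_v1)
    return {
        "ok_v1": ok_v1, "blocked": blocked, "still_v1": still_v1,
        "rotated": rotated, "label_after": label_v2, "ok_v2": ok_v2,
        "old_still_verifies": old_still_verifies, "current": app_b.current,
    }


if __name__ == "__main__":
    print(demo())
```

The blocked rotation is the case the claims guard against: one agent fails to receive the new key, so no agent is told to set it current and traffic continues under the old label. Keeping the old key in the store after the switch is what claim 14 calls maintaining the first key at the second device; a label lookup on verify makes messages signed under either label acceptable until the operator retires the old label.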