Distributed encryption key management
Abstract
Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, and the secure information currently associated with that identifier can be determined without any change to the code, manual input, or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation is inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes, transparent to a user, application, or service.
27 Citations
33 Claims
1. A computer-implemented method of managing secure objects for a plurality of host computers, comprising:
assigning each host computer to at least one host class, each host class associated with a secure function requiring a secure object to be performed;
receiving a first request from each host computer;
in response to receiving each first request, determining a secure identifier associated with each host class assigned to the host computer from which the first request was received, each secure identifier associated with one or more secure objects for performing the respective secure function, and sending each determined secure identifier and each associated secure object to the host computer in response to the request; and
in response to an update in the one or more secure objects associated with a specified secure identifier, sending information regarding the update to each host computer in a respective host class, wherein each host computer is able to perform a respective secure function based on the secure identifier associated with the secure function, independent of the update to the one or more secure objects associated with the secure identifier.
Dependent claims: 2, 3, 26, 27

4. A computer-implemented method of managing secure objects for a plurality of host computers, comprising:
assigning each host computer to at least one host class, each host class being associated with at least one secure function;
storing a secure identifier for each host class, each secure identifier being associated with at least one secure object for use in performing one of the secure functions; and
in response to an update in the at least one secure object associated with a selected one of the secure identifiers, sending information regarding the update to each host computer in the respective host class, wherein each secure function is able to be performed by one of the host computers in an associated host class by specifying the respective secure identifier, independent of a change in the at least one secure object associated with the secure identifier.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 28

14. A computer-implemented method of managing secure objects for a plurality of host computers, comprising:
receiving a request to a computer system from a host computer that is assigned to at least one host class, each host class being associated with at least one secure function;
determining at least one secure identifier associated with each identified host class assigned to the host computer from which the request was received, each secure identifier associated with at least one secure object to be used to perform a secure function by a member of the identified host class; and
sending the at least one secure identifier and each associated secure object to the host computer in response to the request, wherein the host computer is able to receive each secure object to perform each respective secure function based on each host class to which the host computer belongs.
Dependent claims: 15, 16, 17, 18, 29

19. A system for managing secure objects for a plurality of host computers, comprising:
a processor; and
a memory device including instructions that, when executed by the processor, cause the processor to:
assign each host computer to at least one host class, each host class being associated with at least one secure function;
store at least one secure identifier for each host class, each secure identifier being associated with at least one secure object configured to be used to perform one of the secure functions;
receive a request from one of the host computers;
determine at least one secure identifier associated with each identified host class assigned to the host computer from which the request was received, each secure identifier associated with at least one secure object to be used to perform a secure function by a member of the identified host class; and
send the at least one secure identifier and each associated secure object to the host computer in response to the request, wherein the host computer is able to receive each secure object needed to perform each respective secure function based on the host classes to which the host computer belongs.
Dependent claims: 20, 21, 22, 23, 30, 31

24. A computer program product embedded in a non-transitory computer-readable medium including processor-executable instructions for managing secure objects for a plurality of host computers, comprising:
program code for assigning each host computer to at least one host class, each host class being associated with at least one secure function;
program code for storing at least one secure identifier for each host class, each secure identifier being associated with at least one secure object configured to be used to perform one of the secure functions;
program code for receiving a request from one of the host computers;
program code for determining at least one secure identifier associated with each identified host class assigned to the host computer from which the request was received, each secure identifier associated with at least one secure object to be used to perform a secure function by a member of the identified host class; and
program code for sending the at least one secure identifier and each associated secure object to the host computer in response to the request, wherein the host computer is able to receive each secure object needed to perform each respective secure function based on the host classes to which the host computer belongs.
Dependent claims: 25, 32, 33
Specification