Key management system and method

US 8,340,299 B2
Filed: 07/28/2010
Issued: 12/25/2012
Est. Priority Date: 07/08/2002
Status: Active Grant

First Claim

Patent Images

1. A method of cryptographically processing data in a cryptographic system using an asymmetric key exchange, comprising:

receiving, at a cryptographic accelerator device, a first key encryption key;

storing an encrypted private key for a host processor in a data memory, wherein the private key is encrypted with the first key encrypted key;

receiving, in the cryptographic accelerator device, encrypted session information from an external device, wherein the session information is encrypted using a public key for the host processor;

decrypting, in the cryptographic accelerator device, the stored encrypted private key for the host processor using the first key encryption key;

decrypting, in the cryptographic accelerator device, the encrypted session information using the private key for the host processor;

generating, in the cryptographic accelerator device, a set of cryptographic keys for a session between the external device and the host processor using the session information;

encrypting, in the cryptographic accelerator device, the set of cryptographic keys using the private key for the host processor; and

transmitting, by the cryptographic system, the encrypted set of cryptographic keys for the session to the external device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.

66 Citations

View as Search Results

18 Claims

1. A method of cryptographically processing data in a cryptographic system using an asymmetric key exchange, comprising:
- receiving, at a cryptographic accelerator device, a first key encryption key;
  
  storing an encrypted private key for a host processor in a data memory, wherein the private key is encrypted with the first key encrypted key;
  
  receiving, in the cryptographic accelerator device, encrypted session information from an external device, wherein the session information is encrypted using a public key for the host processor;
  
  decrypting, in the cryptographic accelerator device, the stored encrypted private key for the host processor using the first key encryption key;
  
  decrypting, in the cryptographic accelerator device, the encrypted session information using the private key for the host processor;
  
  generating, in the cryptographic accelerator device, a set of cryptographic keys for a session between the external device and the host processor using the session information;
  
  encrypting, in the cryptographic accelerator device, the set of cryptographic keys using the private key for the host processor; and
  
  transmitting, by the cryptographic system, the encrypted set of cryptographic keys for the session to the external device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - authenticating, by a security module in the cryptographic system, the cryptographic accelerator device.
  - 3. The method of claim 2, wherein the first encryption key is encrypted using a public key of the cryptographic accelerator.
  - 4. The method of claim 1, further comprising:
    - encrypting, in the cryptographic accelerator, the set of cryptographic keys for the session using a second key encryption key to generate a second set of encrypted cryptographic keys for the session;
      
      associating the second set of encrypted cryptographic keys for the session with an identifier; and
      
      storing the second set of encrypted cryptographic keys and the identifier in the data memory.
  - 5. The method of claim 4, further comprising:
    - during the session, receiving, in the cryptographic accelerator device, a message having a plurality of packets;
      
      retrieving the second set of encrypted cryptographic keys for the session;
      
      decrypting the second set of encrypted cryptographic keys using the second key encryption key; and
      
      cryptographically processing the plurality of packets using the second set of cryptographic keys.
  - 6. The method of claim 4, wherein the plurality of packets are encrypted and wherein cryptographically processing the plurality of packets includes decrypting the plurality of packets using the second set of cryptographic keys.
  - 7. The method of claim 4, wherein cryptographically processing the plurality of packets includes encrypting the plurality of packets using the second set of cryptographic keys.
  - 8. The method of claim 1, further comprising:
    - generating the first encryption key in a security module.
  - 9. The method of claim 4, further comprising:
    - during the session, receiving a message having a plurality of packets and the second set of encrypted session keys;
      
      decrypting the second set of encrypted cryptographic keys using the second key encryption key; and
      
      cryptographically processing the plurality of packets using the second set of cryptographic keys.
  - 10. The method of claim 1, wherein the data memory is external to the cryptographic system.
  - 11. The method of claim 1, further comprising:
    - updating the first key encryption key using an asymmetric key exchange.

12. A cryptographic system for cryptographically processing data, comprising:
- a security module configured to encrypt a private key for a host processor;
  
  a storage device configured to store the encrypted private key for the host processor; and
  
  a cryptographic accelerator, coupled to the security module and the storage device, the cryptographic accelerator configured to receive encrypted session information from an external device, to decrypt the encrypted session information, to generate a set of cryptographic keys for a session between the host processor and the external device, and to encrypt the set of cryptographic keys using a private key for the host processor, wherein the encrypted set of cryptographic keys are transmitted to the external device.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The cryptographic system of claim 12, wherein the cryptographic accelerator is further configured to generate a second set of encrypted cryptographic keys for the session using a second key encryption key.
  - 14. The cryptographic system of claim 13, further comprising:
    - a second cryptographic accelerator configured to receive a message having a plurality of packets during the session, to decrypt the second set of encrypted cryptographic keys using the second key encryption key, and to cryptographically process the plurality of packets using the second set of cryptographic keys.
  - 15. The cryptographic system of claim 13, wherein the cryptographic accelerator is further configured to receive a message having a plurality of packets during the session, to decrypt the second set of encrypted cryptographic keys using the second key encryption key, and to cryptographically process the plurality of packets using the second set of cryptographic keys.
  - 16. The cryptographic system of claim 13, wherein the storage device is further configured to store the second set of encrypted cryptographic keys for the session.
  - 17. The cryptographic system of claim 12, wherein the host processor is a server.
  - 18. The cryptographic system of claim 16, wherein the external device is a client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark L., Tardo, Joseph J.
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US12/845,638
Publication Number

US 20100290624A1
Time in Patent Office

881 Days
Field of Search

380/277, 380/278, 380/281, 713/171
US Class Current

380/277
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/72   in cryptographic circuits

H04L 2463/062   applying encryption of the ...

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

Key management system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Key management system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links