Multikey support for multiple office system

US 8,379,865 B2
Filed: 10/29/2007
Issued: 02/19/2013
Est. Priority Date: 10/27/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a central security platform, including a database of multikey records, including a first multikey having one or more associated policies;

a plurality of satellite security platforms, coupled to the central security platform, at least one of the plurality of satellite security platforms including;

a secure item;

a respective instance of the first multikey, said instance being derived from said first multikey and inheriting at least one policy of said first multikey; and

an encryption engine, wherein, in operation, the encryption engine uses the respective instance of the first multikey to encrypt or decrypt the secure item;

wherein the central security platform further includes a multikey administrative engine, and wherein, in operation, changes made to the one or more associated policies by the multikey administrative engine automatically result in identical changes to policies associated with the respective instance of the first multikey at each of the plurality of satellite platforms.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel approach is proposed for centralized administration of a multikey for a plurality of clients at a set of remote office/branch offices (ROBOs). A multikey having a set of properties, permissions, and policies is first associated with a secure item present at one or more of the ROBOs. A set of respective instances of the multikey are then generated for the ROBOs having the secure item, and the set of properties, permissions, and policies are associated with each of the respective instances of the multikey automatically. The instances of the multikey are then provided to the set of ROBOs for the encryption or decryption of the secure item present at the ROBOs.

103 Citations

View as Search Results

25 Claims

1. A system comprising:
- a central security platform, including a database of multikey records, including a first multikey having one or more associated policies;
  
  a plurality of satellite security platforms, coupled to the central security platform, at least one of the plurality of satellite security platforms including;
  
  a secure item;
  
  a respective instance of the first multikey, said instance being derived from said first multikey and inheriting at least one policy of said first multikey; and
  
  an encryption engine, wherein, in operation, the encryption engine uses the respective instance of the first multikey to encrypt or decrypt the secure item;
  
  wherein the central security platform further includes a multikey administrative engine, and wherein, in operation, changes made to the one or more associated policies by the multikey administrative engine automatically result in identical changes to policies associated with the respective instance of the first multikey at each of the plurality of satellite platforms.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the central security platform further includes a multikey administrative engine, and wherein, in operation, the multikey administrative engine facilitates management of the first multikey as a single key.
  - 3. The system of claim 1, further comprising a network interface through which the respective instance of the first multikey is sent to each of the satellite security platforms.
  - 4. The system of claim 1, wherein a satellite security platform of the plurality of satellite security platforms includes a satellite security module, wherein the respective instance of the first multikey of the satellite security platform is a first instance of the first multikey, and wherein, in operation, the satellite security module:
    - receives a second instance of the first multikey, wherein said second instance is derived from said first multikey and inherits at least one policy of said first multikey;
      
      decrypts the secure item using the first instance of the first multikey;
      
      encrypts the secure item using the second instance of the first multikey.
  - 5. The system of claim 1, wherein the secure item is a first secure item, and wherein:
    - the database of multikey records further includes a second multikey;
      
      a subplurality of satellite security platforms further include;
      
      a second secure item;
      
      a respective instance of the second multikey, wherein said second instance is derived from said second multikey and inherits at least one policy of said second multikey;
      
      wherein, in operation, the encryption engine uses the respective instance of the second multikey to encrypt or decrypt the second secure item.

6. A system comprising:
- a first database, including a multikey record, coupled to the administrative interface;
  
  a replication engine coupled to the first database;
  
  a multikey instance array, coupled to the replication engine;
  
  an interface coupled to the second database;
  
  wherein, in operation, the replication engine;
  
  uses a multikey associated with the multikey record and having one or more policies associated with said multikey and information associated with a remote location to derive from the multikey an instance of the multikey, wherein the instance of the multikey is associated with the remote location;
  
  adds the instance of the multikey to the multikey instance array; and
  
  associates at least one of said one or more policies with said instance of the multikey;
  
  wherein, in operation, the interface transmits the instance of the multikey to the associated remote location;
  
  wherein the system further includes a multikey administrative engine, and wherein, in operation, changes made to the one or more associated policies automatically result in identical changes to policies associated with the respective instance of the multikey at each remote location.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The system of claim 6, further comprising an administrative interface, wherein, in operation, the administrative interface facilitates management of the multikey record by an administrative agent, and wherein any changes to the multikey record are automatically associated with elements of the multikey instance array.
  - 8. The system of claim 6, wherein the interface is a network interface, further comprising an administrative interface, wherein, in operation, the network interface:
    - receives notification of a potential compromised instance of the multikey at the remote location associated with the instance of the multikey;
      
      forwards the notification to the administrative interface to notify an administrative agent.
  - 9. The system of claim 6, wherein the multikey record is associated with a key-lifetime policy, and wherein the replication engine generates new instances of the multikey in accordance with the key-lifetime policy.
  - 10. The system of claim 6, wherein, in operation, the interface receives notification of a potential compromised instance at the remote location associated with the instance, and, in response to the notification, the replication engine generates a new instance of the multikey to replace the potentially compromised instance, and the interface transmits the new instance to the remote location.
  - 11. The system of claim 6 wherein the multikey record is a first multikey record, and the multikey instance array is a first multikey instance array, wherein:
    - the first database further includes a second multikey record;
      
      the second database further includes a second multikey instance array, wherein, in operation, the replication engine;
      
      uses a second multikey associated with the second multikey record and information associated with a remote location to generate an instance of the second multikey, wherein the instance of the second multikey is associated with the remote location;
      
      adds the instance of the second multikey to the second multikey instance array;
      
      wherein the first multikey instance array and the second multikey instance array have different lengths.

12. A method comprising:
- providing at a central security platform a multikey, having a multikey policy, associated with a secure item;
  
  generating, by deriving from said multikey, for a set of remote satellite security platforms of office/branch offices (ROBOs), a set of respective instances of the multikey;
  
  automatically associating the multikey policy to each of the respective instances of the multikey at the central security platform;
  
  providing, to each of the set of ROBOs, the respective instances of the multikey; and
  
  wherein changes made to the multikey policy at the central security platform automatically result in identical changes to a policy associated with the respective instance of the multikey at each of the set of remote satellite security platforms.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, further comprising managing the respective set of instances of the multikey as a single key.
  - 14. The method of claim 12, further comprising regenerating the set of respective instances of the multikey in accordance with a key time cycle.
  - 15. The method of claim 12, further comprising:
    - generating, by deriving from said multikey, an instance of the multikey for a ROBO of the set of ROBOs;
      
      automatically associating the multikey policy to the instance of the multikey;
      
      providing the instance of the multikey to the ROBO.
  - 16. The method of claim 12, further comprising:
    - generating, by deriving from said multikey, a new instance of the multikey for a new ROBO;
      
      automatically associating the multikey policy to the new instance of the multikey;
      
      providing the new instance of the multikey to the new ROBO.
  - 17. The method of claim 12, further comprising:
    - receiving a request to reinstantiate a first instance of the set of respective instances of the multikey;
      
      generating, by deriving from said multikey, a second instance to replace the first instance;
      
      automatically associating the multikey policy to the second instance;
      
      providing the second instance to one of the set of ROBOs.
  - 18. The method of claim 17, further comprising, at the one of the set of ROBOS:
    - using the first instance of the set of respective instances to decrypt a security item;
      
      using the second instance to encrypt the security item.

19. A system, comprising:
- a central security platform, comprising;
  
  a multikey database wherein, in operation, stores and manages a multikey with one set of properties, permissions, and policies as a single encryption key, wherein the multikey is associated with a specific secure item;
  
  a multikey administration engine wherein, in operation;
  
  creates and/or replicates an unique instance of the multikey automatically for each of a plurality of satellite security platforms having a data or program containing the specific secure item, each said unique instance being derived from said multikey using information associated with the respective said satellite security platform, wherein said one set of properties, permissions, and policies are associated with said plurality of unique instances of said multikey;
  
  provides the multikey instances unique to each of the plurality of satellite security platforms over a network;
  
  said plurality of satellite security platforms, comprising;
  
  an satellite security module wherein, in operation, encrypts or decrypts the specific secure item in the data or program using the multikey instance via an encryption engine;
  
  wherein, in operation, changes made to said one set of policies by the multikey administrative engine automatically result in identical changes to policies associated with the respective instance of the multikey at each of the plurality of satellite security platforms.

20. A method, comprising:
- providing at a central security platform a multikey, having a set of properties, permissions, and policies, associated with a secure item;
  
  generating, by deriving from said multikey, for a set of satellite security platforms at remote office/branch offices (ROBOs) having the secure item, a set of respective instances of the multikey;
  
  associating the multikey policy to each of the respective instances of the multikey automatically;
  
  providing, to each of the set of ROBOs, the respective instances of the multikey; and
  
  making changes to the multikey policy, wherein changes made to the multikey policy at the central security platform automatically result in identical changes to policies associated with the respective instances of the multikey at each of the set of ROBOs.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, further comprising:
    - encrypting or decrypting the secure item at a ROBO using the respective multikey instance unique to the ROBO;
      
      enabling access or modification of the set of properties, permissions, and policies of the multikey with respect to the multikey instance unique to the ROBO;
      
      associating changes to the set of properties, permissions, and policies of the multikey automatically with respect to the set of multikey instances.
  - 22. The method of claim 20, further comprising:
    - accepting a notification of a potentially compromised instance of the multikey at a ROBO;
      
      generating, by deriving from the multikey, a new instance of the multikey to replace the potentially compromised instance of the multikey at the ROBO;
      
      maintaining both the new instance of the multikey and the potentially compromised instance of the multikey for a period of time at the ROBO;
      
      generating a new multikey and generating, by deriving from the multikey, a new set of multikey instances for key rotation at the set of ROBOs.
  - 23. The method of claim 20, further comprising:
    - assigning an unique location identifier to each of the set of ROBO;
      
      associating the unique location identifier to the instance of the multikey at the ROBO;
      
      using the same unique location identifier for a new device or component added to the ROBO.

24. A system comprising:
- a central security platform that, in operation, defines, disseminates, and enforces one or more policies associated with a multikey for a database over a plurality of distributed satellite security platforms;
  
  said plurality of satellite security platforms, coupled to the central security platform, at least one of the plurality of satellite security platforms, including;
  
  a secure item;
  
  a respective instance derived from the multikey;
  
  an encryption engine, wherein, in operation, the encryption engine uses the respective instance of the multikey to encrypt or decrypt the secure item based on the one or more associated policies inherited by the respective instance from the multikey;
  
  wherein the central security platform further includes a multikey administrative engine, and wherein, in operation, changes made to the one or more associated policies by the multikey administrative engine automatically result in identical changes to policies associated with the respective instance of the multikey at each of the plurality of satellite security platforms.

25. A method comprising:
- defining, disseminating, and enforcing for a centralized security platform one or more policies associated with a multikey for a database;
  
  providing the multikey over a plurality of distributed satellite security platforms, wherein at least one of the plurality of satellite security platforms maintains a secure item;
  
  instantiating an instance derived from the multikey at the at least one of the plurality of distributed satellite security platforms;
  
  associating one or more of said policies with the derived instance;
  
  using the respective instance of the multikey to encrypt or decrypt the secure item based on the one or more associated policies; and
  
  making changes to the one or more associated policies at the central security platform, wherein said changes automatically result in identical changes to policies associated with the respective instance of the first multikey at each of the plurality of satellite platforms.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
SafeNet Incorporated (Thales SA)
Inventors
Frindell, Alan H., Hill, Dan, Gopalakrishnan, Venkitachalam, Laqtib, Abdesalam, Murray, Eric
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Hailu, Teshome

Application Number

US11/927,228
Publication Number

US 20080130880A1
Time in Patent Office

1,940 Days
Field of Search

380/279
US Class Current

380/279
CPC Class Codes

G06Q 10/10   Office automation; Time man...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/14   using a plurality of keys o...

Multikey support for multiple office system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multikey support for multiple office system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links