Automated validation and execution of cryptographic key and certificate deployment and distribution

US 8,422,686 B2
Filed: 06/19/2008
Issued: 04/16/2013
Est. Priority Date: 06/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method for implementing automated validation and execution of cryptographic key and certificate deployment and distribution utilizing a computer processor, the method comprising:

configuring the computer processor to provide one or more keys and automatically generate one or more keys on demand during deployment;

providing one or more key deployment points;

distributing the one or more keys to the one or more key deployment points in an automated manner based on a pattern-based mapping of each of the one or more keys to be distributed to each of the one or more key deployment points;

automatically adding and removing the key deployment points in response to the distribution of the one or more keys, wherein the key deployment changes are implemented by;

creating a desired deployment matrix based on the union of the desired deployment source and the current deployment source and on the union of the desired deployment destination and the current deployment destination; and

automatically updating the one or more keys in response to the distribution of the one or more keys, wherein updating the one or more keys is at least partly based on a previous distribution of each of said one or more keys.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for automated validation and execution of cryptographic key and certificate deployment and distribution includes providing one or more keys; providing one or more key deployment points; and distributing the one or more keys to the one or more key deployment points in an automated manner based on a matrix or pattern mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.

22 Citations

View as Search Results

25 Claims

1. A method for implementing automated validation and execution of cryptographic key and certificate deployment and distribution utilizing a computer processor, the method comprising:
- configuring the computer processor to provide one or more keys and automatically generate one or more keys on demand during deployment;
  
  providing one or more key deployment points;
  
  distributing the one or more keys to the one or more key deployment points in an automated manner based on a pattern-based mapping of each of the one or more keys to be distributed to each of the one or more key deployment points;
  
  automatically adding and removing the key deployment points in response to the distribution of the one or more keys, wherein the key deployment changes are implemented by;
  
  creating a desired deployment matrix based on the union of the desired deployment source and the current deployment source and on the union of the desired deployment destination and the current deployment destination; and
  
  automatically updating the one or more keys in response to the distribution of the one or more keys, wherein updating the one or more keys is at least partly based on a previous distribution of each of said one or more keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein a certificate is attached to certain ones of the one or more keys, and the key deployment is changed automatically by a requirement of an application.
  - 3. The method of claim 1, wherein mapping of each of the one or more keys to be distributed to each of the one or more key deployment points comprises creating a matrix that indicates to which of the one or more key deployment points each of the one or more keys are to be mapped to.
  - 4. The method of claim 1, wherein distributing the one or more keys to the one or more key deployment points in an automated manner is performed using one or more deployment patterns, wherein each deployment contains three parts:
    - deployment source, deployment destination and the deployment pattern that represents a deployment requirement of the distribution of the one or more keys to the one or more key deployment points.
  - 5. The method of claim 4, wherein at least one of the deployment patterns includes each pattern of the group comprising secret shared, secret unique, private and public shared, private and public key unique, private shared, public shared, and private unique public shared.
  - 6. The method of claim 4, wherein new deployment patterns can be added to existing ones of the deployment patterns or can be created with a composition of existing ones of the deployment patterns.
  - 7. The method of claim 1, further comprising validating the distributing of the one or more keys to the one or more key deployment points against one or more rules.
  - 8. The method of claim 1, further comprising validating the distributing of the one or more keys using the deployment matrix as a checking function to verify that what is found in a key deployment point is what is expected or supposed to be in the key deployment point.
  - 9. The method of claim 1, further comprising modifying the distributing of the one or more keys to the one or more key deployment points by modifying at least one of the one or more keys, by modifying at least one of the one or more key deployment points, and/or by modifying the mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.
  - 10. The method of claim 1, further comprising using an algorithm of a delta calculation of a deployment matrix to determine the changes a key lifecycle manager must make to bring the key deployment points to be set up with the appropriate keys and/or certificates after a change of policy or after a change by an administrator.

11. A computer program product, comprising:
- computer readable computer program code stored on a non-transient computer readable storage medium for implementing automated validation and execution of cryptographic key and certificate deployment and distribution; and
  
  instructions for causing a computer toprovide one or more keys;
  
  provide one or more key deployment points; and
  
  distribute the one or more keys to the one or more key deployment points in an automated manner based on a mapping of each of the one or more keys to be distributed to each of the one or more key deployment points;
  
  create a desired deployment matrix based on the union of the desired deployment source and the current deployment source and on the union of the desired deployment destination and the current deployment destination;
  
  subtract the current deployment matrix from the desired deployment matrix; and
  
  automatically update the one or more keys in response to the distribution of the one or more keys, at least partly based on a previous distribution of each of said one or more keys.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer program product of claim 11, wherein a certificate is attached to certain ones of the one or more keys, and the key deployment is changed automatically by a requirement of an application.
  - 13. The computer program product of claim 11, wherein mapping of each of the one or more keys to be distributed to each of the one or more key deployment points comprises creating a matrix that indicates to which of the one or more key deployment points each of the one or more keys are to be mapped to.
  - 14. The computer program product of claim 11, wherein distributing the one or more keys to the one or more key deployment points in an automated manner is performed using one or more deployment patterns, wherein each deployment pattern represents a deployment pattern of the distribution of the one or more keys to the one or more key deployment points.
  - 15. The computer program product of claim 14, wherein the deployment patterns are from the group comprising secret shared, secret unique, private and public key shared, private and public key unique, private shared, public shared, private unique public shared.
  - 16. The computer program product of claim 14, wherein new deployment patterns are created by composing existing ones of the deployment patterns.
  - 17. The computer program product of claim 11, further comprising validating the distributing of the one or more keys to the one or more key deployment points against one or more rules.
  - 18. The computer program product of claim 11, further comprising modifying the distributing of the one or more keys to the one or more key deployment points by modifying at least one of the one or more keys, by modifying at least one of the one or more key deployment points, and/or by modifying the mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.

19. A system for implementing automated validation and execution of cryptographic key and certificate deployment and distribution, comprising:
- a computing network including a processing device in communication with one or more computer memory storage devices, the computing network being configured to implement a method for automated validation and execution of cryptographic key and certificate deployment and distribution, the method including;
  
  providing one or more keys;
  
  providing one or more key deployment points; and
  
  distributing the one or more keys to the one or more key deployment points in an automated manner based on a mapping of each of the one or more keys to be distributed to each of the one or more key deployment points, wherein each of the one or more keys does not appear more than once in the same key deployment point;
  
  creating a desired deployment matrix based on the union of the desired deployment source and the current deployment source and on the union of the desired deployment destination and the current deployment destination; and
  
  automatically updating the one or more keys in response to the distribution of the one or more keys, wherein updating the one or more keys comprises removing the one or more keys from at least one of the one or more key deployment points based at least partly on a previous distribution of keys.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19, wherein a certificate is attached to certain ones of the one or more keys.
  - 21. The system of claim 19, wherein mapping of each of the one or more keys to be distributed to each of the other one or more key deployment points comprises creating a matrix that indicates to which of the one or more key deployment points each of the one or more keys are to be mapped to.
  - 22. The system of claim 19, wherein distributing the one or more keys to the one or more key deployment points in an automated manner is performed using one or more deployment patterns, wherein each deployment pattern represents a deployment pattern of the distribution of the one or more keys to the one or more key deployment points.
  - 23. The system of claim 22, wherein the patterns are from the group comprising secret shared, secret unique, private and public key shared, private and public key unique, private shared, public shared, private unique public shared.
  - 24. The system of claim 19, further comprising validating the distributing of the one or more keys to the one or more key deployment points against one or more rules.
  - 25. The system of claim 19, further comprising modifying the distributing of the one or more keys to the one or more key deployment points by modifying at least one of the one or more keys, by modifying at least one of the one or more key deployment points, and/or by modifying the mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Cachin, Christian, Haas, Robert, Hahn, Timothy J., Hu, Xiaoyu, Iliadis, Ilias, Pawlitzek, Rene, Peck, John T.
Primary Examiner(s)
Simitoski, Michael
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US12/142,009
Publication Number

US 20090316907A1
Time in Patent Office

1,762 Days
Field of Search

380/278
US Class Current

380/278
CPC Class Codes

H04L 9/083 involving central third par...

H04L 9/0891 Revocation or update of sec...

Automated validation and execution of cryptographic key and certificate deployment and distribution

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Automated validation and execution of cryptographic key and certificate deployment and distribution

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links