Locating cryptographic keys stored in a cache

US 8,494,168 B1
Filed: 04/28/2008
Issued: 07/23/2013
Est. Priority Date: 04/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing a plurality of cryptographic keys in a cache;

storing a plurality of cryptographic key identifiers in the cache;

associating a cryptographic key identifier of the plurality of cryptographic key identifiers with a cryptographic key of the plurality of cryptographic keys, the cryptographic key identifier being an actual memory address of the cryptographic key inside the cache, the actual memory address being randomly selected;

identifying a location of the cryptographic key using the cryptographic key identifier, the using of the cryptographic key identifier enabling the locating of the cryptographic key without performing of an additional operation;

performing a cryptographic operation with the cryptographic key;

storing a plurality of key packets in the cache, each key packet from the plurality of key packets being associated with the cryptographic key from the plurality of cryptographic keys;

comparing the cryptographic key identifier with a portion of a first key packet stored in the cache to determine if a match exists, the first key packet being associated with the cryptographic key;

retrieving the cryptographic key associated with the cryptographic key identifier from the cache when the match exists;

receiving a second key packet associated with the cryptographic key identifier, the second key packet including another encrypted cryptographic key and the cryptographic key identifier;

decrypting the encrypted cryptographic key to generate a further cryptographic key when the match does not exist; and

storing the further cryptographic key at a location in the cache defined by the cryptographic key identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments provide various techniques for locating cryptographic keys stored in a cache. The cryptographic keys are temporarily stored in the cache until retrieved for use in a cryptographic operation. The cryptographic key may be located or found through reference to its cryptographic key identifier. In an example, a particular cryptographic key may be needed for a cryptographic operation. The cache is first searched to locate this cryptographic key. To locate the cryptographic key, the cryptographic key identifier that is associated with this cryptographic key is provided. In turn, the cryptographic key identifier may be used as an address into the cache. The address identifies a location of the cryptographic key within the cache. The cryptographic key may then be retrieved from the cache at the identified address and then used in the cryptographic operation.

Citations

13 Claims

1. A method comprising:
- storing a plurality of cryptographic keys in a cache;
  
  storing a plurality of cryptographic key identifiers in the cache;
  
  associating a cryptographic key identifier of the plurality of cryptographic key identifiers with a cryptographic key of the plurality of cryptographic keys, the cryptographic key identifier being an actual memory address of the cryptographic key inside the cache, the actual memory address being randomly selected;
  
  identifying a location of the cryptographic key using the cryptographic key identifier, the using of the cryptographic key identifier enabling the locating of the cryptographic key without performing of an additional operation;
  
  performing a cryptographic operation with the cryptographic key;
  
  storing a plurality of key packets in the cache, each key packet from the plurality of key packets being associated with the cryptographic key from the plurality of cryptographic keys;
  
  comparing the cryptographic key identifier with a portion of a first key packet stored in the cache to determine if a match exists, the first key packet being associated with the cryptographic key;
  
  retrieving the cryptographic key associated with the cryptographic key identifier from the cache when the match exists;
  
  receiving a second key packet associated with the cryptographic key identifier, the second key packet including another encrypted cryptographic key and the cryptographic key identifier;
  
  decrypting the encrypted cryptographic key to generate a further cryptographic key when the match does not exist; and
  
  storing the further cryptographic key at a location in the cache defined by the cryptographic key identifier.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the further cryptographic key replaces the cryptographic key at the location in the cache.
  - 3. The method of claim 1, further comprising storing a plurality of key signatures in the cache, each key signature from the plurality of key signatures being associated with the cryptographic key from the plurality of cryptographic keys.
  - 4. The method of claim 1, wherein the cryptographic operation is a decryption operation.
  - 5. The method of claim 1, wherein the cryptographic operation is an encryption operation.

6. A method comprising:
- receiving a first key packet that includes a cryptographic key;
  
  locating a second key packet stored in the cache using the cryptographic key identifier, the cryptographic key identifier being an actual memory address of the cryptographic key inside the cache, the actual memory address being randomly selected;
  
  retrieving the second key packet located at the memory address from the cache;
  
  comparing the first key packet with the second key packet;
  
  retrieving the cryptographic key using the cryptographic key identifier when the first key packet matches the second key packet, the cryptographic key being associated with the second key packet, the using of the cryptographic key identifier enabling the locating of the cryptographic key without performing of an additional operation;
  
  performing a cryptographic operation using the cryptographic key;
  
  wherein the first key packet further includes an encrypted cryptographic key;
  
  decrypting the encrypted cryptographic key to generate a further cryptographic key when the first key packet is distinct from the second key packet; and
  
  storing the first key packet and the further cryptographic key in the cache at the memory address defined by the cryptographic key identifier.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the first key packet further includes a key signature, the method further comprising storing the key signature at the memory address defined by the cryptographic key identifier.
  - 8. The method of claim 6, wherein the first key packet further comprises one or more of an encrypted cryptographic key, an encrypted signing key or a key signature.
  - 9. The method of claim 6, wherein a portion of the first key packet is compared with a portion of the second key packet.

10. A computing device comprising:
- at least one processor; and
  
  a non-transitory machine-readable medium in communication with the at least one processor, the machine-readable medium being configured to store a storage encryption processing module and a cache, the cache being configured to store a plurality of cryptographic keys and being further configured to store a plurality of cryptographic key identifiers, associating a cryptographic key identifier of the plurality of cryptographic key identifiers with a cryptographic key of the plurality of cryptographic keys, the cryptographic key identifier being an actual memory address of the cryptographic key inside the cache, the actual memory address being randomly selected, the storage encryption processing module being executed by the at least one processor to cause following operations to be performed, comprising;
  
  identifying a location of a cryptographic key using the cryptographic key identifier, the using of the cryptographic key identifier enabling the locating of the cryptographic key without performing of an additional operation; and
  
  performing a cryptographic operation with the cryptographic key;
  
  wherein the cache is further configured to store a plurality of key packets, each key packet from the plurality of key packets being associated with the cryptographic key from the plurality of cryptographic keys, the operations further comprising;
  
  comparing the cryptographic key identifier with a portion of a first key packet stored in the cache to determine if a match exists, the first key packet being associated with the cryptographic key; and
  
  retrieving the cryptographic key associated with the cryptographic key identifier from the cache when the match exists;
  
  receiving a second key packet associated with the cryptographic key identifier, the second key packet including another encrypted cryptographic key and the cryptographic key identifier;
  
  decrypting the encrypted cryptographic key to generate a further cryptographic key when the match does not exist; and
  
  replacing the cryptographic key stored in the cache with the further cryptographic key.
- View Dependent Claims (11, 12, 13)
- - 11. The computing device of claim 10, wherein the computing device is a network switch that enables connectivity to a client computing device.
  - 12. The computing device of claim 11, wherein the network switch is a Fibre Channel switch that enables connectivity to a Fibre Channel storage device.
  - 13. The computing device of claim 10, wherein the computing device is an Internet Computer System Interface (iSCSI) gateway that is in communication with an iSCSI client, and wherein the iSCSI gateway enables connectivity between the iSCSI client and a Fibre Channel storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Tolfmans, Joakim
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US12/110,631
Time in Patent Office

1,912 Days
Field of Search

380 44- 47, 380277-286, 713150-194
US Class Current

380/277
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/79   in semiconductor storage me...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0819   Key transport or distributi...

H04L 9/0822   using key encryption key

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Locating cryptographic keys stored in a cache

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Locating cryptographic keys stored in a cache

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links