Methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management

US 8,625,802 B2
Filed: 06/15/2011
Issued: 01/07/2014
Est. Priority Date: 06/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method for secure key management, the method comprising the steps of:

(a) receiving an encryption request for protecting an original key at a first encryption location in a network computing-environment;

(b) initially encrypting said original key with a first location-specific secure-key, said first location-specific secure-key located at a second encryption location, to create a location-specific initially-encrypted key; and

(c) finally encrypting said location-specific initially-encrypted key with a second location-specific secure-key, said second location-specific secure-key located at a third encryption location, to create a finally-encrypted key which may then be used in any way in a cipher-location;

wherein said locations are regions of memory located in computing devices operationally connected to said network computing-environment; and

wherein each of said location-specific secure-keys is protected from compromise by any owner of other location-specific secure keys using an appropriate technique in respective said locations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management. Methods include the steps of: receiving an encryption request for protecting an original key at a first encryption location in a network computing-environment; initially encrypting the original key with a first location-specific secure-key, located at a second encryption location, to create a location-specific initially-encrypted key; and finally encrypting the location-specific initially-encrypted key with a second location-specific secure-key, located at a third encryption location, to create a finally-encrypted key which may then be used in any way in a cipher-location; wherein the locations are regions of memory located in computing devices operationally connected to the network computing-environment; and wherein each of the location-specific secure-keys is protected from compromise by any owner of other location-specific secure keys using an appropriate technique in the respective locations.

68 Citations

View as Search Results

26 Claims

1. A method for secure key management, the method comprising the steps of:
- (a) receiving an encryption request for protecting an original key at a first encryption location in a network computing-environment;
  
  (b) initially encrypting said original key with a first location-specific secure-key, said first location-specific secure-key located at a second encryption location, to create a location-specific initially-encrypted key; and
  
  (c) finally encrypting said location-specific initially-encrypted key with a second location-specific secure-key, said second location-specific secure-key located at a third encryption location, to create a finally-encrypted key which may then be used in any way in a cipher-location;
  
  wherein said locations are regions of memory located in computing devices operationally connected to said network computing-environment; and
  
  wherein each of said location-specific secure-keys is protected from compromise by any owner of other location-specific secure keys using an appropriate technique in respective said locations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein said step of initially encrypting is performed by transferring said original key to said second encryption location.
  - 3. The method of claim 1, wherein said step of finally encrypting is performed by transferring said location-specific initially-encrypted key to said third encryption location.
  - 4. The method of claim 1, wherein said step of initially encrypting is performed by transferring said first location-specific secure-key to said first encryption location.
  - 5. The method of claim 1, wherein said step of finally encrypting is performed by transferring said second location-specific secure-key to said first encryption location or said second encryption location.
  - 6. The method of claim 1, wherein at least two of said first encryption location, said second encryption location, and said third encryption location are the same location.
  - 7. The method of claim 1, wherein said step of encrypting is performed iteratively at subsequent encryption locations using subsequent location-specific secure-keys to create location-specific intermediately-encrypted keys, and wherein said finally-encrypted key is a final result of said location-specific intermediately-encrypted keys.
  - 8. The method of claim 1, wherein said appropriate technique is selected from the group consisting of:
    - forbidding transfer of any said secure-key from its respective said location, allowing transfer of any said secure-key only after homomorphic encryption, allowing transfer of any said secure-key only after applying an encryption process which allows said secure-key to be used securely without its original value becoming freely-accessible, and allowing transfer of any said secure-key for caching or storage only after encryption.
  - 9. The method of claim 1, the method further comprising the steps of:
    - (d) upon receiving a decryption request for decrypting said finally-encrypted key at said cipher location, initially decrypting said finally-encrypted key with said second location-specific secure-key to create a location-specific initially-decrypted key; and
      
      (e) finally decrypting said location-specific initially-decrypted key with said first location-specific secure-key to generate a finally-decrypted key which is said original key.
  - 10. The method of claim 1, wherein said step of initially decrypting is performed by transferring said finally-encrypted key to said second encryption location.
  - 11. The method of claim 1, wherein said step of finally decrypting is performed by transferring said location-specific initially-decrypted key to said first encryption location.
  - 12. The method of claim 1, wherein said step of initially decrypting is performed by transferring said second location-specific secure-key to said cipher location.
  - 13. The method of claim 1, wherein said step of finally decrypting is performed by transferring said first location-specific secure-key to said cipher location or said second location.
  - 14. The method of claim 9, wherein said step of decrypting is performed iteratively at subsequent decryption locations using subsequent location-specific secure-keys to create location-specific intermediately-decrypted keys, and wherein said finally-decrypted key is a final result of said location-specific intermediately-decrypted keys.
  - 15. The method of claim 1, the method further comprising the step of:
    - (d) upon receiving a decryption request for decrypting said finally-encrypted key at said cipher location, locating said location-specific secure-keys in entity locations other than said cipher location, wherein said entity locations are maintained by at least two respective legal entities for controlling said location-specific secure-keys, whereby said step of locating facilitates fulfilling said decryption request.

16. A device for secure key management, the device comprising:
- (a) a server including;
  
  (i) a CPU for performing computational operations;
  
  (ii) a memory module for storing data; and
  
  (iii) a network connection for communicating across a network; and
  
  (b) a protection module, residing on said server, configured for;
  
  (i) receiving an encryption request for protecting an original key at a first encryption location in a network computing-environment;
  
  (ii) initially encrypting, on any computing device operationally connected to said network computing-environment, said original key with a first location-specific secure-key, said first location-specific secure-key located at a second encryption location, to create a location-specific initially-encrypted key; and
  
  (iii) finally encrypting, on any computing device operationally connected to said network computing-environment, said location-specific initially-encrypted key with a second location-specific secure-key, said second location-specific secure-key located at a third encryption location, to create a finally-encrypted key which may then be used in any way in a cipher-location;
  
  wherein said locations are regions of memory located in computing devices operationally connected to said network computing-environment; and
  
  wherein each of said location-specific secure-keys is protected from compromise by any owner of other location-specific secure keys using an appropriate technique in respective said locations.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The device of claim 16, wherein said initially encrypting is performed by transferring said original key to said second encryption location.
  - 18. The device of claim 16, wherein said finally encrypting is performed by transferring said location-specific initially-encrypted key to said third encryption location.
  - 19. The device of claim 16, wherein said initially encrypting is performed by transferring said first location-specific secure-key to said first encryption location.
  - 20. The device of claim 16, wherein said finally encrypting is performed by transferring said second location-specific secure-key to said first encryption location or said second encryption location.
  - 21. The device of claim 16, wherein at least two of said first encryption location, said second encryption location, and said third encryption location are the same location.
  - 22. The device of claim 16, wherein said encrypting is performed iteratively at subsequent encryption locations using subsequent location-specific secure-keys to create location-specific intermediately-encrypted keys, and wherein said finally-encrypted key is a final result of said location-specific intermediately-encrypted keys.
  - 23. The device of claim 16, wherein said appropriate technique is selected from the group consisting of:
    - forbidding transfer of any said secure-key from its respective said location, allowing transfer of any said secure-key only after homomorphic encryption, allowing transfer of any said secure-key only after applying an encryption process which allows said secure-key to be used securely without its original value becoming freely-accessible, and allowing transfer of any said secure-key for caching or storage only after encryption.
  - 24. The device of claim 16, wherein said protection module is further configured for:
    - (iv) upon receiving a decryption request for decrypting said finally-encrypted key at said cipher location, initially decrypting said finally-encrypted key with said second location-specific secure-key to create a location-specific initially-decrypted key; and
      
      (v) finally decrypting said location-specific initially-decrypted key with said first location-specific secure-key to generate a finally-decrypted key which is said original key.
  - 25. The device of claim 16, wherein said protection module is further configured for:
    - (iv) upon receiving a decryption request for decrypting said finally-encrypted key at said cipher location, locating said location-specific secure-keys in entity locations other than said cipher location, wherein said entity locations are maintained by at least two respective legal entities for controlling said location-specific secure-keys, whereby said locating facilitates fulfilling said decryption request.

26. A computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
- (a) program code for receiving an encryption request for protecting an original key at a first encryption location in a network computing-environment;
  
  (b) program code for initially encrypting said original key with a first location-specific secure-key, said first location-specific secure-key located at a second encryption location, to create a location-specific initially-encrypted key; and
  
  (c) program code for finally encrypting said location-specific initially-encrypted key with a second location-specific secure-key, said second location-specific secure-key located at a third encryption location, to create a finally-encrypted key which may then be used in any way in a cipher-location; and
  
  wherein said locations are regions of memory located in computing devices operationally connected to said network computing-environment; and
  
  wherein each of said location-specific secure-keys is protected from compromise by any owner of other location-specific secure keys using an appropriate technique in respective said locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Porticor Ltd. (Intuit, Inc.)
Original Assignee
Porticor Ltd. (Intuit, Inc.)
Inventors
Parann-Nissany, Gilad
Primary Examiner(s)
NGUYEN, THU HA T

Application Number

US13/160,535
Publication Number

US 20110311055A1
Time in Patent Office

937 Days
Field of Search

380/227, 380/278, 380/279, 713/171, 726/36
US Class Current

380/278
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2149   Restricted operating enviro...

H04L 2463/062   applying encryption of the ...

H04L 63/0478   applying multiple layers of...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0872   using geo-location informat...

H04L 9/0894   Escrow, recovery or storing...

Methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others