Key management system
Abstract
Embodiments are directed towards enabling cryptographic key management without disrupting cryptographic operations. Embodiments may be employed to generate cryptographic keys based on at least one key parameter that may be provided by an administrator. The administrator may generate key managers and key request users that may be linked to particular cryptographic keys. The cryptographic keys may be stored on key exchange servers separate from the key management server. Responsive to a request for a cryptographic key, the key exchange servers may authenticate the key request user associated with the request. The key request may be validated based on at least one key parameter and a portion of the key request. The key exchange server may generate the requested cryptographic keys, providing them to the key request user over the network.
42 Citations
26 Claims
1. A method for cryptographic key management using a network device that is operative to perform actions, comprising:
registering at least one administrator that is authorized to create a plurality of keys;
generating at least one key based on at least one key parameter provided by the at least one administrator;
generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
storing the at least one key on at least one key exchange server that is separate from the network device; and
responsive to a request for the at least one key from a key request user, perform further actions including:
authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
validating the key request based on the at least one key parameter of at least a portion of the key request; and
providing the requested key based on the key request to the key request user over the network; and
responsive to a request to rotate at least one current key, perform further actions, including:
rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system arranged for cryptographic key management over a network, comprising:
a server device, including:
a transceiver that is operative to communicate over the network;
a memory that is operative to store at least instructions; and
a processor device that is operative to execute instructions that enable actions, including:
registering at least one administrator that is authorized to create a plurality of keys;
generating at least one key based on at least one key parameter provided by the at least one administrator;
generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
storing the at least one key on at least one key exchange server that is separate from the network device; and
responsive to a request for the at least one key from a key request user, enabling further actions including:
authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
validating the key request based on the at least one key parameter of at least a portion of the key request;
providing the requested key based on the key request to the key request user over the network; and
responsive to a request to rotate at least one current key, perform further actions, including:
rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it; and
a client device, comprising:
a transceiver that is operative to communicate over the network;
a memory that is operative to store at least instructions; and
a processor device that is operative to execute instructions that enable actions, including:
providing the request for the at least one key; and
receiving a response from the server device that includes the requested key.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A network device that is operative for cryptographic key management, comprising:
a transceiver that is operative to communicate over a network;
a memory that is operative to store at least instructions; and
a processor device that is operative to execute instructions that enable actions, including:
registering at least one administrator that is authorized to create a plurality of keys;
generating at least one key based on at least one key parameter provided by the at least one administrator;
generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
storing the at least one key on at least one key exchange server that is separate from the network device; and
responsive to a request for the at least one key from a key request user, enabling further actions including:
authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
validating the key request based on the at least one key parameter of at least a portion of the key request; and
providing the requested key based on the key request to the key request user over the network; and
responsive to a request to rotate at least one current key, perform further actions, including:
rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.
Dependent claims: 16, 17, 18, 19, 20
21. A processor readable non-transitive storage media that includes instructions for cryptographic key management using a network device, wherein execution of the instructions by a processor device enables actions, comprising:
registering at least one administrator that is authorized to create a plurality of keys;
generating at least one key based on at least one key parameter provided by the at least one administrator;
generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
storing the at least one key on at least one key exchange server that is separate from the network device; and
responsive to a request for the at least one key from a key request user, enabling further actions including:
authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
validating the key request based on the at least one key parameter of at least a portion of the key request; and
providing the requested key based on the key request to the key request user over the network; and
responsive to a request to rotate at least one current key, perform further actions, including:
rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.
Dependent claims: 22, 23, 24, 25, 26
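The rotation chain the independent claims describe (each retired key encrypted under the key that replaced it, so the current key alone unwraps every earlier generation) is illustrated by the following added example; it is not code from the patent or its assignee. The `KeyRing` class and the hashlib-based `wrap`/`unwrap` helpers are assumptions: the helpers are a constructed stand-in for a real key-wrap algorithm such as AES-GCM or AES key wrap, and the class names are hypothetical.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # SHA-256 in counter mode: a constructed stand-in for a real cipher keystream
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def wrap(key, plaintext):
    # toy encrypt-then-MAC (stand-in for AES-GCM or AES key wrap): nonce || ct || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyRing:
    # one logical key plus its rotation history, kept as a chain of wrapped keys
    def __init__(self):
        self.generation = 0
        self.current = os.urandom(32)
        self.wrapped = {}  # generation g -> key g wrapped under key g+1

    def rotate(self):
        new_key = os.urandom(32)
        # the retired key is encrypted under the key that replaces it
        self.wrapped[self.generation] = wrap(new_key, self.current)
        self.generation += 1
        self.current = new_key
        return self.generation

    def key_for(self, generation):
        # walk the chain back from the current key; no retired key is stored in clear
        if not 0 <= generation <= self.generation:
            raise KeyError(f"no generation {generation}")
        key = self.current
        for g in range(self.generation - 1, generation - 1, -1):
            key = unwrap(key, self.wrapped[g])
        return key

    def encrypt(self, data):
        return self.generation, wrap(self.current, data)

    def decrypt(self, generation, blob):
        return unwrap(self.key_for(generation), blob)
```

Because the current key unwraps every earlier generation, data encrypted under any retired key stays readable after rotation without re-encrypting it, and protecting the current key protects the whole chain.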
Specification