Key management system

US 8,712,044 B2
Filed: 03/15/2013
Issued: 04/29/2014
Est. Priority Date: 06/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method for cryptographic key management using a network device that is operative to perform actions, comprising:

registering at least one administrator that is authorized to create a plurality of keys;

generating at least one key based on at least one key parameter provided by the at least one administrator;

generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;

activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;

storing the at least one key on at least one key exchange server that is separate from the network device; and

responsive to a request for the at least one key from a key request user, perform further actions including;

authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;

validating the key request based on the at least one key parameter of at least a portion of the key request; and

providing the requested key based on the key request to the key request user over the network; and

responsive to a request to rotate at least one current key, perform further actions, including;

rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and

linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards enabling cryptographic key management without disrupting cryptographic operations. Embodiments may be employed to generate cryptographic keys based on at least one key parameter that may be provided by an administrator. The administrator may generate key managers and key request users that may be linked to particular cryptographic keys. The cryptographic keys may be stored on key exchange servers separate from the key management server. Responsive to a request for a cryptographic key, the key exchange servers may authenticate the key request user associated with the request. The key request may be validated based on at least one key parameter and a portion of the key request. The key exchange server may generate the requested cryptographic keys providing them to the key request user over the network.

42 Citations

View as Search Results

26 Claims

1. A method for cryptographic key management using a network device that is operative to perform actions, comprising:
- registering at least one administrator that is authorized to create a plurality of keys;
  
  generating at least one key based on at least one key parameter provided by the at least one administrator;
  
  generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
  
  activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
  
  storing the at least one key on at least one key exchange server that is separate from the network device; and
  
  responsive to a request for the at least one key from a key request user, perform further actions including;
  
  authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
  
  validating the key request based on the at least one key parameter of at least a portion of the key request; and
  
  providing the requested key based on the key request to the key request user over the network; and
  
  responsive to a request to rotate at least one current key, perform further actions, including;
  
  rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
  
  linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising, responsive to a request from a user to store at least one provided key, storing the at least one provided key on at least one key exchange server.
  - 3. The method of claim 1, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key manager and the at least one key request user in a user account database, wherein the user account database is replicatable over the network for storing on the at least one key exchange server.
  - 4. The method of claim 1, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key in a key record database, wherein the key record database is replicatable over the network for storing on the at least one key exchange server.
  - 5. The method of claim 1, wherein storing the at least one key on the at least one key exchange server, further comprises, disabling the key exchange server from responding to a key request from the at least one administrator.
  - 6. The method of claim 1, wherein the request for the at least one key, further comprises, providing the request for the at least one key to the at least one key exchange server separate from the network device.
  - 7. The method of claim 1, further comprising, in response to a request for one of a portion of a random data or a one-time pad, employing the at least one key exchange server to generate the requested portion of random data or the requested one-time pad and provide it over the network to the at least one key request user.

8. A system arranged for cryptographic key management over a network, comprising:
- a server device, including;
  
  a transceiver that is operative to communicate over the network;
  
  a memory that is operative to store at least instructions; and
  
  a processor device that is operative to execute instructions that enable actions, including;
  
  registering at least one administrator that is authorized to create a plurality of keys;
  
  generating at least one key based on at least one key parameter provided by the at least one administrator;
  
  generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
  
  activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
  
  storing the at least one key on at least one key exchange server that is separate from the network device; and
  
  responsive to a request for the at least one key from a key request user, enabling further actions including;
  
  authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
  
  validating the key request based on the at least one key parameter of at least a portion of the key request;
  
  providing the requested key based on the key request to the key request user over the network; and
  
  responsive to a request to rotate at least one current key, perform further actions, including;
  
  rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
  
  linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it; and
  
  a client device, comprising,a transceiver that is operative to communicate over the network;
  
  a memory that is operative to store at least instructions; and
  
  a processor device that is operative to execute instructions that enable actions, including;
  
  providing the request for the at least one key; and
  
  receiving a response from the server device that includes the requested key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, further comprising, responsive to a request from a user to store at least one provided key, storing the at least one provided key on at least one key exchange server.
  - 10. The system of claim 8, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key manager and the at least one key request user in a user account database, wherein the user account database is replicatable over the network for storing on the at least one key exchange server.
  - 11. The system of claim 8, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key in a key record database, wherein the key record database is replicatable over the network for storing on the at least one key exchange server.
  - 12. The system of claim 8, wherein storing the at least one key on the at least one key exchange server, further comprises, disabling the key exchange server from responding to a key request from the at least one administrator.
  - 13. The system of claim 8, wherein the request for the at least one key, further comprises, providing the request for the at least one key to the at least one key exchange server separate from the network device.
  - 14. The system of claim 8, further comprising, in response to a request for one of a portion of a random data or a one-time pad, employing the at least one key exchange server to generate the requested portion of random data or the requested one-time pad and provide it over the network to the at least one key request user.

15. A network device that is operative for cryptographic key management, comprising:
- a transceiver that is operative to communicate over a network;
  
  a memory that is operative to store at least instructions; and
  
  a processor device that is operative to execute instructions that enable actions, including;
  
  registering at least one administrator that is authorized to create a plurality of keys;
  
  generating at least one key based on at least one key parameter provided by the at least one administrator;
  
  generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
  
  activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
  
  storing the at least one key on at least one key exchange server that is separate from the network device; and
  
  responsive to a request for the at least one key from a key request user, enabling further actions including;
  
  authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
  
  validating the key request based on the at least one key parameter of at least a portion of the key request; and
  
  providing the requested key based on the key request to the key request user over the network; and
  
  responsive to a request to rotate at least one current key, perform further actions, including;
  
  rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
  
  linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network device of claim 15, further comprising, responsive to a request from a user to store at least one provided key, storing the at least one provided key on at least one key exchange server.
  - 17. The network device of claim 15, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key manager and the at least one key request user in a user account database, wherein the user account database is replicatable over the network for storing on the at least one key exchange server.
  - 18. The network device of claim 15, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key in a key record database, wherein the key record database is replicatable over the network for storing on the at least one key exchange server.
  - 19. The network device of claim 15, wherein the request for the at least one key, further comprises, providing the request for the at least one key to the at least one key exchange server separate from the network device.
  - 20. The network device of claim 15, further comprising, in response to a request for a portion of random data, employing the at least one key exchange server to generate the portion of random data and provide it over the network to the at least one key request user.

21. A processor readable non-transitive storage media that includes instructions for cryptographic key management using a network device, wherein execution of the instructions by a processor device enables actions, comprising:
- registering at least one administrator that is authorized to create a plurality of keys;
  
  generating at least one key based on at least one key parameter provided by the at least one administrator;
  
  generating at least one key manager and at least one key request user, wherein the at least one administrator links the at least one key manager and the at least one key request user to the at least one key;
  
  activating the at least one key based on data provided by at least two key holders, wherein the provided data includes at least a password provided by each key holder and at least a portion of keying data provided by each key holder, wherein the at least portion of keying data is based on at least one of seeding data, or entropy data;
  
  storing the at least one key on at least one key exchange server that is separate from the network device; and
  
  responsive to a request for the at least one key from a key request user, enabling further actions including;
  
  authenticating the key request user that is associated with the request based on at least a portion of the request and at least a portion of a security profile associated with the requested key;
  
  validating the key request based on the at least one key parameter of at least a portion of the key request; and
  
  providing the requested key based on the key request to the key request user over the network; and
  
  responsive to a request to rotate at least one current key, perform further actions, including;
  
  rotating the at least one key to generate at least one new current key, wherein the at least one rotated key is encrypted and decrypted by the new current key; and
  
  linking the current key to a plurality of previously rotated keys, wherein each of the plurality of previously rotated keys is encrypted and decrypted by the rotated key that came before it.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The media of claim 21, further comprising, responsive to a request from a user to store at least one provided key, storing the at least one provided key on at least one key exchange server.
  - 23. The media of claim 21, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key manager and the at least one key request user in a user account database, wherein the user account database is replicatable over the network for storing on the at least one key exchange server.
  - 24. The media of claim 21, wherein storing the at least one key on the at least one key exchange server, further comprises, storing at least a portion of user information used to generate the at least one key in a key record database, wherein the key record database is replicatable over the network for storing on the at least one key exchange server.
  - 25. The media of claim 21, wherein storing the at least one key on the at least one key exchange server, further comprises, disabling the key exchange server from responding to a key request from the at least one administrator.
  - 26. The media of claim 21, wherein the request for the at least one key, further comprises, providing the request for the at least one key to the at least one key exchange server separate from the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KeyNexus, Inc. (StorMagic Limited)
Original Assignee
KeyNexus, Inc. (StorMagic Limited)
Inventors
MacMillan, Jeffrey Earl, Offrey, Jason Arthur
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US13/831,618
Publication Number

US 20140003608A1
Time in Patent Office

410 Days
Field of Search

370/44, 370/277, 370/278, 713/171, 380/44, 380/277, 380/278, 380/283, 380/45
US Class Current

380/44
CPC Class Codes

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/3239   involving non-keyed hash fu...

Key management system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Key management system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links