Key creation and rotation for data encryption

US 8,879,728 B2
Filed: 04/08/2013
Issued: 11/04/2014
Est. Priority Date: 12/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method for cryptographic processing of data using a network device that is operative to perform actions, comprising:

responsive to receiving a request to rotate at least one current key, performing further actions, including;

generating at least one transitional key by encrypting the at least one current key using at least one system key;

generating at least one new key based on at least one determined key parameter;

activating the at least one new key based on provided data provided by from at least two key holders, wherein the provided data includes at least a password provided by each of the at least two key holders and at least portion of keying data provided by the at least each two key holders, wherein the at least portion of keying data is encrypted and is based on at least one of seeding data or entropy data, and wherein the at least portion of keying data is decrypted with the password provided by the at least two key holders;

generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and

encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array;

receiving at least one encrypted client data from at least one client device;

decrypting the at least one encrypted client data to form decrypted client data, wherein the decrypted client data includes at least one identifier, wherein the at least one identifier identifies at least one key within the key array;

retrieving at least one other key from the at least one key array based on at least one key array index;

determining if the at least one identifier identifies the at least one other key;

sending at least a portion of the decrypted client data to the at least one client device upon determining that the at least one identifier identifies the at least one other key;

advancing the at least one key array index to the next available key in the at least one key array upon determining that the at least one identifier is unable to identify the at least one other key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards enabling cryptographic key rotation without disrupting cryptographic operations. If key rotation is initiated, a transitional key may be generated by encrypting the current key with a built-in system key. A new key may be generated based one at least one determined key parameter. Next, the new key may be activated by the one or more key holders. If the new key is activated, it may be designated as the new current key. The new current key may be employed to encrypt the transitional key and store it in a key array. Each additional rotated key may be stored in the key array after it is encrypted by the current cryptographic key. Further, in response to a submission of an unencrypted query value, one or more encrypted values that correspond to a determined number of rotated cryptographic keys are generated.

21 Citations

View as Search Results

26 Claims

1. A method for cryptographic processing of data using a network device that is operative to perform actions, comprising:
- responsive to receiving a request to rotate at least one current key, performing further actions, including;
  
  generating at least one transitional key by encrypting the at least one current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating the at least one new key based on provided data provided by from at least two key holders, wherein the provided data includes at least a password provided by each of the at least two key holders and at least portion of keying data provided by the at least each two key holders, wherein the at least portion of keying data is encrypted and is based on at least one of seeding data or entropy data, and wherein the at least portion of keying data is decrypted with the password provided by the at least two key holders;
  
  generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
  
  encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array;
  
  receiving at least one encrypted client data from at least one client device;
  
  decrypting the at least one encrypted client data to form decrypted client data, wherein the decrypted client data includes at least one identifier, wherein the at least one identifier identifies at least one key within the key array;
  
  retrieving at least one other key from the at least one key array based on at least one key array index;
  
  determining if the at least one identifier identifies the at least one other key;
  
  sending at least a portion of the decrypted client data to the at least one client device upon determining that the at least one identifier identifies the at least one other key;
  
  advancing the at least one key array index to the next available key in the at least one key array upon determining that the at least one identifier is unable to identify the at least one other key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein activating the at least one new key further comprises:
    - receiving the at least portion of keying data from the at least one two key holders, wherein the at least one two key holders activates the at least portion of keying data using at least one password that corresponds to the at least portion of keying data.
  - 3. The method of claim 1, wherein storing the at least one transitional key in the at least one key array further comprises, linking a previous current key with the at least one new current key.
  - 4. The method of claim 1, further comprising:
    - receiving the at least one password from the at least one two key holders;
      
      retrieving each un-activated at least one new key that is associated with the at least one two key holders; and
      
      validating the at least portion of keying data associated with each un-activated at least one new key using the at least one password.
  - 5. The method claim 1, further comprising:
    - receiving at least one request from the at least one client device that includes at least one query value and at least one key name;
      
      retrieving the at least one key within the key array, wherein the at least one retrieved key is associated with the at least one key name;
      
      encrypting the at least one query value to generate at least one encrypted query value, wherein the at least one encrypted query value is generated for each retrieved at least one key; and
      
      returning the at least one encrypted query value to the at least one client device.
  - 6. The method of claim 1, further comprising, storing the at least one current key and the at least one rotated key in a cache that is in the volatile memory.
  - 7. The method of claim 1, further comprising:
    - generating a key name that is associated with the at least one current key, the determined key parameter, and the data provided by the at least one two key holders.

8. A network device for cryptographic processing of data over a network, comprising:
- a transceiver component for communicating over a network;
  
  a memory component for storing instructions and data; and
  
  a processor component microprocessor that executes instructions that enable actions, including;
  
  responsive to receiving a request to rotate at least one current key, performing further actions, including;
  
  generating at least one transitional key by encrypting the at least one current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating the at least one new key based on provided data provided by from at least two key holders, wherein the provided data includes at least a password provided by each of the at least two key holders and a portion of keying data provided by the at least each two key holders, wherein the portion of keying data is encrypted and is based on at least one of seeding data or entropy data, and wherein the at least portion of keying data is decrypted with the password provided by the at least two key holders;
  
  generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
  
  encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array;
  
  receiving at least one encrypted client data from at least one client device;
  
  decrypting the at least one encrypted client data to form decrypted client data, wherein the decrypted client data includes at least one identifier, wherein the at least one identifier identifies at least one key within the key array;
  
  retrieving at least one other key from the at least one key array based on at least one key array index;
  
  determining if the at least one identifier identifies the at least one other key;
  
  sending at least a portion of the decrypted client data to the at least one client device upon determining that the at least one identifier identifies the at least one other key;
  
  advancing the at least one key array index to the next available key in the at least one key array upon determining that the at least one identifier is unable to identify the at least one other key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The network device of claim 8, wherein activating the at least one new key further comprises, receiving the at least portion of keying data from the at least one two key holders, wherein the at least one two key holders activates the at least portion of keying data using at least one password that corresponds to the at least portion of keying data.
  - 10. The network device of claim 8, wherein storing the at least one transitional key in the at least one key array further comprises, linking a previous current key with the at least one new current key.
  - 11. The network device of claim 8, wherein the instructions further comprise:
    - receiving the at least one password from the at least one two key holders;
      
      retrieving each un-activated at least one new key that is associated with the at least one two key holders; and
      
      validating the at least portion of keying data associated with each un-activated at least one new key using the at least one password.
  - 12. The network device of claim 8, wherein the instructions further comprise:
    - receiving at least one request from the at least one client device that includes at least one query value and at least one key name;
      
      retrieving the at least one key within the key array, wherein the at least one retrieved key is associated with the at least one key name;
      
      encrypting the at least one query value to generate at least one encrypted query value, wherein the at least one encrypted query value is generated for each retrieved at least one key; and
      
      returning the at least one encrypted query value to the at least one client device.
  - 13. The network device of claim 8, wherein the instructions further comprise:
    - storing the at least one current key and the at least one rotated key in a cache that is in the volatile memory.
  - 14. The network device of claim 8, wherein the instructions further comprise:
    - generating a key name that is associated with the at least one current key, the determined key parameter, and the data provided by the at least one key holder.

15. A processor non-transitory computer readable non-transitive storage media that includes instructions for cryptographic processing of data using a network device that includes a plurality of components and is operative to execute the instructions to perform actions, comprising:
- responsive to receiving a request to rotate at least one current key, performing further actions, including;
  
  generating at least one transitional key by encrypting at least one current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating the at least one new key based on provided data provided by from at least two key holders, wherein the provided data includes at least a password provided by each of the at least two key holders and a portion of keying data provided by the at least each two key holders, wherein the portion of keying data is encrypted and is based on at least one of seeding data or entropy data, and wherein the at least portion of keying data is decrypted with the password provided by the at least two key holders;
  
  generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
  
  encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array;
  
  receiving at least one encrypted client data from at least one client device;
  
  decrypting the at least one encrypted client data to form decrypted client data, wherein the decrypted client data includes at least one identifier, wherein the at least one identifier identifies at least one key within the key array;
  
  retrieving at least one other key from the at least one key array based on at least one key array index;
  
  determining if the at least one identifier identifies the at least one other key;
  
  sending at least a portion of the decrypted client data to the at least one client device upon determining that the at least one identifier identifies the at least one other key;
  
  advancing the at least one key array index to the next available key in the at least one key array upon determining that the at least one identifier is unable to identify the at least one other key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The media of claim 15, wherein activating the at least one new key further comprises, receiving the at least portion of keying data from the at least one two key holders, wherein the at least one two key holders activates the at least portion of keying data using at least one password that corresponds to the at least portion of keying data.
  - 17. The media of claim 15, wherein storing the at least one transitional key in the at least one key array further comprises, linking a previous current key with the at least one new current key.
  - 18. The media of claim 15, wherein the instructions further comprise:
    - receiving the at least one password from the at least one two key holders;
      
      retrieving each un-activated at least one new key that is associated with the at least one two key holders; and
      
      validating the at least portion of keying data associated with each un-activated at least one new key using the at least one password.
  - 19. The media of claim 15, wherein the instructions further comprise:
    - receiving at least one request from the at least one client device that includes at least one query value and at least one key name;
      
      retrieving the at least one key within the key array, wherein the at least one retrieved key is associated with the at least one key name;
      
      encrypting the at least one query value to generate at least one encrypted query value, wherein the at least one encrypted query value is generated for each retrieved at least one key; and
      
      returning the at least one encrypted query value to the at least one client device.
  - 20. The media of claim 15, wherein the instructions further comprise:
    - storing the at least one current key and the at least one rotated key in a cache that is in the volatile memory.

21. A system arranged for cryptographic processing of data, comprising:
- a server device, including;
  
  a transceiver device that is operative to communicate over the network;
  
  a memory device that is operative to store at least instructions; and
  
  a processor device first microprocessor that is operative to execute that executes a first set of instructions that enable actions, including;
  
  responsive to receiving a request to rotate at least one current key, enabling further actions, including;
  
  generating at least one transitional key by encrypting at least one current key using at least one system key;
  
  generating at least one new key based on at least one determined key parameter;
  
  activating the at least one new key based on provided data provided by from at least two key holders, wherein the provided data includes at least a password provided by each of the at least two key holders and a portion of keying data provided by the at least each two key holders, wherein the portion of keying data is encrypted and is based on at least one of seeding data or entropy data, and wherein the at least portion of keying data is decrypted with the password provided by the at least two key holders;
  
  generating at least one new current key based on the at least one activated key, wherein the at least one new current key is stored at least in volatile memory; and
  
  encrypting the at least one transitional key using the at least one new current key and storing it in at least one key array;
  
  receiving at least one encrypted client data from at least one client device;
  
  decrypting the at least one encrypted client data to form decrypted client data, wherein the decrypted client data includes at least one identifier, wherein the at least one identifier identifies at least one key within the key array;
  
  retrieving at least one other key from the at least one key array based on at least one key array index;
  
  determining if the at least one identifier identifies the at least one other key;
  
  sending at least a portion of the decrypted client data to the at least one client device upon determining that the at least one identifier identifies the at least one other key;
  
  advancing the at least one key array index to the next available key in the at least one key array upon determining that the at least one identifier is unable to identify the at least one other key; and
  
  wherein the client device, comprises;
  
  a transceiver device that is operative to communicate over the network;
  
  a memory device that is operative to store at least instructions; and
  
  a second processor device microprocessor that is operative to executes a second set of instructions that enable actions, including;
  
  at least one of providing the at least portion of the keying data provided by the at least one two key holders, or providing the request to rotate the at least one current key.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system of claim 21, wherein activating the at least one new key further comprises:
    - receiving the at least portion of keying data from the at least one two key holders, wherein the at least one two key holders activates the at least portion of keying data using at least one password that corresponds to the at least portion of keying data.
  - 23. The system of claim 21, wherein storing the at least one transitional key in the at least one key array further comprises:
    - linking a previous current key with the at least one new current key.
  - 24. The system of claim 21, wherein the first set of instructions further comprises:
    - receiving the at least one password from the at least one two key holders;
      
      retrieving each un-activated at least one new key that is associated with the at least one two key holders; and
      
      validating the at least portion of keying data associated with each un-activated at least one new key using the at least one password.
  - 25. The system of claim 21, wherein the first set of instructions further comprises:
    - receiving at least one request from the at least one client device that includes at least one query value and at least one key name;
      
      retrieving the at least one key within the key array, wherein the at least one retrieved key is associated with the at least one key name;
      
      encrypting the at least one query value to generate at least one encrypted query value, wherein the at least one encrypted query value is generated for each retrieved at least one key; and
      
      returning the at least one encrypted query value to the at least one client device.
  - 26. The system of claim 21, wherein the first set of instructions further comprises:
    - storing the at least one current key and the at least one rotated key in a cache that is in the volatile memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KeyNexus, Inc. (StorMagic Limited)
Original Assignee
KeyNexus, Inc. (StorMagic Limited)
Inventors
MacMillan, Jeffrey Earl, Offrey, Jason Arthur
Primary Examiner(s)
Lagor, Alexander

Application Number

US13/858,841
Publication Number

US 20140177829A1
Time in Patent Office

575 Days
Field of Search

None
US Class Current

380/45
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

Key creation and rotation for data encryption

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Key creation and rotation for data encryption

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links