Trusted data processing in the public cloud

US 9,118,639 B2
Filed: 03/14/2013
Issued: 08/25/2015
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a cloud server comprising a first trusted execution environment, the cloud server one of a plurality of cloud servers configured to perform data processing operations for a plurality of clients;

a cloud storage device coupled to the cloud server;

a root key management (“

RKM”

) server comprising a key server module, the RKM server configured to sign the key server module using a first private key; and

a gateway server configured to provide the signed key server module to the cloud server,the first trusted execution environment configured to verify the key server module using a first public key related to the first private key and to launch the key server module if the key server module verifies, the key server module configured to establish a first secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a first cryptographic key to the key server module via the first secure communication channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generally, this disclosure describes a system and method for trusted data processing in the public cloud. A system may include a cloud server including a trusted execution environment, the cloud server one of a plurality of cloud servers, a cloud storage device coupled to the cloud server, and a RKM server including a key server module, the RKM server configured to sign the key server module using a private key and a gateway server configured to provide the signed key server module to the cloud server, the trusted execution environment configured to verify the key server module using a public key related to the private key and to launch the key server module, the key server module configured to establish a secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a cryptographic key to the key server module via the secure communication channel.

17 Citations

View as Search Results

20 Claims

1. A system comprising:
- a cloud server comprising a first trusted execution environment, the cloud server one of a plurality of cloud servers configured to perform data processing operations for a plurality of clients;
  
  a cloud storage device coupled to the cloud server;
  
  a root key management (“
  
  RKM”
  
  ) server comprising a key server module, the RKM server configured to sign the key server module using a first private key; and
  
  a gateway server configured to provide the signed key server module to the cloud server,the first trusted execution environment configured to verify the key server module using a first public key related to the first private key and to launch the key server module if the key server module verifies, the key server module configured to establish a first secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a first cryptographic key to the key server module via the first secure communication channel.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, whereinthe cloud server comprises a second trusted execution environment,the RKM server is configured to sign a data processing module using a second private key, andthe gateway server is configured to provide the signed data processing module and a plurality of blocks of encrypted data to the cloud server, the plurality of blocks of encrypted data including the block of encrypted data,the cloud server is configured to store the plurality of blocks of encrypted data in the cloud storage device, andthe second trusted execution environment is configured to launch the data processing module and to verify the data processing module using a second public key related to the second private key.
  - 3. The system of claim 2, wherein the key server module is configured to establish a second secure communication channel between the data processing module and the key server module and to provide the first cryptographic key to the data processing module via the second secure communication channel if the data processing module verifies.
  - 4. The system of claim 3, wherein the data processing module is configured to:
    - load the block of encrypted data into the second trusted execution environment, decrypt the block of encrypted data using the first cryptographic key to yield a corresponding block of decrypted data, process the block of decrypted data to produce a result, encrypt the result, and at least one of store the encrypted result in the cloud storage device or provide the encrypted result to the gateway server.
  - 5. The system of claim 1, wherein the RKM server is configured to generate the first cryptographic key.
  - 6. The system of claim 1, wherein the first public key is certified by the RKM server.

7. A method comprising:
- providing a key server module from a root key management (“
  
  RKM”
  
  ) server to a cloud server of a plurality of cloud servers configured to perform data processing operations for a plurality of clients, the cloud server coupled to a cloud storage device, the key server module signed using a first private key;
  
  verifying the key server module using a first public key related to the first private key;
  
  launching the key server module in a first trusted execution environment in the cloud server if the key server module verifies;
  
  establishing a first secure communication channel between a gateway server and the key server module; and
  
  providing a first cryptographic key from the gateway server to the key server module via the first secure communication channel, the first cryptographic key configured to decrypt a block of encrypted data.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, further comprising:
    - providing a plurality of blocks of encrypted data from the gateway server to the cloud server, the plurality of blocks of encrypted data including the block of encrypted data;
      
      storing the plurality of blocks of encrypted data in the cloud storage device;
      
      providing a data processing module from the gateway server to the cloud server, the data processing module signed using a second private key;
      
      launching the data processing module in a second trusted execution environment in the cloud server; and
      
      verifying the data processing module using a second public key related to the second private key.
  - 9. The method of claim 7, further comprising:
    - establishing a second secure communication channel between the data processing module and the key server module if the data processing module verifies; and
      
      providing the first cryptographic key from the key server module to the data processing module via the second secure communication channel.
  - 10. The method of claim 9, further comprising:
    - loading the block of encrypted data into the second trusted execution environment;
      
      decrypting the block of encrypted data using the first cryptographic key to yield a corresponding block of decrypted data;
      
      processing the block of decrypted data by the data processing module to produce a result;
      
      encrypting the result; and
      
      at least one of storing the encrypted result in the cloud storage device or providing the encrypted result to the gateway server.
  - 11. The method of claim 7, further comprising:
    - generating the first cryptographic key by the RKM server.
  - 12. The method of claim 7, wherein the first public key is certified by the RKM server.
  - 13. The method of claim 10, wherein the result is encrypted using a second cryptographic key provided to the data processing module by the key server module.

14. A system comprising one or more storage mediums having stored thereon, individually or in combination, instructions that when executed by one or more processors result in the following operations comprising:
- providing a key server module from a root key management (“
  
  RKM”
  
  ) server to a cloud server of a plurality of cloud servers configured to perform data processing operations for a plurality of clients, the cloud server coupled to a cloud storage device, the key server module signed using a first private key;
  
  verifying the key server module using a first public key related to the first private key;
  
  launching the key server module in a first trusted execution environment in the cloud server if the key server module verifies;
  
  establishing a first secure communication channel between a gateway server and the key server module; and
  
  providing a first cryptographic key from the gateway server to the key server module via the first secure communication channel, the first cryptographic key configured to decrypt a block of encrypted data.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the instructions that when executed by one or more processors result in the following additional operations comprising:
    - providing a plurality of blocks of encrypted data from the gateway server to the cloud server, the plurality of blocks of encrypted data including the block of encrypted data;
      
      storing the plurality of blocks of encrypted data in the cloud storage device;
      
      providing a data processing module from the gateway server to the cloud server, the data processing module signed using a second private key;
      
      launching the data processing module in a second trusted execution environment in the cloud server; and
      
      verifying the data processing module using a second public key related to the second private key.
  - 16. The system of claim 14, wherein the instructions that when executed by one or more processors result in the following additional operations comprising:
    - establishing a second secure communication channel between the data processing module and the key server module if the data processing module verifies; and
      
      providing the first cryptographic key from the key server module to the data processing module via the second secure communication channel.
  - 17. The system of claim 16, wherein the instructions that when executed by one or more processors result in the following additional operations comprising:
    - loading the block of encrypted data into the second trusted execution environment;
      
      decrypting the block of encrypted data using the first cryptographic key to yield a corresponding block of decrypted data;
      
      processing the block of decrypted data by the data processing module to produce a result;
      
      encrypting the result; and
      
      at least one of storing the encrypted result in the cloud storage device or providing the encrypted result to the gateway server.
  - 18. The system of claim 14, wherein the instructions that when executed by one or more processors result in the following additional operations comprising:
    - generating the first cryptographic key by the RKM server.
  - 19. The system of claim 14, wherein the first public key is certified by the RKM server.
  - 20. The system of claim 17, wherein the result is encrypted using a second cryptographic key provided to the data processing module by the key server module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Phegade, Vinay, Jain, Nilesh K, Walker, Jesse
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
LITTLE, VANCE M

Application Number

US13/994,451
Publication Number

US 20140281531A1
Time in Patent Office

894 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/06   for supporting key manageme...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0827   involving distinctive inter...

H04L 9/083   involving central third par...

Trusted data processing in the public cloud

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted data processing in the public cloud

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links