Trusted data processing in the public cloud
First Claim
1. A system comprising:
- a cloud server comprising a first trusted execution environment, the cloud server one of a plurality of cloud servers configured to perform data processing operations for a plurality of clients;
- a cloud storage device coupled to the cloud server;
- a root key management (“RKM”) server comprising a key server module, the RKM server configured to sign the key server module using a first private key; and
- a gateway server configured to provide the signed key server module to the cloud server, the first trusted execution environment configured to verify the key server module using a first public key related to the first private key and to launch the key server module if the key server module verifies, the key server module configured to establish a first secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a first cryptographic key to the key server module via the first secure communication channel.
Abstract
Generally, this disclosure describes a system and method for trusted data processing in the public cloud. A system may include a cloud server including a trusted execution environment, the cloud server one of a plurality of cloud servers, a cloud storage device coupled to the cloud server, and a RKM server including a key server module, the RKM server configured to sign the key server module using a private key and a gateway server configured to provide the signed key server module to the cloud server, the trusted execution environment configured to verify the key server module using a public key related to the private key and to launch the key server module, the key server module configured to establish a secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a cryptographic key to the key server module via the secure communication channel.
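The flow in the abstract, as an added Go sketch that is not taken from the patent: Ed25519 for the module signature and X25519 with AES-256-GCM for the gateway channel are assumed choices (the claims name no algorithms), and `Provision`, `Demo` and `Image` are hypothetical names. Hardware attestation of the execution environment is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const Image = "constructed key-server-module image" // sample module bytes

// channel derives AES-256-GCM from X25519 (assumed algorithms, bare SHA-256 as KDF).
func channel(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	secret, _ := priv.ECDH(peer) // both keys are freshly generated in Provision
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Provision launches the module only if the RKM signature verifies, then sends the key.
func Provision(rkmPub ed25519.PublicKey, module, sig []byte) (sent, got []byte, err error) {
	if !ed25519.Verify(rkmPub, module, sig) {
		return nil, nil, errors.New("module signature invalid: not launched")
	}
	gw, _ := ecdh.X25519().GenerateKey(rand.Reader)  // gateway server
	ksm, _ := ecdh.X25519().GenerateKey(rand.Reader) // key server module in the TEE
	buf := make([]byte, 44)                          // 32-byte key + 12-byte nonce
	rand.Read(buf)
	sent, nonce := buf[:32], buf[32:]
	wire := channel(gw, ksm.PublicKey()).Seal(nil, nonce, sent, nil)
	got, err = channel(ksm, gw.PublicKey()).Open(nil, nonce, wire, nil)
	return sent, got, err
}

// Demo signs Image as the RKM server would, then provisions the image actually received.
func Demo(received []byte) (bool, error) {
	rkmPub, rkmPriv, _ := ed25519.GenerateKey(rand.Reader)
	sent, got, err := Provision(rkmPub, received, ed25519.Sign(rkmPriv, []byte(Image)))
	return err == nil && string(sent) == string(got), err
}

func main() {
	fmt.Println(Demo([]byte(Image)))                     // true <nil>
	fmt.Println(Demo([]byte(Image + " plus a payload"))) // false, not launched
}
```

The second call shows the gate the claims rely on: a module image that differs from what the RKM server signed never reaches the point where the gateway releases a key.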
20 Claims
1. A system comprising:
- a cloud server comprising a first trusted execution environment, the cloud server one of a plurality of cloud servers configured to perform data processing operations for a plurality of clients;
- a cloud storage device coupled to the cloud server;
- a root key management (“RKM”) server comprising a key server module, the RKM server configured to sign the key server module using a first private key; and
- a gateway server configured to provide the signed key server module to the cloud server, the first trusted execution environment configured to verify the key server module using a first public key related to the first private key and to launch the key server module if the key server module verifies, the key server module configured to establish a first secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a first cryptographic key to the key server module via the first secure communication channel.
Dependent claims: 2, 3, 4, 5, 6
7. A method comprising:
- providing a key server module from a root key management (“RKM”) server to a cloud server of a plurality of cloud servers configured to perform data processing operations for a plurality of clients, the cloud server coupled to a cloud storage device, the key server module signed using a first private key;
- verifying the key server module using a first public key related to the first private key;
- launching the key server module in a first trusted execution environment in the cloud server if the key server module verifies;
- establishing a first secure communication channel between a gateway server and the key server module; and
- providing a first cryptographic key from the gateway server to the key server module via the first secure communication channel, the first cryptographic key configured to decrypt a block of encrypted data.
Dependent claims: 8, 9, 10, 11, 12, 13
14. A system comprising one or more storage mediums having stored thereon, individually or in combination, instructions that when executed by one or more processors result in the following operations comprising:
- providing a key server module from a root key management (“RKM”) server to a cloud server of a plurality of cloud servers configured to perform data processing operations for a plurality of clients, the cloud server coupled to a cloud storage device, the key server module signed using a first private key;
- verifying the key server module using a first public key related to the first private key;
- launching the key server module in a first trusted execution environment in the cloud server if the key server module verifies;
- establishing a first secure communication channel between a gateway server and the key server module; and
- providing a first cryptographic key from the gateway server to the key server module via the first secure communication channel, the first cryptographic key configured to decrypt a block of encrypted data.
Dependent claims: 15, 16, 17, 18, 19, 20
Specification