Centralized policy management for security keys

US 9,124,430 B2
Filed: 09/23/2013
Issued: 09/01/2015
Est. Priority Date: 09/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, using a centralized key management system, key file information associated with a plurality of keys;

storing, by the centralized key management system, the key file information in a plurality of key objects, such that each key object contains information associated with one of the plurality of keys;

associating the plurality of key objects with at least one key set object such that each of the at least one key set objects has at least one associated key object resulting in at least one hierarchy of objects defined by each of the at least one key set objects and its at least one associated key object, each of the at least one key set objects representing a group of keys that are managed together; and

associating at least one policy object with each of the at least one key set objects, the at least one policy object defining parameters to manage the group of keys represented by the associated key set object.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments include centralized systems for managing cryptographic keys and trust relationships among systems. Embodiments may include a centralized key store and a centralized policy store. Key sets comprising public/private keys may be stored in or identified by key objects. Key objects within the key store may be organized into key sets and trust sets. Policies may apply at any level within the key store. Policies and associated keys may be grouped and organized to manage groups of keys according to common policies and to present complex relationships to a user. Lower level keys may inherit policy properties from higher levels. Higher levels may be locked to preclude changes at lower levels. Policies may include a variety of properties/fields to facilitate key management. Policies may determine what actions are taken with respect to a key or group of keys.

Citations

21 Claims

1. A method comprising:
- receiving, using a centralized key management system, key file information associated with a plurality of keys;
  
  storing, by the centralized key management system, the key file information in a plurality of key objects, such that each key object contains information associated with one of the plurality of keys;
  
  associating the plurality of key objects with at least one key set object such that each of the at least one key set objects has at least one associated key object resulting in at least one hierarchy of objects defined by each of the at least one key set objects and its at least one associated key object, each of the at least one key set objects representing a group of keys that are managed together; and
  
  associating at least one policy object with each of the at least one key set objects, the at least one policy object defining parameters to manage the group of keys represented by the associated key set object.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising associating the at least one key set objects with at least one trust set object such that each of the at least one trust set objects has at least one associated key set object.
  - 3. The method of claim 1 further comprising grouping plurality of key objects into groups defined by at least one of:
    - a geographic location;
      
      a company;
      
      an organization within a company;
      
      a host system;
      
      a property of the at least one policy object;
      
      a property of the key object; and
      
      combinations thereof.
  - 4. The method of claim 3 wherein each of the plurality of key objects has properties comprising at least one of:
    - a key;
      
      multiple keys;
      
      a key pair;
      
      comments;
      
      a key option;
      
      a location of a key;
      
      a key user or holder;
      
      a key contact;
      
      a key set approver;
      
      a key permission; and
      
      a key type.
  - 5. The method of claim 3 wherein each of the at least one policy object has properties comprising at least one of:
    - a key length;
      
      a method used to generate a key or key pair;
      
      a key format;
      
      key file metadata;
      
      a key option;
      
      a property indicating key ownership;
      
      a property indicating key approver;
      
      a property indicating key permissions;
      
      a property indicating key expiration;
      
      an action to be taken at key expiration;
      
      a grace period;
      
      a rollback period;
      
      a property indicating whether a key or key pair is managed;
      
      a property indicating whether key rotation is allowed;
      
      a property indicating key rollback period;
      
      a property indicating key testing at rollback; and
      
      a property indicating a security level.
  - 6. A method as in claim 1 wherein the at least one policy object is a plurality of policy objects and wherein one of the plurality of policy objects is associated with the at least one key set object and another of the plurality of policy objects is associated with a key object associated with the at least one key set object to create a hierarchical relationship between the one of the plurality of policy objects and the another of the plurality of policy objects.

7. A system comprising:
- memory;
  
  a processor coupled to the memory;
  
  a centralized key store comprising a plurality of key objects, each key object identifying a key, the plurality of key objects being organized into a key set identified by a key set object;
  
  a centralized policy store, the centralized policy store comprising a first policy object associated with the key set object;
  
  executable instructions, that when executed on the processor, configure the system to at least;
  
  create a first effective policy by evaluating the first policy object and a second policy object and applying conflict resolution rules when information in the first policy object conflicts with information in the second policy objects;
  
  compare information in a first key object with the first effective policy to identify out of policy conditions for the first key object; and
  
  perform an operation upon identifying out of policy conditions for the first key object.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The system of claim 7 wherein the centralized key store further comprises a trust set object, the trust set object being associated with the key set object and wherein the centralized policy store comprises a trust set policy object associated with the trust set object, and executable instructions further configure the system to at least:
    - create a second effective policy by evaluating the first policy object and the trust set policy object and applying conflict resolution rules when information in the first policy object conflicts with information in the trust set policy object;
      
      compare information in the trust set object with the second effective policy to identify out of policy conditions for the trust set object; and
      
      perform an operation upon identifying out of policy conditions.
  - 9. The system of claim 8 wherein properties of the trust set policy object are either locked or unlocked and wherein when the properties of the trust set policy object are locked, corresponding properties of the first policy object may not be changed.
  - 10. The method of claim 7 wherein the executable instructions further configure the system to at least group the plurality of key objects into groups defined by at least one of:
    - a geographic location;
      
      a company;
      
      an organization within a company;
      
      a host system;
      
      a property of the at least one policy object;
      
      a property of the key object; and
      
      combinations thereof.
  - 11. The system of claim 10 wherein the first policy object comprises at least one of:
    - a key length;
      
      a method used to generate a key or key pair;
      
      a key format;
      
      key file metadata;
      
      a key option;
      
      a property indicating key ownership;
      
      a property indicating key approver;
      
      a property indicating key permissions;
      
      a property indicating key expiration;
      
      an action to be taken at key expiration;
      
      a grace period;
      
      a rollback period;
      
      a property indicating whether a key or key pair is managed;
      
      a property indicating whether key rotation is allowed;
      
      a property indicating key rollback period;
      
      a property indicating key testing at rollback; and
      
      a property indicating a security level.
  - 12. The system of claim 10 wherein each of the plurality of key objects comprises at least one of:
    - a key;
      
      multiple keys;
      
      a key pair;
      
      comments;
      
      a key option;
      
      a location of a key;
      
      a key user or holder;
      
      a key contact;
      
      a key set approver;
      
      a key permission; and
      
      a key type.
  - 13. The system of claim 12 wherein the key option comprises at least one of:
    - a restriction on which locations may access the key;
      
      a restriction on which users may access the key;
      
      an indication of which authentication methods are allowed;
      
      an indication of which protocol versions are allowed;
      
      an indication of compatibility;
      
      a forced command.
  - 14. The system of claim 10 wherein centralized key store comprises a plurality of key set objects and wherein the key set objects are organized into policy groups defined by at least one of:
    - a geographic location;
      
      a company;
      
      an organization within a company;
      
      a host system;
      
      a property of the at least one policy object;
      
      a property of the key object; and
      
      combinations thereof.
  - 15. The system of claim 14 wherein centralized key store comprises a plurality of trust set objects and wherein the trust set objects are organized into policy groups defined by at least one of:
    - a geographic location;
      
      a company;
      
      an organization within a company;
      
      a host system;
      
      a property of the at least one policy object;
      
      a property of the key object; and
      
      combinations thereof.
  - 16. The system of claim 15 wherein centralized policy store comprises a plurality of policy objects and wherein a policy object is associated with each of the groups.

17. A machine-readable storage media containing executable instructions that, when executed, configure a system to at least:
- store key file information received from at least one managed system in a plurality of key objects;
  
  associate the plurality of key objects into a key set object, wherein the key set object represents the plurality of key objects to be managed as a group;
  
  associate a policy object with the key set object, the policy object comprising properties to manage the key set object, each of the key objects inheriting policy information from the policy object associated with the key set object;
  
  evaluate the key objects and key set object with respect to the policy object to identify any out of policy conditions; and
  
  in response to identifying an out of policy condition, performing at least one action.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The machine-readable storage media of claim 17 wherein the plurality of key objects are associated into a plurality of key set objects wherein the executable instructions further configure the system to at least:
    - associate the plurality of key set objects into a trust set object, wherein the trust set object represents a plurality of key set objects that should be managed as a group;
      
      associate a second policy object with the trust set object, the second policy object comprising properties to manage the trust set object, each of the key objects inheriting policy information from at least one of the first policy object and the second policy object;
      
      evaluate the first policy object and the second policy object to identify any out of policy conditions in the plurality of key objects, the plurality of key set objects and the trust set object; and
      
      in response to identifying an out of policy condition, performing at least one action.
  - 19. The machine-readable storage media of claim 18 wherein the first policy object and the second policy object each comprise at least one of:
    - a key length;
      
      a method used to generate a key or key pair;
      
      a key format;
      
      key file metadata;
      
      a key option;
      
      a property indicating key ownership;
      
      a property indicating key approver;
      
      a property indicating key permissions;
      
      a property indicating key expiration;
      
      an action to be taken at key expiration;
      
      a grace period;
      
      a rollback period;
      
      a property indicating whether a key or key pair is managed;
      
      a property indicating whether key rotation is allowed;
      
      a property indicating key rollback period;
      
      a property indicating key testing at rollback; and
      
      a property indicating a security level.
  - 20. The machine-readable storage media of claim 18 wherein properties of the second policy object may be locked and wherein when the properties of the second policy object are locked, corresponding properties of the first policy object may not be changed.
  - 21. The machine-readable storage media of claim 18 wherein the plurality of key objects, the plurality of key set objects, the trust set object, or combinations thereof are organized into groups defined by at least one of:
    - a geographic location;
      
      a company;
      
      an organization within a company;
      
      a host system;
      
      a property of the first policy object;
      
      a property of the second policy objecta property of a key object;
      
      a property of a key set object;
      
      a property of the trust set object; and
      
      combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venafi,Inc.
Original Assignee
Venafi,Inc.
Inventors
Harjula, Tero Petteri, McCartney, Breon Malachy, Saura, Asko Juha
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/034,082
Publication Number

US 20150086020A1
Time in Patent Office

708 Days
Field of Search

380/277, 380/279
US Class Current

1/1
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/20   for managing network securi...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/30   Public key, i.e. encryption...

Centralized policy management for security keys

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized policy management for security keys

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links