Centralized policy management for security keys
Abstract
Example embodiments include centralized systems for managing cryptographic keys and trust relationships among systems. Embodiments may include a centralized key store and a centralized policy store. Key sets comprising public/private keys may be stored in or identified by key objects. Key objects within the key store may be organized into key sets and trust sets. Policies may apply at any level within the key store. Policies and associated keys may be grouped and organized to manage groups of keys according to common policies and to present complex relationships to a user. Lower level keys may inherit policy properties from higher levels. Higher levels may be locked to preclude changes at lower levels. Policies may include a variety of properties/fields to facilitate key management. Policies may determine what actions are taken with respect to a key or group of keys.
Claims (21)

1. A method comprising:
- receiving, using a centralized key management system, key file information associated with a plurality of keys;
- storing, by the centralized key management system, the key file information in a plurality of key objects, such that each key object contains information associated with one of the plurality of keys;
- associating the plurality of key objects with at least one key set object such that each of the at least one key set objects has at least one associated key object, resulting in at least one hierarchy of objects defined by each of the at least one key set objects and its at least one associated key object, each of the at least one key set objects representing a group of keys that are managed together; and
- associating at least one policy object with each of the at least one key set objects, the at least one policy object defining parameters to manage the group of keys represented by the associated key set object.
Dependent claims: 2, 3, 4, 5, 6.

7. A system comprising:
- memory;
- a processor coupled to the memory;
- a centralized key store comprising a plurality of key objects, each key object identifying a key, the plurality of key objects being organized into a key set identified by a key set object;
- a centralized policy store, the centralized policy store comprising a first policy object associated with the key set object;
- executable instructions that, when executed on the processor, configure the system to at least: create a first effective policy by evaluating the first policy object and a second policy object and applying conflict resolution rules when information in the first policy object conflicts with information in the second policy object; compare information in a first key object with the first effective policy to identify out of policy conditions for the first key object; and perform an operation upon identifying out of policy conditions for the first key object.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16.

17. A machine-readable storage media containing executable instructions that, when executed, configure a system to at least:
- store key file information received from at least one managed system in a plurality of key objects;
- associate the plurality of key objects into a key set object, wherein the key set object represents the plurality of key objects to be managed as a group;
- associate a policy object with the key set object, the policy object comprising properties to manage the key set object, each of the key objects inheriting policy information from the policy object associated with the key set object;
- evaluate the key objects and key set object with respect to the policy object to identify any out of policy conditions; and
- in response to identifying an out of policy condition, perform at least one action.
Dependent claims: 18, 19, 20, 21.
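The abstract and claims 7 and 17 describe a key-set hierarchy whose lower levels inherit policy from higher levels, higher levels that can be locked against lower-level changes, an effective policy produced by conflict-resolution rules, and evaluation of key objects against that effective policy to find out-of-policy conditions. The Python model below is an added example, not code from the patent or from any assignee. The policy fields (min_bits, max_age_days, allowed_algorithms), the conflict-resolution rule (a lower-level value overrides a higher-level one unless the higher level has locked that field) and the "flag-for-rotation" action are assumptions chosen for illustration, as is the sample hierarchy.

```python
"""Toy centralized key store / policy store.

Key objects are grouped into key set objects, key sets form a hierarchy
(child -> parent), policy objects attach to key sets, and an effective
policy is derived per key set before each key is checked against it.
Field names, the conflict-resolution rule and the action are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class PolicyObject:
    """Parameters that manage a group of keys. None means 'not specified
    at this level'. Fields named in `locked` cannot be overridden below."""
    min_bits: Optional[int] = None
    max_age_days: Optional[int] = None
    allowed_algorithms: Optional[frozenset] = None
    locked: frozenset = frozenset()

@dataclass
class KeySetObject:
    name: str
    parent: Optional["KeySetObject"] = None
    policy: Optional[PolicyObject] = None

@dataclass
class KeyObject:
    key_id: str
    algorithm: str
    bits: int
    created: date
    key_set: KeySetObject

FIELDS = ("min_bits", "max_age_days", "allowed_algorithms")

def effective_policy(key_set):
    """Merge the policy objects from the root key set down to `key_set`.

    Conflict resolution (assumed rule): a lower level overrides a higher
    level's value for a field, unless some higher level locked that field,
    in which case the higher level's value is kept and the override is ignored."""
    chain = []
    node = key_set
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()  # root first, so later (lower) levels override earlier ones
    effective, locked = {}, set()
    for node in chain:
        if node.policy is None:
            continue
        for f in FIELDS:
            value = getattr(node.policy, f)
            if value is None or f in locked:
                continue  # not specified here, or frozen by a higher level
            effective[f] = value
        locked |= set(node.policy.locked)  # lock applies to every level below
    return effective

def out_of_policy(key, today):
    """Return the list of conditions under which `key` violates its effective policy."""
    pol = effective_policy(key.key_set)
    findings = []
    if "min_bits" in pol and key.bits < pol["min_bits"]:
        findings.append(f"{key.key_id}: {key.bits}-bit key below minimum {pol['min_bits']}")
    if "max_age_days" in pol and (today - key.created).days > pol["max_age_days"]:
        findings.append(f"{key.key_id}: key older than {pol['max_age_days']} days")
    if "allowed_algorithms" in pol and key.algorithm not in pol["allowed_algorithms"]:
        findings.append(f"{key.key_id}: algorithm {key.algorithm} not allowed")
    return findings

def evaluate_store(keys, today):
    """Evaluate every key object and map key_id -> action taken (assumed action)."""
    return {k.key_id: ("flag-for-rotation" if out_of_policy(k, today) else "ok")
            for k in keys}

# Constructed sample hierarchy: organisation-wide key set -> "ssh-servers" key set.
ORG = KeySetObject("org", policy=PolicyObject(
    min_bits=2048, max_age_days=365,
    allowed_algorithms=frozenset({"rsa", "ed25519"}),
    locked=frozenset({"min_bits"})))          # lower levels may not weaken min_bits
SSH = KeySetObject("ssh-servers", parent=ORG, policy=PolicyObject(
    min_bits=1024,                              # ignored: field locked at org level
    max_age_days=90))                           # honoured: tightens rotation interval
TODAY = date(2024, 1, 1)
KEYS = [  # constructed key objects
    KeyObject("host-a", "rsa", 3072, TODAY - timedelta(days=30), SSH),
    KeyObject("host-b", "rsa", 1536, TODAY - timedelta(days=30), SSH),
    KeyObject("host-c", "rsa", 4096, TODAY - timedelta(days=200), SSH),
    KeyObject("host-d", "dsa", 2048, TODAY - timedelta(days=10), SSH),
]

if __name__ == "__main__":
    print("effective policy for ssh-servers:", effective_policy(SSH))
    for k in KEYS:
        for finding in out_of_policy(k, TODAY):
            print("out of policy:", finding)
    print(evaluate_store(KEYS, TODAY))
```

The lock is what makes the hierarchy safe to delegate: the ssh-servers administrator can shorten the rotation interval but cannot relax the minimum key size set at the organisation level, so the weaker `min_bits=1024` in the child policy never becomes part of the effective policy.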