Method for the cryptographic protection of an application
First Claim
1. A method for the cryptographic protection of an application that is associated with an application owner and which is executed in a data processing center administered by an external service provider not belonging to the application owner,
wherein the application owner is an entity that developed or otherwise owns the application,
wherein the external service provider is an entity distinct from the application owner and provides non-owners of the application, which comprise entities distinct from the application owner and the external service provider, access to use the application,
wherein the data processing center provides a security module of the application owner that stores private cryptographic material of the application owner, and
wherein the method comprises:
generating a cryptographic secret by a generation application of the application owner or by the security module;
transmitting the cryptographic secret between a computer of the application owner and the security module via an encrypted transmission via a first secure channel between the application and the computer of the application owner, the encrypted transmission being decryptable by the application and the computer of the application owner, but not by the external service provider or the non-owners of the application, as a result of which encrypted transmission the cryptographic secret is made accessible to the computer of the application owner and the security module but not to the external service provider or the non-owners of the application;
transmitting the cryptographic secret from the computer of the application owner to the application via a second secure channel between the application and the computer of the application owner, as a result of which the cryptographic secret is made accessible to the application, but remains inaccessible to the external service provider and the non-owners of the application; and
performing an authentication of the application to the security module based on the cryptographic secret that is accessible to the application and the security module, wherein following successful authentication the cryptographic material of the application owner is transmittable from the security module to the application via a channel protected by the cryptographic secret.
Abstract
A method is provided for cryptographic protection of an application associated with an application owner and executed in an external data processing center having a security module that stores private cryptographic material of the application owner. A first secure channel between the security module and application owner and a second secure channel between the application owner and the application are used for transmitting a cryptographic key. The cryptographic key is automatically made available to the security module and the application via the secure channels, without the data processing center service operator being able to access said key. The application can authenticate itself using the key so that the cryptographic material can be transmitted to the application via a channel protected by the cryptographic key. The application data can be encrypted using the cryptographic material such that the application data cannot be accessed by the data processing center service operator.
14 Claims
1. (Independent claim; text as given above under First Claim.) Dependent claims 2 to 13 depend on claim 1.
14. A system for the cryptographic protection of an application that is associated with an application owner and which is executable in a data processing center administered by an external service provider not belonging to the application owner,
wherein the application owner is an entity that developed or otherwise owns the application,
wherein the external service provider is an entity distinct from the application owner and provides non-owners of the application, which comprise entities distinct from the application owner and the external service provider, access to use the application,
the system comprising:
a security module of the application owner provided in the data processing center and which stores private cryptographic material of the application owner, and
a computer of the application owner,
wherein the system is configured to perform the following steps upon execution of the application at the data processing center:
generating a cryptographic secret by the application owner;
transmitting the cryptographic secret between the computer of the application owner and the security module via an encrypted transmission via a first secure channel between the application and the computer of the application owner, the encrypted transmission being decryptable by the application and the computer of the application owner, but not by the external service provider or the non-owners of the application, as a result of which encrypted transmission the cryptographic secret is made accessible to the computer of the application owner and the security module but not to the external service provider or the non-owners of the application;
transmitting the cryptographic secret from the computer of the application owner to the application via a second secure channel between the application and the computer of the application owner, as a result of which the cryptographic secret is made accessible to the application, but remains inaccessible to the external service provider and the non-owners of the application; and
performing an authentication of the application to the security module based on the cryptographic secret which is accessible to the application and the security module, wherein following successful authentication the cryptographic material of the application owner is transmittable from the security module to the application via a channel protected by the cryptographic secret.
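As an added illustration of the flow the abstract and claims describe (this code is not from the patent), the following Python models the three parties in one process: the owner's computer generates the secret, delivers it to the security module over the first secure channel and to the application over the second, the application then authenticates to the security module with an HMAC challenge-response, and the private material travels back sealed under a key derived from the secret. Both secure channels are assumed to exist already and are represented as direct calls, and the HMAC-based keystream is an assumed stand-in for a real AEAD cipher.

```python
import hashlib, hmac, os, secrets

def kdf(secret: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound sub-key from the shared cryptographic secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC counter-mode keystream; illustrative only, a real channel uses an AEAD
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from `key`: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(kdf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("channel tag mismatch: message altered or wrong secret")
    return bytes(c ^ s for c, s in zip(ct, keystream(kdf(key, b"enc"), nonce, len(ct))))

class SecurityModule:
    """The owner's security module hosted in the provider's data center (constructed model)."""
    def __init__(self, private_material: bytes):
        self.private_material, self.secret, self.nonce = private_material, None, None
    def receive_secret(self, secret: bytes) -> None:   # delivered over the first secure channel
        self.secret = secret
    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce
    def release(self, response: bytes):
        """Hand out private material only to a caller that proves knowledge of the secret."""
        expect = hmac.new(kdf(self.secret, b"auth"), self.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, response):
            return None                                # authentication failed: nothing leaves
        return seal(kdf(self.secret, b"transport"), self.private_material)

def run_protocol(private_material: bytes, app_secret=None):
    """Run the claimed flow; return what the application recovers, or None if refused."""
    secret = secrets.token_bytes(32)          # generated by the owner's generation application
    hsm = SecurityModule(private_material)
    hsm.receive_secret(secret)                # first channel: owner computer -> security module
    if app_secret is None:
        app_secret = secret                   # second channel: owner computer -> application
    response = hmac.new(kdf(app_secret, b"auth"), hsm.challenge(), hashlib.sha256).digest()
    blob = hsm.release(response)              # the provider sees only this sealed blob
    return None if blob is None else unseal(kdf(app_secret, b"transport"), blob)
```

Passing a wrong `app_secret` models a party that never received the secret over the second channel (for instance the service provider): the security module refuses it, so no material leaves the module.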
Specification