Secure key management

US 9,264,230 B2
Filed: 03/14/2011
Issued: 02/16/2016
Est. Priority Date: 03/14/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product for secure key management, the computer program product comprising:

a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method, comprising;

creating a token and populating a payload section of the token with key material;

selecting a wrapping method from a plurality of supported wrapping methods that specifies how the key material is securely bound to key control information, wherein a structure of the key control information in the token is independent of the wrapping method, and wherein the plurality of supported wrapping methods comprises advanced encryption standard key wrap (AESKW), Rivest Shamir Adelman (RSA) with Optimal Asymmetric Encryption Padding (OAEP), data encryption standard (DES), Elliptic Curve, and message authentication code (MAC); and

wrapping the key material and binding key control information to the key material in the token, the key control information including information relating to usage and management of the key material, wherein the token comprises the key control information, the payload section and a description of the wrapping method, the description of the wrapping method being in a selected section of the token, where sections of the token are known by a party accessing the token, the description of the wrapping method corresponding to one of the plurality of supported wrapping methods wherein the key control information further comprises a label for the token that is recoverable from the token, the label comprising an unencrypted user-specified name of the token, andthe information relating to management of the key material comprises extensible fields that are configured to describe a history and life cycle of the key material and allow updates to the extensible fields after receiving the token by the party accessing the token, and wherein a policy specifying when to retire the token and allowable methods for wrapping the token is configured to be created after receiving the token by the party accessing the token based on the extensible fields.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for implementing computer security is provided. The system includes a computer processor and an application configured to execute on the computer processor, the application implementing a method that includes creating a token and populating a payload section of the token with key material and selecting a wrapping method that specifies how the key material is securely bound to key control information. A structure of the key control information in the token is independent of the wrapping method. Implementing computer security also includes wrapping the key material and binding key control information to the key material in the token. The key control information includes information relating to usage and management of the key material.

50 Citations

View as Search Results

10 Claims

1. A computer program product for secure key management, the computer program product comprising:
- a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method, comprising;
  
  creating a token and populating a payload section of the token with key material;
  
  selecting a wrapping method from a plurality of supported wrapping methods that specifies how the key material is securely bound to key control information, wherein a structure of the key control information in the token is independent of the wrapping method, and wherein the plurality of supported wrapping methods comprises advanced encryption standard key wrap (AESKW), Rivest Shamir Adelman (RSA) with Optimal Asymmetric Encryption Padding (OAEP), data encryption standard (DES), Elliptic Curve, and message authentication code (MAC); and
  
  wrapping the key material and binding key control information to the key material in the token, the key control information including information relating to usage and management of the key material, wherein the token comprises the key control information, the payload section and a description of the wrapping method, the description of the wrapping method being in a selected section of the token, where sections of the token are known by a party accessing the token, the description of the wrapping method corresponding to one of the plurality of supported wrapping methods wherein the key control information further comprises a label for the token that is recoverable from the token, the label comprising an unencrypted user-specified name of the token, andthe information relating to management of the key material comprises extensible fields that are configured to describe a history and life cycle of the key material and allow updates to the extensible fields after receiving the token by the party accessing the token, and wherein a policy specifying when to retire the token and allowable methods for wrapping the token is configured to be created after receiving the token by the party accessing the token based on the extensible fields.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1, wherein the information relating to usage of the key material comprises a field that limits actions that may be performed with the key material.
  - 3. The computer program product of claim 1, wherein the information relating to management of the key material comprises a field that limits distribution of the key material.
  - 4. The computer program product of claim 1, wherein the key control information comprises an extensible field for manufacturer data and an extensible field for user data.
  - 5. The computer program product of claim 1, wherein securely binding the key control information to the key material comprises binding the key control information to a payload that comprises the key material, a hash of the key control information and a padding.
  - 6. The computer program product of claim 1, wherein the information relating to usage of the key material comprises extensible fields.

7. A system for secure key management, comprising:
- a computer processor; and
  
  an application configured to execute on the computer processor, the application implementing a method, the method comprising;
  
  creating a token and populating a payload section of the token with key material;
  
  selecting a wrapping method from a plurality of supported wrapping methods that specifies how the key material is securely bound to key control information, wherein a structure of the key control information in the token is independent of the wrapping method, and wherein the plurality of supported wrapping methods comprises advanced encryption standard key wrap (AESKW), Rivest Shamir Adelman (RSA) with Optimal Asymmetric Encryption Padding (OAEP), data encryption standard (DES), Elliptic Curve, and message authentication code (MAC); and
  
  wrapping the key material and binding key control information to the key material in the token, the key control information including information relating to usage and management of the key material, wherein the token comprises the key control information, the payload section and a description of the wrapping method, the description of the wrapping method being in a selected section of the token, where sections of the token are known by a party accessing the token, the description of the wrapping method corresponding to one of the plurality of supported wrapping methods wherein the key control information further comprises a label for the token that is recoverable from the token, the label comprising an unencrypted user-specified name of the token,and the information relating to management of the key material comprises extensible fields that are configured to describe a history and life cycle of the key material and allow updates to the extensible fields after receiving the token by the party accessing the token, and wherein a policy specifying when to retire the token and allowable methods for wrapping the token is configured to be created after receiving the token by the party accessing the token based on the extensible fields.
- View Dependent Claims (8, 9, 10)
- - 8. The system of claim 7, wherein the information relating to usage of the key material comprises a field that limits actions that may be performed with the key material.
  - 9. The system of claim 7, wherein the information relating to management of the key material comprises a field that limits distribution of the key material.
  - 10. The system of claim 7, wherein the key control information comprises an extensible field for manufacturer data and an extensible field for user data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Arnold, Todd W., Dames, Elizabeth A., Dewkett, Thomas J., Frehr, Carsten D., Kelly, Michael J., Kerr, Kenneth B., Kisley, Richard V., Rossman, Eric D., Smith, Eric B.
Primary Examiner(s)
BROWN, CHRISTOPHER J

Application Number

US13/047,344
Publication Number

US 20120237023A1
Time in Patent Office

1,800 Days
Field of Search

380/44, 713/194, 726/18
US Class Current

1/1
CPC Class Codes

H04L 9/0897 involving additional device...

Secure key management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Secure key management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links