Cloud key management system

US 9,350,536 B2
Filed: 01/03/2013
Issued: 05/24/2016
Est. Priority Date: 08/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for encrypted email key management, comprising:

creating, by a key agent executing on a processor, a secure tunnel between the key agent and a cloud key service executing on a processor;

receiving, by the cloud key service from the key agent, a request for key generation for the email sender, the request including email sender credentials;

verifying, by the cloud key service, the request for key generation;

identifying, by the cloud key service, a tenant location on the cloud key service, the tenant location being associated with the email sender;

creating, by the cloud key service, a key pair and corresponding digital certificate for the email sender;

encrypting, by the cloud key service, the key pair and corresponding digital certificate with a key controlled by the key agent;

storing the encrypted key pair and corresponding digital certificate at the identified tenant location;

transmitting a public key from the key pair and the corresponding digital certificate to an email address specified in the digital certificate; and

closing the secure tunnel.

View all claims

17 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention uses a cloud-based key management system to store, retrieve, generate, and perform other key operations. The cloud-based system ensures security of the keys while preventing their loss or destruction. Using this invention, a company can now manage, audit, and maintain control and security around their keys. Security event auditing permits evaluation of the operations to ensure that each step is completely secure.

16 Citations

View as Search Results

33 Claims

1. A method for encrypted email key management, comprising:
- creating, by a key agent executing on a processor, a secure tunnel between the key agent and a cloud key service executing on a processor;
  
  receiving, by the cloud key service from the key agent, a request for key generation for the email sender, the request including email sender credentials;
  
  verifying, by the cloud key service, the request for key generation;
  
  identifying, by the cloud key service, a tenant location on the cloud key service, the tenant location being associated with the email sender;
  
  creating, by the cloud key service, a key pair and corresponding digital certificate for the email sender;
  
  encrypting, by the cloud key service, the key pair and corresponding digital certificate with a key controlled by the key agent;
  
  storing the encrypted key pair and corresponding digital certificate at the identified tenant location;
  
  transmitting a public key from the key pair and the corresponding digital certificate to an email address specified in the digital certificate; and
  
  closing the secure tunnel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method according to claim 1, where the key agent local to email sender.
  - 3. A method according to claim 1, wherein verifying the request for key generation comprises evaluating a cloud-based key policy.
  - 4. A method according to claim 1, wherein verifying the request for key generation comprises verifying an identity of the email sender.
  - 5. A method according to claim 1, further comprising:
    - creating, by the key agent, a second secure tunnel between the key agent and the cloud key service;
      
      receiving, by the cloud key service from the key agent, a request for use of the key by a mail server;
      
      identifying, by the cloud key service, the tenant location storing the encrypted key pair and corresponding digital certificate;
      
      receiving, by the cloud key service, the key controlled by the key agent;
      
      decrypting, by the cloud key service, the encrypted key pair and corresponding digital certificate;
      
      performing, by the cloud key service, a key service using the decrypted key pair; and
      
      closing the second secure tunnel.
  - 6. A method according to claim 1, where the cloud key service accesses a segmented location associated with the tenant location on the cloud-based system for decrypting, encrypting and signing key services.
  - 7. A method according to claim 6, where the segmented location is associated with the email sender.
  - 8. A method according to claim 1, where the key agent communicates information about the key service to the email sender.
  - 9. A method according to claim 8, where the information comprises a digital certificate.
  - 10. A method according to claim 8, where the information comprises a digital key.
  - 11. A method according to claim 8, where the information comprises security events that document actions taken by the cloud key service.
  - 12. A method according to claim 1, where the key generation is performed in accordance with a key policy located on the cloud key service.
  - 13. A method according to claim 5, where the key service comprises deleting or revoking a key.
  - 14. A method according to claim 13, where the key is deleted or revoked by a key provisioner.
  - 15. A method according to claim 1, where the encrypted key pair and corresponding digital certificate is stored on a segmented location of the cloud based service.
  - 16. A method according to claim 1, further comprising creating, by the cloud key service, at least one security event that document actions taken by the cloud key service.
  - 17. A method according to claim 16, further comprising transmitting, by the cloud key service, at least one security event to a security events collector.
  - 18. A method according to claim 5, where the performance of the key services are evaluated by a key validator to ensure the key service complies with the key policy, where the key policy is stored by the cloud key service.

19. A method for using keys in an email system, comprising:
- receiving a request for key generation at a key agent executing on a processor from an email server, the request associated with an email sender;
  
  creating a first secure tunnel between the key agent and a cloud key service executing on a processor;
  
  communicating the first request to the cloud key service over the first secure tunnel;
  
  generating a key pair at the cloud key service;
  
  storing the generated key in an encrypted store on a segmented location on the cloud key service, where the encrypted store is encrypted using a store key controlled by the key agent;
  
  receiving a request for a key operation at the key agent from the email server and for the email sender;
  
  create a second secure tunnel between the key agent and the cloud key service;
  
  communicating the request for a key operation to the cloud key service of the second secure tunnel;
  
  assessing the segmented location on the cloud key service;
  
  decrypting the generated key stored at the segmented location using the key controlled by the key agent; and
  
  performing the key operation by the cloud key service.
- View Dependent Claims (20, 21, 22, 23)
- - 20. A method according to claim 19, further comprising validating, by the key agent, the identity of an email sender.
  - 21. A method according to claim 19, where the key is generated on a tenant location.
  - 22. A method according to claim 21, where the tenant location is selected by a multi-tenant manager.
  - 23. A method according to claim 19, where the key is encrypted using a store key transmitted to the cloud key service by the key agent.

24. A system for email key management, comprising:
- a key agent comprising a computer processor and computer readable memory storing instructions that cause the key agent to receive a request for key services for an email sender from a mail server and transmit the request to a cloud key service;
  
  a cloud key service comprising;
  
  an encrypted key store located on a segmented location of the cloud key service, the encrypted key store comprising computer readable memory configured to store keys and wherein the encrypted key store is encrypted using a store key controlled by the key agent;
  
  a multi-tenancy manager comprising a computer processor and computer readable memory storing instructions that cause the multi-tenancy manager to route a request from the key agent and identify a tenant store in the cloud key service, wherein the tenant store is associated with the email sender; and
  
  a server manager comprising a computer processor and computer readable memory storing instructions that cause the server manager to perform a key service associated with a key stored at the tenant store.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. A system according to claim 24, further comprising a mail server that uses the key agent to communicate with the cloud-based service.
  - 26. A system according to claim 24, further comprising a key validator configured to ensure that the cloud key service complies with a key policy, where the key policy is located on the cloud key service.
  - 27. A system according to claim 24, further comprising a security event collector to receive, collect or distribute security events.
  - 28. A system according to claim 24, further comprising an identity service configured to authenticate an identity.
  - 29. A system according to claim 24, further comprising a key provisioner.

30. An apparatus for providing cloud-based email key services, comprising:
- a processor; and
  
  non-transitory memory storing computer executable instructions that, when executed by the processor, cause the apparatus to at least;
  
  accept requests for use of a key associated with an email sender, the requests being made by an email server through a key agent;
  
  validate an identity of the email sender;
  
  identify that a key associated with the email sender does not exist at a tenant location on the cloud key service;
  
  in response to determining that a key associated with the email sender does not exist, generate a key for the email sender;
  
  identify a tenant location on the cloud key service for storing the key;
  
  encrypting the key using a store key, wherein the store key is controlled by the key agent; and
  
  verify that the key generation is performed correctly.
- View Dependent Claims (31, 32, 33)
- - 31. An apparatus according to claim 30, where the computer executable instructions further cause the apparatus to create security events that document actions taken by the apparatus and the security events are sent to a security events collector.
  - 32. An apparatus according to claim 30, where the computer executable instructions further cause the apparatus to generate a digital certificate for the email sender.
  - 33. An apparatus according to claim 30, where the computer executable instructions further cause the apparatus to open and close a secure tunnel between the key service and the key agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DigiCert Incorporated
Original Assignee
DigiCert Incorporated
Inventors
Sabin, Jason Allen
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Nipa, Wasika

Application Number

US13/733,646
Publication Number

US 20140050317A1
Time in Patent Office

1,237 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 9/08 Key distribution or managem...

H04L 9/0894 Escrow, recovery or storing...

Cloud key management system

First Claim

17 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud key management system

First Claim

17 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links