Data security with a security module

US 9,367,697 B1
Filed: 02/12/2013
Issued: 06/14/2016
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for key management, comprising:

under the control of a computer system configured with executable instructions,storing a plurality of keys in memory of the computer system;

storing a first set of information in volatile memory without storing the first set of information in non-volatile memory, the first set of information comprising a key used to encrypt the plurality of keys and being sufficient to access the plurality of keys in plaintext form;

using keys from the plurality of keys to respond to requests to perform cryptographic operations;

detecting an event, the event triggering a transition of the computer system into an administrative mode in which one or more administrative operations are permissible as a result of being in the administrative mode;

deleting the first set of information from the computer system by at least removing power to the volatile memory so that the plurality of keys is inaccessible to the computer system in plaintext form while the computer system is in the administrative mode;

after deleting the first set of information, enabling the administrative mode;

entering and subsequently leaving the administrative mode;

after leaving the administrative mode, obtaining a second set of information usable to restore access to the plurality of keys, so that the plurality of keys is accessible to the computer system in plaintext form; and

using the obtained second set of information to access at least one key from the plurality of keys.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Citations

30 Claims

1. A computer-implemented method for key management, comprising:
- under the control of a computer system configured with executable instructions,storing a plurality of keys in memory of the computer system;
  
  storing a first set of information in volatile memory without storing the first set of information in non-volatile memory, the first set of information comprising a key used to encrypt the plurality of keys and being sufficient to access the plurality of keys in plaintext form;
  
  using keys from the plurality of keys to respond to requests to perform cryptographic operations;
  
  detecting an event, the event triggering a transition of the computer system into an administrative mode in which one or more administrative operations are permissible as a result of being in the administrative mode;
  
  deleting the first set of information from the computer system by at least removing power to the volatile memory so that the plurality of keys is inaccessible to the computer system in plaintext form while the computer system is in the administrative mode;
  
  after deleting the first set of information, enabling the administrative mode;
  
  entering and subsequently leaving the administrative mode;
  
  after leaving the administrative mode, obtaining a second set of information usable to restore access to the plurality of keys, so that the plurality of keys is accessible to the computer system in plaintext form; and
  
  using the obtained second set of information to access at least one key from the plurality of keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein deleting the first set of information includes issuing, to a data storage device, a command to perform a confirmable erase operation.
  - 3. The computer-implemented method of claim 1, wherein the volatile memory is a register of a processor of the computer system.
  - 4. The computer-implemented method of claim 1, wherein deleting the first set of information results in the plurality of keys remaining stored by the computer system in encrypted form while the computer system is in the administrative mode.
  - 5. The computer-implemented method of claim 1, wherein:
    - the computer system includes a first processor connected by a bus to a data storage device of a data storage subsystem; and
      
      deleting the first set of information includes transmitting over the bus, from a second processor that is part of the data storage subsystem, a command to the data storage device to delete the first set of information.
  - 6. The computer-implemented method of claim 1, wherein obtaining the second set of information includes receiving the information from a security module different from the computer system.
  - 7. The computer-implemented method of claim 1, wherein obtaining the second set of information requires intervention by an operator of the computer system.
  - 8. The computer-implemented method of claim 1, wherein the computer system is a security module device.

9. A computer-implemented method for key management, comprising:
- under the control of a computer system configured with executable instructions,storing secret information comprising a plurality of keys in memory of the computer system, at least a subset of the plurality of keys used to perform cryptographic operations to respond to requests;
  
  storing a key used to encrypt the plurality of keys in volatile memory without storing the key in non-volatile memory, the key being usable to access the plurality of keys in plaintext form;
  
  detecting an event, the event triggering a transition of the computer system into an administrative mode in which one or more administrative operations are permitted as a result of transitioning into the administrative mode; and
  
  as a result of detecting the event,rendering the key inaccessible to the computer system while in the administrative mode by at least removing power to the volatile memory; and
  
  after rendering the key inaccessible to the computer system, enabling the administrative mode;
  
  entering and subsequently leaving the administrative mode;
  
  rendering the key accessible to the computer system at a time after leaving the administrative mode; and
  
  using the key to access at least one key from the plurality of keys.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer-implemented method of claim 9, wherein rendering the information inaccessible includes issuing, to a data storage device, a command to perform a confirmable erase operation.
  - 11. The computer-implemented method of claim 9, wherein the volatile memory includes a register of a processor of the computer system.
  - 12. The computer-implemented method of claim 11, wherein:
    - the plurality of keys, encrypted under the key, is persistently stored in a data storage device of the computer system.
  - 13. The computer-implemented method of claim 9, further comprising:
    - detecting a tamper event indicating intrusion into the computer system; and
      
      as a result of detecting the tamper event, deleting the information.
  - 14. The computer-implemented method of claim 13, wherein:
    - the computer system includes a first processor in communication, over a bus, with a storage device comprising the memory; and
      
      deleting the information includes transmitting over the bus, from a second processor that is part of a data storage subsystem, a command to a data storage device.
  - 15. The computer-implemented method of claim 9, wherein deleting the information includes deleting the secret information from the memory of the computer system.

16. A non-transitory computer-readable storage medium having stored thereon instructions that, as a result of execution by a processor of a computer system, cause the computer system to at least:
- store secret information comprising a plurality of keys in memory of the computer system, at least a subset of the plurality of keys used to perform cryptographic operations to respond to requests;
  
  store a key used to encrypt the plurality of keys in volatile memory without storing the key in non-volatile memory, the key being usable to access the plurality of keys in plaintext form;
  
  detect an event, the event triggering a transition of the computer system into an administrative mode in which an operator can access contents of the memory; and
  
  as a result of detecting the event,cause the key to be inaccessible to the computer system while in the administrative mode by at least removing power to the volatile memory so that the plurality of keys is inaccessible to the computer system in plaintext form while the computer system is in the administrative mode; and
  
  enable the administrative mode after the secret information in plaintext form is inaccessible to the computer system;
  
  leave the administrative mode;
  
  after leaving the administrative mode, obtain the key so that the plurality of keys is accessible to the computer system; and
  
  use the key to access at least one key from the plurality of keys.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the computer-readable storage medium encodes the instructions such that they are executable by at least two different processors, each processor of the at least two different processors having a different internal architecture that implements a same instruction set architecture.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the event is a reboot event.
  - 19. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the key is a first key;
      
      the instructions further cause the computer system to;
      
      provide a public key;
      
      obtain, from an operator of the computer system, the first key encrypted under the public key by another computer system; and
      
      use a private key to decrypt the first key encrypted under the public key.
  - 20. The non-transitory computer-readable storage medium of claim 16, wherein the instructions include instructions that run in user-mode of a general purpose operating system.

21. A system, comprising:
- hardware including one or more processors and memory including instructions executable by the one or more processors, the hardware being configured so that the system;
  
  stores secret information comprising a plurality of keys in memory of the system, at least a subset of the plurality of keys used to perform cryptographic operations to respond to requests;
  
  stores a key used to encrypt the plurality of keys in volatile memory without storing the key in non-volatile memory, the key being usable to access the plurality of keys in plaintext form;
  
  as a result of an event triggering a transition of the system into an administrative mode in which an operator can access contents of the memory;
  
  cause the key to be inaccessible to the system while in the administrative mode by at least removing power to the volatile memory so that the plurality of keys is inaccessible to the system in plaintext form while the system is in the administrative mode; and
  
  enable the administrative mode after the secret information in plaintext form is inaccessible to the system;
  
  leave the administrative mode;
  
  after leaving the administrative mode, obtain the key so that the plurality of keys is accessible to the system; and
  
  use the key to access at least one key from the plurality of keys.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the event is a command to enter the administrative mode.
  - 23. The system of claim 21, wherein at least some of the instructions are executable by at least two different processors of the one or more processors, each processor of the at least two different processors having a different internal architecture that implements a same instruction set architecture.
  - 24. The system of claim 21, wherein the event is a restoration of power to the system.
  - 25. The system of claim 21, wherein the event is a reboot event.
  - 26. The system of claim 21, wherein the system is a hardware security module.
  - 27. The system of claim 21, wherein the hardware is further configured so that the system, as a result of the event, overwrites at least a portion of the volatile memory.
  - 28. The system of claim 21, wherein the hardware is further configured so that the system obtains the key from another system so that the plurality of keys is accessible to the system.
  - 29. The system of claim 21, wherein the event is a tamper event indicating physical intrusion into the system.
  - 30. The system of claim 21, wherein the volatile memory includes a register of a processor of the one or more processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason, Pratt, Brian Irl
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US13/765,020
Time in Patent Office

1,218 Days
Field of Search

713/164, 713/176, 713/167, 713/189
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/0897   involving additional device...

Data security with a security module

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Data security with a security module

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links