Handling key rotation problems

US 9,369,279 B2
Filed: 09/23/2013
Issued: 06/14/2016
Est. Priority Date: 09/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, via a processor of a computing device, a new key pair having a new public key and a new private key;

retaining a copy of an old key pair having an old public key and and an old private key so the old public key and the old private key are not lost when the new private key and new public key are installed;

installing the new public key at all locations where the old public key resides;

installing the new private key at all locations where the old private key resides;

testing the new key pair to identify whether the keys function properly; and

responsive to detecting the keys are not functioning properly, performing key rollback by reinstalling the old private key and discontinuing use of the new private key.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments include centralized systems for managing cryptographic keys and trust relationships among systems. Embodiments may include a centralized key store and a centralized policy store. Key sets comprising public/private keys may be stored in or identified by key objects. Key objects within the key store may be organized into trust sets and policies may apply at any level within the key store. Policies may identify when to rotate key sets. When rotating key sets, a new public key and a new private key may be generated. The new public/private keys may be installed at locations where the old public/private keys reside. As the new public/private keys are installed, they may be tested. If problems with the new public/private keys occur, the new public/private keys may be rolled back to the old public/private keys for locations experiencing problems. Remedial action may then be taken to resolve the problems.

33 Citations

View as Search Results

20 Claims

1. A method comprising:
- generating, via a processor of a computing device, a new key pair having a new public key and a new private key;
  
  retaining a copy of an old key pair having an old public key and and an old private key so the old public key and the old private key are not lost when the new private key and new public key are installed;
  
  installing the new public key at all locations where the old public key resides;
  
  installing the new private key at all locations where the old private key resides;
  
  testing the new key pair to identify whether the keys function properly; and
  
  responsive to detecting the keys are not functioning properly, performing key rollback by reinstalling the old private key and discontinuing use of the new private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising refraining from performing key rollback when detecting the keys are not functioning properly falls outside a key rollback time period.
  - 3. The method of claim 2 further comprising removing the old public key from locations where it resides after the key rollback time period.
  - 4. The method of claim 1 further comprising removing the old public key from locations where it resides.
  - 5. The method of claim 1 wherein testing the new key pair comprises testing the new public key after the new public key has been installed but before the new private key has been installed.
  - 6. A method as in claim 5 wherein testing the new key pair comprises testing the new private key after the new private key has been installed.
  - 7. A method as in claim 1 wherein testing the new key pair comprises testing the new public key and the new private key after the new private key has been installed.
  - 8. A method as in claim 1 wherein testing the new key pair comprises configuring the new public key to remove any forced commands prior to testing and reconfiguring the new public key to restore any forced commands after the testing.

9. A system comprising:
- memory;
  
  a processor microprocessor coupled to the memory;
  
  executable instructions, that when executed on the processor, configure the system to at least;
  
  generate a new key pair having a new public key and a new private key;
  
  install the new public key at all locations where an old public key resides, the installation of the new public key comprising prepending the new public key to at least some instances of the old public key;
  
  install the new private key at all locations where an old private key resides;
  
  test the new key pair to identify whether the keys function properly; and
  
  detect a problem with the new public key, the new private key, or the new public key and the new private key, and, responsive to detecting a problem, reinstall the old private key resulting in key rollback.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9 wherein the executable instructions further configure the system to at least remove the old public key from locations where it resides after a key rollback time period when the test reveals that the new public key and the new private key are functioning properly.
  - 11. The system of claim 9 further comprising removing the old public key from locations where it resides.
  - 12. The system of claim 9 wherein the executable instructions further configure the system to at least test the new public key after the new public key has been installed but before the new private key has been installed.
  - 13. The system of claim 9 wherein the executable instructions further configure the system to at least test the new private key after the new private key has been installed.
  - 14. The system of claim 9 wherein the executable instructions further configure the system to at least test the new public key and the new private key after the new private key has been installed.

15. A machine-readable storage media containing executable instructions that, when executed, configure a system to at least:
- generate a new key pair having a new public key and a new private key;
  
  install the new public key at all locations where an old public key resides;
  
  install the new private key at all locations where an old private key resides;
  
  test the new key pair to identify whether the keys function properly;
  
  detect a problem with the new public key, the new private key, or the new public key and the new private key, and, responsive to detecting a problem, identifying whether the problem was detected within a key rollback time period; and
  
  responsive to the problem being detected within the key rollback time period, reinstall the old private key resulting in key rollback.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The machine-readable storage media of claim 15 wherein the executable instructions further configure the system to at least remove the old public key from locations where it resides after the key rollback time period when the test reveals that the new public key and the new private key are functioning properly.
  - 17. The machine-readable storage media of claim 15 wherein the executable instructions further configure the system to at least test the new public key after the new public key has been installed but before the new private key has been installed.
  - 18. The machine-readable storage media of claim 15 wherein the executable instructions further configure the system to at least test the new private key after the new private key has been installed.
  - 19. A machine-readable storage media as in claim 15 wherein the executable instructions further configure the system to at least configuring the new public key to remove any forced commands prior to testing and reconfiguring the new public key to restore any forced commands after the testing.
  - 20. A machine-readable storage media as in claim 15 wherein the executable instructions further configure the system to at least:
    - identify an SSH client configured so that its SSH connection capability is restricted to the authentication phase only, so that it drops the connection before any key options are triggered; and
      
      test the new key pair against the identified SSH client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venafi,Inc.
Original Assignee
Venafi,Inc.
Inventors
Harjula, Tero Petteri, McCartney, Breon Malachy, Saura, Asko Juha
Primary Examiner(s)
Le, David

Application Number

US14/034,091
Publication Number

US 20150086009A1
Time in Patent Office

995 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Handling key rotation problems

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Handling key rotation problems

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links