System and method for managing cryptographic keys
First Claim
1. A method implemented on a first computing device, the method comprising:
- retrieving, from a memory, a fourth key;
- transmitting, to a second computing device, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
- receiving, from the second computing device, the encrypted third key;
- receiving data for encryption;
- transmitting, to an identity and access management device (IAM), a request for a key identifier based on information associated with the data;
- receiving, from the IAM, the requested key identifier;
- transmitting, to the second computing device, a request for an encrypted first key that is associated with the key identifier;
- receiving, from the second computing device, the encrypted first key;
- transmitting, to the IAM, a request for an encrypted second key;
- receiving, from the IAM, the encrypted second key;
- decrypting the encrypted third key using the fourth key;
- decrypting the encrypted second key using the decrypted third key;
- decrypting the encrypted first key using the decrypted second key;
- encrypting the data using the decrypted first key; and
- deleting, from a cache of the first computing device, the decrypted first key after a period of time.
Abstract
In various implementations, a first device retrieves, from a memory, encrypted data encrypted using a first key. The first device transmits, to a second device, a request for an encrypted first key, where the encrypted first key is generated by encrypting the first key using a second key. The first device receives the encrypted first key. The first device transmits, to an identity and access management device (IAM), a request for an encrypted second key, where the encrypted second key is generated by encrypting the second key using a third key. The first device receives the encrypted second key. The first device decrypts the encrypted second key using the third key, decrypts the encrypted first key using the decrypted second key, and decrypts the encrypted data using the decrypted first key. The first device deletes, from its cache, the decrypted first key after a period of time.
23 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A first computing device comprising a processor, wherein the processor is configured to carry out a method comprising:
- retrieving, from a memory, a fourth key;
- transmitting, to a second computing device, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
- receiving, from the second computing device, the encrypted third key;
- receiving data for encryption;
- transmitting, to an identity and access management device (IAM), a request for a key identifier based on information associated with the data;
- receiving, from the IAM, the requested key identifier;
- transmitting, to the second computing device, a request for an encrypted first key that is associated with the key identifier;
- receiving, from the second computing device, the encrypted first key;
- transmitting, to the IAM, a request for an encrypted second key;
- receiving, from the IAM, the encrypted second key;
- decrypting the encrypted third key using the fourth key;
- decrypting the encrypted second key using the decrypted third key;
- decrypting the encrypted first key using the decrypted second key;
- encrypting the data using the decrypted first key; and
- deleting, from a cache of the first computing device, the decrypted first key after a period of time.
Dependent claims: 9, 10, 11, 12, 13.
14. A method implemented on a system comprising an application server, a cryptographic key management server (KMS), and an identity and access management device (IAM), the method comprising:
- retrieving, by the application server from a memory, a fourth key;
- transmitting, from the application server to the KMS, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
- transmitting, from the KMS to the application server, the encrypted third key;
- receiving, by the application server, data for encryption;
- transmitting, from the application server to the IAM, a request for a key identifier based on information associated with the data;
- receiving, by the application server from the IAM, the requested key identifier;
- transmitting, from the application server to the KMS, a request for an encrypted first key that is associated with the key identifier;
- receiving, by the application server from the KMS, the encrypted first key;
- transmitting, from the application server to the IAM, a request for an encrypted second key;
- receiving, by the application server from the IAM, the encrypted second key;
- decrypting, by the application server, the encrypted third key using the fourth key;
- decrypting, by the application server, the encrypted second key using the decrypted third key;
- decrypting, by the application server, the encrypted first key using the decrypted second key;
- encrypting, by the application server, the data using the decrypted first key; and
- deleting, from a cache of the application server, the decrypted first key after a period of time.
Dependent claims: 15, 16, 17, 18.
19. A system comprising an application server, a cryptographic key management server (KMS), and an identity and access management device (IAM), wherein the system is configured to carry out a method comprising:
- retrieving, by the application server from a memory, a fourth key;
- transmitting, from the application server to the KMS, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
- transmitting, from the KMS to the application server, the encrypted third key;
- receiving, by the application server, data for encryption;
- transmitting, from the application server to the IAM, a request for a key identifier based on information associated with the data;
- receiving, by the application server from the IAM, the requested key identifier;
- transmitting, from the application server to the KMS, a request for an encrypted first key that is associated with the key identifier;
- receiving, by the application server from the KMS, the encrypted first key;
- transmitting, from the application server to the IAM, a request for an encrypted second key;
- receiving, by the application server from the IAM, the encrypted second key;
- decrypting, by the application server, the encrypted third key using the fourth key;
- decrypting, by the application server, the encrypted second key using the decrypted third key;
- decrypting, by the application server, the encrypted first key using the decrypted second key;
- encrypting, by the application server, the data using the decrypted first key; and
- deleting, from a cache of the application server, the decrypted first key after a period of time.
Dependent claims: 20, 21, 22, 23.
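The abstract and the independent claims describe the same four-level key hierarchy from two directions: the claims encrypt fresh data (IAM chooses a key identifier from the data's attributes, the KMS and IAM hand over wrapped keys, the application server unwraps K4 -> K3 -> K2 -> K1 and then drops K1 from its cache), and the abstract decrypts stored data through the same chain. The following Python model is an added example and is not code from the patent or from any assignee; it simulates the three parties in one process. The claims name no wrap algorithm, so the example uses an HMAC-SHA256 encrypt-then-MAC construction purely so it runs with the standard library (a real KMS would use AES-KW or AES-GCM in that role). The provisioning step in `build_demo`, the class and method names, the key identifiers `k1-pci` and `k1-public`, and the classification-to-key policy are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os


# ---- wrap/unwrap stand-in (assumption: the claims name no algorithm) ----
def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one wrapping key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + len(aad).to_bytes(4, "big") + aad + ct,
                   hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag before decrypting: a wrong key or a modified blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + len(aad).to_bytes(4, "big") + aad + ct,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key or ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class KMS:
    """Second computing device: only ever returns wrapped keys."""
    def __init__(self, wrapped_third_key: bytes, wrapped_first_keys: dict):
        self._wrapped_k3 = wrapped_third_key          # Enc_K4(K3)
        self._wrapped_k1 = wrapped_first_keys         # key identifier -> Enc_K2(K1)

    def get_encrypted_third_key(self) -> bytes:
        return self._wrapped_k3

    def get_encrypted_first_key(self, key_id: str) -> bytes:
        return self._wrapped_k1[key_id]


class IAM:
    """Picks the key identifier from data attributes and holds Enc_K3(K2)."""
    def __init__(self, wrapped_second_key: bytes, policy: dict):
        self._wrapped_k2 = wrapped_second_key
        self._policy = policy                         # classification -> key identifier

    def key_identifier_for(self, data_info: dict) -> str:
        return self._policy[data_info["classification"]]

    def get_encrypted_second_key(self) -> bytes:
        return self._wrapped_k2


class AppServer:
    """First computing device: keeps K4 in memory, caches unwrapped K1 for a limited time."""
    def __init__(self, fourth_key: bytes, kms: KMS, iam: IAM, cache_ttl: float):
        self._k4, self._kms, self._iam, self._ttl = fourth_key, kms, iam, cache_ttl
        self._cache = {}                              # key identifier -> (K1, expiry)

    def _first_key(self, key_id: str, now: float) -> bytes:
        entry = self._cache.get(key_id)
        if entry is not None and entry[1] > now:
            return entry[0]
        # Walk the chain K4 -> K3 -> K2 -> K1; only wrapped keys cross the network.
        k3 = unwrap(self._k4, self._kms.get_encrypted_third_key())
        k2 = unwrap(k3, self._iam.get_encrypted_second_key())
        k1 = unwrap(k2, self._kms.get_encrypted_first_key(key_id))
        self._cache[key_id] = (k1, now + self._ttl)
        return k1

    def encrypt(self, data: bytes, data_info: dict, now: float):
        key_id = self._iam.key_identifier_for(data_info)
        return key_id, wrap(self._first_key(key_id, now), data, aad=key_id.encode())

    def decrypt(self, key_id: str, blob: bytes, now: float) -> bytes:
        return unwrap(self._first_key(key_id, now), blob, aad=key_id.encode())

    def cached_key_ids(self, now: float) -> list:
        """Delete every cached K1 whose period has elapsed, then report what remains."""
        for kid, (_, expiry) in list(self._cache.items()):
            if expiry <= now:
                del self._cache[kid]
        return sorted(self._cache)


def build_demo(cache_ttl: float = 60.0) -> AppServer:
    """Assumed provisioning: generate the hierarchy, hand out only wrapped copies."""
    k4, k3, k2 = os.urandom(32), os.urandom(32), os.urandom(32)
    first_keys = {"k1-pci": os.urandom(32), "k1-public": os.urandom(32)}
    kms = KMS(wrap(k4, k3), {kid: wrap(k2, k1) for kid, k1 in first_keys.items()})
    iam = IAM(wrap(k3, k2), {"pci": "k1-pci", "public": "k1-public"})
    return AppServer(k4, kms, iam, cache_ttl)


if __name__ == "__main__":
    app = build_demo()
    kid, blob = app.encrypt(b"4111 1111 1111 1111", {"classification": "pci"}, now=0.0)
    print(kid, app.decrypt(kid, blob, now=1.0))
    print(app.cached_key_ids(now=1.0), app.cached_key_ids(now=61.0))
```

Time is passed in explicitly (`now`) rather than read from the clock so the cache expiry in the last claim step can be exercised deterministically; binding the key identifier into the ciphertext as associated data means a blob cannot be decrypted under a key it was not issued for.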