Method and system for provision of cryptographic services

US 9,530,011 B2
Filed: 06/22/2010
Issued: 12/27/2016
Est. Priority Date: 06/22/2009
Status: Active Grant

First Claim

Patent Images

1. An encryption service system comprising:

an application programming interface (API) separating calling applications, cryptographic servers and key servers executed using a computer processor and configured to;

receive encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption or decryption operation to be performed on specified data, and an identity of an origin of the data, and/or an identity of a target of the data, and wherein an encryption policy is determined at least in part on the basis of the identity of the origin and/or target;

wherein the encryption policy defines a cryptographic mechanism;

request an appropriate cryptographic server to perform the requested encryption/decryption; and

send output data in response to the corresponding encryption/decryption requests; and

the cryptographic server comprising a computer processor and configured to;

authenticate the calling application and upon successful authentication, return an identifier token, an ID token, wherein the ID token is appended to an ID token chain by the API, and wherein the ID token comprises a reference to an attribute of the calling API, an expiration time for the ID token and mechanism to prevent replay of the ID token;

generate said corresponding output data by applying the encryption or decryption operation to the specified data; and

a key server operable to receive a key request from the cryptographic server and to reply with an encrypted key, wherein the key server is operable to send a query command to the cryptographic server, wherein the query command comprises a command to test if a specified key is being used or is resident at the cryptographic server; and

wherein the cryptographic server is operable to receive a pre-fetch request from one of said calling applications through the API and to load a defined set of keys into a local key store in response thereto, wherein the keys that are loaded are grouped and flagged by the ID token, when the ID token is deleted the keys are removed from the local key store.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption service system comprises an API for receiving requests from one or more calling applications. Each request comprises information identifying the operations to be performed on data to be processed and information identifying the origin and target of the data. The encryption service system further comprises a cryptographic server for processing the requests and determining, for each request, an encryption policy to be applied.

Citations

41 Claims

1. An encryption service system comprising:
- an application programming interface (API) separating calling applications, cryptographic servers and key servers executed using a computer processor and configured to;
  
  receive encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption or decryption operation to be performed on specified data, and an identity of an origin of the data, and/or an identity of a target of the data, and wherein an encryption policy is determined at least in part on the basis of the identity of the origin and/or target;
  
  wherein the encryption policy defines a cryptographic mechanism;
  
  request an appropriate cryptographic server to perform the requested encryption/decryption; and
  
  send output data in response to the corresponding encryption/decryption requests; and
  
  the cryptographic server comprising a computer processor and configured to;
  
  authenticate the calling application and upon successful authentication, return an identifier token, an ID token, wherein the ID token is appended to an ID token chain by the API, and wherein the ID token comprises a reference to an attribute of the calling API, an expiration time for the ID token and mechanism to prevent replay of the ID token;
  
  generate said corresponding output data by applying the encryption or decryption operation to the specified data; and
  
  a key server operable to receive a key request from the cryptographic server and to reply with an encrypted key, wherein the key server is operable to send a query command to the cryptographic server, wherein the query command comprises a command to test if a specified key is being used or is resident at the cryptographic server; and
  
  wherein the cryptographic server is operable to receive a pre-fetch request from one of said calling applications through the API and to load a defined set of keys into a local key store in response thereto, wherein the keys that are loaded are grouped and flagged by the ID token, when the ID token is deleted the keys are removed from the local key store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the encryption policy is further determined at least in part on the basis of the operation to be performed.
  - 3. The system of claim 1, wherein the requests do not specify an encryption key and/or mechanism for the performance of the encryption or decryption operation.
  - 4. The system of claim 1, wherein the specified data is included within each request.
  - 5. The system of claim 1, wherein the operation is an encryption operation, and the encrypted output data comprises managed data.
  - 6. The system of claim 5, wherein the output data identifies an encryption key and cryptographic mechanism.
  - 7. The system of claim 1, wherein the operation is an encryption operation, and the encrypted output data comprises unmanaged data.
  - 8. The system of claim 7, wherein the cryptographic server defines a policy for decryption of the encrypted output data.
  - 9. The system of claim 1, wherein the key server is operable to reply with a key encryption key for the encrypted key.
  - 10. The system of claim 1, wherein the key server is operable to receive a key load command from the cryptographic server, and to load a specified key in response thereto.
  - 11. The system of claim 1, wherein the query command comprises a command to test if a specified cryptographic engine is resident at the cryptographic server.
  - 12. The system of claim 1, wherein the key server is operable to send an action command to the cryptographic server.
  - 13. The system of claim 12, wherein the action command comprises a command to purge a specified key from the cryptographic server.
  - 14. The system of claim 12, wherein the action command comprises a command to force a change of a key.
  - 15. The system of claim 1, wherein the set of keys is defined by a specified list of encryption/decryption operations to perform.
  - 16. The encryption service system of claim 1, wherein the API is operable to allow a calling application to log on prior to requesting encryption/decryption services.
  - 17. The encryption service system of claim 16, wherein the ID token includes an expiry parameter, and API is further operable to request the calling application to renew ID token upon expiry of the ID token.
  - 18. The system of claim 1, wherein the defined set of keys are cleared from local store when the corresponding calling application has logged off.
  - 19. The system of claim 1, wherein each request further comprises information identifying an identity of an origin of the data, and an identity of a target of the data, wherein the identity of the origin of the data comprises the identity of a sender application of the specified data and/or a user associated with the sender application, and wherein the identity of the target of the data comprises the identity of a recipient application of the specified data and/or a user associated with the recipient application.
  - 20. The system of claim 19, wherein the cryptographic server is further configured to:
    - determine, for each request, an encryption policy to be applied to the encryption or decryption operation based at least in part on the identity of the target of the data, wherein the encryption policy defines a cryptographic mechanism; and
      
      generate said corresponding output data by applying the encryption or decryption operation to the specified data according to the cryptographic mechanism defined by the determined encryption policy.

21. A method of providing an encryption service comprising:
- receiving, at an application programming interface (API) separating calling applications, cryptographic servers and key servers executed using a hardware computer processor, encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption or decryption operation to be performed on specified input data, an identity of an origin of the data, and/or an identity of a target of the data, and wherein an encryption policy is determined at least in part on the basis of the identity of the origin and/or target;
  
  wherein the encryption policy defines a cryptographic mechanism;
  
  request an appropriate cryptographic server to perform the requested encryption/decryption; and
  
  at the cryptographic server comprising a computer processor,authenticate the calling application and upon successful authentication, return an identifier token, an ID token, wherein the ID token is appended to an ID token chain by the API, and wherein the ID token comprises a reference to an attribute of the calling API, an expiration time for the ID token and mechanism to prevent replay of the ID token;
  
  at the cryptographic server, for each request, performing the requested encryption or decryption operation on the input data according to the cryptographic mechanism defined by the determined encryption policy, to generate corresponding output data; and
  
  outputting the corresponding output data at the application programming interface (API); and
  
  receiving, at a key server, a key request from the cryptographic server and replying with an encrypted key;
  
  sending, from the key server, a query command to the cryptographic server, wherein the query command comprises a command to test if a specified key is being used or is resident at the cryptographic server; and
  
  receiving, at the cryptographic server from one of said calling applications through the API, a pre-fetch request and loading a defined set &
  
  keys into a local key store in response thereto, wherein the keys that are loaded are grouped and flagged by the ID token, when the ID token is deleted the keys are removed from the local key store.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The method of claim 21, wherein the encryption policy is further determined at least in part on the basis of the operation to be performed.
  - 23. The method of claim 21, wherein the requests do not specify an encryption key and/or mechanism for the performance of the encryption/decryption operation.
  - 24. The method of claim 21, wherein the input data is included within each request.
  - 25. The method of claim 21, wherein the operation is an encryption operation, and the encrypted output data comprises managed data.
  - 26. The method of claim 25, wherein the output data includes an encryption key and cryptographic mechanism identification.
  - 27. The method of claim 21, wherein the operation is an encryption operation, and the encrypted output data comprises unmanaged data.
  - 28. The method of claim 27, wherein the cryptographic server defines a policy for decryption of the encrypted output data.
  - 29. The method of claim 21, wherein the key server replies with a key encryption key for the encrypted key.
  - 30. The method of claim 21, further comprising receiving, at the key server, a key load command from the cryptographic server, and loading a specified key in response thereto.
  - 31. The method of claim 21, wherein the query command comprises a command to test if a specified cryptographic engine is resident at the cryptographic server.
  - 32. The method of claim 21, further comprising sending, from the key server, an action command to the cryptographic server.
  - 33. The method of claim 32, wherein the action command comprises a command to purge a specified key from the cryptographic server.
  - 34. The method of claim 32, wherein the action command comprises a command to force a change of a key.
  - 35. The system of claim 31, wherein the set of keys is defined by a specified list of encryption/decryption operations to perform.
  - 36. The method of claim 21, further comprising a calling application logging on to the cryptographic server prior to requesting encryption services.
  - 37. The method of claim 36, wherein the ID token includes an expiry parameter, and API requests the calling application to renew ID token upon expiry of the ID token.
  - 38. The method of claim 21, including clearing the defined set of keys from the local store when the corresponding calling application has logged off.
  - 39. The method of claim 21, wherein each request further comprises information identifying an identity of an origin of the data, and an identity of a target of the data, wherein the identity of the origin of the data comprises the identity of a sender application of the specified data and/or a user associated with the sender application, and wherein the identity of the target of the data comprises the identity of a recipient application of the specified data and/or a user associated with the recipient application.
  - 40. The method of claim 39, wherein the cryptographic server is further configured to:
    - determine, for each request, an encryption policy to be applied to the encryption or decryption operation based at least in part on the identity of the target of the data, wherein the encryption policy defines a cryptographic mechanism; and
      
      generate said corresponding output data by applying the encryption or decryption operation to the specified data according to the cryptographic mechanism defined by the determined encryption policy.

41. A non-transitory computer readable medium having instructions stored thereon which, when executed by a computer processor, cause the processor to perform a method comprising:
- receiving, at an application programming interface (API), separating calling applications, cryptographic servers and key servers encryption/decryption requests from one or more calling applications, each request comprising information identifying an encryption or decryption operation to be performed on specified input data, an identity of an origin of the data, and/or an identity of a target of the data, and wherein an encryption policy is determined at least in part on the basis of the identity of the origin and/or target;
  
  wherein the encryption policy defines a cryptographic mechanism; and
  
  send output data in response to the corresponding encryption requests;
  
  at the cryptographic server, authenticate the calling application and upon successful authentication, return an identifier token, an ID token, wherein the ID token is appended to an ID token chain by the API, and wherein the ID token comprises a reference to an attribute of the calling API, an expiration time for the ID token and mechanism to prevent replay of the ID token;
  
  at the cryptographic server, for each request, performing the requested encryption or decryption operation on the input data, to generate corresponding output data; and
  
  outputting the corresponding output data at the application programming interface (API);
  
  receiving, at a key server, a key request from the cryptographic server and replying with an encrypted key;
  
  sending, from the key server, a query command to the cryptographic server, wherein the query command comprises a command to test if a specified key is being used or is resident at the cryptographic server; and
  
  receiving, at the cryptographic server from one of said calling applications through the API, a pre-fetch request and loading a defined set of keys into a local key store in response thereto, wherein the keys that are loaded are grouped and flagged by the ID token, when the ID token is deleted the keys are removed from the local key store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barclays Execution Services Ltd. (Barclays PLC)
Original Assignee
Barclays Bank PLC (Barclays PLC)
Inventors
French, George
Primary Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/379,736
Publication Number

US 20120131354A1
Time in Patent Office

2,380 Days
Field of Search

713/189, 713/150, 713/151, 713/152, 713/155, 713/156, 713/157, 713/158, 713/171, 713/175, 713/176, 726/27, 726/1, 726/26, 380/28, 380/277, 380/278, 705/59
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/20   for managing network securi...

H04L 9/088   Usage controlling of secret...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

Method and system for provision of cryptographic services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for provision of cryptographic services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links