Method and system for providing an encryption proxy

US 9,569,630 B2
Filed: 05/27/2016
Issued: 02/14/2017
Est. Priority Date: 10/15/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing an encryption proxy comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing an encryption proxy, the process for providing an encryption proxy including;

securely decentralizing encryption key data and decreasing access latency for encryption key data by providing an encryption proxy in a cloud computing environment, the encryption proxy being a virtual asset instantiated in the cloud computing environment, the encryption proxy including encryption proxy authentication data, the encryption proxy authentication data for identifying the encryption proxy as a trusted virtual asset in the cloud computing environment, the encryption proxy authentication data including hardware identification data identifying underlying hardware on which the encryption proxy is running;

providing a secrets distribution management system, the secrets distribution management system being in a second computing environment, the secrets distribution management system having access to the encryption key data representing one or more encryption keys, the secrets distribution management system controlling the distribution of the one or more encryption keys in accordance with one or more encryption key distribution policies;

providing, by the encryption proxy, the encryption proxy authentication data to the secrets distribution management system;

authenticating, by the secrets distribution management system, the encryption proxy by comparing the hardware identification data with data obtained via a cloud provider of the cloud computing environment;

identifying, by the secrets distribution management system, the encryption proxy as a trusted virtual asset eligible to cache encryption key data in a remote encryption key cache outside the second computing environment;

generating, by the encryption proxy, cache encryption key request data representing a request for data representing one or more requested encryption keys to be cached in the remote encryption key cache;

providing, by the encryption proxy, the cache encryption key request data to the secrets distribution management system; and

providing, by the secrets distribution management system in response to the cache encryption key request data, data representing one or more of the requested encryption keys to the remote encryption key cache.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption proxy is instantiated in a first computing environment and includes encryption proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache encryption key data in a secure encryption key cache outside the second computing environment. The encryption proxy requests one or more encryption keys to be cached and is then provided encryption key data representing the requested encryption keys in the encryption key cache. The encryption proxy then receives application request data from a second virtual asset instantiated in the first computing environment requesting one or more encryption keys be applied to second virtual asset data. The encryption proxy then obtains the required encryption keys from the secure secrets cache and coordinates the application of the encryption keys to the second virtual asset data.

87 Citations

View as Search Results

29 Claims

1. A system for providing an encryption proxy comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing an encryption proxy, the process for providing an encryption proxy including;
  
  securely decentralizing encryption key data and decreasing access latency for encryption key data by providing an encryption proxy in a cloud computing environment, the encryption proxy being a virtual asset instantiated in the cloud computing environment, the encryption proxy including encryption proxy authentication data, the encryption proxy authentication data for identifying the encryption proxy as a trusted virtual asset in the cloud computing environment, the encryption proxy authentication data including hardware identification data identifying underlying hardware on which the encryption proxy is running;
  
  providing a secrets distribution management system, the secrets distribution management system being in a second computing environment, the secrets distribution management system having access to the encryption key data representing one or more encryption keys, the secrets distribution management system controlling the distribution of the one or more encryption keys in accordance with one or more encryption key distribution policies;
  
  providing, by the encryption proxy, the encryption proxy authentication data to the secrets distribution management system;
  
  authenticating, by the secrets distribution management system, the encryption proxy by comparing the hardware identification data with data obtained via a cloud provider of the cloud computing environment;
  
  identifying, by the secrets distribution management system, the encryption proxy as a trusted virtual asset eligible to cache encryption key data in a remote encryption key cache outside the second computing environment;
  
  generating, by the encryption proxy, cache encryption key request data representing a request for data representing one or more requested encryption keys to be cached in the remote encryption key cache;
  
  providing, by the encryption proxy, the cache encryption key request data to the secrets distribution management system; and
  
  providing, by the secrets distribution management system in response to the cache encryption key request data, data representing one or more of the requested encryption keys to the remote encryption key cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The system for providing an encryption proxy of claim 1 wherein the cloud computing environment is an untrusted computing environment.
  - 3. The system for providing an encryption proxy of claim 2 wherein the encryption proxy is a virtual asset generated in the untrusted computing environment.
  - 4. The system for providing an encryption proxy of claim 1 wherein the second computing environment is a trusted computing environment.
  - 5. The system for providing an encryption proxy of claim 4 wherein the second computing environment is a data center network.
  - 6. The system for providing an encryption proxy of claim 1 wherein the secrets distribution management system is a Hardware Security Module (HSM).
  - 7. The system for providing an encryption proxy of claim 1 wherein the encryption proxy authentication data includes data representing an authentication mechanism consisting of:
    - loading specified datum from a specified storage service onto the encryption proxy and then providing the specified datum to confirm the identity of the encryption proxy.
  - 8. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the type of computing environment represented by the cloud computing environment.
  - 9. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the types of virtual assets in the cloud computing environment.
  - 10. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the capabilities of the virtual assets in the cloud computing environment.
  - 11. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the reputation profiles of the virtual assets in the first computing environment.
  - 12. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the resources associated with the virtual assets in the first computing environment.
  - 13. The system for providing an encryption proxy of claim 1 wherein the encryption proxy provides the encryption proxy authentication data to the secrets distribution management system via a secure communications channel.
  - 14. The system for providing an encryption proxy of claim 13 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel.
  - 15. The system for providing an encryption proxy of claim 13 wherein the secure communications channel is any private communications channel.
  - 16. The system for providing an encryption proxy of claim 1 wherein the remote encryption key cache is an encryption key data store outside the second computing environment.
  - 17. The system for providing an encryption proxy of claim 1 wherein the remote encryption key cache is part of the encryption proxy.
  - 18. The system for providing an encryption proxy of claim 1 further comprising:
    - a second virtual asset instantiated in the cloud computing environment, the second virtual asset generating encryption/decryption request data requesting that second virtual asset data associated with a second virtual asset be encrypted or decrypted;
      
      the encryption proxy receiving the encryption/decryption request data;
      
      the encryption proxy authenticating the second virtual asset;
      
      the encryption proxy obtaining the encryption keys associated with the encryption/decryption request data from the remote encryption key cache; and
      
      the encryption proxy coordinating the encryption of decryption of the second virtual asset data.
  - 19. The system for providing an encryption proxy of claim 18 wherein the second virtual asset data is an object and the encryption proxy coordinates object level encryption or decryption of the second virtual asset object.
  - 20. The system for providing an encryption proxy of claim 19 wherein once the encryption proxy coordinates object level encryption of the second virtual asset object, the encryption proxy coordinates the storing the object encrypted second virtual asset object in an object store.
  - 21. The system for providing an encryption proxy of claim 18 wherein the encryption proxy coordinates the encryption or decryption of the second virtual asset data performed by an encryption engine implemented in the cloud computing environment.
  - 22. The system for providing an encryption proxy of claim 18 wherein the encryption proxy coordinates the encryption or decryption of the second virtual asset data performed by an encryption engine implemented outside the cloud computing environment.
  - 23. The system for providing an encryption proxy of claim 18 wherein the encryption proxy coordinates the encryption or decryption of the second virtual asset data performed by an encryption engine implemented on the second virtual asset.
  - 24. The system for providing an encryption proxy of claim 18 wherein the encryption proxy encrypts or decrypts the second virtual asset data.
  - 25. The system for providing an encryption proxy of claim 18 wherein the second virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      a mobile device;
      
      a remote sensor;
      
      a laptop;
      
      a desktop;
      
      a point-of-sale device;
      
      an ATM;
      
      an electronic voting machine; and
      
      a database.
  - 26. The system for providing an encryption proxy of claim 18 wherein once the encryption proxy coordinates the encryption or decryption of the second virtual asset data, the encryption proxy coordinates the storing the encrypted or decrypted second virtual asset data.

27. An encryption proxy, the encryption proxy being a virtual asset instantiated in a cloud computing environment, the encryption proxy including:
- encryption proxy authentication logic, the encryption proxy authentication logic for generating encryption proxy authentication data identifying the encryption proxy as a trusted virtual asset in the cloud computing environment to a secrets distribution management system in a second computing environment, the encryption proxy authentication data including hardware identification data identifying underlying hardware on which the encryption proxy is running, the secrets distribution management system having access to encryption key data representing one or more encryption keys, the secrets distribution management system controlling the distribution of the one or more encryption keys in accordance with one or more encryption key distribution policies;
  
  an encryption key cache;
  
  encryption proxy cache encryption key request data generation logic for generating cache encryption key request data representing a request for data representing one or more requested encryption keys to be cached in the encryption key cache;
  
  encryption proxy cache encryption key request data transmission logic for providing the cache encryption key request data to the secrets distribution management system; and
  
  requested encryption key receipt and caching logic for receiving and storing data representing the one or more requested encryption keys to be cached in the encryption key cache.
- View Dependent Claims (28, 29)
- - 28. The encryption proxy of claim 27 wherein the secrets distribution management system is a Hardware Security Module (HSM).
  - 29. The encryption proxy of claim 27 further comprising:
    - encryption proxy encryption/decryption request data receipt logic for receiving encryption/decryption request data from a second virtual asset instantiated in the cloud computing environment, the second virtual asset requiring the application of one or more encryption/decryption regimes to second virtual asset data provided through the second virtual asset;
      
      encryption proxy cached encryption key retrieval logic for the encryption keys associated with the encryption/decryption request data from the encryption key cache;
      
      encryption key cache proxy encryption/decryption application logic for coordinating the encryption or decryption of the second virtual asset data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/167,593
Publication Number

US 20160275296A1
Time in Patent Office

263 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/00   Network architectures or ne...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/088   Usage controlling of secret...

Method and system for providing an encryption proxy

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing an encryption proxy

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links