Cloud-based key management

US 9,621,524 B2
Filed: 12/16/2013
Issued: 04/11/2017
Est. Priority Date: 12/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing an administrator password for a host of an enterprise network;

retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password;

selecting an endpoint within the enterprise network;

creating a rollout password for the endpoint;

creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password;

transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password;

transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; and

providing the rollout password to a user of the endpoint; and

providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cloud storage of sensitive data is improved by ensuring that all cloud-based data is encrypted at all times, not only when the data is at rest (i.e., stored), but also while data is being processed or communicated. Cryptographic keys can advantageously be managed via cloud based resources without exposing sensitive data. Instead, a key management system maintains cryptographic functions on administrative hosts and endpoints outside of cloud-based resources so that any vulnerabilities of the cloud-based resources will expose only encrypted data, and keys and sensitive data will never be exposed in unencrypted form. Thus sensitive data is protected end-to-end among hosts and endpoints using, e.g., platform independent cryptographic functions and libraries within a web browser or the like, and the cloud functions simply as a storing and forwarding medium for secure data.

Citations

30 Claims

1. A method comprising:
- providing an administrator password for a host of an enterprise network;
  
  retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password;
  
  selecting an endpoint within the enterprise network;
  
  creating a rollout password for the endpoint;
  
  creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password;
  
  transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password;
  
  transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; and
  
  providing the rollout password to a user of the endpoint; and
  
  providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1 wherein the administrator password is provided through a hardware security token.
  - 3. The method of claim 2 wherein a strong administrator password is automatically generated and stored on the hardware security token.
  - 4. The method of claim 1 further comprising selecting a plurality of endpoints,wherein the rollout password is shared among the plurality of endpoints.
  - 5. The method of claim 1 further comprising creating a company key pair on the host, the company key pair including the company private key and a company public key,wherein the company private key is encrypted using the administrator password and wherein the company public key is signed with the company private key.
  - 6. The method of claim 5 further comprising transmitting the company key pair from the host to the remote computing resource.
  - 7. The method of claim 5 wherein the company key pair is a Rivest-Shamir-Adelman (RSA) key pair.
  - 8. The method of claim 5 wherein the company key pair is a Diffie-Hellman key pair.
  - 9. The method of claim 1 wherein the rollout password is for a plurality of endpoints.
  - 10. The method of claim 1 further comprising retrieving the endpoint key pair from the remote computing resource to the endpoint with a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
  - 11. The method of claim 10 further comprising decrypting the endpoint private key from the endpoint key pair using the rollout password.
  - 12. The method of claim 1 further comprising retrieving the endpoint public key from the remote computing resource to the host using a call to the remote computing resource authenticated with a cryptographic hash of the administrator password.
  - 13. The method of claim 12 further comprising creating a data encryption key for the endpoint, encrypting the data encryption key with the endpoint public key to provide an encrypted data key, and transmitting the encrypted data key to the remote computing resource with a call to the remote computing resource using a cryptographic hash of the administrator password.
  - 14. The method of claim 13 wherein the data encryption key is a machine key for the endpoint.
  - 15. The method of claim 14 further comprising retrieving the encrypted machine key from the remote computing resource to the endpoint using a call authenticated with a signature of the endpoint private key, decrypting the encrypted machine key with the endpoint private key to provide the machine key, and storing the machine key in a key store of the endpoint.
  - 16. The method of claim 1 further comprising:
    - creating a security policy for the endpoint;
      
      signing the security policy with the company private key to provide a signed policy; and
      
      transmitting the signed policy from the host to the remote computing resource using a call to the remote computing resource authenticated with a cryptographic hash of the administrator password.
  - 17. The method of claim 16 further comprising:
    - retrieving the signed policy from the remote computing resource to the endpoint with a call to the remote computing resource authenticated with a signature of the endpoint private key;
      
      validating the signed policy at the endpoint; and
      
      applying the security policy at the endpoint.
  - 18. The method of claim 1 further comprising:
    - generating a secure item at the endpoint;
      
      signing the secure item with the endpoint private key to provide a signed item; and
      
      transmitting the signed item from the endpoint to the remote computing resource using a call to the remote computing resource authenticated with a signature of the endpoint private key.
  - 19. The method of claim 18 wherein the secure item is a confidential item.
  - 20. The method of claim 18 wherein the secure item is a tamper-protected item.
  - 21. The method of claim 18 further comprising:
    - retrieving the endpoint public key from the remote computing resource to the host using a call to the remote computing resource authenticated with a cryptographic hash of the administrator password; and
      
      retrieving the signed item from the remote computing resource to the host using a call to the remote computing resource authenticated with the cryptographic hash of the administrator password.
  - 22. The method of claim 18 further comprising validating the signature of the endpoint public key and a signature of the signed item at the host.
  - 23. The method of claim 18 further comprising encrypting the secure item at the endpoint with the company public key.
  - 24. The method of claim 23 further comprising decrypting the secure item at the host with the company private key.
  - 25. The method of claim 18 wherein the secure item is a local key for the endpoint.
  - 26. The method of claim 18 wherein the secure item is a status report for the endpoint.

27. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- providing an administrator password for a host of an enterprise network;
  
  retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password;
  
  selecting an endpoint within the enterprise network;
  
  creating a rollout password for the endpoint;
  
  creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password;
  
  transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password;
  
  transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password;
  
  providing the rollout password to a user of the endpoint; and
  
  providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
- View Dependent Claims (28)
- - 28. The computer program product of claim 27 further comprising code that performs the steps of retrieving the endpoint key pair from the remote computing resource to the endpoint with a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password, and decrypting the endpoint private key from the endpoint key pair using the rollout password.

29. A system comprising:
- a network interface;
  
  a memory; and
  
  a processor configured by computer executable code stored in the memory to perform the steps of providing an administrator password for a host of an enterprise network, retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password, selecting an endpoint within the enterprise network, creating a rollout password for the endpoint, creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password, transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password, transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password, providing the rollout password to a user of the endpoint, and providing the endpoint kev pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
- View Dependent Claims (30)
- - 30. The system of claim 29 further comprising an endpoint configured to retrieve the endpoint key pair from the remote computing resource to the endpoint with a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password, and to decrypt the endpoint private key from the endpoint key pair using the rollout password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Brenner, Stephan
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US14/107,752
Publication Number

US 20150172260A1
Time in Patent Office

1,212 Days
Field of Search

713171, 380281
US Class Current
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/083 using passwords cryptograph...

Cloud-based key management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud-based key management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links