Cloud-based key management
First Claim
1. A method comprising:
providing an administrator password for a host of an enterprise network;
retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password;
selecting an endpoint within the enterprise network;
creating a rollout password for the endpoint;
creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password;
transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password;
transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; and
providing the rollout password to a user of the endpoint; and
providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
Abstract
Cloud storage of sensitive data is improved by ensuring that all cloud-based data is encrypted at all times, not only when the data is at rest (i.e., stored), but also while data is being processed or communicated. Cryptographic keys can advantageously be managed via cloud based resources without exposing sensitive data. Instead, a key management system maintains cryptographic functions on administrative hosts and endpoints outside of cloud-based resources so that any vulnerabilities of the cloud-based resources will expose only encrypted data, and keys and sensitive data will never be exposed in unencrypted form. Thus sensitive data is protected end-to-end among hosts and endpoints using, e.g., platform independent cryptographic functions and libraries within a web browser or the like, and the cloud functions simply as a storing and forwarding medium for secure data.
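The claimed flow carried end to end, as an added example that is not from the patent or any product built on it: an in-memory cloud that stores only sealed keys, a signed public key and credential hashes; an administrative host that unseals the company key locally and enrolls an endpoint; and an endpoint that authenticates with the rollout hash, verifies the company signature and unseals its private key locally. The `Cloud` class, the function names, the PBKDF2-based sealing and the prefixed SHA-256 credential hash are assumptions; Ed25519 and AES-GCM come from the `cryptography` package.

```python
import hashlib, hmac, os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, PrivateFormat, NoEncryption

RAW_PRIV = (Encoding.Raw, PrivateFormat.Raw, NoEncryption())
def pub_bytes(key: Ed25519PrivateKey) -> bytes:
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
def seal(pw: str, pt: bytes) -> bytes:  # AES-256-GCM under a PBKDF2 key; layout salt(16)|nonce(12)|ct+tag
    salt, nonce = os.urandom(16), os.urandom(12)
    key = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000, dklen=32)
    return salt + nonce + AESGCM(key).encrypt(nonce, pt, None)
def unseal(pw: str, blob: bytes) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", pw.encode(), blob[:16], 100_000, dklen=32)
    return AESGCM(key).decrypt(blob[16:28], blob[28:], None)  # raises InvalidTag on a wrong password
def auth_hash(pw: str) -> bytes:  # what callers present to the cloud; domain-separated from the KDF above
    return hashlib.sha256(b"kms-auth:" + pw.encode()).digest()

class Cloud:
    """Store-and-forward resource (assumed): holds only ciphertext, signed public keys and credential hashes."""
    def __init__(self, admin_hash: bytes, enc_company_key: bytes):
        self.admin_hash, self.enc_company_key, self.pairs, self.rollout = admin_hash, enc_company_key, {}, {}
    def _auth(self, given, want):
        if want is None or not hmac.compare_digest(given, want):
            raise PermissionError("credential rejected")
    def get_company_key(self, admin_hash):
        self._auth(admin_hash, self.admin_hash); return self.enc_company_key
    def put_endpoint(self, admin_hash, ep, pair, rollout_hash):  # the claim's two admin-authenticated calls
        self._auth(admin_hash, self.admin_hash); self.pairs[ep], self.rollout[ep] = pair, rollout_hash
    def get_endpoint(self, ep, rollout_hash):
        self._auth(rollout_hash, self.rollout.get(ep)); return self.pairs[ep]

def bootstrap(admin_pw: str):
    """Constructed setup: company key minted on the admin host, stored in the cloud sealed under the admin password."""
    company = Ed25519PrivateKey.generate()
    return Cloud(auth_hash(admin_pw), seal(admin_pw, company.private_bytes(*RAW_PRIV))), pub_bytes(company)

def admin_enroll(cloud: Cloud, admin_pw: str, ep: str, rollout_pw: str) -> bytes:
    """Admin host: unseal the company key locally, mint and sign an endpoint key, upload only sealed material."""
    company = Ed25519PrivateKey.from_private_bytes(unseal(admin_pw, cloud.get_company_key(auth_hash(admin_pw))))
    ep_key = Ed25519PrivateKey.generate()
    pair = {"pub": pub_bytes(ep_key), "sig": company.sign(pub_bytes(ep_key)),
            "enc_priv": seal(rollout_pw, ep_key.private_bytes(*RAW_PRIV))}
    cloud.put_endpoint(auth_hash(admin_pw), ep, pair, auth_hash(rollout_pw))
    return pair["pub"]  # the rollout password itself goes to the user out of band, never to the cloud
def endpoint_fetch(cloud: Cloud, company_pub: bytes, ep: str, rollout_pw: str) -> Ed25519PrivateKey:
    """Endpoint: authenticate with the rollout hash, verify the company signature, unseal the key locally."""
    pair = cloud.get_endpoint(ep, auth_hash(rollout_pw))
    Ed25519PublicKey.from_public_bytes(company_pub).verify(pair["sig"], pair["pub"])  # InvalidSignature if altered
    return Ed25519PrivateKey.from_private_bytes(unseal(rollout_pw, pair["enc_priv"]))
```

The credential the cloud stores (`auth_hash`) and the key that decrypts the sealed material (the PBKDF2 output inside `seal`/`unseal`) are derived from the same password but domain-separated, so a compromise of the cloud's stored hashes yields bearer access to ciphertext only, never the keys themselves.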
30 Claims
1. A method comprising:
providing an administrator password for a host of an enterprise network; retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password; selecting an endpoint within the enterprise network; creating a rollout password for the endpoint; creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password; transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password; transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; and providing the rollout password to a user of the endpoint; and providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password. (Dependent claims: 2 to 26.)
27. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
providing an administrator password for a host of an enterprise network; retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password; selecting an endpoint within the enterprise network; creating a rollout password for the endpoint; creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password; transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password; transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; providing the rollout password to a user of the endpoint; and providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password. (Dependent claim: 28.)
29. A system comprising:
a network interface; a memory; and a processor configured by computer executable code stored in the memory to perform the steps of providing an administrator password for a host of an enterprise network, retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrative administrator password, selecting an endpoint within the enterprise network, creating a rollout password for the endpoint, creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password, transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password, transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password, providing the rollout password to a user of the endpoint, and providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password. (Dependent claim: 30.)