Key ceremony of a security system forming part of a host computer for cryptographic transactions
First Claim
1. A host computer system comprising:
a key ceremony application associated with a computing device comprising a memory creates a for-distribution master key, store the for-distribution master key in the memory connected to the key ceremony application, split the for-distribution master key into N shares, create a plurality of custodian transport layer security (TLS) keys that are different from one another, create a certificate authority that creates a service TLS key, create N bundles, each bundle including a respective one of the N shares, a respective one of the different custodian TLS keys and the service TLS key; distribute the respective shares among N custodians, each custodian being associated with a respective computing device, and clear the for-distribution master key, custodian TLS keys and the service TLS key from the memory of the computing device associated with the key ceremony application;
a service associated with a different computing device comprising a different memory separate from the key ceremony application performs operations to: communicate over a communication network with respective computing devices of M of the N custodians to receive at least M of the N shares, where M is equal to or less than N, derive an operational master key from the M shares, and store the operational master key in memory connected to the service; and
a web application associated with a computing device communicates over the communication network with a customer computer system to execute a checkout process only after the operational master key is stored in the memory connected to the service over the communication network.
Abstract
A key ceremony application creates bundles for custodians encrypted with their passphrases. Each bundle includes a master key share. The master key shares are combined to store an operational master key. The operational master key is used for private key encryption during a checkout process. The operational private key is used for private key decryption for transaction signing in a payment process. The bundles further include TLS keys for authenticated requests to create an API key for a web application to communicate with a service and to unfreeze the system after it has been frozen by an administrator.
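As an added worked example (not code from the patent or from any system it describes), the following standard-library-only Python models the flow of claim 1 and the abstract end to end: the key ceremony mints and Shamir-splits the master key, seals one bundle per custodian under that custodian's passphrase, and drops its secrets; the service's master key loader accepts shares and derives the operational master key only once M distinct shares are in hand; checkout is refused before that. Everything the patent does not state is an assumption here: Shamir sharing over the prime 2^521 - 1, PBKDF2 plus an HMAC-based encrypt-then-MAC in place of a real AEAD, random 32-byte strings in place of TLS private keys and the CA-issued service TLS key (the standard library cannot issue X.509 certificates), an HMAC over the order in place of the private-key encryption checkout performs, and constructed custodian passphrases.

```python
from __future__ import annotations
import hashlib, hmac, json, secrets

P = (1 << 521) - 1        # Mersenne prime used as the Shamir field (assumption, not from the patent)
PBKDF2_ROUNDS = 100_000   # illustrative passphrase-stretching work factor

def split_secret(secret: bytes, n: int, m: int) -> list[tuple[int, int]]:
    """Shamir: split `secret` into n shares such that any m of them reconstruct it."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(m - 1)]
    def poly(x: int) -> int:                      # Horner evaluation mod P
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    return [(x, poly(x)) for x in range(1, n + 1)]

def recover_secret(shares: list[tuple[int, int]], length: int = 32) -> bytes:
    """Lagrange interpolation at x=0. Fewer than m shares gives an unrelated field
    element, usually (not always) out of range; the loader enforces the threshold itself."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    if s >= 1 << (8 * length):
        raise ValueError("reconstructed value out of range: too few or mismatched shares")
    return s.to_bytes(length, "big")

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter-mode keystream: a stdlib stand-in for a real cipher."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def _bundle_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return k[:32], k[32:]                          # (encryption key, MAC key)

def seal_bundle(passphrase: str, bundle: dict) -> bytes:
    """Encrypt-then-MAC under keys stretched from the custodian's passphrase
    (stand-in for an AEAD such as AES-GCM, which needs a third-party library)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ek, mk = _bundle_keys(passphrase, salt)
    ct = _xor_stream(ek, nonce, json.dumps(bundle).encode())
    return salt + nonce + ct + hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()

def open_bundle(passphrase: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong passphrase or tampering raises."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = _bundle_keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bundle rejected: bad passphrase or tampered bundle")
    return json.loads(_xor_stream(ek, nonce, ct))

def key_ceremony(passphrases: list[str], m: int) -> list[bytes]:
    """Key-ceremony side of claim 1: mint the for-distribution master key, split it N
    ways, pair each share with a distinct custodian TLS key and the one service TLS
    key, seal each bundle under its custodian's passphrase, then drop every secret."""
    n = len(passphrases)
    master = secrets.token_bytes(32)
    shares = split_secret(master, n, m)
    custodian_tls = [secrets.token_bytes(32).hex() for _ in range(n)]   # stand-ins for TLS private keys
    service_tls = secrets.token_bytes(32).hex()                         # stand-in for the CA-issued service key
    bundles = [seal_bundle(pw, {"share": list(sh), "custodian_tls": ct, "service_tls": service_tls})
               for pw, sh, ct in zip(passphrases, shares, custodian_tls)]
    del master, shares, custodian_tls, service_tls   # "clear from memory": best effort only in Python
    return bundles

class MasterKeyLoader:
    """Service side: collects shares from custodians and derives the operational master
    key only once M distinct shares are present; checkout is refused until then."""
    def __init__(self, m: int):
        self.m, self.shares, self.operational_key = m, {}, None

    def submit(self, share: tuple[int, int]) -> bool:
        x, y = share
        self.shares[x] = y                         # keyed by index: a replayed share does not count twice
        if self.operational_key is None and len(self.shares) >= self.m:
            self.operational_key = recover_secret(list(self.shares.items())[: self.m])
        return self.operational_key is not None

    def checkout(self, order: str) -> str:
        """Stand-in for the web application's checkout, gated on the loaded key."""
        if self.operational_key is None:
            raise RuntimeError("checkout refused: operational master key not loaded")
        return hmac.new(self.operational_key, order.encode(), hashlib.sha256).hexdigest()

def demo(n: int = 5, m: int = 3) -> str:
    """Run the whole flow with constructed custodians; returns the checkout token."""
    pws = [f"custodian-{i}-passphrase" for i in range(n)]   # constructed sample passphrases
    loader = MasterKeyLoader(m)
    for pw, blob in list(zip(pws, key_ceremony(pws, m)))[:m]:
        loader.submit(tuple(open_bundle(pw, blob)["share"]))
    return loader.checkout("order-42")
```

Two details carry over to any real implementation of this scheme. The loader counts shares by index, so a replayed share from one custodian never satisfies the threshold; and interpolation from fewer than M shares does not fail cleanly (it yields an unrelated field element), so the threshold must be enforced before reconstruction rather than inferred from its result. Python's `del` does not guarantee that the secret bytes are overwritten; the clearing step in claim 1 needs a runtime or hardware that can actually zeroize buffers.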
5 Claims
1. A host computer system comprising:
a key ceremony application associated with a computing device comprising a memory creates a for-distribution master key, store the for-distribution master key in the memory connected to the key ceremony application, split the for-distribution master key into N shares, create a plurality of custodian transport layer security (TLS) keys that are different from one another, create a certificate authority that creates a service TLS key, create N bundles, each bundle including a respective one of the N shares, a respective one of the different custodian TLS keys and the service TLS key; distribute the respective shares among N custodians, each custodian being associated with a respective computing device, and clear the for-distribution master key, custodian TLS keys and the service TLS key from the memory of the computing device associated with the key ceremony application; a service associated with a different computing device comprising a different memory separate from the key ceremony application performs operations to; communicate over a communication network with respective computing devices of M of the N custodians to receive at least M of the N shares, where M is equal to or less than N, derive an operational master key from the M shares, and store the operational master key in memory connected to the service; and a web application associated with a computing device communicates over the communication network with a customer computer system to execute a checkout process only after the operational master key is stored in the memory connected to the service over the communication network.
3. A method of distributing security data to custodians comprising:
creating, by a key ceremony application associated with a computing device comprising a memory, a for-distribution master key; storing, by the key ceremony application, the for-distribution master key in memory connected to the key ceremony application; splitting, by the key ceremony application, the for-distribution master key into N shares; creating, by the key ceremony application, a plurality of custodian transport layer security (TLS) keys that are different from one another; creating, by the key ceremony application, a certificate authority that creates a service TLS key; creating, by the key ceremony application, N bundles, each bundle including a respective one of the N shares, a respective one of the different custodian TLS keys and the service TLS key; distributing, by the key ceremony application, the respective shares among N custodians, each custodian being associated with a respective computing device; clearing, by the key ceremony application, the for-distribution master key, custodian TLS keys and the service TLS key from the memory of the computing device associated with the key ceremony application; communicating, by a master key loader of a service associated with a different computing device comprising a different memory separate from the key ceremony application, over a communication network with respective computing devices of M of N custodians to receive at least M of the N shares, where M is equal to or less than N; and deriving, by the master key loader, the operational master key from the M shares before storing the operational master key in the memory storing, by the master key loader, the operational master key in memory connected to the service; and communicating, using a web application associated with a computing device, over the communication network with a customer computer system, to execute a checkout process only after the operational master key is stored in the memory connected to the service over the communication network.
5. A non-transitory computer-readable medium having stored thereon a set of instructions that, when executed by a processor of a computer carries out a method of distributing security data to custodians comprising:
creating, by a key ceremony application associated with a computing device comprising a memory, a for-distribution master key; storing, by the key ceremony application, the for-distribution master key in memory connected to the key ceremony application; splitting, by the key ceremony application, the for-distribution master key into N shares; creating, by the key ceremony application, a plurality of custodian transport layer security (TLS) keys that are different from one another; creating, by the key ceremony application, a certificate authority that creates a service TLS key; creating, by the key ceremony application, N bundles, each bundle including a respective one of the N shares, a respective one of the different custodian TLS keys and the service TLS key; distributing, by the key ceremony application, the respective shares among N custodians, each custodian being associated with a respective computing device; clearing, by the key ceremony application, the for-distribution master key, custodian TLS keys and the service TLS key from the memory of the computing device associated with the key ceremony application; communicating, by a master key loader of a service associated with a different computing device comprising a different memory separate from the key ceremony application, over a communication network with respective computing devices of M of N custodians to receive at least M of the N shares, where M is equal to or less than N; and deriving, by the master key loader, the operational master key from the M shares before storing the operational master key in the memory storing, by the master key loader, the operational master key in memory connected to the service; and communicating, using a web application associated with a computing device, over the communication network with a customer computer system, to execute a checkout process only after the operational master key is stored in the memory connected to the service over the communication network.