System for cryptographic key sharing among networked key servers
Abstract
A technique for key sharing among multiple key servers connected to one another over a communication network is provided herein. Each key server of the multiple key servers stores respective cryptographic keys, and provides the keys to a local device group connected with the key server, to enable the device group to encrypt messages with the keys. Each key server acts as a proxy for the other key servers in order to receive other keys from the other key servers over the network, and provide the other keys to the device group for use to decrypt messages received from other local device groups respectively connected with the other key servers that were encrypted with the other keys and to check message integrity. The multiple key servers may share keys with each other directly, or alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.
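The proxy flow in the abstract, as an added Python sketch that is not code from the patent: a receiving device asks its local key server, which fetches the sender's key and policy from the owning server, and the device then checks message integrity under that policy. Encryption is omitted; `REGISTRY` (standing in for service discovery), the peer allow-list, the policy fields and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

REGISTRY = {}  # stand-in for the service discovery protocol: server name -> server


class KeyServer:
    def __init__(self, name, mac_hash, allowed_peers=()):
        self.name = name
        self.policy = {"mac_hash": mac_hash, "tag_bytes": 16}  # hypothetical fields
        self.allowed_peers = set(allowed_peers)  # assumption: WAN peer allow-list
        self.kid = f"{name}/k1"
        self._own = {self.kid: secrets.token_bytes(32)}
        self._cache = {}
        REGISTRY[name] = self

    def group_key(self):
        """LAN side: key id, key and policy for the local device group."""
        return self.kid, self._own[self.kid], self.policy

    def export_key(self, requester, kid):
        """WAN side: release key and policy to an allow-listed peer server."""
        if requester not in self.allowed_peers:
            raise PermissionError(f"{requester} may not fetch {kid}")
        return self._own[kid], self.policy

    def proxy_fetch(self, kid):
        """Proxy role: discover the owning server, fetch and cache key + policy."""
        if kid not in self._cache:
            owner = REGISTRY[kid.split("/")[0]]
            self._cache[kid] = owner.export_key(self.name, kid)
        return self._cache[kid]


def protect(server, payload):
    """Sending device: tag the payload under its own group's key and policy."""
    kid, key, pol = server.group_key()
    tag = hmac.new(key, payload, pol["mac_hash"]).digest()[:pol["tag_bytes"]]
    return {"kid": kid, "payload": payload, "tag": tag}


def verify(server, msg):
    """Receiving device: obtain the sender's key via the local server, then check."""
    if msg["kid"] == server.kid:
        _, key, pol = server.group_key()
    else:
        key, pol = server.proxy_fetch(msg["kid"])
    want = hmac.new(key, msg["payload"], pol["mac_hash"]).digest()[:pol["tag_bytes"]]
    return hmac.compare_digest(want, msg["tag"])
```

Because the two servers can run different policies (for example SHA-256 on one side and SHA-512 on the other), the receiver can only verify a foreign message if the policy travels with the key.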
18 Claims
1. An apparatus comprising:
- a network interface configured to enable communications over one or more networks; and
- a processor of a key server coupled to the network interface and a memory encoded with instructions that, when executed by the processor, cause the processor to:
  - store cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;
  - provide the cryptographic keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to:
    - authenticate and integrity check the messages with the keys; and
    - authenticate and integrity check the messages received from other device groups with other keys; and
  - act as a proxy for other key servers, including:
    - determining the other key servers from which the other keys are to be requested based on a service discovery protocol;
    - requesting the other keys to decrypt encrypted messages from the determined other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
    - receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and
    - providing the other keys and associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.

(Dependent claims: 2, 3, 4, 5)

6. A method comprising:
- at a key server connected to one or more networks:
  - storing cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;
  - providing the keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to:
    - authenticate and integrity check messages with the keys; and
    - authenticate and integrity check messages received from other device groups with other keys; and
  - acting as a proxy for other key servers, wherein acting as a proxy includes:
    - determining the other key servers from which the other keys are to be requested based on a service discovery protocol;
    - requesting the other keys to decrypt encrypted messages from the other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
    - receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and
    - providing the other keys and the associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.

(Dependent claims: 7, 8, 9, 10)

11. A non-transitory computer readable storage medium encoded with instructions that, when executed by a processor of a key server, cause the key server to:
- store cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;
- provide the keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to:
  - authenticate and integrity check messages with the keys; and
  - authenticate and integrity check messages received from other device groups with other keys; and
- act as a proxy for other key servers, wherein acting as a proxy includes:
  - determining the other key servers from which the other keys are to be requested based on a service discovery protocol;
  - requesting the other keys to decrypt encrypted messages from the other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
  - receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and
  - providing the other keys and the associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.

(Dependent claims: 12, 13, 14, 15)

16. A method comprising:
- at a key server connected to one or more networks:
  - storing cryptographic keys on behalf of the key server;
  - providing the keys and an associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to:
    - authenticate and integrity check messages with the keys; and
    - authenticate and integrity check messages received from other device groups with other keys;
  - transmitting the keys and the associated authentication and cryptographic policy over the wide area network to a central key server for storage therein along with other keys and respective associated authentication and cryptographic policies transmitted from other key servers to the central key server; and
  - acting as a proxy for the other key servers, wherein acting as a proxy includes:
    - requesting the other keys to decrypt encrypted messages from the central key server over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
    - receiving the other keys and the associated authentication and cryptographic policies for the other key servers from the central key server over the wide area network; and
    - providing the other keys and the associated authentication and cryptographic policies over the local area network to the device group to decrypt the encrypted messages.

(Dependent claims: 17, 18)

Specification