Signing key log management
First Claim
1. A system, comprising:
- at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the system to;
receive a first request to generate a cryptographic key, the first request associated with a user and indicating a type of logging to be performed for use of the cryptographic key;
authenticate an identity of the user;
generate the cryptographic key, the cryptographic key including private parameters for a cryptographic signing function, information indicating the identity of the user, and metadata specifying a logging value and a mutability value, the logging value specifying the type of logging, the mutability value specifying how the logging value is changeable over a lifecycle of the cryptographic key;
provide the user with access to the cryptographic key;
receive a second request to sign data using the cryptographic key;
determine the logging value of the cryptographic key;
determine that the type of logging specified by the logging value is able to be enforced by the system;
sign the data using the cryptographic key;
perform the type of logging specified by the logging value for signing the data; and
transmit the signed data to a destination specified by the second request.
1 Assignment
0 Petitions
Accused Products
Abstract
Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.
-
Citations
12 Claims
-
1. A system, comprising:
-
at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to; receive a first request to generate a cryptographic key, the first request associated with a user and indicating a type of logging to be performed for use of the cryptographic key; authenticate an identity of the user; generate the cryptographic key, the cryptographic key including private parameters for a cryptographic signing function, information indicating the identity of the user, and metadata specifying a logging value and a mutability value, the logging value specifying the type of logging, the mutability value specifying how the logging value is changeable over a lifecycle of the cryptographic key; provide the user with access to the cryptographic key; receive a second request to sign data using the cryptographic key; determine the logging value of the cryptographic key; determine that the type of logging specified by the logging value is able to be enforced by the system; sign the data using the cryptographic key; perform the type of logging specified by the logging value for signing the data; and transmit the signed data to a destination specified by the second request. - View Dependent Claims (2, 3, 4)
-
-
5. A method, comprising:
-
receiving a first request to generate a cryptographic key, the first request associated with a user and indicating a type of logging to be performed for use of the cryptographic key; authenticating an identity of the user; generating the cryptographic key, the cryptographic key including private parameters for a cryptographic signing function, information indicating the identity of the user, and metadata specifying a logging value and a mutability value, the logging value specifying the type of logging, the mutability value specifying how the logging value is changeable over a lifecycle of the cryptographic key; providing the user with access to the cryptographic key; receiving a second request to sign data using the cryptographic key; determining the logging value of the cryptographic key; determining that the type of logging specified by the logging value is able to be enforced by the system; signing the data using the cryptographic key; performing the type of logging specified by the logging value for signing the data; and transmitting the signed data to a destination specified by the second request. - View Dependent Claims (6, 7, 8)
-
-
9. Non-transitory computer-readable storage media having stored therein instructions which, when executed by at least one computing device, cause the at least one computing device to:
-
receive a first request to generate a cryptographic key, the first request associated with a user and indicating a type of logging to be performed for use of the cryptographic key; authenticate an identity of the user; generate the cryptographic key, the cryptographic key including private parameters for a cryptographic signing function, information indicating the identity of the user, and metadata specifying a logging value and a mutability value, the logging value specifying the type of logging, the mutability value specifying how the logging value is changeable over a lifecycle of the cryptographic key; provide the user with access to the cryptographic key; receive a second request to sign data using the cryptographic key; determine the logging value of the cryptographic key; determine that the type of logging specified by the logging value is able to be enforced by the system; sign the data using the cryptographic key; perform the type of logging specified by the logging value for signing the data; and transmit the signed data to a destination specified by the second request. - View Dependent Claims (10, 11, 12)
-
Specification