Secure cryptlet tunnel

US 10,833,858 B2
Filed: 05/11/2017
Issued: 11/10/2020
Est. Priority Date: 05/11/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus for secure transactions, comprising:

a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including;

storing, in an enclave, an enclave key pair including an enclave private key and an enclave public key, wherein the enclave is a secure execution environment;

registering the enclave as a member of an enclave pool, such that members of the enclave pool act as pooled resources, provisionable on demand, for executing smart contract logic off of a blockchain;

establishing and using a secure encrypted communication tunnel between the enclave and a hardware security module (HSM), enabling persistence of secrets across multiple members of the enclave pool, establishing and using the secure encrypted communication tunnel including;

deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave key pair;

sending the session enclave public key to the HSM;

receiving, from the HSM, a session HSM public key;

encrypting additional information with the session enclave private key;

sending the encrypted additional information to the HSM;

receiving further encrypted information from the HSM; and

decrypting the further encrypted information with the session enclave private key;

receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code;

executing the cryptlet code in the enclave; and

signing a payload of the cryptlet code with the enclave private key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed technology is generally directed to secure transactions. In one example of the technology, a secure encrypted communication tunnel between the enclave and a hardware security module (HSM) may be established and used. Establishing the tunnel includes the following steps. A session public/private enclave key pair, including a session enclave private key and a session enclave public key, may be derived from the public/private key pair of the enclave. The session enclave public key may be sent to the HSM. A session HSM public key may be received from the HSM. Additional information may be encrypted with the session HSM public key. The encrypted additional information may be sent to the HSM. Further encrypted information may be received from the HSM. The further encrypted information may be decrypted with the session enclave private key.

97 Citations

View as Search Results

23 Claims

1. An apparatus for secure transactions, comprising:
- a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including;
  
  storing, in an enclave, an enclave key pair including an enclave private key and an enclave public key, wherein the enclave is a secure execution environment;
  
  registering the enclave as a member of an enclave pool, such that members of the enclave pool act as pooled resources, provisionable on demand, for executing smart contract logic off of a blockchain;
  
  establishing and using a secure encrypted communication tunnel between the enclave and a hardware security module (HSM), enabling persistence of secrets across multiple members of the enclave pool, establishing and using the secure encrypted communication tunnel including;
  
  deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave key pair;
  
  sending the session enclave public key to the HSM;
  
  receiving, from the HSM, a session HSM public key;
  
  encrypting additional information with the session enclave private key;
  
  sending the encrypted additional information to the HSM;
  
  receiving further encrypted information from the HSM; and
  
  decrypting the further encrypted information with the session enclave private key;
  
  receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code;
  
  executing the cryptlet code in the enclave; and
  
  signing a payload of the cryptlet code with the enclave private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The apparatus of claim 1, wherein the further encrypted information includes a key chain, wherein the key chain include a cryptlet public key and a cryptlet private key, and wherein the action further include at least one of signing or encrypting the payload of the cryptlet code with the cryptlet private key.
  - 3. The apparatus of claim 1, wherein receiving, from the HSM, the session HSM public key, is accomplished via an intermediary device that operates as a broker.
  - 4. The apparatus of claim 1, wherein the further encrypted information includes at least one other private key.
  - 5. The apparatus of claim 1, wherein the HSM has persistent storage.
  - 6. The apparatus of claim 1, wherein the further encrypted information includes an encrypted user key.
  - 7. The apparatus of claim 1, wherein the HSM is a key vault.
  - 8. The apparatus of claim 1, the actions further comprising creating a new key in the enclave, and wherein the additional information includes the new key.
  - 9. The apparatus of claim 1, wherein the enclave is a private, tamper-resistant execution environment that is secure from external interference.
  - 10. The apparatus of claim 1, wherein the enclave is at least one of a Virtual Secure Machine or a secure hardware enclave.
  - 11. The apparatus of claim 1, wherein the enclave is a secure execution environment in which code can be run in an isolated, private environment and for which results of the secure execution are capable of being attested to have run unaltered and in private.
  - 12. The apparatus of claim 1, wherein the enclave is a hardware enclave, and wherein the enclave private key of the enclave is etched in silicon.
  - 13. The apparatus of claim 1, the actions further including:
    - registering another enclave as a member of the enclave pool; and
      
      establishing and using another secure encrypted communication tunnel between said another enclave and the HSM to communicate at least a portion of the encrypted additional information from the HSM to said another enclave.
  - 14. The apparatus of claim 1, wherein the further encrypted information includes a cryptlet key pair that includes a public cryptlet key and a private cryptlet key;
    - and a first counterparty key pair associated with a first counterparty, wherein the first counterparty key pair includes a public first counterparty key and a private first counterparty key.
  - 15. The apparatus of claim 14, the actions further including:
    - also signing the payload of the enclave with the private cryptlet key.

16. A method, comprising:
- receiving, from a cryptlet fabric configured to manage an enclave pool that includes a first enclave, cryptlet code, wherein members of the enclave pool act as pooled resources, provisionable on demand, for executing smart contract logic off of a blockchain;
  
  generating a session enclave key pair from an enclave key pair, wherein the enclave key pair includes an enclave private key and an enclave public key, and wherein the session enclave key pair includes a session enclave private key and a session enclave public key;
  
  communicating the session enclave public key to a hardware security module (HSM);
  
  receiving, from the HSM, a session HSM public key;
  
  encrypting additional information with the session HSM public key; and
  
  communicating the encrypted additional information to the HSM, enabling persistence of the encrypted additional information.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - receiving further encrypted information from the HSM;
      
      decrypting the further encrypted information with the session enclave private key; and
      
      executing the cryptlet code in the first enclave.
  - 18. The method of claim 16, further comprising:
    - signing a payload of the cryptlet code with the enclave private key.
  - 19. The method of claim 16, wherein the further encrypted information includes at least a cryptlet key pair.
  - 20. The method of claim 16, further comprising creating a new key in the enclave, and wherein the additional information includes the new key.

21. A processor-readable storage medium, having stored thereon processor-executable code that, upon execution by at least one processor, enables actions, comprising:
- establishing and using a secure encrypted communication channel between an enclave and a hardware security module (HSM), enabling persistence of enclave secrets, the enclave being configured to execute smart contract logic off of a blockchain, establishing and using the secure encrypted communication channel including;
  
  deriving a session enclave key pair from an enclave key pair, wherein the enclave key pair includes an enclave private key and an enclave public key, and wherein the session key pair includes a session enclave private key and a session enclave public key;
  
  sending the session enclave public key to the HSM;
  
  receiving, from the HSM, a session HSM public key;
  
  encrypting additional information with the session HSM public key;
  
  sending the encrypted additional information to the HSM;
  
  receiving further encrypted information from the HSM; and
  
  decrypting the further encrypted information with the session enclave private key; and
  
  signing a payload of the enclave with the enclave private key.
- View Dependent Claims (22, 23)
- - 22. The processor-readable storage medium of claim 21, the actions further comprising:
    - registering the enclave as a member of an enclave pool;
      
      receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code; and
      
      executing the cryptlet code in the enclave.
  - 23. The processor-readable storage medium of claim 21, wherein the further encrypted information includes at least a cryptlet key pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gray, John Marley
Primary Examiner(s)
Potratz, Daniel B
Assistant Examiner(s)
Straub, D'Arcy Winston

Application Number

US15/592,697
Publication Number

US 20180332011A1
Time in Patent Office

1,279 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06Q 20/065   using e-cash

G06Q 20/382   insuring higher security of...

G06Q 20/3825   Use of electronic signatures

G06Q 20/3829   involving key management

G06Q 2220/00   Business processing using c...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/12   Applying verification of th...

H04L 9/0819   Key transport or distributi...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0861   Generation of secret inform...

H04L 9/0897   involving additional device...

H04L 9/3234   involving additional secure...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Secure cryptlet tunnel

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secure cryptlet tunnel

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links