Encryption key management
Abstract
Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.
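The key-identifier lookup described in the abstract, with the version-number and default selection recited in claim 1, sketched as an added example that is not code from the patent or its assignee. The `KeyStore` class, the `session-signing` identifier, and the choice of HMAC-SHA256 as the secure operation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class KeyStore:
    """Maps a key identifier to versioned secrets plus a current default version."""

    def __init__(self):
        self._versions = {}   # key_id -> {version: secret bytes}
        self._default = {}    # key_id -> version used when a request names none

    def rotate(self, key_id, secret=None):
        """Add a new version for key_id and make it the default; return its number."""
        versions = self._versions.setdefault(key_id, {})
        version = max(versions, default=0) + 1
        versions[version] = secret if secret is not None else secrets.token_bytes(32)
        self._default[key_id] = version
        return version

    def select(self, key_id, version=None):
        """Return (version, secret): the named version, or the default if none given."""
        if key_id not in self._versions:
            raise KeyError(f"unknown key identifier: {key_id!r}")
        if version is None:
            version = self._default[key_id]
        try:
            return version, self._versions[key_id][version]
        except KeyError:
            # Fail closed: never fall back to a different version silently.
            raise KeyError(f"{key_id!r} has no version {version}") from None

    def sign(self, key_id, message, version=None):
        """The 'secure operation': HMAC-SHA256; the caller never sees the secret."""
        used, secret = self.select(key_id, version)
        return used, hmac.new(secret, message, hashlib.sha256).hexdigest()

    def verify(self, key_id, message, version, tag):
        _, expected = self.sign(key_id, message, version)
        return hmac.compare_digest(expected, tag)

def demo():
    store = KeyStore()
    store.rotate("session-signing", b"constructed-secret-v1")  # constructed sample values
    v_old, tag_old = store.sign("session-signing", b"user=alice")
    store.rotate("session-signing", b"constructed-secret-v2")
    v_new, tag_new = store.sign("session-signing", b"user=alice")  # same call, new key
    still_valid = store.verify("session-signing", b"user=alice", v_old, tag_old)
    return v_old, v_new, tag_old != tag_new, still_valid
```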
114 Citations
26 Claims
1. A method of managing secure objects in a computing device, comprising:
   - storing, at the computing device, one or more secure objects for performing a secure operation;
   - associating one or more secure identifiers with the one or more secure objects;
   - associating one of the one or more version numbers with a particular one of the one or more secure objects associated with one of the one or more secure identifiers, the one or more secure objects being associated with at least one of the one or more version numbers;
   - receiving, at the computing device, a request to perform the secure operation, the request identifying a particular one of the one or more secure identifiers to be used in performing the secure operation;
   - as a result of the request including a particular one of the one or more version numbers for identifying a version of the one or more secure objects to be used in performing the secure operation, selecting a particular one of the one or more secure objects corresponding to the particular one of the one or more secure identifiers and associated with the particular one of the one or more version numbers;
   - as a result of the request not including a version number for identifying the version of the one or more secure objects to be used in performing the secure operation, selecting a current default secure object corresponding to the particular one of the one or more secure identifiers; and
   - performing the secure operation at the computing device using the selected secure object.

   View Dependent Claims (2, 3)

4. A method of performing a secure operation on a computing device, comprising:
   - receiving, at the computing device, a request to perform a secure operation, the request identifying a secure identifier to be used in performing the secure operation;
   - determining a secure object associated with the secure identifier to perform the secure operation, the secure identifier being associated with one or more secure objects for the secure operation;
   - as a result of the request including a version number for identifying a version of the secure object to be used, performing the secure operation at the computing device using the determined secure object based at least in part on the included version number, wherein the secure object to be used to perform the secure operation is able to be changed by the computing device based at least in part on the version number, and wherein the request to perform the secure operation identifies the secure identifier independent of a change in the secure object to be used to perform the secure operation; and
   - as a result of the request not including a version number, performing the secure operation at the computing device using a default secure object.

   View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)

14. A method of decrypting content, comprising:
   - receiving, at a computing device, a request to decrypt content identified by the request;
   - extracting information from the content identifying a secure identifier and an algorithm used to encrypt the content, wherein the request does not specify the secure identifier and the algorithm used to encrypt the content;
   - when the computing device has access to the secure identifier and the algorithm, determining a secure object associated with the secure identifier by determining whether a version number is identified in the request;
   - as a result of the request identifying a version number, decrypting the content using a particular version number of the secure object and the algorithm, and providing access to the decrypted content, the secure object being based at least in part on the particular version number; and
   - as a result of the request not identifying a version number, decrypting the content using a default secure object and the algorithm, and providing access to the decrypted content.

   View Dependent Claims (15, 16)

17. A system for performing a secure operation, comprising:
   - a processor; and
   - a memory device including instructions that, when executed by the processor, cause the processor to;
     - receive a request to perform a secure operation, the request identifying a secure identifier;
     - determine a secure object associated with the secure identifier, the secure identifier being associated with one or more secure objects for the secure operation;
     - as a result of the request including a version number for identifying a version of the secure object to be used, perform the secure operation at the computing device using the determined secure object based at least in part on the included version number, wherein the secure object to be used to perform the secure operation is able to be changed by the computing device, and wherein the request to perform the secure operation identifies the secure identifier independent of a change in the secure object to be used to perform the secure operation; and
     - as a result of the request not including a version number, performing the secure operation at the computing device using a default secure object.

   View Dependent Claims (18, 19, 20, 21)

22. A computer program product embedded in a non-transitory computer-readable medium including processor-executable instructions for performing a secure operation, comprising:
   - program code for receiving, at a computing device, a request to perform a secure operation, the request identifying a secure identifier;
   - program code for determining a secure object associated with the secure identifier to perform the secure operation, the secure identifier being associated with one or more secure objects for the secure operation;
   - program code for performing, as a result of the request including a version number for identifying a version of the secure object to be used, the secure operation at the computing device using the determined secure object based at least in part on the included version number, wherein the secure object to be used to perform the secure operation is able to be changed at the computing device, and wherein the request to perform the secure operation identifies the secure identifier independent of a change in the secure object to be used to perform the secure operation; and
   - program code for performing, as a result of the request not including a version number, the secure operation at the computing device using a default secure object.

   View Dependent Claims (23, 24, 25, 26)

Specification