Automatic change of symmetrical encryption key

US 8,284,945 B2
Filed: 06/02/2009
Issued: 10/09/2012
Est. Priority Date: 06/02/2009
Status: Active Grant

First Claim

Patent Images

1. A method for changing an encryption key, the method comprising:

encrypting data using a first encryption key;

counting bytes of the data in order to determine an amount of data encrypted with the first encryption key; and

changing from the first encryption key to a second, different encryption key for encrypting subsequent data in response to the amount of data encrypted with the first encryption key wherein a byte count threshold for switching from the first encryption key to the second encryption key is determined in response to a byte count range between an upper byte count limit and a lower byte count limit wherein the byte count threshold is determined by Data_min+((Data_max−

Data_min)/x_max)*x where Data_minis the lower byte count limit, Data_maxis the upper byte count limit, and x_maxε

{N} where N is a set of natural numbers.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption system and a method for automatically changing an encryption key. The key is changed in response to an amount of data that has been encrypted. When the amount of data encrypted with a first key reaches or exceeds a byte count threshold, the first key is deactivated and a new key is generated and used for subsequent data encryption.

5 Citations

View as Search Results

17 Claims

1. A method for changing an encryption key, the method comprising:
- encrypting data using a first encryption key;
  
  counting bytes of the data in order to determine an amount of data encrypted with the first encryption key; and
  
  changing from the first encryption key to a second, different encryption key for encrypting subsequent data in response to the amount of data encrypted with the first encryption key wherein a byte count threshold for switching from the first encryption key to the second encryption key is determined in response to a byte count range between an upper byte count limit and a lower byte count limit wherein the byte count threshold is determined by Data_min+((Data_max−
  
  Data_min)/x_max)*x where Data_minis the lower byte count limit, Data_maxis the upper byte count limit, and x_maxε
  
  {N} where N is a set of natural numbers.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the encryption key is a symmetrical encryption key.
  - 3. The method of claim 1 wherein encrypting the data comprises performing one of a Data Encryption Standard or an Advanced Encryption Standard encryption.
  - 4. The method of claim 3 wherein an upper byte count limit is lower for the Data Encryption Standard encryption than an upper byte count limit for the Advanced Encryption Standard encryption.

5. A method for changing an encryption key, the method comprising:
- determining a maximum number of bytes to encrypt with a first encryption key;
  
  determining a minimum number of bytes to encrypt with the first encryption key;
  
  determining a byte count threshold between the minimum number of bytes and the maximum number of bytes;
  
  counting a number of bytes being encrypted by an encryption operation using the first encryption key;
  
  inactivating the first key when the number of bytes being encrypted reaches a byte count threshold; and
  
  generating a second key for encrypting subsequent data;
  
  wherein the byte count threshold is determined by Data_min+((Data_max−
  
  Data_min)/x_max)*x where Data_minis the minimum number of bytes to encrypt with the first encryption key, Data_maxis the maximum number of bytes to encrypt with the first encryption key, x is a user input such that xε
  
  {0, N}, and x_maxε
  
  {N} where N is a set of natural numbers.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5 wherein generating the second key comprises generating a key identification, a key value, and a key type.
  - 7. The method of claim 5 wherein counting the number of bytes being encrypted comprises:
    - incrementing a byte count after each byte is encrypted; and
      
      comparing the byte count to a predetermined threshold.
  - 8. The method of claim 5 and further comprising storing a key identification of the first key with data encrypted using the first key.
  - 9. The method of claim 5 and further comprising determining a back-up policy that includes a source for secret data to be encrypted, a destination medium for encrypted data, and an encryption type.
  - 10. The method of claim 5 and further comprising performing the encryption operation on additional data using the second key.

11. An encryption system comprising:
- a back-up manager for managing back-up of secret data;
  
  a back-up medium coupled to the back-up manager, the back-up medium configured to store encrypted data;
  
  a host system coupled to the back-up manager, the host system configured to execute an encryption operation using an active encryption key such that the secret data is encrypted and stored on the back-up medium; and
  
  a key management module coupled to the host system and configured to compare a byte count to a threshold and deactivate a first encryption key and activate a second encryption key, to be used as the active encryption key, in response to the byte count being equal to or greater than the threshold wherein the threshold is determined in response to a byte count range between an upper byte count limit and a lower byte count limit wherein the threshold is determined by Data_min+((Data_max−
  
  Data_min)/x_max)*x where Data_minis the lower byte count limit, Data_maxis the upper byte count limit, xε
  
  {0, N}, and x_maxε
  
  {N} where N is a set of natural numbers.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The encryption system of claim 11 wherein the host system is coupled to the back-up manager over a network.
  - 13. The encryption system of claim 11 and further comprising a central database coupled to the back-up manager, the central database configured to store a back-up policy and inventory information.
  - 14. The encryption system of claim 11 wherein the key management module is further configured to comprise a key list and an encryption algorithm list.
  - 15. The encryption system of claim 14 wherein the key list comprises a key identification, a key value, a key status, and a byte counter.
  - 16. The encryption system of claim 14 wherein the encryption algorithm list comprises an encryption operation type, a byte counter upper limit, a byte counter lower limit, and a user input factor for each type of encryption algorithm.
  - 17. The encryption system of claim 11 wherein the back-up medium is configured to store a key identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Breyel, Oliver
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US12/476,313
Publication Number

US 20100303241A1
Time in Patent Office

1,225 Days
Field of Search

None
US Class Current

380/284
CPC Class Codes

G06F 11/1458   Management of the backup or...

G06F 21/602   Providing cryptographic fac...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

Automatic change of symmetrical encryption key

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic change of symmetrical encryption key

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links