System and method for managing cryptographic keys

US 9,490,973 B1
Filed: 05/17/2016
Issued: 11/08/2016
Est. Priority Date: 12/07/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented on a first computing device, the method comprising:

retrieving, from a memory, a fourth key;

transmitting, to a second computing device, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;

receiving, from the second computing device, the encrypted third key;

receiving data for encryption;

transmitting, to an identify and access management device (IAM), a request for a key identifier based on information associated with the data;

receiving, from the IAM, the requested key identifier;

transmitting, to the second computing device, a request for an encrypted first key that is associated with the key identifier;

receiving, from the second computing device, the encrypted first key;

transmitting, to the IAM, a request for an encrypted second key;

receiving, from the IAM, the encrypted second key;

decrypting the encrypted third key using the fourth key;

decrypting the encrypted second key using the decrypted third key;

decrypting the encrypted first key using the decrypted second key;

encrypting the data using the decrypted first key; and

deleting, from a cache of the first computing device, the decrypted first key after a period of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various implementations, a first device retrieves, from a memory, encrypted data encrypted using a first key. The first device transmits, to a second device, a request for an encrypted first key, where the encrypted first key is generated by encrypting the first key using a second key. The first device receives the encrypted first key. The first device transmits, to an identity and access management device (IAM), a request for an encrypted second key, where the encrypted second key is generated by encrypting the second key using a third key. The first device receives the encrypted second key. The first device decrypts the encrypted second key using the third key, decrypts the encrypted first key using the decrypted second key, and decrypts the encrypted data using the decrypted first key. The first device deletes, from its cache, the decrypted first key after a period of time.

20 Citations

23 Claims

1. A method implemented on a first computing device, the method comprising:
- retrieving, from a memory, a fourth key;
  
  transmitting, to a second computing device, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
  
  receiving, from the second computing device, the encrypted third key;
  
  receiving data for encryption;
  
  transmitting, to an identify and access management device (IAM), a request for a key identifier based on information associated with the data;
  
  receiving, from the IAM, the requested key identifier;
  
  transmitting, to the second computing device, a request for an encrypted first key that is associated with the key identifier;
  
  receiving, from the second computing device, the encrypted first key;
  
  transmitting, to the IAM, a request for an encrypted second key;
  
  receiving, from the IAM, the encrypted second key;
  
  decrypting the encrypted third key using the fourth key;
  
  decrypting the encrypted second key using the decrypted third key;
  
  decrypting the encrypted first key using the decrypted second key;
  
  encrypting the data using the decrypted first key; and
  
  deleting, from a cache of the first computing device, the decrypted first key after a period of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the fourth key is an asymmetric cryptographic key.
  - 3. The method of claim 1, wherein:
    - the encrypted third key is stored in a hardware security module; and
      
      the hardware security module is only accessible via the second computing device.
  - 4. The method of claim 1, wherein:
    - the encrypted first key is stored in a hardware security module; and
      
      the hardware security module is only accessible via the second computing device.
  - 5. The method of claim 1, further comprising storing the encrypted data in the memory, wherein the memory is only accessible via the first computing device.
  - 6. The method of claim 1, wherein:
    - the first key is a symmetric cryptographic key;
      
      the second key is an asymmetric cryptographic key; and
      
      the third key is a symmetric cryptographic key.
  - 7. The method of claim 1, wherein:
    - the first computing device comprises an application server; and
      
      the second computing device comprises a cryptographic key management server.

8. A first computing device comprising a processor, the processor is configured to carry out a method comprising:
- retrieving, from a memory, a fourth key;
  
  transmitting, to a second computing device, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
  
  receiving, from the second computing device, the encrypted third key;
  
  receiving data for encryption;
  
  transmitting, to an identify and access management device (IAM), a request for a key identifier based on information associated with the data;
  
  receiving, from the IAM, the requested key identifier;
  
  transmitting, to the second computing device, a request for an encrypted first key that is associated with the key identifier;
  
  receiving, from the second computing device, the encrypted first key;
  
  transmitting, to the IAM, a request for an encrypted second key;
  
  receiving, from the IAM, the encrypted second key;
  
  decrypting the encrypted third key using the fourth key;
  
  decrypting the encrypted second key using the decrypted third key;
  
  decrypting the encrypted first key using the decrypted second key;
  
  encrypting the data using the decrypted first key; and
  
  deleting, from a cache of the first computing device, the decrypted first key after a period of time.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The first computing device of claim 8, wherein the fourth key is an asymmetric cryptographic key.
  - 10. The first computing device of claim 8, wherein:
    - the encrypted third key is stored in a hardware security module; and
      
      the hardware security module is only accessible via the second computing device.
  - 11. The first computing device of claim 8, wherein:
    - the encrypted first key is stored in a hardware security module; and
      
      the hardware security module is only accessible via the second computing device.
  - 12. The first computing device of claim 8, wherein the processor is further configured to store the encrypted data in the memory, and the memory is only accessible via the first computing device.
  - 13. The first computing device of claim 8, wherein:
    - the first key is a symmetric cryptographic key;
      
      the second key is an asymmetric cryptographic key; and
      
      the third key is a symmetric cryptographic key.

14. A method implemented on a system comprising an application server, a cryptographic key management server (KMS), and an identity and access management device (IAM), the method comprising:
- retrieving, by the application server from a memory, a fourth key;
  
  transmitting, from the application server to the KMS, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
  
  transmitting, from the KMS to the application server, the encrypted third key;
  
  receiving, by the application server, data for encryption;
  
  transmitting, from the application server to the IAM, a request for a key identifier based on information associated with the data;
  
  receiving, by the application server from the IAM, the requested key identifier;
  
  transmitting, from the application server to the KMS, a request for an encrypted first key that is associated with the key identifier;
  
  receiving, by the application server from the KMS, the encrypted first key;
  
  transmitting, from the application server to the IAM, a request for an encrypted second key;
  
  receiving, by the application server from the IAM, the encrypted second key;
  
  decrypting, by the application server, the encrypted third key using the fourth key;
  
  decrypting, by the application server, the encrypted second key using the decrypted third key;
  
  decrypting, by the application server, the encrypted first key using the decrypted second key;
  
  encrypting, by the application server, the data using the decrypted first key; and
  
  deleting, from a cache of the application server, the decrypted first key after a period of time.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein the fourth key is an asymmetric cryptographic key.
  - 16. The method of claim 14, wherein the system further comprises a hardware security module (HSM) only accessible via the KMS, and the encrypted third key and the encrypted first key are stored in the HSM.
  - 17. The method of claim 14, further comprising:
    - at the KMS;
      
      determining whether the encrypted first key is stored in a cache of the KMS;
      
      based on the determination that the encrypted first key is not stored in the cache of the KMS, transmitting, to a hardware security module (HSM), a request for the encrypted first key;
      
      receiving, from the HSM, the encrypted first key; and
      
      storing the encrypted first key in the cache of the KMS.
  - 18. The method of claim 14, wherein:
    - the first key is a symmetric cryptographic key;
      
      the second key is an asymmetric cryptographic key; and
      
      the third key is a symmetric cryptographic key.

19. A system comprising an application server, a cryptographic key management server (KMS), and an identity and access management device (IAM), the system is configured to carry out a method comprising:
- retrieving, by the application server from a memory, a fourth key;
  
  transmitting, from the application server to the KMS, a request for an encrypted third key, wherein the encrypted third key is generated by encrypting the third key using the fourth key;
  
  transmitting, from the KMS to the application server, the encrypted third key;
  
  receiving, by the application server, data for encryption;
  
  transmitting, from the application server to the IAM, a request for a key identifier based on information associated with the data;
  
  receiving, by the application server from the IAM, the requested key identifier;
  
  transmitting, from the application server to the KMS, a request for an encrypted first key that is associated with the key identifier;
  
  receiving, by the application server from the KMS, the encrypted first key;
  
  transmitting, from the application server to the IAM, a request for an encrypted second key;
  
  receiving, by the application server from the IAM, the encrypted second key;
  
  decrypting, by the application server, the encrypted third key using the fourth key;
  
  decrypting, by the application server, the encrypted second key using the decrypted third key;
  
  decrypting, by the application server, the encrypted first key using the decrypted second key;
  
  encrypting, by the application server, the data using the decrypted first key; and
  
  deleting, from a cache of the application server, the decrypted first key after a period of time.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19, wherein the fourth key is an asymmetric cryptographic key.
  - 21. The system of claim 19, further comprising a hardware security module (HSM) only accessible via the KMS, wherein the encrypted third key and the encrypted first key are stored in the HSM.
  - 22. The system of claim 19, wherein the system is further configured to carry out, at the KMS:
    - determining whether the encrypted first key is stored in a cache of the KMS;
      
      based on the determination that the encrypted first key is not stored in the cache of the KMS, transmitting, to a hardware security module (HSM), a request for the encrypted first key;
      
      receiving, from the HSM, the encrypted first key; and
      
      storing the encrypted first key in the cache of the KMS.
  - 23. The system of claim 19, wherein:
    - the first key is a symmetric cryptographic key;
      
      the second key is an asymmetric cryptographic key; and
      
      the third key is a symmetric cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workiva Inc.
Original Assignee
Workiva Inc.
Inventors
Blakely, Benjamin Alan, Sullivan, Matthew Edward, Wesner, Michael Bryan
Primary Examiner(s)
Zaidi, Syed

Application Number

US15/156,963
Time in Patent Office

175 Days
Field of Search

380/281
US Class Current

1/1
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0897   involving additional device...

System and method for managing cryptographic keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing cryptographic keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links