EP1540628A2 - Network attached encryption - Google Patents
Network attached encryptionInfo
- Publication number
- EP1540628A2 EP1540628A2 EP03764490A EP03764490A EP1540628A2 EP 1540628 A2 EP1540628 A2 EP 1540628A2 EP 03764490 A EP03764490 A EP 03764490A EP 03764490 A EP03764490 A EP 03764490A EP 1540628 A2 EP1540628 A2 EP 1540628A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- cryptographic
- key server
- services
- recited
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000000034 method Methods 0.000 claims abstract description 46
- 230000006870 function Effects 0.000 claims abstract description 27
- 230000006854 communication Effects 0.000 claims description 35
- 238000004891 communication Methods 0.000 claims description 35
- 238000013475 authorization Methods 0.000 claims description 21
- 230000004044 response Effects 0.000 claims description 15
- 230000008569 process Effects 0.000 claims description 11
- 230000005540 biological transmission Effects 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 7
- 238000012795 verification Methods 0.000 claims description 7
- JLQUFIHWVLZVTJ-UHFFFAOYSA-N carbosulfan Chemical compound CCCCN(CCCC)SN(C)C(=O)OC1=CC=CC2=C1OC(C)(C)C2 JLQUFIHWVLZVTJ-UHFFFAOYSA-N 0.000 claims description 4
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 claims description 3
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 claims description 3
- 230000002085 persistent effect Effects 0.000 claims description 3
- 230000001052 transient effect Effects 0.000 claims description 3
- 230000006835 compression Effects 0.000 claims description 2
- 238000007906 compression Methods 0.000 claims description 2
- 238000010276 construction Methods 0.000 claims description 2
- 230000006837 decompression Effects 0.000 claims description 2
- 238000009795 derivation Methods 0.000 claims description 2
- 241000845082 Panama Species 0.000 claims 2
- 241000251730 Chondrichthyes Species 0.000 claims 1
- 101100217298 Mus musculus Aspm gene Proteins 0.000 claims 1
- MHABMANUFPZXEB-UHFFFAOYSA-N O-demethyl-aloesaponarin I Natural products O=C1C2=CC=CC(O)=C2C(=O)C2=C1C=C(O)C(C(O)=O)=C2C MHABMANUFPZXEB-UHFFFAOYSA-N 0.000 claims 1
- 241000270295 Serpentes Species 0.000 claims 1
- 241001441724 Tetraodontidae Species 0.000 claims 1
- 101150055569 arc4 gene Proteins 0.000 claims 1
- 230000007175 bidirectional communication Effects 0.000 claims 1
- 238000010586 diagram Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 238000004886 process control Methods 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 235000006719 Cassia obtusifolia Nutrition 0.000 description 1
- 235000014552 Cassia tora Nutrition 0.000 description 1
- 244000201986 Cassia tora Species 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000012937 correction Methods 0.000 description 1
- 239000002244 precipitate Substances 0.000 description 1
- 230000000135 prohibitive effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C3/00—Typewriters for ciphering or deciphering cryptographic text
- G09C3/04—Typewriters for ciphering or deciphering cryptographic text wherein the operative connections between the keys and the type-bars are automatically and continuously permuted, during operation, by a coding or key member
- G09C3/08—Typewriters for ciphering or deciphering cryptographic text wherein the operative connections between the keys and the type-bars are automatically and continuously permuted, during operation, by a coding or key member the connections being electrical
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Definitions
- the present invention relates generally to the field of data security, and more particularly to providing cryptographic network services and securing cryptographic keys in a network environment.
- SSL and TLS protect data while in transit by encrypting the data using a session-key, (i.e., a cryptographic key), known only to the web server and the client computer.
- a session-key i.e., a cryptographic key
- the data is decrypted upon arrival at the receiving ' web server.
- the receiving server processes the data (e.g., validating the credit card number) and then often stores the sensitive data
- the cryptographic keys that are used to set up the SSL connection between Web clients and internal Web servers are stored in the same internal Web servers. Similarly, when encryption is performed on data to be stored on back-end application servers and databases, the cryptographic keys are stored in the same back-end application servers, which are usually
- FIG. 1 illustrates a computer server environment 10 providing networked cryptographic services in accordance with one embodiment of the present invention
- FIG. 2 diagrammatically illustrates a software architecture in accordance with one embodiment of the present invention
- FIG. 3 A illustrates a hardware architecture suitable for a networked cryptographic key server in accordance with one embodiment of the present invention
- FIG. 3B illustrates an operation 150 for backup and restoring of the private keys with respect to a cryptographic server that supports k-out-of-n secret sharing of the group key in accordance with certain embodiments of the present invention
- FIG. 4 is a flowchart that illustrates a computer-implemented method by which a networked cryptographic key server may provide cryptographic services in accordance with one embodiment of the present invention
- FIG. 5 is a flowchart that illustrates a computer-implemented method for performing authentication and authorization analysis of a cryptographic request in accordance with one aspect of the present invention
- FIG. 6 is a flowchart that illustrates a computer-implemented method for enabling applications instantiated on an application server to access remote and local cryptographic services through a standard cryptographic API;
- FIG. 7 illustrates a distributed cryptographic services computing environment in accordance with certain embodiments of the present invention.
- FIG. 8 is a block diagram that illustrates a system architecture in which a network security appliance provides networked cryptographic key services in accordance with certain embodiments of the invention.
- FIG. 9 is a block diagram that illustrates a network architecture including a transparent encryption network security appliance and a cryptographic key server.
- FIG. 1 illustrates a computer server environment 10 providing networked cryptographic services in accordance with one embodiment of the present invention.
- the computer server environment 10 includes a plurality of clients 12, an application server 14, and a cryptographic key server 16, all bi-directionally coupled via a computer network 18.
- the computer network 18 may take the form of any suitable network such as the Internet or a local area network.
- Bi- directionally coupled to the application server 14 is a network database 20.
- the application server 14 provides requested services to the clients 12 via the computer network 18. Services requested by the clients 12 may specifically involve cryptographic services, or may precipitate the need for cryptographic services. For example, the client requested services may require the storage of sensitive data on the network database 20, or the retrieval of encrypted data from the network database 20.
- the cryptographic key server 16 is available to the application server 14 to perform cryptographic services, thus offloading the computational intensities of cryptographic services from the application server 14.
- the cryptographic key server referred to herein is also known as a Networked Attached
- Encryption device The nature of the cryptographic services as well as a variety of mechanisms implementing such functionality are described below in more detail.
- FIG. 2 diagrammatically illustrates a software architecture 50 for an application server 52 and a cryptographic key server 54 in accordance with one embodiment of the present invention.
- the software architecture of FIG. 2 is not limited to application servers and may vary from implementation to implementation. Any number of computer devices and systems may be a client of cryptographic key server 54.
- the application server 52 and the cryptographic key server 54 are bi-directionally coupled via a secure network communications channel 56.
- the secure network communications channel 56 may be effectuated through any suitable secure communications technique such as the secure communications protocols SSL or TLS. Alternatively, a secure channel may be effectuated via a direct physical link or by any means known to those skilled in the art.
- Software-based application server 52 is only one example of a client that needs the cryptographic services of a cryptographic key server.
- the application server 52 of FIG. 2 includes a plurality of applications 60, a cryptographic application program interface (API) 62, and a secure network interface engine 64.
- the applications 60 are software programs instantiated and executing on the application server 52. These applications 60 may provide services to local users of the application server 52, and may provide network services to remote clients via a network connection.
- the cryptographic API 62 provides a set of standards by which the plurality of applications 60 can invoke a plurality of cryptographic services. According to the present invention, at least one of this plurality of cryptographic services is performed remotely by the cryptographic key server 54. To effectuate networked cryptographic key services, the cryptographic API 62 is responsive to a request for a remote cryptographic service to utilize the secure network interface engine 64 to request the cryptographic services.
- the cryptographic API 62 is preferably a standardized software cryptographic API which applications developers can easily integrate into their software. Thus, the cryptographic API 62 would take on a specific form relating to the underlying computing environment.
- underlying computing environments include Java, Microsoft, PKCS #l l/Cryptoki
- the cryptographic API 62 could be exposed to applications as Java Cryptography Extensions (JCE).
- JCE Java Cryptography Extensions
- the JCE could be used or invoked by a variety of sources, including Java Server Pages (JSP), Java servlets, or Enterprise Java Beans (EJB). Java applications capable of using JCE may also be invoked by Active Server Pages (ASP).
- ASP Active Server Pages
- applications 60 may directly access the cryptographic key server 54 without the aid of cryptographic API 62.
- the cryptographic functionality may be exposed, e.g., using VBScript, via a Crypto Service Provider (CSP) that VBScript communicates with using Microsoft Cryptographic API (MS-CAPI).
- CSP Crypto Service Provider
- MS-CAPI Microsoft Cryptographic API
- the CSP or cryptographic API would be implemented as a Dynamic Linked Library that exposes a number of cryptographic operations to the applications 60.
- the foregoing descriptions of the cryptographic functionality and cryptographic API are in the context of web application servers. However, the cryptographic functionality and cryptographic API are equally applicable for application servers that are non-web-based, such as non-web-based Java applications using JCE and non-web-based Windows applications invoking MS-CAPI, etc.
- the secure network interface engine 64 is operable to establish the secure network communications channel 56 with the remote cryptographic key server 54.
- the remote cryptographic key server 54 is operable to establish the secure network communications channel 56 with the secure network interface engine 64.
- the secure network interface engine is operable, for example, to marshal and transmit secure requests for cryptographic services to the remote cryptographic key server 54, receive and unmarshal secure responses to requests for cryptographic services, and forward such response back to the cryptographic API 62.
- the cryptographic API 62 provides a response to the requesting application 60.
- the secure network interface engine 64 could expose secure network services to the applications 60 for use in providing secure communications channels between the applications 60 and clients of the application server 52.
- the cryptographic API 62 and the secure network interface engine 64 appear as two distinct processes, each instantiated on the application server 52. This allows separate modification of each of these processes.
- another embodiment of the present invention teaches that the functionality of the cryptographic API 62 and the secure network interface engine 64 are provided as a single process or are included in an application 60.
- the cryptographic key server 54 includes a cryptographic service engine 70, a secure network interface engine 72, and a private key engine 74.
- the cryptographic key server 54 is suitable for providing cryptographic services to the application server 52 coupled to said cryptographic key server via the secure network communications channel 56.
- the secure network interface engine 72 is operable to establish the secure network communications channel 56 with the application server 52.
- the application server 52 is operable to establish the secure network communications channel 56 with the secure network interface engine 72.
- the secure network interface engine 72 is operable to unmarshal secured cryptographic service requests received from the application server 52, and marshal and transmit secure cryptographic service responses to the application server 52.
- the cryptographic service engine 70 executing on the cryptographic key server 54 is bi- directionally coupled with the secure network interface engine 72.
- the cryptographic service engine 70 is operable to provide cryptographic services requested by the application server 52 via the secure network interface engine 72.
- Cryptographic services may include: 1) hashing operations, and 2) signing and verification operations such as RSA and DSA.
- the cryptographic functions exposed to the applications 60 would include those most likely desired by the remote clients. These cryptographic functions must be performed either at the application server 52, or more preferably at the cryptographic key server 54 in order to offload from the application server 52 the burden of performing cryptographic services. Thus, it is preferred that the cryptographic service engine 70 be capable of performing any exposed cryptographic services not provided at the application server 52. Typical exposed functionality would include, but is not limited to, functions such as encryption and decryption (e.g. DES, 3DES, AES, RSA, DSA, ECC, etc.), signing and verification (e.g. RSA, DSA, etc.), and hashing and verification (e.g. SHA-1, HMAC, etc.).
- encryption and decryption e.g. DES, 3DES, AES, RSA, DSA, ECC, etc.
- signing and verification e.g. RSA, DSA, etc.
- hashing and verification e.g. SHA-1, HMAC, etc.
- encryption and decryption functions include: symmetric block ciphers, generic cipher modes, stream cipher modes, public-key cryptography, padding schemes for public-key systems, key agreement schemes, elliptic curve cryptography, one-way hash functions, message authentication codes, cipher constructions based on hash functions, pseudo random number generators, password based key derivation functions,
- the private key engine 74 provides the cryptographic service engine 70 the private keys required for performing cryptographic operations.
- Such private keys can be generated and stored through a variety of mechanisms known in the art, as well as by several methods contemplated by the present invention. One preferred embodiment for generating and handling the private keys is described below with reference to FIG. 3.
- the cryptographic service engine 70 and the secure network interface engine 72 appear as two distinct processes each instantiated on the cryptographic service engine 70. This allows separate modification of each of these processes.
- another embodiment of the present invention teaches that the functionality of cryptographic service engine 70 and the secure network interface engine 72 are provided as a single process.
- FIG. 3 A illustrates a hardware architecture 100 suitable for a networked cryptographic key server such as cryptographic key server 54 of FIG. 2 in accordance with one embodiment of the present invention.
- the hardware architecture 100 includes a central processing unit (CPU) 104, a persistent storage device 106 such as a hard disk, a transient storage device 108 such as random access memory (RAM), a network I/O device 110, an encryption device 112 such as a cryptographic accelerator card, a hardware security module (HSM) 114, and a smart card interface 116, all bi-directionally coupled via a databus 102.
- Other additional components may be part of the hardware architecture 100.
- the private keys 120 are loaded into HSM 114 and stored in an encrypted format.
- the HSM 114 is a tamper resistant device.
- the private keys 120 are encrypted using a group key known only to a small, predefined group of cryptographic key servers. These group keys are protected by smart cards. When a backup operation is performed on one member of the predefined group of cryptographic servers, an encrypted form of the original cryptographic key is created as a backup file. Only cryptographic servers that are part of the predefined group of devices are able to decrypt the encrypted key using a separate cryptographic key.
- the cryptographic server also supports k-out-of-n secret sharing of the group key for increased security. This means that the cryptographic server requires smart cards for backup and restoring of the private keys. For example, if the group key information is distributed across a group of five smart cards (n), preferences can be set so that group data can be accessed only after inserting three smart cards (k) into the smart card reader 116. Any attempt to access the data with less than three smart cards will fail. Using a k of n schema ensures data safety; if a single card is stolen, the thief will not be able to access the configuration data stored on the HSM 114 because the thief does not have enough cards to meet the k of n criteria set forth above.
- FIG. 3B illustrates an operation 150 for backup and restoring of the private keys with respect to a cryptographic server that supports k-out-of-n secret sharing of the group key.
- step 152 a request for backup and restoring of the private keys is received.
- step 154 in response to the request for backup, it is determined whether at least k- out-of-n smart cards has been inserted, is a smart card interface device associated with cryptographic server at which the request for backup was made. If it is determined that at least k- out-of-n smart cards has not been inserted, then at step 156, the request for backup and restoring is denied.
- a networked cryptographic key server such as cryptographic key server 16 or 54 may provide cryptographic services in accordance with one embodiment of the present invention
- a set of private keys is established on the networked key server. These private keys may be generated and maintained according to any suitable mechanism.
- the private keys are stored within a tamper-resistant hardware device and are not distributed across the network, but rather are managed through a process such as that described above with reference to the HSM 114 of FIG. 3. Subsequent requests for cryptographic services by a given application server for which a set of private keys is already established on the networked key server do not involve step 202.
- a secure network communications channel is established between the application server and the cryptographic key server.
- a connection pool is established between the application server and the key server prior to the client's request of any specific cryptographic services.
- the connection pool can be maintained indefinitely or may be closed due to inactivity. Establishing a secure connection is processing intensive, so once the secure connection is established it is efficient to maintain the secure connection.
- the secure channel may be established with SSL or TLS, or any suitable method known in the art. In many situations, HTTPS with server and client certificates might be used.
- the identity of the requesting entity is verified, i.e., authenticated.
- step 216 performs housekeeping functions related to a failed request for services as explained below.
- the cryptographic key server may be used to provide cryptographic services.
- the key server receives a request for cryptographic services via the secure channel.
- the key server will unmarshal the request from encrypted network format. As described above with reference to FIG. 2, in certain embodiments this may be performed by a secure network interface engine.
- the key server will perform an authorization analysis of the cryptographic service request. The authorization analysis of step 208 determines whether the requested services should be provided to the requesting client.
- One embodiment of step 208 is described below in more detail with reference to FIG. 4.
- step 208 determines that the request may be performed
- process control flows from step 208 to a step 210 that performs the requested cryptographic services.
- the application server may be requesting that certain data be encrypted or decrypted.
- the cryptographic key server will respond to the application server via the secure channel. This includes marshalling the data into secure format for transmission across the network.
- a variety of housekeeping functions related to satisfaction of an authorized request are performed. In certain embodiments, these include maintaining a database related to cryptographic requests (time, client identity, service requested, satisfactory completion, etc.)
- a step 216 performs housekeeping functions related to a failed request for services. In certain embodiments, this includes include maintaining a database related to cryptographic requests (time, client identity, service requested, etc.). This database can be used to evaluate whether an attack is being made, or to determine errors in the system.
- a computer-implemented method 208 for performing authorization analysis of a cryptographic request in accordance with one aspect of the present invention will now be described in more detail.
- the method 208 is invoked when a remote application server requests that a cryptographic key server perform certain cryptographic functions for the application server, likely on behalf of a client of the application server.
- a first step 250 the authorization privileges granted to the application server, the application, and the client are determined. If the authorization privileges granted to the application server, the application, and the client cannot be determined, then the authorization test of step 250 is deemed to have failed. When the authorization test of step 250 fails, then the request is denied in a step 252.
- a step 254 determines whether the specific request is within the rights of the requesting entity. For example, a certain application running on the application server may not be entitled to decrypt certain data, or simply may not be entitled to decrypt data whatsoever, even though that same application may be entitled to encrypt data. In any event, when the request is not within the rights of the requesting entity, the request is denied in step 252. When the request is within the rights of the requesting entity, the request is approved in a step 256 and process control proceeds to implement the requested cryptographic services.
- Steps 302 and 304 are initialization steps to make the cryptographic services available to applications.
- a standardized software cryptographic API is integrated within the application server.
- the cryptographic API can be designed for the specific computing environment (Java, Microsoft, etc.) of the application server.
- the cryptographic services are exposed to an application instantiated on the application server so that service requests may be made within executing applications.
- Cryptographic providers allow programmers to develop application software utilizing standard cryptography made available by the cryptographic API.
- an application calls a cryptographic function and the cryptographic API receives this request for service.
- This request is processed by the cryptographic API to determine whether the request should be passed along to the remote cryptographic server, or performed locally or perhaps the application server performs some authentication and authorization locally prior to allowing a request for cryptographic services to be passed along.
- a step 308 attends to marshalling and transmitting the request.
- the marshalling and transmission is performed by a secure network interface engine via a previously established secure network transmission channel.
- the application server receives and unmarshals a response to a cryptographic service request.
- the receipt and unmarshalling of responses is performed by a secure network interface engine via a previously established secure network transmission channel. The response is provided to the cryptographic API and in a step
- the cryptographic API provides a response to the requesting application in a suitable format.
- FIG. 7 illustrates a distributed cryptographic services computing environment 400 in accordance with certain embodiments of the present invention.
- the computing environment 400 includes a plurality of cryptographic key servers 402, a plurality of application servers 404, and a plurality of clients 406, all bi-directionally coupled with a wide area network 408 such as the
- the cryptographic key servers 402 and application servers 404 may take any suitable form. For example, the embodiments described above with reference to FIGS. 1 - 3 would be suitable.
- the plurality of cryptographic key servers 402 may operate in an independent fashion, each providing services in an independent fashion.
- a specific cryptographic key server 402 could act as a manager of all services, directing all requests from the application servers 404 to the other cryptographic key servers 402 based on a predetermined load balancing scheme.
- FIG. 8 shows a block diagram of a system architecture 500 in which a network security appliance provides networked cryptographic key services.
- the system architecture 500 includes a plurality of clients 502, a wide area network 504 such as the Internet, a network security appliance 506, and an application server 508.
- a network security appliance 506 provides networked cryptographic key services.
- the system architecture 500 includes a plurality of clients 502, a wide area network 504 such as the Internet, a network security appliance 506, and an application server 508.
- the network security appliance 506 all other elements of FIG. 8 will be readily understood by referring to the above description of FIGS. 1 - 7.
- the network security appliance 506 physically resides between the application server 508 and the network 504. Those skilled in the art will be familiar with network security appliances and their general operation. Some of the services which may be provided by the network security appliance 506 include secure transmission between the clients 502 and the application server 508, secure caching reducing strain upon the application server 508 and improving response time to users, SSL and TLS acceleration, transparent encryption services, client authentication, etc. According to the embodiment of FIG. 8, the network security appliance 506 further provides cryptographic key services to the application server 508.
- the network security appliance 506 may have a software architecture as described above with reference to cryptographic key server 54 of FIG. 2. Likewise, the network security appliance 506 may have a hardware architecture 100 as described above with reference to cryptographic key server of FIG. 3. The methods described above with reference to FIGS. 4 - 6 may well apply to the operation of the network security appliance 506 and the application server 508.
- FIG. 9 is a block diagram that illustrates a network architecture 600 including a plurality of clients 602, a wide area network 604 such as the Internet, a transparent encryption appliance 606, a plurality of application servers 608, a local area network 610, at least one cryptographic key server 612, two or more network databases 614, and a plurality of back-end servers 616.
- the transparent encryption appliance 606 is configured to inspect all requests entering the site via the network 604, and encrypts sensitive data using one of the installed private keys 120.
- the transparent encryption appliance 606 and the cryptographic key server 612 are both members of a predefined group of TE Appliances that share a group key, and are loaded with the same private keys 120.
- Multiple application servers 608 are able to request cryptographic services from the cryptographic key server 612, as are back-end servers 616, via the local area network 610.
- appli ⁇ ation server 608 is a web server, and the client 602 provides a credit card number to web server 608 over the network 604 via a secure session.
- TE Appliance 606 detects that the credit card number is sensitive information and encrypts this data using one of the installed private keys 120, so that web server 608 does not manage the sensitive information in the clear.
- the credit card number is stored in network database 614 only in encrypted form.
- Back-end server 616 needs to access the client credit card number to retrieve account information, and make a request to cryptographic key server 612 to decrypt the credit card number.
- back-end server 616 is authorized to access the client credit card number, and therefore cryptographic key server 612 decrypts the credit card number as requested.
- aspects of the invention can be embodied in a special purpose computer or data processor that is specifically programmed, configured or constructed to perform one or more of the computer-executable instructions explained in detail below.
- the term "computer,” as used generally herein, refers to any of the above devices, as well as any data processor.
- processor as generally used herein refers to any logic processing unit, such as one or more central processing units (CPUs), digital signal processors (DSPs), application-specific integrated circuits (ASIC), etc.
- CPUs central processing units
- DSPs digital signal processors
- ASIC application-specific integrated circuits
Abstract
Description
Claims
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US39568502P | 2002-07-12 | 2002-07-12 | |
US395685P | 2002-07-12 | ||
PCT/US2003/021695 WO2004008676A2 (en) | 2002-07-12 | 2003-07-11 | Network attached encryption |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1540628A2 true EP1540628A2 (en) | 2005-06-15 |
EP1540628A4 EP1540628A4 (en) | 2010-08-04 |
Family
ID=30115910
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP03764490A Withdrawn EP1540628A4 (en) | 2002-07-12 | 2003-07-11 | Network attached encryption |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1540628A4 (en) |
JP (1) | JP2005533438A (en) |
KR (1) | KR20050026478A (en) |
CN (1) | CN1679066B (en) |
AU (1) | AU2003251853A1 (en) |
WO (1) | WO2004008676A2 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2458603B (en) * | 2007-01-18 | 2011-07-13 | Voltage Security Inc | Cryptographic web service |
Families Citing this family (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4961798B2 (en) * | 2005-05-20 | 2012-06-27 | 株式会社日立製作所 | Encrypted communication method and system |
CN101141251B (en) * | 2006-09-08 | 2012-05-23 | 华为技术有限公司 | Method, system and equipment of message encryption signature in communication system |
US9118665B2 (en) | 2007-04-18 | 2015-08-25 | Imation Corp. | Authentication system and method |
JP4902633B2 (en) * | 2008-12-17 | 2012-03-21 | 日本電信電話株式会社 | Web system and request processing method |
KR101008896B1 (en) * | 2009-04-16 | 2011-01-17 | 동서대학교산학협력단 | Secure Data Transmission for ATA-based Virtual Storage System |
JP2012064995A (en) | 2010-09-14 | 2012-03-29 | Hitachi Ltd | Cryptographic device management method, cryptographic device management server, program, and storage medium |
US9197407B2 (en) | 2011-07-19 | 2015-11-24 | Cyberlink Corp. | Method and system for providing secret-less application framework |
US20130179676A1 (en) * | 2011-12-29 | 2013-07-11 | Imation Corp. | Cloud-based hardware security modules |
US9590959B2 (en) * | 2013-02-12 | 2017-03-07 | Amazon Technologies, Inc. | Data security service |
US10075471B2 (en) | 2012-06-07 | 2018-09-11 | Amazon Technologies, Inc. | Data loss prevention techniques |
US9286491B2 (en) | 2012-06-07 | 2016-03-15 | Amazon Technologies, Inc. | Virtual service provider zones |
US10084818B1 (en) | 2012-06-07 | 2018-09-25 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US9300464B1 (en) | 2013-02-12 | 2016-03-29 | Amazon Technologies, Inc. | Probabilistic key rotation |
US10467422B1 (en) | 2013-02-12 | 2019-11-05 | Amazon Technologies, Inc. | Automatic key rotation |
US9608813B1 (en) | 2013-06-13 | 2017-03-28 | Amazon Technologies, Inc. | Key rotation techniques |
US10211977B1 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Secure management of information using a security module |
US9367697B1 (en) | 2013-02-12 | 2016-06-14 | Amazon Technologies, Inc. | Data security with a security module |
US9705674B2 (en) | 2013-02-12 | 2017-07-11 | Amazon Technologies, Inc. | Federated key management |
US10210341B2 (en) * | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Delayed data access |
CN105409159B (en) * | 2013-07-18 | 2019-09-06 | 日本电信电话株式会社 | Key storage appts, key keeping method and its recording medium |
WO2015025916A1 (en) * | 2013-08-22 | 2015-02-26 | 日本電信電話株式会社 | Multi-party secure authentication system, authentication server, intermediate server, multi-party secure authentication method, and program |
CN103532964B (en) * | 2013-10-22 | 2016-09-07 | 邱文乔 | A kind of method verifying TCP connection safety |
CN104717195A (en) * | 2013-12-17 | 2015-06-17 | 中国移动通信集团福建有限公司 | Service system password management method and device |
JP6287282B2 (en) * | 2014-02-04 | 2018-03-07 | 日本電気株式会社 | Information processing apparatus, information processing method, information processing system, and computer program |
CN103916233B (en) * | 2014-03-28 | 2018-05-29 | 小米科技有限责任公司 | A kind of information ciphering method and device |
US9397835B1 (en) | 2014-05-21 | 2016-07-19 | Amazon Technologies, Inc. | Web of trust management in a distributed system |
US9438421B1 (en) | 2014-06-27 | 2016-09-06 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
JP6792133B2 (en) * | 2014-08-07 | 2020-11-25 | キヤノンマーケティングジャパン株式会社 | Server and its processing method and program |
US9866392B1 (en) | 2014-09-15 | 2018-01-09 | Amazon Technologies, Inc. | Distributed system web of trust provisioning |
CN105991622A (en) * | 2015-03-05 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Message authentication method and device |
CN106157028B (en) * | 2015-04-15 | 2021-03-26 | 航天信息股份有限公司 | Financial IC card multi-time card issuing system and method based on trusted platform |
KR101610182B1 (en) | 2015-06-18 | 2016-04-08 | (주)가바플러스 | Client terminal security apparatus and method of remote learning data service system |
KR101693249B1 (en) * | 2015-09-08 | 2017-01-06 | 충북대학교 산학협력단 | System and method for managing application |
CN105516083A (en) * | 2015-11-25 | 2016-04-20 | 上海华为技术有限公司 | Data security management method, apparatus, and system |
CN105704148A (en) * | 2016-03-24 | 2016-06-22 | 广州三星通信技术研究有限公司 | Method and equipment for security information transmission |
CN106027646B (en) * | 2016-05-19 | 2019-06-21 | 北京云钥网络科技有限公司 | A kind of method and device accelerating HTTPS |
EP3382612A1 (en) * | 2017-03-31 | 2018-10-03 | Siemens Aktiengesellschaft | Processes for computer support of safety-protected satellite navigation systems |
CN109005187A (en) * | 2018-08-21 | 2018-12-14 | 广州飞硕信息科技股份有限公司 | A kind of communication information guard method and device |
CN110912852B (en) * | 2018-09-14 | 2022-04-08 | 阿里巴巴集团控股有限公司 | Method, device and system for obtaining secret key, storage medium and computer terminal |
JP7041650B2 (en) * | 2019-07-31 | 2022-03-24 | 株式会社Sbi Bits | System for recreating private keys |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001007990A1 (en) * | 1999-07-23 | 2001-02-01 | Microsoft Corporation | Methods and arrangements for mapping widely disparate portable tokens to a static machine concentric cryptographic environment |
WO2001035194A2 (en) * | 1999-11-10 | 2001-05-17 | Unisys Corporation | Method and apparatus for providing redundant and resilient cryptographic services |
US20020078367A1 (en) * | 2000-10-27 | 2002-06-20 | Alex Lang | Automatic configuration for portable devices |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH07170280A (en) * | 1993-12-15 | 1995-07-04 | Ricoh Co Ltd | Local area network |
US5828832A (en) * | 1996-07-30 | 1998-10-27 | Itt Industries, Inc. | Mixed enclave operation in a computer network with multi-level network security |
US6397330B1 (en) * | 1997-06-30 | 2002-05-28 | Taher Elgamal | Cryptographic policy filters and policy control method and apparatus |
JPH1188321A (en) * | 1997-09-02 | 1999-03-30 | Kiyadeitsukusu:Kk | Digital signature generation server |
US6202157B1 (en) * | 1997-12-08 | 2001-03-13 | Entrust Technologies Limited | Computer network security system and method having unilateral enforceable security policy provision |
US6073242A (en) * | 1998-03-19 | 2000-06-06 | Agorics, Inc. | Electronic authority server |
-
2003
- 2003-07-11 KR KR1020057000614A patent/KR20050026478A/en not_active Application Discontinuation
- 2003-07-11 WO PCT/US2003/021695 patent/WO2004008676A2/en active Application Filing
- 2003-07-11 CN CN038165589A patent/CN1679066B/en not_active Expired - Fee Related
- 2003-07-11 EP EP03764490A patent/EP1540628A4/en not_active Withdrawn
- 2003-07-11 JP JP2004521666A patent/JP2005533438A/en active Pending
- 2003-07-11 AU AU2003251853A patent/AU2003251853A1/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001007990A1 (en) * | 1999-07-23 | 2001-02-01 | Microsoft Corporation | Methods and arrangements for mapping widely disparate portable tokens to a static machine concentric cryptographic environment |
WO2001035194A2 (en) * | 1999-11-10 | 2001-05-17 | Unisys Corporation | Method and apparatus for providing redundant and resilient cryptographic services |
US20020078367A1 (en) * | 2000-10-27 | 2002-06-20 | Alex Lang | Automatic configuration for portable devices |
Non-Patent Citations (4)
Title |
---|
BERSON T ET AL: "Cryptography as a network service" 8TH ANNUAL SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY. (NDSS'01) INTERNET SOC RESTON, VA, USA,, 7 February 2001 (2001-02-07), pages 1-12, XP002551706 * |
DAHL GERBERICK: "Working Paper On Functional Spedfications For An EDI Cryptoserver" ACM, 2 PENN PLAZA, SUITE 701 - NEW YORK USA, 1989, XP040067597 * |
MRAZ R: "Secure blue: an architecture for a scalable, reliable high volume SSL internet server" COMPUTER SECURITY APPLICATIONS CONFERENCE, 2001. ACSAC 2001. PROCEEDIN GS 17TH ANNUAL 10-14 DEC 2001, PISCATAWAY, NJ, USA,IEEE, 10 December 2001 (2001-12-10), pages 391-398, XP010584923 ISBN: 978-0-7695-1405-5 * |
See also references of WO2004008676A2 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2458603B (en) * | 2007-01-18 | 2011-07-13 | Voltage Security Inc | Cryptographic web service |
US9749301B2 (en) | 2007-01-18 | 2017-08-29 | Voltage Security, Inc. | Cryptographic web service |
Also Published As
Publication number | Publication date |
---|---|
KR20050026478A (en) | 2005-03-15 |
AU2003251853A8 (en) | 2004-02-02 |
EP1540628A4 (en) | 2010-08-04 |
JP2005533438A (en) | 2005-11-04 |
AU2003251853A1 (en) | 2004-02-02 |
WO2004008676A3 (en) | 2004-04-01 |
CN1679066B (en) | 2011-08-31 |
CN1679066A (en) | 2005-10-05 |
WO2004008676A2 (en) | 2004-01-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20060149962A1 (en) | Network attached encryption | |
EP1540628A2 (en) | Network attached encryption | |
CN111066286B (en) | Retrieving common data for blockchain networks using high availability trusted execution environments | |
US20200329041A1 (en) | Cross-region requests | |
US10680827B2 (en) | Asymmetric session credentials | |
US9584517B1 (en) | Transforms within secure execution environments | |
US8261087B2 (en) | Digipass for web-functional description | |
US9673984B2 (en) | Session key cache to maintain session keys | |
US8719572B2 (en) | System and method for managing authentication cookie encryption keys | |
US9425958B2 (en) | System, method and apparatus for cryptography key management for mobile devices | |
US8989390B2 (en) | Certify and split system and method for replacing cryptographic keys | |
US10182044B1 (en) | Personalizing global session identifiers | |
US10979403B1 (en) | Cryptographic configuration enforcement | |
US20200412548A1 (en) | Code signing method and system | |
US20060291664A1 (en) | Automated key management system | |
US20200401718A1 (en) | Secure storage of and access to files through a web application | |
WO2002084938A2 (en) | Controlled distribution of application code and content data within a computer network | |
CN110489996B (en) | Database data security management method and system | |
US9509504B2 (en) | Cryptographic key manager for application servers | |
CN114244508A (en) | Data encryption method, device, equipment and storage medium | |
CN113312576A (en) | Page jump method, system and device | |
Sarhan et al. | Secure android-based mobile banking scheme | |
AU2012101560B4 (en) | Transaction verification | |
WO2003067850A1 (en) | Verifying digital content integrity | |
Fernando et al. | Information Security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20050204 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK |
|
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: INGRIAN NETWORKS, INC. |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: SAFENET, INC. |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20100706 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/32 20060101ALI20100630BHEP Ipc: H04L 29/06 20060101ALI20100630BHEP Ipc: G06F 15/16 20060101ALI20100630BHEP Ipc: G09C 3/08 20060101AFI20050422BHEP |
|
17Q | First examination report despatched |
Effective date: 20110414 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20110825 |