Patent number 8798273 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: "This disclosure relates generally to cryptographic key lifecycle management.
"Business data is growing at exponential rates, and along with that growth is a demand for securing that data. Enterprises have responded by implementing encryption at various layers, such as in hardware, on the network, and in various applications. This response has resulted in a series of encryption silos, some of which hold confidential customer data, with fragmented approaches to security, keys and coverage. Further, different applications across the enterprise often employ different encryption methods. Thus, for example, some departments in the organization may use public-key cryptography while others use secret-key or hashes. Still others do not encrypt data while it is at rest (such as when it is stored on a device or in a database) but only when the data is in motion, using virtual private networks (VPNs) to secure the data pipeline. Key management for these encryption approaches is often similarly fragmented. Sometimes key management is carried out by department teams using manual processes or embedded encryption tools. Other times, the key management function is centrally managed and executed. In some cases, no formal key management process is in place. This fragmented approach to key management can leave the door open for loss or breach of sensitive data.
"Key Management Interoperability Protocol (KMIP) is a new standard for key management sponsored by the
"There is a challenge, however, in implementing KMIP with existing key management server architecture that is based on a centralized model, namely, one wherein clients are largely pre-provisioned with all of the cryptographic materials that they might need. A centralized model of this type accommodates a device-oriented support paradigm wherein the devices are sophisticated (e.g., storage devices) and have administrators responsible for their administration and management. KMIP, on the other hand, treats cryptographic clients uniformly and, more importantly, as entities that are intelligent and themselves capable of specifying cryptographic information, such as correct key sizes, encryption algorithms, and the like. The KMIP view of cryptographic clients is inconsistent with typical storage device types that today interact with enterprise key management servers. Indeed, such storage devices typically are better served with pre-provisioning support. As a consequence, there is an incompatibility between, on the one hand, the ability of existing key management servers to set up cryptographic attributes ahead of time, and, on the other hand, KMIP's theoretical support of otherwise highly-capable cryptographic clients that need no such pre-provisioning.
"Although KMIP was designed to allow multiple-client authentication and authorization schemes, the only mechanisms defined in the first version of the protocol are UID (user identifier) and password, and client-side certificates. A key management server, however, needs to know more about the identity of its clients to be able to group them into device types and device groups and thus match them with pre-provisioned materials that befit their needs.
"The subject matter of this disclosure addresses this need."
In addition to the background information obtained for this patent, VerticalNews journalists also obtained the inventors' summary information for this patent: "According to this disclosure, a key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.
"According to an embodiment, when a particular client device makes a request to a key management server, a request header includes a credential value that is a concatenated string of data that includes a device identifier (e.g., a serial number), and a device group. The body of the request includes at least one operation that is intended to be carried out at the server under the authorization of the credential provided. Based on the credential value (and the information encoded therein), the key management server computes a relationship between the device serial number and a device group. The key management server may also store the device serial number and associate it with a device group. This enables the key management server to connect the request to appropriate pre-provisioned cryptographic materials for particular devices or device groups.
"According to another embodiment, a key management server-side method of processing device type information in a client-side certificate authentication process begins upon receiving a client request for key material. The key material typically identifies a device type. Preferably, a plurality of devices having the same device type typically share a pool of the key material. The client request includes a client-side certificate and a custom credential distinct from the certificate. The client-side certificate is used to authenticate the client, and the custom credential is used to identify the client and to determine whether key material for the client has been provisioned. If, and based on the determination, the client has been identified and the key material for the client has been provisioned, the key material is then served according to a key management protocol. If, however, the custom credential fails to identify the client, or if the key material has not been provisioned, a given action is taken. The given action may be refusing the client request, placing the client request in a queue for administrator review, or the like.
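The server-side flow described in the two embodiments above, as an added illustration that is not from the patent or from any KMIP implementation: the credential layout "<serial>|<device_group>", the in-memory provisioning tables and the sample serial numbers are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

REFUSE = "refuse"          # reject the request outright
QUEUE = "queue_for_admin"  # hold the request for administrator review

# Constructed sample data (assumption): each device group shares one pool of
# key material, and only enrolled serial numbers are accepted.
PROVISIONED_POOLS = {
    "tape-library": ["key-tl-0001", "key-tl-0002"],
    "disk-array": ["key-da-0001"],
}
DEVICE_GROUP_OF = {
    "SN-1001": "tape-library",
    "SN-2002": "disk-array",
    "SN-3003": "nas-head",  # enrolled, but its group has no pool yet
}

@dataclass
class Request:
    cert_subject: Optional[str]  # identity from the client-side certificate (None = no cert)
    credential: str              # custom credential carried in the KMIP request header

def parse_credential(value: str):
    """Split "<serial>|<group>" (assumed layout) into a tuple; None if malformed."""
    parts = value.split("|")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]

def serve_key_material(req: Request, on_unprovisioned: str = QUEUE):
    """Return ("served", key_id) or (action, reason) following the disclosed flow."""
    if req.cert_subject is None:
        return REFUSE, "client certificate missing: not authenticated"
    parsed = parse_credential(req.credential)
    if parsed is None:
        return REFUSE, "credential malformed"
    serial, claimed_group = parsed
    # Identify the client: the server's own record of the serial number's group
    # must agree with the group claimed in the credential.
    known_group = DEVICE_GROUP_OF.get(serial)
    if known_group is None or known_group != claimed_group:
        return REFUSE, f"device {serial} not identified in group {claimed_group}"
    pool = PROVISIONED_POOLS.get(known_group)
    if not pool:
        return on_unprovisioned, f"no key material provisioned for {known_group}"
    return "served", pool[0]
```

The certificate authenticates the caller while the credential only identifies it, so a valid certificate with a mismatched or unknown serial/group pair is still refused, and an identified device whose group has no pool falls through to the configured action (queue or refuse).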
"The foregoing has outlined some of the more pertinent features of the invention. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed invention in a different manner or by modifying the invention as will be described."
URL and more information on this patent, see: Rich,
Keywords for this news article include: Information Technology, Information and Cryptography,
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC