Postponing entropy depletion in key management systems with hardware security modules
US-2019132127-A1 · May 2, 2019 · US
Scalable hardware encryption
US10826693B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10826693-B2 |
| Application number | US-201816209674-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 4, 2018 |
| Priority date | Dec 4, 2018 |
| Publication date | Nov 3, 2020 |
| Grant date | Nov 3, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Hardware Security Modules (HSMs) may be utilized to store master keys that are used to secure (e.g., wrap) encryption keys that are stored outside of the HSMs. The wrapping of the encryption keys may include using the master key to mask each of the plurality of encryption keys. The master keys are then stored within the HSMs and the wrapped encryption keys may be stored outside of the HSMs. Since the plurality of encryption keys are wrapped, the wrapped encryption keys may be stored outside of the HSMs with a reduced potential for the wrapped encryption keys to be misappropriated. As such, the plurality of encryption keys may be stored in systems that do not have as many security requirements, and thus, have more memory available. As such, the memory needed to store keys within the HSMs is reduced.
First claim
Opening claim text (preview).
What is claimed is: 1. A scalable hardware security module (HSM) system for encryption, the system comprising: one or more memory devices having computer readable code stored thereon; and one or more processing devices operatively coupled to the one or more memory devices, wherein the one or more processing devices are configured to execute the computer readable code to: set up one or more HSMs and a plurality of partitions for the one or more HSMs to provide encryption services to a plurality of applications; create an application programming interface (API) to interact with the plurality of applications; assign each of the plurality of applications to the one or more HSMs and the plurality of partitions within the one or more HSMs wherein the plurality of partitions separate memory of the one or more HSMs into separate parts of the one or more HSMs; create a plurality of encryption keys for data for an application; encrypt the data to create encrypted data for the application; create a master key for the plurality of encryption keys for the application; wrap the plurality of encryption keys with the master key to form a plurality of wrapped encryption keys; store the plurality of wrapped encryption keys outside of the one or more HSMs; store the master key within a partition from the plurality of partitions of an HSM from the one or more HSMs; receive a request from the application to call a wrapped encryption key for decryption; authenticate the application for access to the partition of the HSM; identify the wrapped encryption key from the plurality of wrapped encryption keys for the application outside of the one or more HSMs; provide the wrapped encryption key to the one or more HSMs; identify the master key for the wrapped encryption key within the partition of the HSM; identify the encryption key by using the master key to unwrap the wrapped encryption key; and utilize the encryption key in accordance with the request from the application for the decryption. 2. The system of claim 1 , wherein authenticating the application for access to the one or more HSMs comprises identifying access rights of the application from an encryption rules engine within the one or encryption systems. 3. The system of claim 1 , wherein the one or more processing devices are configured to execute the computer readable code to: assign application identifiers to each of the plurality of wrapped encryption keys, wherein identifying the wrapped encryption key from the plurality of wrapped encryption keys comprises comparing the application with the application identifiers associated with the plurality of wrapped encryption keys to identify the application identifier corresponding to the application. 4. The system of claim 3 , wherein the application identifier is a machine identifier on which the application is stored. 5. The system of claim 1 , wherein identifying the wrapped encryption key from the plurality of wrapped encryption keys for the application comprises: identifying the partition within the HSM for the application. 6. The system of claim 1 , wherein the one or more processing devices are configured to execute the computer readable code to: discard the encryption key after decryption; create a new encryption key; wrap the new encryption key with the master key to create a new wrapped encryption key; and store the new wrapped encryption key outside of the one or more HSMs. 7. A computer implemented method for a scalable hardware security module (HSM) system for encryption, the method comprising: setting up, by one or more processing components, one or more HSMs and a plurality of partitions for the one or more HSMs to provide encryption services to a plurality of applications; creating, by the one or more processing components, an application programming interface (API) to interact with the plurality of applications; assigning, by the one or more processing components, each of the plurality of applications to the one or more HSMs and the plurality of partitions within the one or more HSMs, wherein the plurality of partitions separate memory of the one or more HSMs into separate parts of the one or more HSMs; creating, by the one or more processing components, a plurality of encryption keys for data for an application; encrypting, by the one or more processing components, the data to create encrypted data for the plurality of applications; creating, by the one or more processing components, a master key for the plurality of encryption keys for the application; wrapping, by the one or more processing components, the plurality of encryption keys with the master key to form a plurality of wrapped encryption keys; storing, by the one or more processing components, the plurality of wrapped encryption keys outside of the one or more HSMs; storing, by the one or more processing components, the master key within a partition from the plurality of partitions of an HSM from the one or more HSMs; receiving, by the one or more processing components, a request from the application to call a wrapped encryption key for decryption; authenticating, by the one or more processing components, the application for access to the partition of the HSM; identifying, by the one or more processing components, the wrapped encryption key from the plurality of wrapped encryption keys for the application outside of the one or more HSMs; providing, by the one or more processing components, the wrapped encryption key to the one of more HSMs; identifying, by the one or more processing components, the master key for the wrapped encryption key within the partition of the HSM; identifying, by the one or more processing components, the encryption key by using the master key to unwrap the wrapped encryption key; and utilizing, by the one or more processing components, the encryption key in accordance with the request from the application for the decryption. 8. The computer implemented method of claim 7 , wherein authenticating the application for access to the one or more HSMs comprises identifying access rights of the application from an encryption rules engine within the one or encryption systems. 9. The computer implemented method of claim 7 , the method further comprising: assigning, by the one or more processing components, application identifiers to each of the plurality of wrapped encryption keys, wherein identifying the wrapped encryption key from the plurality of wrapped encryption keys comprises comparing the application with the application identifiers associated with the plurality of wrapped encryption keys to identify the application identifier corresponding to the application. 10. The computer implemented method of claim 9 , wherein the application identifier is a machine identifier on which the application is stored. 11. The computer implemented method of claim 7 , wherein identifying the wrapped encryption key from the plurality of wrapped encryption keys for the application comprises: identifying the partition within the HSM for the application. 12. The computer implemented method of claim 7 , the method further comprising: discarding, by the one or more processing components, the encryption key after decryption; creating, by the one or more processing components, a new encryption key; wrapping, by the one or more processing components, the new encryption key with the master key to create a new wrapped encryption key; and storing, by the one or more processing components, the new wrapped encryption key outside of the one or more HSMs. 13. A computer program product for a scalable hardware security module (HSM) system for encryp
Assignees
Inventors
Classifications
applying encryption of the keys · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
- H04L9/0897Primary
involving additional devices, e.g. trusted platform module [TPM], smartcard or USB · CPC title
using key encryption key · CPC title
using a plurality of keys or algorithms · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10826693B2 cover?
- Hardware Security Modules (HSMs) may be utilized to store master keys that are used to secure (e.g., wrap) encryption keys that are stored outside of the HSMs. The wrapping of the encryption keys may include using the master key to mask each of the plurality of encryption keys. The master keys are then stored within the HSMs and the wrapped encryption keys may be stored outside of the HSMs. Sin…
- Who is the assignee on this patent?
- Bank Of America
- What technology area does this patent fall under?
- Primary CPC classification H04L9/0897. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Nov 03 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).