Unified HSM and key management service

US11575508B2 · US · B2

Patent metadata

Publication number: US-11575508-B2
Application number: US-202117336721-A
Country: US
Kind code: B2
Filing date: Jun 2, 2021
Priority date: Jun 2, 2021
Publication date: Feb 7, 2023
Grant date: Feb 7, 2023


Abstract

Official abstract text for this publication.

Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.

Claims (preview)

Claim text as shown on this page; the excerpt is cut off partway through claim 17.

What is claimed is:

1. A method comprising: receiving at a key management system (KMS) database of a KMS cloud instance a client service request from a client instance, the client service request comprising an encryption key operation request relating to a first encryption key and the encryption key operation request comprising a client instance identification (ID) and a hardware security module ID (HSM ID); identifying a tag relating to the client instance ID and determining whether the tag is a single tenant (ST) or a multi-tenant (MT) tag; routing the encryption key operation request to an HSM middleware associated with the instance ID, based on the tag determination and the client instance ID; translating the encryption key operation request to a vendor-specific HSM language associated with the HSM ID based on parsing the encryption key operation request at the HSM middleware based on the HSM ID; and transmitting, based on the client instance ID and HSM ID, the translated encryption key operation request to a vendor-specific HSM associated with the vendor-specific HSM language, outside of the KMS cloud instance, for performing the encryption key operation using the first encryption key.

2. The method of claim 1 further comprising: receiving one or more encryption transactions for the HSM ID at the HSM middleware, within the KMS cloud instance; receiving the one or more encryption transactions at a router; and providing the one or more encryption transactions to the client instance.

3. The method of claim 2 wherein receiving the client service request further comprises verifying authorization of the client service request and wherein the encryption key operation request comprises a data encryption key (DEK) request from the client instance.

4. The method of claim 3 further comprising decrypting a previously encrypted instance key encryption key (IKEK) and a customer root key (CRK) at the vendor-specific HSM.

5. The method of claim 4 further comprising receiving a random number from the HSM and issuing an encryption transaction at the HSM using the random number for encryption.

6. The method of claim 5 wherein the one or more completed encryption transactions comprises a DEK.

7. The method of claim 1 wherein the encryption key operation request is routed using a tableless router, the tableless router comprising a cluster, and the routing being based on implicit routing functions of the cluster.

8. A computer program product for unified HSM and key management services, the computer programming product comprising: a computer-readable storage medium storing computer-readable program code embodied therewith, the computer-readable program code being executable by one or more computer processors to: receive at a key management system (KMS) database of a KMS cloud instance a client service request from a client instance, the client service request comprising an encryption key operation request relating to a first encryption key and the encryption key operation request comprising a client instance identification (ID) and a hardware security module ID (HSM ID); identify a tag relating to the client instance ID and determine whether the tag is a single tenant (ST) or a multi-tenant (MT) tag; route the encryption key operation request to an HSM middleware associated with the instance ID, based on the tag determination and the client instance ID; translate the encryption key operation request to a vendor-specific HSM language associated with the HSM ID based on parsing the encryption key operation request at the HSM middleware based on the HSM ID; and transmit, based on the client instance ID and HSM ID, the translated encryption key operation request to a vendor-specific HSM associated with the vendor-specific HSM language, outside of the KMS cloud instance, for performing the encryption key operation using the first encryption key.

9. The computer program product of claim 8 wherein the computer-readable program code is further executed by the one or more computer processors to: receive one or more encryption transactions for the HSM ID at the HSM middleware, within the KMS cloud instance; receive the one or more encryption transactions at a router; and provide the one or more encryption transactions to the client instance.

10. The computer program product of claim 9 wherein the computer-readable program code that causes the one or more processors to receive the client service request further causes the one or more processors to verify authorization of the client service request and wherein the encryption key operation request comprises a data encryption key (DEK) request from the client instance.

11. The computer program product of claim 10, wherein the computer-readable program code is further executed by the one or more computer processors to decrypt a previously encrypted instance key encryption key (IKEK) and a customer root key (CRK) at the vendor-specific HSM.

12. The computer program product of claim 11, wherein the computer-readable program code is further executed by the one or more computer processors to receive a random number from the HSM and issuing an encryption transaction at the HSM using the random number for encryption.

13. The computer program product of claim 12 wherein the one or more completed encryption transactions comprises a DEK.

14. The computer program product of claim 8 wherein the encryption key operation request is routed using a tableless router, the tableless router comprising a cluster, and the routing being based on implicit routing functions of the cluster.

15. A system, comprising: a memory comprising computer-readable code for unified HSM and key management services; and one or more processors configured with the computer-readable code to: receive at a key management system (KMS) database of a KMS cloud instance a client service request from a client instance, the client service request comprising an encryption key operation request relating to a first encryption key and the encryption key operation request comprising a client instance identification (ID) and a hardware security module ID (HSM ID); identify a tag relating to the client instance ID and determine whether the tag is a single tenant (ST) or a multi-tenant (MT) tag; route the encryption key operation request to an HSM middleware associated with the instance ID, based on the tag determination and the client instance ID; translate the encryption key operation request to a vendor-specific HSM language associated with the HSM ID based on parsing the encryption key operation request at the HSM middleware based on the HSM ID; and transmit, based on the client instance ID and HSM ID, the translated encryption key operation request to a vendor-specific HSM associated with the vendor-specific HSM language, outside of the KMS cloud instance, for performing the encryption key operation using the first encryption key.

16. The system of claim 15 wherein the computer-readable code is further executed by the one or more processors to: receive one or more encryption transactions for the HSM ID at the HSM middleware, within the KMS cloud instance; receive the one or more encryption transactions at a router; and provide the one or more encryption transactions to the client instance.

17. The system of claim 16 wherein the computer-readable code that causes the one or more processors to receive the client service request further causes the one or more processors to verify authorization of the client service request and wherein the encryption key operation reque
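The request path of claim 1 (authorize by instance ID, read the ST/MT tag, route to that tag's middleware, translate to the vendor's language, dispatch to the HSM) together with the CRK / IKEK / DEK hierarchy of claims 4 to 6, carried through as an added Go example. This is not code from the patent, from IBM or from any HSM vendor. Everything concrete in it is a constructed assumption for the demo: the HSM ID format "<vendor>-<unit>", the two vendor verbs in `dialects`, the instance IDs and their ST/MT tags, the nonce||ciphertext AES-256-GCM wrap format, one constructed HSM reachable through both the ST and the MT route, and the names `Handle`, `Execute`, `seal`, `open` and `NewDemo`. The claims say nothing about wrap formats or about what the KMS itself may hold, so the one design choice worth noting is that here the KMS stores the IKEK only in CRK-wrapped form and never sees the CRK; the decryption of claim 4 happens inside `HSM.Execute`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Tag is the tenancy tag the KMS keeps per client instance ID (claim 1: ST or MT).
type Tag string

const SingleTenant, MultiTenant Tag = "ST", "MT"

// HSM holds the customer root key (CRK), which never leaves the module, plus the one verb it accepts.
type HSM struct {
	verb string
	crk  []byte
}

// KMS maps instance IDs to tags, and each tag to the HSM fleet (by HSM ID) its middleware fronts.
type KMS struct {
	tags   map[string]Tag
	routes map[Tag]map[string]*HSM
}

// Constructed vendor dialects, chosen by the vendor prefix of an HSM ID "<vendor>-<unit>".
var dialects = map[string]string{"vendorA": "GEN_DEK_WRAPPED", "vendorB": "dek.create"}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this demo is 32 bytes; a failure here is a bug
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// seal and open wrap a key as nonce||ciphertext under AES-256-GCM (assumed format, not the patent's).
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Execute runs inside the HSM: check the dialect, unwrap the IKEK under the CRK (claim 4),
// draw a random DEK (claim 5) and return it raw and wrapped under the IKEK (claim 6).
func (h *HSM) Execute(verb string, wrappedIKEK []byte) (dek, wrappedDEK []byte, err error) {
	if verb != h.verb {
		return nil, nil, fmt.Errorf("HSM does not speak %q", verb)
	}
	ikek, err := open(h.crk, wrappedIKEK)
	if err != nil {
		return nil, nil, fmt.Errorf("IKEK unwrap failed: %w", err)
	}
	dek = mustRandom(32)
	return dek, seal(ikek, dek), nil
}

// Handle is the KMS entry point (claim 1): authorize by instance ID, read its ST/MT tag, route to
// that tag's middleware, translate via the HSM ID's vendor prefix, and dispatch to the named HSM.
func (k *KMS) Handle(instanceID, hsmID string, wrappedIKEK []byte) (dek, wrappedDEK []byte, tag Tag, err error) {
	tag, ok := k.tags[instanceID]
	if !ok {
		return nil, nil, "", fmt.Errorf("instance %q not authorized", instanceID)
	}
	vendor, _, _ := strings.Cut(hsmID, "-")
	verb, hsm := dialects[vendor], k.routes[tag][hsmID]
	if verb == "" || hsm == nil {
		return nil, nil, tag, fmt.Errorf("no dialect or route for HSM %q behind the %s middleware", hsmID, tag)
	}
	dek, wrappedDEK, err = hsm.Execute(verb, wrappedIKEK)
	return dek, wrappedDEK, tag, err
}

// NewDemo is a constructed deployment: one vendorA HSM behind both the ST and the MT middleware,
// and one instance whose IKEK has been provisioned under that HSM's CRK.
func NewDemo() (kms *KMS, ikek, wrappedIKEK []byte) {
	hsm := &HSM{verb: "GEN_DEK_WRAPPED", crk: mustRandom(32)}
	ikek = mustRandom(32)
	wrappedIKEK = seal(hsm.crk, ikek)
	fleet := map[string]*HSM{"vendorA-hsm-01": hsm}
	kms = &KMS{
		tags:   map[string]Tag{"inst-42": SingleTenant, "inst-7": MultiTenant},
		routes: map[Tag]map[string]*HSM{SingleTenant: fleet, MultiTenant: fleet},
	}
	return kms, ikek, wrappedIKEK
}
```

With the deployment from `NewDemo`, `kms.Handle("inst-42", "vendorA-hsm-01", wrappedIKEK)` returns the raw DEK, the same DEK wrapped under the IKEK, and the `ST` tag that selected the route. An unregistered instance, an HSM ID whose vendor has no registered dialect, and a truncated or tampered wrapped IKEK each come back as an error with no key material produced; the last two are caught only at the HSM, where the GCM tag on the wrapped IKEK fails to verify.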

Assignees

IBM
Inventors

Classifications

  • applying encryption of the keys (CPC title)

  • Entity profiles (CPC title)

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up (CPC title)

  • H04L9/0897 (primary): involving additional devices, e.g. trusted platform module [TPM], smartcard or USB (CPC title)

  • H04L9/083 (primary): involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] (CPC title)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11575508B2 cover?
Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed b…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L9/0897. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 7, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).