US2021111879A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021111879-A1 |
| Application number | US-201916597265-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 9, 2019 |
| Priority date | Oct 9, 2019 |
| Publication date | Apr 15, 2021 |
| Grant date | — |
Official abstract text for this publication.
Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and, periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Then, in response to an access request for the clear data, an attempt is made to locate in the cache a key decryption key for the encrypted cipher. If the attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text is decrypted to produce the clear data.
Opening claim text (preview).
We claim:
1. A method for key management for encrypted data, the method comprising: establishing a cache of key decryption keys in local memory of a host computing system and evicting ones of the decryption keys; creating in the local memory, a pool of key encryption keys and periodically removing from service a key encryption key, selected ones of the key encryption keys in the pool, a rate at which the selected ones of the key encryption keys are removed from service differing from a rate at which the selected ones of the key decryption keys are evicted from the cache; encrypting clear data in the local memory with a cipher to produce cipher text, encrypting the cipher with a selected one of the key encryption keys in the pool; subsequently receiving a request to access the encrypted data; and, responding to the request by: locating in the cache, a key decryption key corresponding to the encrypted cipher and if the key decryption key is unable to be located in the cache, retrieving the key decryption key from remote memory from over a computer communications network, decrypting the encrypted cipher with the located key decryption key, and decrypting the cipher text with the decrypted cipher to produce the clear data.
2. The method of claim 1, wherein the key encryption key and the key decryption key are identical.
3. The method of claim 2, wherein the cache and the pool are a unified structure and the key encryption key and the key decryption key are stored within the unified structure, the key encryption key being annotated to indicate whether the key encryption key is in active service for use as a key encryption key, or whether the key encryption key is to be used strictly as a key decryption key and is not in active service as a key encryption key.
4. The method of claim 1, wherein the cache and the pool are separate structures.
5. The method of claim 1, wherein the rate at which each one of the selected ones of the key encryption keys is removed from service depends upon a threshold number of bytes encrypted by each one of the selected ones of the key encryption keys such that each one of the selected ones of the key encryption keys is removed from service after having encrypted a number of bytes beyond the threshold number.
6. The method of claim 1, wherein the rate at which each one of the selected ones of the key encryption keys is removed from service depends upon a threshold number of uses such that each one of the selected ones of the key encryption keys is removed from service after having been used in an encryption operation beyond the threshold number.
7. The method of claim 1, wherein for each cipher to be encrypted one of the key encryption keys in the pool in active service is selected on a random basis for use in encrypting the cipher.
8. A key management data processing system for encrypted data, the system comprising: a computer with memory and at least one processor; and, an encryption module comprising computer program instructions executing in the memory of the computer and, during execution, performing: establishing a cache of key decryption keys in local memory of the computer and periodically evicting ones of the decryption keys; creating in the local memory, a pool of key encryption keys and periodically removing from service as a key encryption key, selected ones of the key encryption keys in the pool, a rate at which the selected ones of the key encryption keys are removed from service differing from a rate at which the selected ones of the key decryption keys are evicted from the cache; encrypting clear data in the local memory with a cipher to produce cipher text, encrypting the cipher with a selected one of the key encryption keys in the pool; subsequently receiving a request to access the encrypted data; and, responding to the request by: locating in the cache, a key decryption key corresponding to the encrypted cipher and if the key decryption key is unable to be located in the cache, retrieving the key decryption key from remote memory from over a computer communications network, decrypting the encrypted cipher with the located key decryption key, and decrypting the cipher text with the decrypted cipher to produce the clear data.
9. The system of claim 8, wherein the key encryption key and the key decryption key are identical.
10. The system of claim 9, wherein the cache and the pool are a unified structure and the key encryption key and the key decryption key are stored within the unified structure, the key encryption key being annotated to indicate whether the key encryption key is in active service for use as a key encryption key, or whether the key encryption key is to be used strictly as a key decryption key and is not in active service as a key encryption key.
11. The system of claim 8, wherein the cache and the pool are separate structures.
12. The system of claim 8, wherein the rate at which each one of the selected ones of the key encryption keys is removed from service depends upon a threshold number of bytes encrypted by each one of the selected ones of the key encryption keys such that each one of the selected ones of the key encryption keys is removed from service after having encrypted a number of bytes beyond the threshold number.
13. The system of claim 8, wherein the rate at which each one of the selected ones of the key encryption keys is removed from service depends upon a threshold number of uses such that each one of the selected ones of the key encryption keys is removed from service after having been used in an encryption operation beyond the threshold number.
14. A computer program product for key management for encrypted data, the computer program product including a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a device to cause the device to perform a method including: establishing a cache of key decryption keys in local memory of a host computing system and periodically evicting ones of the decryption keys; creating in the local memory, a pool of key encryption keys and periodically removing from service as a key encryption key, selected ones of the key encryption keys in the pool, a rate at which the selected ones of the key encryption keys are removed from service differing from a rate at which the selected ones of the key decryption keys are evicted from the cache; encrypting clear data in the local memory with a cipher to produce cipher text, encrypting the cipher with a selected one of the key encryption keys in the pool; subsequently receiving a request to access the encrypted data; and, responding to the request by: locating in the cache, a key decryption key corresponding to the encrypted cipher and if the key decryption key is unable to be located in the cache, retrieving the key decryption key from remote memory from over a computer communications network, decrypting the encrypted cipher with the located key decryption key, and decrypting the cipher text with the decrypted cipher to produce the clear data.
15. The computer program product of claim 14, wherein the key encryption key and the key decryption key are identical.
16. The computer program product of claim 15, wherein the cache and the pool are a unified structure and the key encryption key and the key decryption key are stored within the unified structure, the key encryption key being annotated to indicate whether the key encryption key is in active service for use as a key encryption key, or wheth
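The abstract and claims describe an envelope-encryption key hierarchy: a per-object data key (the patent's "cipher") wraps the data, a key encryption key (KEK) from a pool wraps the data key, KEKs are retired by a byte or use threshold (claims 5 and 6) and chosen at random while active (claim 7), and decryption keys sit in a cache whose eviction is independent of KEK retirement, with a remote fetch on a miss (claim 1). The following is an added example written for this page, not code from the patent or its assignee. It uses only the Python standard library; because the patent names no cipher, the data cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the example runs offline, and a production system should use an AEAD such as AES-GCM from a vetted library. Class and function names, the thresholds, the cache size and the sample record are all assumptions; the remote key store is a stand-in for the claim's "remote memory".

```python
"""Added example (not the patent's code): KEK pool with threshold retirement,
decryption-key LRU cache evicted by capacity, remote fetch on cache miss."""
import hashlib
import hmac
import os
import secrets
import struct
from collections import OrderedDict


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys so the two HMAC uses cannot collide.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (fresh 16-byte nonce)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):  # verify before decrypting
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RemoteKeyStore:
    """Stand-in for the claim's 'remote memory' (a KMS in practice); counts fetches."""
    def __init__(self):
        self._keys, self.fetches = {}, 0

    def put(self, kid: str, key: bytes) -> None:
        self._keys[kid] = key

    def get(self, kid: str) -> bytes:
        self.fetches += 1
        return self._keys[kid]


class KeyManager:
    def __init__(self, remote, pool_size=2, max_uses=3, max_bytes=1 << 20, cache_size=2):
        self.remote, self.cache_size = remote, cache_size
        self.max_uses, self.max_bytes = max_uses, max_bytes
        self.pool = {}               # kid -> {"key", "uses", "bytes"}: active KEKs only
        self.retired = set()         # kids that may decrypt but no longer wrap new DEKs
        self.cache = OrderedDict()   # LRU of decryption keys (KEK == KDK here, claim 2)
        for _ in range(pool_size):
            self._issue_kek()

    def _issue_kek(self) -> str:
        kid, key = secrets.token_hex(4), os.urandom(32)
        self.remote.put(kid, key)    # remote copy is what a cache miss falls back to
        self.pool[kid] = {"key": key, "uses": 0, "bytes": 0}
        return kid

    def encrypt(self, plaintext: bytes) -> dict:
        kid = secrets.choice(list(self.pool))      # random pick among active KEKs (claim 7)
        entry = self.pool[kid]
        dek = os.urandom(32)                       # the patent's per-object "cipher"
        ct, wrapped = seal(dek, plaintext), seal(entry["key"], dek)
        entry["uses"] += 1
        entry["bytes"] += len(dek)                 # bytes this KEK has encrypted (claim 5)
        if entry["uses"] >= self.max_uses or entry["bytes"] >= self.max_bytes:
            self.retired.add(kid)                  # retirement: decryption-only from now on
            del self.pool[kid]
            self._issue_kek()                      # keep the active pool at full size
        return {"kid": kid, "wrapped_dek": wrapped, "ct": ct}

    def _decryption_key(self, kid: str) -> bytes:
        if kid in self.cache:                      # cache hit: refresh LRU position
            self.cache.move_to_end(kid)
            return self.cache[kid]
        key = self.pool[kid]["key"] if kid in self.pool else self.remote.get(kid)
        self.cache[kid] = key
        if len(self.cache) > self.cache_size:      # eviction by capacity, not by KEK age
            self.cache.popitem(last=False)
        return key

    def decrypt(self, record: dict) -> bytes:
        dek = unseal(self._decryption_key(record["kid"]), record["wrapped_dek"])
        return unseal(dek, record["ct"])


def demo() -> dict:
    """Walk the claim's paths with one active KEK so key selection is deterministic."""
    remote = RemoteKeyStore()
    km = KeyManager(remote, pool_size=1, max_uses=2, cache_size=1)
    msg = b"constructed sample record: account=12345 balance=42"   # constructed input
    r1, r2, r3 = (km.encrypt(msg) for _ in range(3))   # r2 retires the first KEK
    out = {
        "first_kek_retired": r1["kid"] == r2["kid"] and r1["kid"] in km.retired,
        "rotated": r3["kid"] != r1["kid"],
        "old_ct_ok": km.decrypt(r1) == msg,      # miss on retired kid -> remote fetch
        "cache_hit_ok": km.decrypt(r2) == msg,   # same kid, served from cache
        "new_ct_ok": km.decrypt(r3) == msg,      # pool key; evicts the retired kid
        "fetches": (km.decrypt(r1) == msg) and remote.fetches,   # evicted -> fetch again
    }
    bad = bytearray(r1["ct"]); bad[20] ^= 1
    try:
        km.decrypt(dict(r1, ct=bytes(bad)))
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Two points the claims leave implicit but a deployment must get right: the record stores the KEK identifier next to the wrapped data key, otherwise a retired key cannot be found on the remote store once evicted; and the use and byte counters are updated on every wrap, since a KEK that is retired late by one operation has already exceeded the threshold the policy was meant to enforce.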
CPC classifications (titles):
for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
using key encryption key · CPC title
Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation · CPC title