US9621524B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9621524-B2 |
| Application number | US-201314107752-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 16, 2013 |
| Priority date | Dec 16, 2013 |
| Publication date | Apr 11, 2017 |
| Grant date | Apr 11, 2017 |
Official abstract text for this publication.
Cloud storage of sensitive data is improved by ensuring that all cloud-based data is encrypted at all times, not only when the data is at rest (i.e., stored), but also while data is being processed or communicated. Cryptographic keys can advantageously be managed via cloud based resources without exposing sensitive data. Instead, a key management system maintains cryptographic functions on administrative hosts and endpoints outside of cloud-based resources so that any vulnerabilities of the cloud-based resources will expose only encrypted data, and keys and sensitive data will never be exposed in unencrypted form. Thus sensitive data is protected end-to-end among hosts and endpoints using, e.g., platform independent cryptographic functions and libraries within a web browser or the like, and the cloud functions simply as a storing and forwarding medium for secure data.
Opening claim text (preview).
What is claimed is:

1. A method comprising: providing an administrator password for a host of an enterprise network; retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrator password; selecting an endpoint within the enterprise network; creating a rollout password for the endpoint; creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password; transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password; transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; and providing the rollout password to a user of the endpoint; and providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
2. The method of claim 1 wherein the administrator password is provided through a hardware security token.
3. The method of claim 2 wherein a strong administrator password is automatically generated and stored on the hardware security token.
4. The method of claim 1 further comprising selecting a plurality of endpoints, wherein the rollout password is shared among the plurality of endpoints.
5. The method of claim 1 further comprising creating a company key pair on the host, the company key pair including the company private key and a company public key, wherein the company private key is encrypted using the administrator password and wherein the company public key is signed with the company private key.
6. The method of claim 5 further comprising transmitting the company key pair from the host to the remote computing resource.
7. The method of claim 5 wherein the company key pair is a Rivest-Shamir-Adleman (RSA) key pair.
8. The method of claim 5 wherein the company key pair is a Diffie-Hellman key pair.
9. The method of claim 1 wherein the rollout password is for a plurality of endpoints.
10. The method of claim 1 further comprising retrieving the endpoint key pair from the remote computing resource to the endpoint with a call from the endpoint to the remote computing resource authenticated using the cryptographic hash of the rollout password.
11. The method of claim 10 further comprising decrypting the endpoint private key from the endpoint key pair using the rollout password.
12. The method of claim 1 further comprising retrieving the endpoint public key from the remote computing resource to the host using a call to the remote computing resource authenticated with a cryptographic hash of the administrator password.
13. The method of claim 12 further comprising creating a data encryption key for the endpoint, encrypting the data encryption key with the endpoint public key to provide an encrypted data key, and transmitting the encrypted data key to the remote computing resource with a call to the remote computing resource using a cryptographic hash of the administrator password.
14. The method of claim 13 wherein the data encryption key is a machine key for the endpoint.
15. The method of claim 14 further comprising retrieving the encrypted machine key from the remote computing resource to the endpoint using a call authenticated with a signature of the endpoint private key, decrypting the encrypted machine key with the endpoint private key to provide the machine key, and storing the machine key in a key store of the endpoint.
16. The method of claim 1 further comprising: creating a security policy for the endpoint; signing the security policy with the company private key to provide a signed policy; and transmitting the signed policy from the host to the remote computing resource using a call to the remote computing resource authenticated with a cryptographic hash of the administrator password.
17. The method of claim 16 further comprising: retrieving the signed policy from the remote computing resource to the endpoint with a call to the remote computing resource authenticated with a signature of the endpoint private key; validating the signed policy at the endpoint; and applying the security policy at the endpoint.
18. The method of claim 1 further comprising: generating a secure item at the endpoint; signing the secure item with the endpoint private key to provide a signed item; and transmitting the signed item from the endpoint to the remote computing resource using a call to the remote computing resource authenticated with a signature of the endpoint private key.
19. The method of claim 18 wherein the secure item is a confidential item.
20. The method of claim 18 wherein the secure item is a tamper-protected item.
21. The method of claim 18 further comprising: retrieving the endpoint public key from the remote computing resource to the host using a call to the remote computing resource authenticated with a cryptographic hash of the administrator password; and retrieving the signed item from the remote computing resource to the host using a call to the remote computing resource authenticated with the cryptographic hash of the administrator password.
22. The method of claim 18 further comprising validating the signature of the endpoint public key and a signature of the signed item at the host.
23. The method of claim 18 further comprising encrypting the secure item at the endpoint with the company public key.
24. The method of claim 23 further comprising decrypting the secure item at the host with the company private key.
25. The method of claim 18 wherein the secure item is a local key for the endpoint.
26. The method of claim 18 wherein the secure item is a status report for the endpoint.
27. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: providing an administrator password for a host of an enterprise network; retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with the administrator password; selecting an endpoint within the enterprise network; creating a rollout password for the endpoint; creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company private key and a private endpoint key encrypted with the rollout password; transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of the administrator password; transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic hash of the administrator password; providing the rollout password to a user of the
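The endpoint rollout of claims 1, 10 and 11, as an added Go sketch that is not the patent's own code: the host generates an endpoint key pair, signs its public half with the company private key, encrypts its private half with the rollout password, and gives the cloud only a hash of that password; the endpoint then authenticates to the cloud with that hash, checks the company signature and decrypts its private key locally. Ed25519 for both key pairs, SHA-256 as the password hash and AES-GCM keyed from the password are assumptions made here for illustration; the claims name RSA or Diffie-Hellman only as options for the company pair and do not specify the password-based encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Cloud is the "remote computing resource": only a signed public key, an encrypted private key and a password hash.
type Cloud struct {
	pub, pubSig, encPriv []byte
	rolloutHash          [32]byte
}

// gcm is AES-GCM keyed with SHA-256(password): a constructed stand-in for the unspecified password encryption.
func gcm(password string) cipher.AEAD {
	k := sha256.Sum256([]byte(password)) // a deployment would use a real KDF (e.g. PBKDF2) here
	b, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(b)
	return g
}

// Rollout is claim 1 on the host: company-signed endpoint public key, rollout-password-encrypted private key.
func Rollout(company ed25519.PrivateKey, rollout string) (*Cloud, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	g := gcm(rollout)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	enc := g.Seal(nonce, nonce, priv, nil)
	return &Cloud{pub, ed25519.Sign(company, pub), enc, sha256.Sum256([]byte(rollout))}, nil
}

// Enroll is claims 10 and 11 on the endpoint: hash-authenticated fetch, signature check, local decryption.
func Enroll(c *Cloud, companyPub ed25519.PublicKey, rollout string) (ed25519.PrivateKey, error) {
	if sha256.Sum256([]byte(rollout)) != c.rolloutHash {
		return nil, errors.New("cloud rejected call: rollout password hash mismatch")
	}
	if !ed25519.Verify(companyPub, c.pub, c.pubSig) {
		return nil, errors.New("endpoint public key is not signed by the company key")
	}
	g := gcm(rollout) // the password itself never leaves the endpoint
	return g.Open(nil, c.encPriv[:g.NonceSize()], c.encPriv[g.NonceSize():], nil)
}
```

Everything the Cloud value holds is either a public value, a ciphertext or a hash, which is the property the abstract relies on when it treats the cloud as a store-and-forward medium.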
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title