Securing client-specified credentials at cryptographically attested resources
US-2015244716-A1 · Aug 27, 2015 · US
US9756022B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9756022-B2 |
| Application number | US-201414472540-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 29, 2014 |
| Priority date | Aug 29, 2014 |
| Publication date | Sep 5, 2017 |
| Grant date | Sep 5, 2017 |
Official abstract text for this publication.
Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is logged by a hardware security module which is monitored by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.
Opening claim text (preview).
What is claimed is:

1. A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising: processing a data item indicated by a content request to determine that the data item is associated with remote key management functionality; identifying audit log information associated with the content request, wherein the audit log information comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of: accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services; initiating a secure key request by a HSM interface engine to a hardware security module (HSM), wherein the secure key request comprises the audit log information; and determining whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the HSM interface engine located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.

2. The method of claim 1, wherein the secure key request directs the HSM to store the audit log information.

3. The method of claim 2, wherein the secure key request further directs the HSM to sign the audit log information with a secure key.

4. The method of claim 1, wherein the audit log information is included in a free form block of the secure key request to the HSM.

5. The method of claim 1, wherein the HSM is hosted by the collaborative cloud-based environment but the audit log information is inaccessible via the collaborative cloud-based environment.

6. The method of claim 1, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.

7. The method of claim 1, wherein the HSM is hosted by a managed services provider.

8. The method of claim 1, wherein the HSM provides access to the collaborative cloud-based environment and the collaborative cloud-based environment is distinct from a client enterprise that owns the HSM.

9. The method of claim 1, wherein the content request comprises an upload request and wherein the secure key request includes a request to encrypt an encrypted encryption key.

10. The method of claim 1, wherein the content request comprises an access request and wherein the secure key request includes a request to decrypt a twice encrypted encryption key.

11. A system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising: one or more processors; a memory unit having instructions stored thereon which, when executed by the one or more processors, causes the system to: process a data item indicated by a content request to determine that the data item is associated with remote key management functionality; identify audit log information associated with the content request, wherein the audit log information comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of: accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services; initiate a secure key request by a HSM interface engine to a hardware security module (HSM), wherein the secure key request comprises the audit log information; and determine whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the HSM interface engine located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.

12. The system of claim 11, wherein the secure key request directs the HSM to store the audit log information.

13. The system of claim 12, wherein the secure key request further directs the HSM to sign the audit log information with a secure key.

14. The system of claim 11, wherein the instructions, when executed by the one or more processors, further causes the system to: format the audit log information for a free form block of the secure key request to the HSM, wherein the audit log information is included in the free form block of the secure key request to the HSM.

15. The system of claim 11, wherein the HSM is hosted by the collaborative cloud-based environment but the audit log information is inaccessible via the collaborative cloud-based environment.

16. The system of claim 11, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.

17. The system of claim 11, wherein the HSM is hosted by a managed services provider.

18. The system of claim 11, wherein the HSM provides access to the collaborative cloud-based environment and the collaborative cloud-based environment is distinct from a client enterprise that owns the HSM.

19. The system of claim 11, wherein the content request comprises an upload request and wherein the secure key request includes a request to encrypt an encrypted encryption key.

20. The system of claim 11, wherein the content request comprises an access request and wherein the secure key request includes a request to decrypt a twice encrypted encryption key.

21. A system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising: a processor; a key service proxy device configured to initiate a secure key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, wherein the secure key request comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of: accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services; a reason engine configured to determine a reason code associated with the content request, wherein determining the reason code comprises directing the processor to identify a reason associated with the content request and responsively generate the reason code associated with the content request; a hardware security interface engine configured to format the secure key request according to a particular hardware security module (HSM); and the HSM configured to determine whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the key service proxy device located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.

22. The system of claim 21, wherein the reason code is included in a free form b
for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
using key encryption key · CPC title
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title
Providing cryptographic facilities or services · CPC title