US20210185026A1 - System and method for hierarchy manipulation in an encryption key management system - Google Patents
System and method for hierarchy manipulation in an encryption key management system Download PDFInfo
- Publication number
- US20210185026A1 US20210185026A1 US17/162,714 US202117162714A US2021185026A1 US 20210185026 A1 US20210185026 A1 US 20210185026A1 US 202117162714 A US202117162714 A US 202117162714A US 2021185026 A1 US2021185026 A1 US 2021185026A1
- Authority
- US
- United States
- Prior art keywords
- key
- policies
- policy
- node
- encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 title claims description 53
- 230000004044 response Effects 0.000 claims description 31
- 238000007726 management method Methods 0.000 description 246
- 238000004891 communication Methods 0.000 description 181
- 230000006854 communication Effects 0.000 description 181
- 230000008569 process Effects 0.000 description 38
- 230000001413 cellular effect Effects 0.000 description 23
- 230000000875 corresponding effect Effects 0.000 description 20
- 238000010586 diagram Methods 0.000 description 20
- 238000007689 inspection Methods 0.000 description 19
- 230000008520 organization Effects 0.000 description 19
- 230000009471 action Effects 0.000 description 13
- 230000006870 function Effects 0.000 description 10
- 230000000694 effects Effects 0.000 description 8
- 230000005540 biological transmission Effects 0.000 description 6
- 230000008859 change Effects 0.000 description 6
- 239000002131 composite material Substances 0.000 description 6
- 239000003795 chemical substances by application Substances 0.000 description 5
- 238000012545 processing Methods 0.000 description 5
- 238000004422 calculation algorithm Methods 0.000 description 4
- 238000012217 deletion Methods 0.000 description 4
- 230000037430 deletion Effects 0.000 description 4
- 230000010354 integration Effects 0.000 description 4
- 238000004590 computer program Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000000977 initiatory effect Effects 0.000 description 3
- 238000010295 mobile communication Methods 0.000 description 3
- 239000010453 quartz Substances 0.000 description 3
- VYPSYNLAJGMNEJ-UHFFFAOYSA-N silicon dioxide Inorganic materials O=[Si]=O VYPSYNLAJGMNEJ-UHFFFAOYSA-N 0.000 description 3
- 238000013475 authorization Methods 0.000 description 2
- 238000011156 evaluation Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000007935 neutral effect Effects 0.000 description 2
- 238000011084 recovery Methods 0.000 description 2
- 238000013519 translation Methods 0.000 description 2
- 230000014616 translation Effects 0.000 description 2
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 description 1
- 241000282672 Ateles sp. Species 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000015556 catabolic process Effects 0.000 description 1
- 230000010267 cellular communication Effects 0.000 description 1
- 230000008867 communication pathway Effects 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 230000001276 controlling effect Effects 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000013499 data model Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 230000001105 regulatory effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- 239000011800 void material Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/12—Replacement control
- G06F12/121—Replacement control using replacement algorithms
- G06F12/128—Replacement control using replacement algorithms adapted to multidimensional cache systems, e.g. set-associative, multicache, multiset or multilevel
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1408—Protection against unauthorised use of memory or access to memory by using cryptography
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2212/00—Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
- G06F2212/10—Providing a specific technical effect
- G06F2212/1052—Security improvement
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2212/00—Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
- G06F2212/62—Details of cache specific to multiprocessor cache arrangements
- G06F2212/621—Coherency control relating to peripheral accessing, e.g. from DMA or I/O device
Abstract
Description
- This application is a Continuation of application Ser. No. 15/439,873, filed Feb. 22, 2017, which claims priority Provisional Application No. 62/300,717, titled System And Method For Hierarchy Manipulation In An Encryption Key Management System, filed Feb. 26, 2016, and is incorporated herein by reference in its entirety. The present disclosure relates to U.S. patent application Ser. No. 14/506,346, titled System And Method For Encryption Key Management Federation And Distribution, and filed Oct. 3, 2014, which is incorporated herein by reference in its entirety. The present disclosure also relates to U.S. provisional patent application Ser. No. 62/132,372, titled KO Hierarchy For Key Orchestration System And Process, and filed Mar. 12, 2015, which is incorporated herein by reference in its entirety.
- In security systems, an encryption key refers to a parameter or data that dictates how plain data may be translated into encrypted data during an encryption process and encrypted data into plain data during a decryption process. Typically, the encryption key is made available both of a source device (e.g., a transmitting device) and a target device (e.g., a receiving device) in a communication transaction. Given that encryption keys are so widely used, effective management of the encryption keys (as well as other security objects) to defend and respond to threats against the security systems is of paramount importance.
- Traditionally, encryption key management is initiated and executed at the device level (e.g., by the source device and/or the target device that are involved in the communication transaction). Communication management, on the other hand, is traditionally centrally managed at a higher level (e.g., by a server for the source device and target device). The end result may be that the encryption management is procedurally unsynchronized with communications management. Thus, loose controls of encryption keys, as demonstrated in current public key infrastructure (PKI) instances, may result. In addition, loose controls of symmetric keys generated and distributed in an enterprise may also occur. Accordingly, an end result may be a breakdown in communication management or communication security. Similar problems confront other types of encryption objects.
- In addition, because people, processes, devices, and technologies in an organization may realign from time to time (in some cases, rapidly or constantly), encryption key management associated with those changing entities and devices within the organization should also be realigned and updated accordingly so that security is maintained throughout the system, despite realignments and other changes in the organization.
- Examples described herein relate to manipulation of a structure of a policy hierarchy, while reformulating policies associated with the manipulated nodes of the hierarchy. In some examples, a node may be created, moved, and/or deleted, and the policies associated with the manipulated node (and other nodes effected by the manipulation of the node) may be reformulated, based on the new position of the node or other nodes in the hierarchy. In some examples, nodes indirectly effected by the hierarchy manipulation may be moved within the hierarchy as a result.
-
FIG. 1 is a schematic block diagram illustrating an example of a general encryption key orchestration system according to various examples. -
FIG. 2 is a schematic block diagram illustrating an example of an encryption key orchestration system according to various examples. -
FIG. 2A is a schematic block diagram illustrating an example of an encryption key orchestration system according to various examples. -
FIG. 3 is a schematic block diagram illustrating an example of an encryption key federation system as implemented in various examples. -
FIG. 4 is a schematic block diagram illustrating an example of a communication device consuming key orchestration services according to some examples. -
FIG. 5 is a process flow diagram illustrating an example of a request authentication process for issuing requests and receiving encryption keys according to some examples. -
FIG. 6 is a process flow diagram illustrating an example of a communication device registration process implemented in various key orchestration systems according to various examples. -
FIG. 7 is a process flow diagram illustrating an example of a key management and distribution process according to various examples. -
FIG. 8 is a process flow diagram illustrating an example of a key federation process according to various examples. -
FIG. 9 is a process flow diagram illustrating an example of an encryption key management and distribution process according to various examples. -
FIG. 10 is a diagram illustrating an example of a policy hierarchy according to some examples. -
FIG. 11 is a diagram illustrating examples of groups according to some examples. -
FIG. 12 is a table illustrating examples of policies having complex logical operations according to some examples. -
FIGS. 13A, 13B, and 13C illustrate an example of a policy hierarchy undergoing nodal manipulation. - In the following description of various examples, reference is made to the accompanying drawings which form a part hereof and in which are shown by way of illustration specific examples in which the examples may be practiced. It is to be understood that other examples may be utilized, and structural changes may be made without departing from the scope of the various examples disclosed in the present disclosure.
- Examples described herein generally relate to security object orchestration. The security object orchestration may include management, distribution, and federation of the security object. Security objects may include encryption keys and other sensitive objects (such as, but not limited to, user identity information, certificates, biometric data, random number generator data, determinate random number generator data, non-determinate random number generator data, user authentication information, policy components, other components associated with organization security component, and/or the like). In the present disclosure, encryption key-based orchestration is described in various examples as examples of the security object orchestration systems and methods. It should be appreciated that the orchestration systems and methods are likewise applicable to other security objects, including those described above.
- As used herein, “key orchestration” may refer to a combination of key management, key federation, and key distribution activities in one or more enterprises. For example, examples described may be associated with the orchestration of encryption key information correlated with utilizing encryption in the one or more enterprises. “Enterprise key management” may include managing and/or overseeing the multiple uses of asymmetric and symmetric keys required for encrypting data, signing emails, authenticating web services, and/or other potential uses. This may also include encryption management for communications systems to include radio, cellular, satellite and internet protocol based communications. “Enterprise key federation” may include coordinating and negotiating the federation of key information to a plurality of disparate key orchestration platforms (each associated with disparate federating organizations) based on established trust between the federating organizations (e.g., the enterprises). “Key distribution” may refer to a centralized distribution (e.g., pushing or forwarding) of key material to support encryption operations within a local enterprise and/or a foreign enterprise. In particular, key distribution may be concerned with assigning or otherwise transmitting the appropriate encryption keys to an appropriately associated device (e.g., the communication device, which may either be a source device or a target device).
- Examples of key orchestration (e.g., a key orchestration device such as a management request handler coupled to a request handler and various supporting databases) may provide control of encryption key management, federation, and distribution through a centralized user interface. Such key orchestration devices may provide centralized systems and/or methods of managing encryption keys associated with communications, infrastructure, and applications. Such key orchestration devices may also manage device enrollment, monitor device health related to encryption capabilities, and monitor status for key orchestration activities. Such capabilities may allow robust transaction reporting to support audit activities associated with communications, application, and infrastructure management.
- Key orchestration may be leveraged for additional systems other than the communication systems. Other implementations of key orchestration may include application encryption management, virtualization encryption management, storage encryption management, and/or user identity encryption management. In short, if applications, communications, or infrastructures require use of encryption (or other types of security mechanisms using security objects) and keys (or security objects), orchestration may be applied to provide advantages as described. Communication systems may include, but are not limited to, radio communications, cellular communications, transmission control protocol/internet protocol (TCP/IP) based communications, satellite communications equipment, and the like. Application systems may include, but are not limited to voice-over-internet protocol VOIP applications, virtualization, identification and authentication, messaging, local storage. Infrastructure systems may include, but are not limited to storage solutions, physical security infrastructure, and medical equipment.
- In particular examples, a key orchestration device may enable encryption key lifecycle activities across multiple types of communication devices in a centralized manner. The key orchestration device may leverage industry standards for key management for interoperability with existing systems and may use, for example, protocols for applied key management as a part of key orchestration. A distinction between applied key orchestration and key management alone may be demonstrated in encryption key management and key distribution for communication systems. Given the requirement to make new encryption connections before breaking existing connections, typical communication systems cannot utilize rekey commands as it would break communications before management steps are taken to establish new lines of communications. However, rekey commands may work for infrastructure—to include storage, applications and virtualization solutions—where services can be reestablished without loss of centralized control of the managed capability.
- The system architecture of key orchestration can be configured to allow for use of a standard-based approach for supported systems such as key management interoperability protocol (KMIP), for example, but also the capability to develop support interfaces for non-standardized systems such as physical security infrastructure, virtualization applications, satellite communications systems, and medical equipment. This may be accomplished by architecturally separating message handling from support interfaces. Using a purely KMIP example, a storage device may receive a “rekey” command, a communication equipment may receive “put-and-notify” commands, and cellular devices may request queued “notify” commands informing the cellular devices to send “get messages” to the key orchestration device to be relayed to key management and generation system components. Example systems implementing such features are discussed below.
- Examples described herein may include a key orchestration device to implement centralized, top-down enterprise encryption key management encryption keys (e.g., such as, but not limited to symmetric key encryption, asymmetric key encryption, and the like) as well as other security objects used in security systems. Such centralized, top-down control of encryption may be for a given enterprise. Examples may include implementing coordinated KMIP on enterprise key management, communications systems, applications, and infrastructure for encryption key lifecycle functions implementing at least one of: device registration, user registration, system and user initialization, key material installation, key establishment, key registration, operational use, key storage, key distribution, key update, key recovery, key de-registration, key destruction, key revocation, and the like.
- As referred to herein, a “key attribute” (attribute, encryption attribute, and/or the like) associated with an encryption key may refer to a characteristic associated with the encryption key, cryptographic or security characteristics of the encryption key, the cryptographic algorithms of the encryption key, a device generating/transmitting/receiving the encryption key, a user of the device, and/or the like. Each encryption key may be associated with at least one key attribute. The encryption key may be transmitted and/or received with its associated key attributes represented in data values.
- As referred to herein, a “policy” may be a rule managing an encryption key based on key attribute(s) associated with that encryption key. In particular examples, a policy may dictate whether the particular encryption key is an acceptable encryption key. Such acceptability may be based on the security and cryptographic considerations as to whether the encryption key (e.g., as shown from the key attributes associated with the encryption key) may be secure enough. In other words, the encryption key generated for a particular communication transaction may be presented for inspection by the policy to be evaluated as to whether the encryption key is to be allowed or denied for that communication transaction.
- Some examples include an interface for key orchestration for mobile communication devices (e.g., a wireless device, and/or the like), or provide an interface for key orchestration for radio/satellite communications systems to include telemetry and payload in satellite communications. Particular implementations of the examples may include interfaces for banking applications such as, but not limited to, automated teller machines (ATMs), bank account interfaces, and the like. The interfaces for banking applications may be implemented on any mobile or non-mobile devices. Examples may provide an interface for key orchestration for applications that include virtualization or providing an interface for key orchestration for network infrastructure to include routers, switches, virtual private network (VPN) appliances, firewalls, intrusion detection systems (IDSs), intrusion prevention system (IPSs), tokenizers, and/or the like.
- For example, a centralized encryption management may be provided for symmetric encryption keys or asymmetric encryption keys, in both private and/or public contexts. In some examples, existing network infrastructure information may be consumed to distribute encryption keys based on active/inactive status of network infrastructure or distributing and managing encryption keys for network infrastructure based on equipment that can readily accept encryption keys (e.g., existing hardware/software may be installed on the equipment for accepting encryption keys).
- Examples may queue encryption key transaction information for communication devices not available at the point of a given encryption management operation (e.g., in a push-key event). In addition, examples described herein may centrally display encryption key lifecycle information (for supported infrastructure) and successful encryption key management transactions. In addition to or as an alternative, failure message and/or a cause of unsuccessful encryption key management transactions may be displayed.
- In some examples, a service interface for a communication device to acquire new asymmetric keys on a timed basis may be provided. In addition, a service interface for a communication device to acquire new symmetric keys on a timed basis may be provided. In some examples, a service interface for a communication device to acquire new asymmetric keys on user initiated basis may be provided. In various examples, a service interface for a communication device to acquire new symmetric keys on a user initiated basis may be provided. Also, federated distribution of encryption keys based on established trust based key exchange between two or more key management and orchestration devices may be provided as described.
- In some examples, distributing federated symmetric key to local enterprise infrastructure based on configurations for federated symmetric key distribution may be provided. In various examples, distributing federated asymmetric key to local enterprise infrastructure based on configurations for federated asymmetric key distribution may be provided. In addition, implementing federated trust model by using multiple devices and split key distribution may be provided to establish trust between two untrusted entities that need to communicate securely.
- The key orchestration device (e.g., the management request handler and associated components) may include sub-modules including a business logic module, authentication and authorization module, policy enforcement module, system consistency/validation module, and/or the like for performing functions described herein.
-
FIG. 1 is a schematic diagram of an example of a general encryption key orchestration system 100 as implemented in various examples. In various examples, akey orchestration device 110 may be coupled to at least onesource device 150 a and at least onetarget device 150 b. Thekey orchestration device 110 may comprise at least one desktop computer, mainframe computer, laptop computer, pad device, smart phone device or the like, configured with hardware and software to perform operations described herein. For example, thekey orchestration device 110 may comprise computation systems having suitable processing capabilities, memory, user interface (e.g., display and input) capabilities, and communication capabilities configured with suitable software to perform operations described herein. Thus, particular examples may be implemented, using processor devices that are often already present in many business and organization environments, by configuring such devices with suitable software processes described herein. Accordingly, such examples may be implemented with minimal additional hardware costs. However, other examples of thekey orchestration device 110 may relate to systems and processes that are implemented with dedicated device hardware/devices specifically configured for performing operations described herein. - Generally, the
source device 150 a may be a communication device transmitting data (or initiating communication) for which encryption (and therefore an encryption key) may be required or preferred. Thetarget device 150 b may be a communication device for receiving data that may have been encrypted (e.g., with an encryption key). According to various examples, thesource device 150 a and/or thetarget device 150 b may be an ATM. Thesource device 150 a and/or thetarget device 150 b may also be any server or device for storing bank account information and executing banking functions. In particular examples, each of thesource device 150 a and thetarget device 150 b may include a mobile smart phone (such as, but not limited to an iPhone™, an Android™ phone, or the like) or other wireless mobile communication devices with suitable processing and encryption capabilities. Typical modern mobile communication devices include telephone communication electronics as well as some processor electronics, one or more display devices and a keypad and/or other user input device. In further examples, each of thesource device 150 a and thetarget device 150 b may comprise any suitable type of mobile phone and/or other type of portable electronic communication device, such as, but not limited to, an electronic smart pad device (such as, but not limited to an iPad′), a portable computer, or the like. It should be noted that an encryption key may originate from thesource device 150 a or thetarget device 150 b, and/or both. In other words, either of thesource device 150 a or thetarget device 150 b may be akey source 170. Thesource device 150 a and thetarget device 150 b may be associated with a same enterprise or separate enterprises. In other examples, one or both of thesource device 150 a and thetarget device 150 b may be a wired device suitable for communication with a wired or wireless device. - In some examples, the
key orchestration device 110 may be a part of the enterprise associated with thesource device 150 a andtarget device 150 b. An enterprise may be an organization or security unit having dominance over at least onesource device 150 a and/ortarget device 150 b. With respect to communication between thesource device 150 a and thetarget device 150 b associated with disparate enterprises, thesource device 150 a may be associated with a first enterprise and thetarget device 150 b may be associated with a second disparate enterprise. An enterprise may be a company, subgroup within a company, autonomous and independent entity, a communication group, security provider, various entities, organizations, and/or the like. Eachkey orchestration device 110 may perform key orchestration activities for a plurality of devices such as thesource device 150 a and thetarget devices 150 b, establishing a hierarchical model for key orchestration. - In other examples, the
key orchestration device 110 may be a third party server coupled to the enterprise associated with thesource device 150 a and/ortarget device 150 b. Thus, various examples may affect centralization of encryption key orchestration with existing communication systems and protocols of the enterprise. In other words, thekey orchestration device 110 may be implemented to cooperate with the existing encryption technology for communications, applications, and infrastructure. Key orchestration (e.g., by a third party or otherwise) may interact with both the sources and targets of key information (e.g., the encryption key and the associated key attributes 160). Accordingly, a top-down control of key orchestration may be achieved, while maintaining a request model in which thesource device 150 a and thetarget device 150 b may request key information. - In some examples, a
key source 170 may be coupled to thekey orchestration device 110. Thekey source 170 may be any source by which an encryption key (or any other types of security objects) may be generated. In some examples, thekey source 170 may be a part of the key orchestration device 110 (e.g., a module or database within thekey orchestration device 110 or coupled to the key orchestration device 110). In other examples, thekey source 170 may be a source external to thekey orchestration device 110. Thekey source 170 may include thesource device 150 a and/or thetarget device 150 b, one or more of which may be capable of generating encryption keys for the communication therebetween. Alternatively or additionally, thekey source 170 may be a key-generating device (other than thesource device 150 a and thetarget device 150 b) internal or external to the same enterprise as thesource device 150 a and/or thetarget device 150 b. In these cases, thekey source 170 may be an existing specialized key generating device implemented separately from the key orchestration device 110 (e.g., the key generation andmanagement device 230 ofFIG. 2 ). Other examples of thekey source 170 may include amanagement user interface 220 ofFIG. 2 (e.g., encryption keys may be generated manually through the management user interface 220), akey federation interface 260 ofFIG. 2 (e.g., encryption keys generated from a disparate enterprise), various databases storing generated encryption keys, and/or the like. - In various examples, a
request 175 may be sent to thekey orchestration device 110. Therequest 175 may be a request to generate an encryption key. For example, thekey orchestration device 110 may itself generate (or retrieve from a database coupled to the key orchestration device 110) encryption keys in response to therequest 175. In other examples, thekey orchestration device 110 may request an encryption key from other devices (e.g., the key source 170) within the same or a disparate enterprise. - The
request 175 may originate from thesource device 150 a, thetarget device 150 b, the key orchestration device itself 110, a third-party device within the same enterprise (e.g., themanagement user interface 220, thekey management interface 240, and the like), a third-party device in a disparate enterprise (e.g., from thekey federation interface 260 ofFIG. 2 ), and/or the like. Examples of thekey orchestration device 110 may therefore serve as an intermediary device between thesource device 150 a, thetarget device 150 b, the requesting device (which issues the request 175), thekey source 170, and/or the like. Accordingly, key management, distribution, and federation may effectively be managed for various devices in a same or disparate enterprise. - Various components within the general encryption key orchestration system 100 (e.g., the
key orchestration device 110, thesource device 150 a, thetarget device 150 b, the key orchestration device itself 110, the device that issues therequest 175, thekey source 170, and/or the like) may be connected via any suitable wired or wireless network. The network may be secured or unsecured. For example, the network may be a wide area communication network, such as, but not limited to, the internet, or one or more intranets, local area networks (LANs), ethernet networks, metropolitan area networks (MANs), a wide area network (WAN), combinations thereof, or the like. In particular examples, the network may represent one or more secure networks configured with suitable security features, such as, but not limited to firewalls, encryption, or other software or hardware configurations that inhibits access to network communications by unauthorized personnel or entities. - In some examples, key attributes 160 may refer generally to characteristics associated with the encryption key itself, characteristics of a device associated with the encryption key, and/or the like. In other words, the key attributes 160 may refer to when, where, how, for what, with what device the encryption key has been or is about to be generated. Examples of the key attributes 160 may include, but not limited to, encryption key size, a classification of the encryption key, a time at which the encryption key has been or about to be generated (e.g., by the key source 170), a location in which the encryption key has been or about to be generated (e.g., by the key source 170), a role associated with the
key source 170, a role associated with thesource device 150 a, a role associated with thetarget device 150 b, a role associated with a key generating/storage device, a role associated with a user of thesource device 150 a, thetarget device 150 b, the key generating/storage device, thesource 170, a combination thereof, and/or the like. - In some examples, the key attributes 160 may include the key size. Typically, the larger the key size (i.e., the longer the encryption key), the more security it may provide for the communication. The key attributes 160 may also include the classification of the encryption key. In various examples, the classification of the encryption key may refer to its utilization e.g., what the encryption key may be used for. Examples of the utilization may include (e.g., for communication systems) whether an encryption key is a global hopping key, whether the encryption key is a secret key, whether the encryption key is symmetrical or asymmetrical, a combination thereof, and/or the like.
- In some examples, the key attributes 160 may include a time and/or location at which the encryption key has been or about to be generated. As described, the time and/or location at which the encryption key may be generated may be defined from the perspective of the
source device 150 a, thetarget device 150 b, and/or any otherkey sources 170. For example, when an encryption key is generated (and/or sent, received), a corresponding time of the device (e.g., the key sources 170) generating (and/or sending, receiving) the encryption key may be determined. The encryption key may be transmitted/stored with a time stamp representing the time. Similarly, when an encryption key is generated (and/or sent, received), a corresponding geo-location of the device (e.g., the key sources 170) generating (and/or sending, receiving) the encryption key may be determined. The encryption key may be transmitted/stored with the geo-location. - In various examples, the key attributes 160 may include role(s) associated the
source device 150 a, thetarget device 150 b, thekey source 170, the other key generating/storage device, as well as their associated user. Particularly, a role may refer to a group/classification (e.g., based on predefined assignment, time, geo-location of the device, whether the device is generating encryption keys, whether the device is transmitting the encryption key, whether the device is receiving the encryption keys, and/or the like) in which the device/user is assigned to, a level of security clearance, the type of the device/user, a combination thereof, and/or the like. In particular examples, each device/user may be associated with at least a security group (e.g., assigned to a server). Within each security group, subgroups may exist to further subdivide the devices/users. The groups/subgroups may be predetermined by any suitable personnel. In other or further examples, the groups/subgroups may be defined when the encryption key is generated (e.g., based on current characteristics of the device such as geo-location, time of the day, and/or the like). - It should be appreciated by one of ordinary skill in the art that one or more
key attributes 160 may be associated with a given encryption key. In fact, as implemented in various examples, an encryption key may be associated with a plurality of key attributes 160. The encryption key may be transmitted along with the associated key attributes 160 to a device (e.g., the key orchestration device 110). The encryption key and the key attributes 160 associated with the encryption key may be inspected according to at least one policy related to the key attributes 160. Such process may be referred to as “shooting” the key attributes 160 against the relevant policies or “presenting” the key attributes 160 for “inspection” by the policy. - The encryption keys may generally be managed by a set of
policies 115. As implemented in various examples, a policy may refer to at least one defined rules governing the criteria for the key attributes 160. In some examples, a policy engine (e.g., as embedded in thekey orchestration device 110 and/or other devices as described herein) may receive the encryption key and the key attributes 160 associated with the encryption key as input. The policy engine may output a response as to whether the encryption key may be allowable based on the key attributes 160. In particular examples, the policy engine may output a binary response (e.g., accepted or denied). - The encryption key and the associated key attributes 160 may be presented for inspection one or more times per communication transaction. In some examples, the encryption key and the associated key attributes 160 may only be required to be presented for inspection by
policy 115 once per communication transaction (e.g., at the initiation stage before the communication transaction has taken place but after the encryption key has been generated). In other or further examples, the encryption key and the associated key attributes 160 may be required to be presented for inspection by thepolicies 115 periodically and/or every time the encryption key has been altered for a given communication transaction. In some case several encryption keys may be presented for inspection by thepolicies 115 for a given communication transaction. - The policy engine may identify the key attributes 160 received. The policy engine may retrieve
relevant policy 115 from a local or remote storage database. In other examples, the policy engine may inspect particular key attributes 160 (or sometimes all key attributes 160) associated with the encryption key as the policy engine determines acceptability based on the predefined set ofpolicies 115. For example, the policy engine may determine, based on therelevant policy 115, whether the encryption key should be accepted for the communication transaction for which the encryption key may be generated. - In one non-limiting example, the
policies 115 may dictate that a size of the encryption key must be within a predetermined range (e.g., the size of the encryption key must exceed and/or be below 128 bits, 192 bits, 256 bits, and/or the like). In some cases, thepolicy 115 may dictate that the size of the encryption keys must be a particular key size (e.g., 256-bit, and/or the like). - The
policies 115 may require that the geo-location attribute of the key attributes 160 to be associated with (or not associated with) a predetermined location and/or within (or not within) a predetermined area. For example, when the geo-location attribute of the encryption key (e.g., as defined by the geo-location of the generating, transmitting, and/or receiving device of the encryption key) is associated with a “danger” zone, the policy engine may deny the encryption key. This is because there may be a high likelihood that the encryption key may be compromised in the danger zone. On the other hand, when the geo-location attribute of the encryption key is associated with a “safe” zone, then the encryption key may be allowed for the communication transaction. This is because there may be at most a low likelihood of comprised security keys. In further examples, a “neutral” zone may be a safe zone, or, in the alternative, a zone associated with an intermediate likelihood of comprised security keys. - In another non-limiting example, the
policies 115 may require the time attribute of the key attributes 160 to be within (or not within) a predetermined time period. Thepolicy 115 may deny the encryption key on the basis that the time attribute (e.g., a time stamp) associated with the creation, transmission, and/or reception of the encryption key may be outside of a predetermined time period (for example, at 3:00 am, where acceptable creation, transmission, and/or reception time of the encryption key may be between 9:00 am-5:00 pm). - In various examples, the
policies 115 may allow the encryption key, when the role attribute of the key attributes 160 is associated with the encryption key generating/transmitting/receiving device (and the device's associated user) is within a predetermined accepted group. In some examples, thesource device 150 a (thetarget device 150 b or other source devices 170) associated with a first security group within an enterprise may generate an encryption key and present the encryption key for inspection by thepolicy 115. The policy engine may determine whether the first security group may be a part of the accepted group. When the policy engine determined that thesource device 150 a (thetarget device 150 b or other source devices 170) is a part of the accepted group (e.g., the first security group falls within the accepted group), the encryption key may be allowed for the communication transaction for which the encryption has been created for. - It should be appreciated by one of ordinary skill in the art that a plurality of
policies 115 may act in concert for a comprehensive encryption key management scheme. This means that, the plurality ofpolicies 115, each of which may regulate at least one disparatekey attribute 160, may be aggregated into a set ofpolicies 115 for regulating encryption keys presented to the policy engine. - In other examples, other key sources 170 (e.g., other than the
source device 150 a and thetarget device 150 b) may generate an encryption key to be distributed (or pushed) to thesource device 150 a and/or thetarget device 150 b for a communication transaction between those devices. The policy engine (e.g., the key orchestration device 110) may inspect the key attributes 160 to determine whether the encryption key is allowable. In response to the encryption key being determined to be allowable, thekey orchestration device 110 may determine to distribute the encryption key to thesource device 150 a and/or thetarget device 150 b for the communication transaction. - In various examples, when the policy engine denies the encryption key, the policy engine may transmit a rejection indicator (e.g., a “denied” message) to the
key source 170. The key generating device may redesign a second encryption key to be presented (along with the key attributes 160 associated with the second encryption key) to the policy engine for a second round of inspection. In other examples, when the policy engine denies the encryption key, the policy engine may transmit a “denied” message to thekey source 170 along with a cause of failure (e.g., a hint) as to which thekey attribute 160 caused the denial and/or what it should be. - For example, an encryption key with
key attributes 160 including a time attribute of 4:49 am, geo-location attribute of “safe zone,” and role attribute of “security group A” may be presented to a set ofpolicies 115. The policy engine may allow the encryption key when the encryption key is generated between 5:00 a.m.-9:00 p.m., in either a “safe zone” or a “neutral zone,” and for security groups A-C. Such encryption key may be denied, given that it is not generated between 5:00 a.m.-9:00 p.m. The policy engine may transmit the “denied” message along with a time attribute hint (e.g., to generate the encryption key after 5:00 a.m., in 11 minutes). - Accordingly, the
key orchestration device 110 may be configured to manage encryption keys and distribute the encryption keys. In other words, thekey orchestration device 110 may serve as an intermediary between thesource devices 150 a, thetarget devices 150 b, otherkey sources 170, and/or the like as these devices themselves may lack the capability to distribute and manage encryptions in the manner set forth with respect to thekey orchestration device 110. Thekey orchestration device 110 may include a plurality of modules (or may be coupled to remote modules) for each feature as described herein. In addition, the general encryption key orchestration system 100 may be coupled with at least one other similar general encryption key orchestration system 100 to make up the encryption key federation scheme as described herein. -
FIG. 2 is schematic diagram illustrating an example of an encryptionkey orchestration system 200 according to various examples. In some examples, the encryptionkey orchestration system 200 may illustrate a particularized implementation of the general encryption key orchestration system 100. From an architectural perspective, examples as illustrated for the encryptionkey orchestration system 200 may be centered around message handling and interoperability with key generation technology, other key orchestration devices, supported communications systems, applications, and infrastructure. - The
key orchestration device 110 may include at least amanagement request handler 205, arequest handler 210, asupport structure 215, akey federation interface 260, as well as the associated databases (e.g., a localkey database 270,transactions database 275,policy database 280,local user repository 285,configuration database 290, device inventory database 295). - In various examples, the
management request handler 205 may include (or is) the policy engine that may be implemented for policy-based encryption key management, distribution, and federation. As themanagement request handler 205 can be an intermediary layer between the various components described, rapid integration of the policy-based encryption key management, distribution, and federation may be added to an existing system without having to make changes to the system level message handling. Themanagement request handler 205 may provide a top-down management for various communication devices (e.g., acellular device 250 a, anetwork device 250 b, . . . , adevice N 250 n, and/or the like) associated with a given enterprise. In various examples, each of thecellular device 250 a, thenetwork device 250 b, . . . , and thedevice N 250 n may be thesource device 150 a or thetarget device 150 b depending on the particular communication transaction for which the encryption key is generated. - The
management request handler 205 and therequest handler 210 may be of an agent-interface relationship. That is, therequest handler 210 may serve as the interface between themanagement request handler 205 and the various communication devices associated with the enterprise (e.g., thecellular device 250 a, thenetwork device 250 b, . . . , thedevice N 250 n, and/or the like). The communication between themanagement request handler 205 and therequest handler 210 may be facilitated by thesupport structure 215. Thesupport structure 215 may provide suitable communication protocol, management application, infrastructure, communication application program interface (API), configurations, translations, and/or the like for interfacing between themanagement request handler 205 and therequest handler 210. - The
request handler 210 may receivekey generating requests 175 and/or encryption keys from the various communication devices and relate them to themanagement request handler 205 with the assistance from thesupport structure 215. Therequest handler 210 may also relate the response of the management request handler 205 (including the hint in some examples) and/or encryption keys to the various communication devices with the assistance from thesupport structure 215. - In various examples, the
management request handler 205 may receive therequest 175 for generating an encryption key. Various components may be capable of transmitting therequest 175 to themanagement request handler 205. The some examples, themanagement request handler 205 may receive therequest 175 from the various communication devices associated with the enterprise (e.g., thecellular device 250 a,network device 250 b, . . . ,device N 250 n, and/or the like). Therequest 175 may be related by therequest handler 210, which may serve as the interface between the devices and the management request handler as described. Thekey federation interface 260, themanagement user interface 220, and thekey management interface 240 may also transmit therequest 175 to the management request handler. - In non-request-driven examples, the
management request handler 205 may receive encryption keys from at least onekey source 170. Thekey source 170 may be the key generation andmanagement device 230, which may be any suitable existing encryption key generating apparatus implemented within the enterprise. In other words, the key generation andmanagement device 230 may represent any existing schemes internal or external to the communication systems of the enterprise. For example, the key generation andmanagement device 230 may be any suitable native protocol associated with safe net equipment. - Examples of the
key management interface 240 may represent an internal integration of key generation and key management capabilities as well as an external interface with existing solutions. This is because thekey management interface 240 may be poised between the key generation and management device 230 (which may generate encryption keys) and the management request handler 205 (which inspectskey attributes 160 of the encryption keys based on policies 115). For example, thekey management interface 240 may be a translation interface that maintains a standard encryption management messaging language with thekey orchestration device 110. This can allow enterprise interoperability between existing solutions (e.g., the key generation and management device 230) and the key orchestration platform (e.g., the management request handler 205). Accordingly, the policy-based encryption key orchestration systems and methods may be implemented with various types of security object (e.g., encryption key) generation protocols. - Additionally or alternatively, in request-driven examples, the
management user interface 220 may transmit therequest 175 to themanagement request handler 210. Themanagement user interface 220 may utilize the same API as other components described herein to assure interoperability. Themanagement user interface 220 may include suitable user input and display devices to receive and display data to a designated managing user. In particular examples, themanagement user interface 220 may include a mobile device such as a smartphone or a tablet. Themanagement user interface 220 may also include a wired device. - In some examples, the
key federation interface 260 may transmit therequest 175 to themanagement request handler 205. Thekey federation interface 260 may be in communication with a second key federation interface (such as, but not limited to, the key federation interface 260) associated with a disparate enterprise (which may utilize the same or similar key orchestration systems and methods described). When one of the various communication devices (e.g., thecellular device 250 a,network device 250 b, . . . ,device N 250 n, and/or the like) wishes communicate with another device from the disparate enterprise (or vice versa), therequest 175 may be transmitted (from thekey federation interface 260 of the second enterprise) to thekey federation interface 260 of the current enterprise. In some examples, therequest 175 may be directly transmitted to themanagement request handler 205 when thekey federation interface 260 has designated the relationship between the enterprises to be trusted. - In some examples, instead of or in addition to the
request 175, encryption keys as well as the “allowed” and “denied” messages may be transmitted and received between the key federation interface 260 (of the current and the second enterprise). The encryption key and its associatedattributes 160 may be stored in the localkey database 270, which may be accessible by the management request handler 205 (for policy inspection) and/or the request handler 210 (for distribution). - The
request 175 may be transmitted with further instructions related to generating the encryption key. The further instructions include, but are not limited to, a source of encryption keys, the encryption keys themselves,key attributes 160 associated with the encryption keys, and/or the like. - In various examples, in response to receiving the
request 175, themanagement request handler 205 may generate or facilitate the generation of the encryption key. For example, where therequest 175 may be silent as to where the encryption key is to be generated (e.g., the key source 170), themanagement request handler 205 itself may generate the encryption key. Themanagement request handler 205 may generate the encryption key based on the set ofpolicies 115 stored in thepolicy database 280. In other words, themanagement request handler 205 may generate the encryption keys withkey attributes 160 that would not have violated anypolicies 115 set forth in thepolicy database 280. - Where the
request 175 may be silent as to where the encryption key is to be generated (e.g., the key source 170), or specifies that a particularkey source 170 to generate the encryption key, themanagement request handler 205 may retrieve or otherwise request the encryption key from a suitablekey source 170. Themanagement request handler 205 may request encryption keys from themanagement user interface 220, thekey federation interface 260, the communication devices (e.g., thecellular device 250 a,network device 250 b, . . . ,device N 250 n,source device 150 a, andtarget device 150 b),key management interface 240, and/or the like. - The
management request handler 205 may retrieve encryption keys from a designated database storing encryption keys (e.g., the local key database 270). The localkey database 270 may be coupled to other key sources 170 (e.g., thecellular device 250 a,network device 250 b, . . . ,device N 250 n,source device 150 a,target device 150 b, the key generation andmanagement device 230 thekey federation interface 260, and/or the like) and store cached encryption keys on behalf of the otherkey sources 170. Themanagement request handler 205 may retrieve encryption keys from the localkey database 270 instead of requesting encryption keys from thekey sources 170. This is so that transaction time for retrieving/generating the encryption key may be improved, and that network problems would not hinder the ability of themanagement request handler 205 to obtain encryption keys, given that the local key database may be local to (e.g., residing on a same network node) themanagement request handler 205. As themanagement request handler 205 is retrieving encryption keys from the localkey database 270, a verification request may be sent to thekey source 170 to ensure whether the encryption key to be retrieved has been altered by thekey source 170. A confirmation or an updated encryption key may be sent to the localkey database 270 in response, so that themanagement request handler 205 may accordingly receive the encryption key. - In some examples, the
management request handler 205, upon receiving encryption keys (whether requested or not) in any manner as described, may cache the encryption key along with the key source identifier and the associated key attributes 160 at the localkey database 270. The encryption key, the key source identifier, and the key attributes 160 may be stored in case that the communication is lost or when the encryption key source of the encryption key is not authoritative. Whereas in some examples, the encryption key may not be transmitted with the key attributes 160. In such examples, themanagement request handler 205 may determine the key attributes 160 from various sources such as, but not limited to, thelocal user repository 285, thedevice inventory database 295, and/or the like. - The
management request handler 205 may then inspect the key attributes 160 associated with the encryption key received based on the set ofpolicies 115 stored in thepolicy database 280. Themanagement request handler 205 may retrieve allpolicies 115 or only the relevant policies (e.g., based on some or all key attributes 160) from thepolicy database 280. In some examples, the encryption keys generated by themanagement request handler 205 itself or at the direction of themanagement request handler 205 may be spared from inspection bypolicies 115 when they are created based on thepolicies 115. In other examples, all encryption keys generated by themanagement request handler 205 or at the direction of themanagement request handler 205 may be inspected by thepolicies 115. Encryption keys allowable based on thepolicies 115 may be allowed while unacceptable encryption keys may be denied, in the manner described. Themanagement request handler 205 may be configured to update or add policies stored in the policy database 280 (e.g., as directed by the management user interface 220). - The
local user repository 285 may be a database storing information related to local users of the communication devices (e.g., thecellular device 250 a,network device 250 b,device N 250 n, and/or the like) within the enterprise. In various examples, thelocal user repository 285 may store characteristics/information of the users that would constitute key attributes 160. The characteristics include, but not limited to, privileges, security groups, assigned roles, a combination thereof, and/or the like. The security groups may be stored in a hierarchical tree. Themanagement request handler 205 may access thelocal user repository 285 for such characteristics and utilize them askey attributes 160 associated with encryption keys requested, transmitted, or received by that device corresponding to such characteristics. Themanagement request handler 205 may add or alter information stored in thelocal user repository 285. A copy of the information stored in thelocal user repository 285 may be sent to the localkey database 270 askey attributes 160 to be stored in the localkey database 270. - In some examples, the
transaction database 275 may store various communication transactions or potential communication transactions. In some examples, thetransaction database 275 may store encryption key transmission instances (i.e., instances where encryption keys are to be distributed) to one or more devices. For example, when a particular encryption key cannot/should not be forwarded (e.g., pushed to a communication device) for any reason, the forwarding transaction (e.g., a job) may be queued or otherwise stored within thetransactions database 275 for forwarding the encryption key at a later some. Thetransaction database 275 may also store a status of each particular encryption key transmission instance, which may later be read by therequest handler 210. For example, therequest handler 210 may at a later time attempt to transmit all or some encryption keys to corresponding communication devices for all “unsent” encryption key transmission instances. Thetransactions database 275 may be coupled to the localkey database 270 to gain access of the keys to be forwarded to each communication device that the encryption key may be generated for. - In further examples, the
transaction database 275 may be coupled to therequest handler 210 and may store the communication transactions (for which the encryption key may be requested, transmitted, or received) and/or the associated key attributes 160. For example, therequest handler 210 may transmit such information to thetransactions database 275. Thetransaction database 275 may be coupled to the localkey database 270. The communication transactions (as the associated details) may be associated with the encryption keys stored in the localkey database 270. Themanagement request handler 205 may need to access only the localkey database 270 for the encryption keys and the associated key attributes 260. - The
configuration database 290 may store supporting instructions for the key encryptionkey orchestration system 200. In some examples, theconfiguration database 290 may store internal network, configuration of clients, configuration of applications, IP address allocations, various component configurations, device privileges, device communication pathways, credentials, and/or the like. Theconfiguration database 290 may be coupled to themanagement request handler 205, which may require the instructions stored within theconfiguration database 290 for operations. Themanagement request handler 205 may also add or alter the information stored in theconfiguration database 290. - In some examples, the
device inventory database 295 may store information related to the communication devices associated with the given enterprise. For example, information stored may include, but not limited to, security group, security level, geo-location, identification number, internal classification, device specifications, time stamp in which an encryption has been created, a combination thereof, and/or the like. Therequest handler 210 may be coupled to thedevice inventory database 295 to store such data therein. Themanagement request handler 205 may be coupled to thedevice inventory database 295 for accessing such device information. Thedevice inventory database 295 for associating particular cached keys with the corresponding device information as key attributes 160. A copy of the information stored in thedevice inventory database 295 may be sent to the localkey database 270 as key attributes 160. - The
key federation interface 260 may allow onekey orchestration device 110 to federate encryption key information with one or more other key orchestration devices 110 (through their associated respective key federation interfaces 260) based on an established trust relationship. Each enterprise may include by akey orchestration device 110. As such, thekey federation interface 260 may maintain a trust relationship with the communication systems of at least one other enterprise. It is, in other words, a gateway to extend trust. - In some examples, various examples described herein may be implemented with the systems set forth in
FIG. 2A .FIG. 2A is a schematic block diagram illustrating an example of an encryption key orchestration system 200 a or a key orchestration appliance according to various examples. Referring toFIGS. 1-2A , the encryption key orchestration system 200 a corresponds to the key orchestration class model and applies the same toward solving technical problems by building a key orchestration application. The encryption key orchestration system 200 a may correspond to thekey orchestration device 110. - In some examples, a
Quartz 210 a may handle creation and management of composite jobs for the encryption key orchestration system 200 a, including but not limited to key orchestration administration, user/device administration, key distribution, key management, key federation, and the like. Job control may be made aware of overall application state and interacts with apolicy engine 222 a for policy checks for broad compliance with job creation. TheQuartz 210 a may facilitate management of j ob objects, which represent a composite set of actions for key management, key orchestration application management, user/device management, and/or the like in light of those functions. TheQuartz 210 a may have a connection with thepolicy engine 222 a for policy checks associated with composite functions. The job objects may be created by ajob control module 236 a. Job objects may be associated with atomic transactions. Atomic transactions created by thejob control module 236 a can be inspected by thepolicy engine 222 a to pre-validate a job before running the job. - The encryption key orchestration system 200 a may include an
action module 218 a, which represents atomic transactions for key orchestration administration, user/device administration, key distribution, key management, key federation, or the like. Transactions interact with thepolicy engine 222 a for inspection of actions as they are occurring for policy compliance at the point of the transaction being executed. - The encryption key orchestration system 200 a may include an
agent 216 a, which may represent a programmatic interface that can invoke other functions within the encryption key orchestration system 200 a. Theagent 216 a itself may be a plugin type architecture that allows for plugin components to be implemented per invocation. This may resemble a factory design pattern. - The
policy engine 222 a may provide an interface to determine if job control, jobs, or transactions are compliant with defined policy. Thepolicy engine 222 a may consume user defined policy and exposes the policy as a series of compliance statements and default values. - In some examples, a
KMIP C Server 240 a may be a library that provides for a KMIP interface provided by Cryptsoft. TheKMIP C Server 240 a may operably coupled to aspider monkey 244 a, which may be a library that allows the encryption key orchestration system 200 a to interact with theKMIP C Server 240 a to allow for server-side execution of Java Script. TheKMIP C Server 240 a may include aKMIP C Client 241 a for interfacing with theKMIP client 204 a. A KMIPServer OPS KO 220 a may provide a key orchestration-specific extension of the KMIP C Server that ties all KMIP operations into actions that are evaluated by policy - In some examples, a
key source 202 a may represent sources of key information such as a Hardware Security Module (HSM), a KMIP-enabled key management server, or the like. Thekey source 202 a can also represent key messages (for elements beyond KMIP register). Thekey source 202 a may correspond to thekey source 170. AKMIP client 204 a may represent users and/or devices that use the KMIP protocols. TheKMIP client 204 a may be a key orchestration daemon, key orchestration service, or another device that uses the KMIP protocols. Thekey source 202 a and theKMIP client 204 a may be external to the encryption key orchestration system 200 a. - The encryption key orchestration system 200 a may include interfaces such as, but not limited to, a
KMIP interface 212 a,proto interface 214 a, or the like. Much like theagent 216 a, each interface may be a plugin implementation that provides a channel for sending and/or receiving key management, distribution, and federation type of communications between the encryption key orchestration system 200 a with thekey source 202 a and/or theKMIP client 204 a. The encryption key orchestration system 200 a may maintain records of available interfaces through data model. Thekey source 202 a and theKMIP client 204 a may communicate with theKMIP interface 212 a using KMIP standards. TheKMIP interface 212 a may call OpenSSL. - In some examples, transaction data 224 a may represents data access objects for transactions. Specifically, the transaction data 224 a tracks composite jobs and atomic transactions that are in progress and that are completed. The transaction data 224 a can be used to recover a job if a transaction fails for some reason and recovery is defined as an option in policy.
-
Key data 226 a may represent data for keys that are both locally stored or locally referenced\remotely stored. Thekey data 226 a may also be tied to attributes associated with the key data.Policy data 228 a may represent the storage of the policy Document Security language (DSL), represented as chunks of Extensive Markup Language (XML) that is constructed in thepolicy engine 222 a based on what part of the hierarchy that a job is being executed on. -
Hierarchy data 230 a may represent the structural organization of control for encryption key orchestration system 200 a. Hierarchy nodes are associated with one or more user\devices, one or more key sources and defined policy. Administrative users are also associated with the Hierarchy. From a source\device perspective, thepolicy data 228 a and thehierarchy data 230 a can be “looked up” to have inheritance. A hierarchy node can exist without anything being assigned to it. - In some examples,
device data 232 a may be needed to identify a creator or consumer of key information and contact the creator or consumer of information. Thedevice data 232 a may include attributes associated with devices, such as thesource device 150 a and/or thetarget device 150 b. In some examples,user data 234 a may include information on administrative users. Theuser data 234 a may have a normalized relationship with thedevice data 232 a andhierarchy data 230 a.Compositions 238 a may include executable Java Script associated with complex key management operations. - In some examples, the encryption key orchestration system 200 a may include a rest API. Much like an interface that can invoke key orchestration functions, the rest API can allow for external applications to invoke the key orchestration functions with information required to create, read, execute, update, or maybe even delete a key orchestration job. The rest API can leverage the
KMIP interface 212 a andproto interface 214 a to invoke theagent 216 a that executes actions associated with operating the encryption key orchestration system 200 a. The rest API can be operably coupled to aNode.JS 206 a. An admin user interface may use the rest API. In some examples, aKO shell 208 a may be a console interface that uses theKMIP interface 212 a andproto interface 214 a to invoke theagent 216 a that executes actions associated with the encryption key orchestration system 200 a. - From an interface perspective, a file driver is no different than any other user\device key orchestration Daemon\Service as one or more of KMIP, classX (as a secondary messaging protocol), and the like are used. The file driver may be a kernel module (character device driver) that represents a certificate or other key file to the host operating system for simpler integration. Other clients may represent other interfaces that encryption key orchestration system 200 a can use, including customer-specific solutions or other standards such as PKCS 11 or HSM wire protocols.
-
FIG. 3 illustrates an example of an encryptionkey federation system 300 as implemented in various examples. Thekey federation system 300 may implement thekey orchestration device 110 as set forth with respect toFIGS. 1-2 . Thekey federation system 300 may be based on extra-enterprise communication relationship and key federation enabled by the key orchestration device 110 (e.g., themanagement request handler 205 and the associated components). - Encryption keys (e.g., asymmetric encryption keys, symmetric encryption keys, and/or the like) generated by components within one enterprise (e.g.,
enterprise A 390 a) may be distributed to a disparate key orchestration device (e.g., thekey orchestration device 110, themanagement request handler 205, and its associated components, and/or the like) of another enterprise (e.g.,enterprise B 390 b) pursuant to inspection by thepolicies 115 of either (or both) enterprises. This can enable secured communications or data exchange with outside entities (e.g., enterprises) based on the federated trust model. This can also allow encryption management to parallel communications management in supporting external communications to enable symmetric key encryption for communications. Accordingly, performance of the communications platform may be improved, given that utilization of asymmetric encryption may be expensive from a processing perspective as compared to symmetric encryption. - In the
key federation system 300, each enterprise (e.g., theenterprise A 390 a or theenterprise B 390 b) may be associated with a respective one of a keyorchestration device A 310 a and a keyorchestration device B 310 b). Each of the keyorchestration device A 310 a and the keyorchestration device B 310 b may be thekey orchestration device 110. The keyorchestration device A 310 a and the keyorchestration device B 310 b may be in communication with one another through any suitable network. In particular, the key federation interfaces (e.g., the key federation interface 260) of each of the keyorchestration device A 310 a and the keyorchestration device B 310 b may be in communication with one another. - In various examples, the key
management server A 330 a and the keymanagement server B 330 b may be a device such as, but not limited to, the key generation andmanagement device 230 and thekey management interface 240. Each of the keymanagement server A 330 a and the keymanagement server B 330 b may be coupled to their respective key federation interfaces 206 within their respective enterprises in the manner described. - A
device A 350 a and adevice B 350 b may attempt to obtain an encryption key for the communication therebetween. Each of thedevice A 350 a and thedevice B 350 b may be thesource device 150 a, thetarget device 150 b, thecellular device 250 a, thenetwork device 250 b, . . . , thedevice N 250 n, a combination thereof, and/or the like. - An encryption key may be generated within one enterprise (e.g.,
enterprise A 390 a) from any suitablekey source 170 in the manner described. The encryption key may be generated by theenterprise A 390 a (e.g., by akey source 170 in theenterprise A 390 a) with or without arequest 170 from eitherenterprise B 390 b or within enterprise A. The encryption key may likewise be generated by theenterprise B 390 b in a similar manner. The encryption key and its associated key attributes 160 may be presented to the policy engine ofenterprise A 390 a (e.g., the keyorchestration device A 310 a, which may include themanagement request handler 205 and its associated components) for inspection in the manner described. In response to the policy engine ofenterprise A 390 a determining the encryption key is accepted based on the encryption key attributes 160, thekey orchestration device 310 a (e.g., the key federation interface 260) ofenterprise A 390 a may relate the encryption key as well as its associated key attributes 160 to the keyorchestration device B 310 b (e.g., the key federation interface 260) ofenterprise B 390 b. - Upon receiving the encryption key and its associated key attributes 160, the encryption key and its associated key attributes 160 may be presented to the policy engine of enterprise B390 b (e.g., the key
orchestration device B 310 b, which may also include themanagement request handler 205 and its associated components) for inspection in the manner described. The encryption key may be forwarded to both thedevice A 350 a and thedevice B 350 b when the keyorchestration device B 310 b determines that the encryption key is consistent with itspolicies 115 defined forenterprise B 390 b. In other words, the encryption key (as defined by its key attributes 160) may be allowed only if it is consistent with both sets ofpolicies 115 ofenterprise A 390 a as well asenterprise B 390 b. At least some of the set ofpolicies 115 ofenterprise A 390 a may be different from at least some of the set ofpolicies 115 ofenterprise B 390 b. Whereas the encryption key is found not allowable by either the keyorchestration device A 310 a or the keyorchestration device b 310 b, the encryption key may be returned back to thekey source 170 with the “denied” message and/or the hint in the manner described. - In other examples, acceptance by
policies 115 associated with only one enterprise (e.g., eitherenterprise A 390 a orenterprise B 390 b) may be sufficient for encryption key to be allowed. In such cases, the trust extends to some or sometimes all of thepolicies 115. In addition, each enterprise may include a set ofpolicies 115 for the federated instances (e.g., each enterprise may have agreed with the other regarding a set ofpolicies 115 used when communications between the communication devices of the enterprises are to occur. Accordingly, each enterprise may store (e.g., in each respective policy database 280) a same set of federated (mutual and reciprocal) policies for the federated schemes. The federated policies may be the same for both theenterprise A 390 a and theenterprise B 390 b. Thus, allowance by one key orchestration device associated with one enterprise may be sufficient for the encryption key to be forwarded for usage for communication between both enterprises. - In various examples, enterprise federation policies may be stored within each
policy database 280. The enterprise federation policies may specify the manner in which the encryption keys may be federated. For example, the enterprise federation policies may specify the federated policies, which key orchestration device may inspect the key attributes 160, which enterprise may issue arequest 175 for an encryption key, which enterprise may generate an encryption key, a combination thereof, and/or the like. The enterprise federation policies allow flexibility in policy defining. For example, the enterprise federation policies may specify that enterprises may each include itsown policies 115 in addition to the federated policies, where at least a part thepolicies 115 of each enterprise may be disparate. - In some examples, a
communication platform A 320 a and acommunication platform B 320 b of each respective enterprise may be in communication with one another via any suitable network. Such communication between the communication platforms may be encrypted communications, where the encryption key corresponding to such communication may also be presented for inspection bypolicies 115 similar to described with respect to the devices (e.g., thedevice A 350 a, thedevice B 350 b, and/or the like). Each communication platform may be in communication to a respective device, such that configurations related to the key orchestration systems may be exchanged. -
FIG. 4 illustrates an example of acommunication device 400 consuming key orchestration services as part of the enterprise according to some examples. Referring toFIGS. 1-4 , thecommunication device 400 may be a device such as, but not limited to, thesource device 150 a, thetarget device 150 b, thecellular device 250 a, thenetwork device 250 b, . . . , thedevice N 250 n, thedevice A 350 a, thedevice B 350 b, a combination thereof, and/or the like. In some examples, thecommunication device 400 leverages key orchestration to receive encryption keys (or key updates) associated with applications such as, but not limited to, anEmail application 410 a, voice-over-internet protocol (VOIP)application 410 b,storage encryption 410 c, and/orother encryption applications 410 d on thecommunication device 400. - The
communication device 400 may be registered with a key orchestration platform to receive key orchestration services. Thecommunication device 400 may provide anapplication interface 420 based configured to receive with encryption key distribution and encryption key management messages (e.g., the “allowed” message, the “denied” message, the hint, and/or the like) from thekey orchestration device 110. Theapplication interface 420 may be coupled to each of theEmail application 410 a, voice-over-internet protocol (VOIP)application 410 b,storage encryption 410 c, and/orother encryption applications 410 d to forward the accepted encryption key to them. - This
communication device 400 may also utilize KMIP by aKMIP proxy 430 to receive KMIP type commands from thekey orchestration device 110. TheKMIP proxy 430 may be connected to thekey store 440 for managing the encryption keys stored therein. TheKMIP proxy 430 may also be connected to a device-end cryptographic unit 450. The device-end cryptographic unit 450 may be configured to generate encryption keys. In response to the “denied” message, the device-end cryptographic unit 450 may generated a different encryption key to present to the policy engine for inspection. Whereas the hint is given, the device-end cryptographic unit 450 may generate a different encryption key based on the hint. The device-end cryptographic unit 450 may cache its encryption keys in thekey store 440. The device-end cryptographic unit 450 may be coupled to theapplication interface 420. Theapplication interface 420 may transmit the encryption keys generated along with the key attributes 160 to the policy engine and forward the response of the policy engine to the device-end cryptographic unit 450 e.g., when the response is negative. - Accordingly, operation-level policy inspection may be achieved. Given that the
communication device 400 may be capable to interact with the policy engine regarding the encryption keys, the ability to service the request for an encryption key (or inspect the encryption key) by a third-party device (e.g., the policy engine residing in the key orchestration device 110) acting as administrating may be achieved. Therequest 175 for an encryption key or the encryption key may be serviced each communication transaction. -
FIG. 5 illustrates an example of a request authentication process 500 for issuingrequests 175 for encryption keys in various encryption key orchestration systems according to some examples. The request authentication process 500 may be internal to thekey orchestration device 110, when the key orchestration device 110 (e.g., themanagement request handler 205, the keyorchestration device A 310 a, the keyorchestration device B 310 b, and/or the like) itself generates the encryption keys. In other examples, the request authentication process 500 may be external to thekey orchestration device 110 to support integration with existing key management and key generation infrastructure (e.g., the key generation andmanagement device 230, the keymanagement server A 330 a, the keymanagement server B 330 b, and/or the like). - First, at block B510, the
key orchestration device 110 may provide authentication information to akey source 170. As described, suchkey source 170 may be thekey orchestration device 110 itself, the key generation andmanagement device 230, themanagement user interface 220, thekey federation interface 260, the communication devices (e.g., thecellular device 250 a,network device 250 b, . . . ,device N 250 n,source device 150 a,target device 150 b,device A 350 a,device B 350 b,communication device 400, a combination thereof, and/or the like), and/or other external key sources. The authentication information may be any suitable authentication method, such as username/passcode request, security handshake algorithms, biometric request, a combination thereof, and/or the like. - Next, at block B520, the
key orchestration device 110 may receive authentication response from thekey source 170. Thekey orchestration device 110 may authenticate the response and establish trusted relationship between thekey source 170 and thekey orchestration device 110. Next at block B530, thekey orchestration device 110, themanagement user interface 220, the key generation andmanagement device 230, the communication devices, and other API calls may issue a key management/generation request (e.g., the request 175) to thekey source 170. In some examples, thekey orchestration device 110 may forward therequest 175 from a trusted third party (e.g., the communication devices, themanagement user interface 220, thekey federation interface 260, and/or other third-party devices) to thekey source 170. In some examples, therequest 175 may be directly sent to thekey source 170. Thekey orchestration device 110 may be configured to determine whether to generate encryption keys itself or forward the request to anotherkey source 170 when therequest 175 does not identify thekey source 170. Next, at block B540, thekey orchestration device 110 may receive response (e.g., the encryption keys as requested) from thekey source 170. - Subsequently, the encryption keys obtained by the
key orchestration device 110 may be evaluated based on the key attributes 160 and thepolicies 115 in the manner described. When allowed, the encryption keys may be distributed to the communication devices associated with the corresponding communication transaction. When denied, thekey orchestration device 110 may transmit the “denied” message (and in some instances, the hint) and standby for new encryption keys. - In some examples, multiple requests may be sent to a plurality of
key sources 170; each request may correspond to a single communication transaction. In response, the multiple responses (e.g., encryption keys) may be received from thekey sources 170. In other examples, multiple requests may be sent to a plurality ofkey sources 170, where two or more requests may correspond to a same communication transaction. As thekey orchestration device 110 may receive two or more encryption keys from thekey sources 170. Thekey orchestration device 110 may determine one of the two or more encryption keys for the communication transaction based on the policies 115 (e.g., the most secure out of the two or more encryption keys). - Accordingly, large scale distribution by the
key orchestration device 110 may be possible in systems including at least one source for the encryption keys and multiple recipient communication devices. -
FIG. 6 is a process flow diagram illustrating an example of a communication device registration process 600 implemented in various key orchestration systems according to various examples. Blocks B610, B620, B630 may be executed simultaneously or sequentially in that order. First, at block B610 the communication device may be discovered (e.g., by the request handler 210). Therequest handler 210 may detect that the communication device is present within the enterprise (e.g., the networks associated with the enterprise) automatically. - At block B620, the communication device may be registered (e.g., by the request handler 210). In some examples, configuration information related to the key orchestration systems may be transmitted to the communication device. Device information of the communication device may be transmitted to the
local user repository 285,device inventory database 295, and/or the like. At block B630, the communication device may be enrolled (e.g., by the request handler 210). For example, the communication device may transmit a server authentication request therequest handler 210 and receiving a positive authorization response. - Next, at block B640, the communication device may be accepted (e.g., by the request handler 210). For example, the
request handler 210 and/or themanagement request handler 205 may check existingpolicies 115 based on the device information to determine whether the communication device has been classified in the appropriate group, whether thekey orchestration device 110 may be capable of orchestrating the communication device, a combination thereof, and/or the like. - Next, at block B650, the
request handler 210 may provide device authentication information to the communication device. The authentication information may include configurations (e.g., credentials, passcodes, and/or the like) to access thekey orchestration device 110. Next, at block B660, therequest handler 210 and/or themanagement request handler 205 may define orchestration rules for the communication device. Following block B660 at block B670 a corresponding identifier, the commination device has been added to an orchestration registration. Subsequently, the communication device may request for encryption keys, generate encryption keys, receive approved encryption keys, and/or the like in the manner described. Such process ensures that the communication device utilizing services provided by thekey orchestration device 110 may meet the operable standards of thekey orchestration device 110. -
FIG. 7 illustrates an example of a key management anddistribution process 700 according to various examples. Referring toFIGS. 1-7 , the key management anddistribution process 700 may be implemented with communication devices registered, discovered, and/or enrolled with thekey orchestration device 110. - First, at block B710, the
management request handler 205 may define key management command. A key management command may be a particularized command for a key management event (e.g., “job”). The key management event may be an event triggering a set of algorithms to create encryption keys based on thepolicies 115 and distribute (e.g., push) the encryption keys to at least one of the communication devices (e.g., thecellular device 250 a,network device 250 b, . . . ,device N 250 n,source device 150 a,target device 150 b,device A 350 a,device B 350 b,communication device 400, a combination thereof, and/or the like). - In some examples, the key management event may be based on time. For example, the
management request handler 205 may be configured to rekey for at least some (sometimes all) of the communication devices associated with the enterprise (or another enterprise) periodically (e.g., every day, every week, every month, and/or the like). In various examples, the key management event may occur automatically through an API call. The API call may be issued from any components internal and/or external to thekey orchestration device 110 within a same or disparate enterprise. - The key management event may also be user-defined. For example, the
management user interface 220 may receive user input from the designated user to generate encryption keys immediately for at least one communication device. In such examples, such user-defined key management events may be initiated in response to a sudden event, including cyber-attacks, security breaches, change to thepolices 115, and/or the like. Themanagement user interface 220 may also alter thepolicies 115 stored within thepolicy database 280 in response to these key management events. The new encryption keys created must follow the altered set ofpolicies 115. - The key management command may include providing encryption key to some or all communication devices within the same or a disparate enterprise, re-transmitting a same or different encryption key to some or all communication devices within the same or disparate enterprise, a combination thereof, and/or the like. In various examples, the
management request handler 205 may define for a plurality of key management commands, each of which may correspond to a communication transaction and/or communication device associated with the enterprise. In further examples, themanagement request handler 205 may define key management commands for communication devices associated with a disparate enterprise when allowed by the federation model. The management commands (e.g., encryption keys) may be transmitted via thekey federation interfaces 260 associated with each enterprise. - Next, at block B720, the
management request handler 205 may build a key management command queue. A job created in response to the key management event may include a plurality of key management commands, each of which may correspond to a communication device and/or a communication transaction. Accordingly, where the key management commands are generating new encryption keys and distributing to two or more communication devices, the key management commands may be queued (e.g., stored within the transactions database 275) for execution, given the volume of the key management commands. As such, a composite command may correspond to key management commands for multiple key sources to issue encryption keys to multiple encryption key receiving communication devices. The composite command may be associated with a plurality of key management commands, and may be stored as a whole in thetransaction database 275 awaiting distribution. Thus, even if a server (e.g., the management request handler 205) is shut off before all the key management commands are executed/distributed, the process may resume as soon as the sever is switched on. - Key management command associated with inactive communication devices (e.g., communication devices that may be turned off and/or off the network) may be stored in the
transactions database 275 for future distribution (e.g., when the inactive communication devices are switched on) by themanagement request handler 205 at block B730. On the other hand, for active devices (e.g., communication devices that may be turned on and/or on the network), the key management command may be executed by themanagement request handler 205 at block B740. - For example, the
management request handler 205 may request encryption keys fromkey sources 170 based on the key management commands at block B750. For example, the key management commands may specify one or morekey sources 170 to issue encryption keys to the communication devices. Accordingly, some communication devices may receive encryption keys from a first key source while other communication devise may receive encryption keys from a second different key source. Next, at block B760, themanagement request handler 205 may distribute encryption keys to the communication devices. In some examples, themanagement request handler 205 may perform encryption key inspection based on the key attributes 160 and the set ofpolicies 115 in the manner described. Once approved, themanagement request handler 205 may forward the encryption keys to the corresponding communication devices through therequest handler 210. - Next, at block B770, the
management request handler 205 may receive response to the distribution from the communication devices. For example, themanagement request handler 205 may determine, based on the responses of the communication devices, whether such distribution was successful at block B780. Whereas themanagement request handler 205 determines that the distribution was successful with respect to a given communication device (e.g., that communication device has received the encryption key distributed to it), positive feedback may be provided to themanagement request handler 205 at block B795. - On the other hand, whereas the
management request handler 205 determines that the distribution was unsuccessful (e.g., that communication device has not received the encryption key distributed to it) for a given communication device, a negative response of that communication device may be provided to themanagement request handler 205 at block B790. Themanagement request handler 205 may then determine whether to attempt to execute the key management command again at a later time for that communication device based on preexisting algorithms or user input at block B798. - When
management request handler 205 determines that execution of the key management commands (e.g., the distribution of the encryption) is not to be attempted again (B798:NO), the process ends. On the other hand, whereas themanagement request handler 205 determines that key management commands not successfully distributed are to be attempted again (B798:YES), the key management commands may be stored at block B730 (e.g., in the transactions database 275) for future distribution. - In some examples, when distribution of the key management commands may be unsuccessful, the
management request handler 205 may determine to retry distribution of the unsuccessful key management commands (B780:RETRY). For example, themanagement request handler 205 may again execute key management commands for active devices at block B740. -
FIG. 8 is a process flow diagram illustrating an example of an encryption key federation process 800 according to various examples. Referring toFIGS. 1-8 , key orchestration devices 110 (e.g., both in a same local enterprise and in a foreign enterprise) may mutually authenticate and distribute encryption keys based on thepolicies 115 implemented forkey orchestration devices 110 or each enterprise for federating encryption keys from one enterprise to another enterprise. In addition, the encryption key federation process 800 may also include the receiving of encryption keys from a foreign key orchestration device as a result of the federation policy of the foreign key orchestration device. - First, at block B810, the local key orchestration device (e.g., the key
orchestration device A 310 a) may provide authentication information to a foreign key orchestration device (e.g., the keyorchestration device B 310 b). The authentication information may be any suitable authentication prompt and/or request for federation. Next, at block B820, the local key orchestration device may receive authentication response from the foreign key orchestration device agreeing to initiation the federation model. The blocks B810 and B820 may represent typical security credential handshakes, where federation trust has been established between the two enterprises. - Next, at block B830, the local key orchestration device may provide trust policy information to the foreign key orchestration device. At block B840, the local key orchestration device may receive trust policy information from the foreign key orchestration device. The trust policy information may include any configurations, settings, extent of trust, mutually agreed policies, a combination thereof, and/or the like.
- Next, at block B850, the local key orchestration device and the foreign key orchestration device may manage and distribute key information (e.g., the encryption key, the associated key attributes 160, a combination thereof, and/or the like) in the manner described.
- In particular examples, the foreign key orchestration device transmit the
request 175 to the local key orchestration device for generating the encryption key for a communication transaction between a communication device associated with the foreign key orchestration device and a communication device associated with the local key orchestration device. The encryption key may be generated by the local key orchestration device and inspected by local policy engine. The encryption key may be transmitted to the foreign key orchestration device for inspection by the foreign policy engine in some examples, but not others. - In some examples, instead of the
request 175, the foreign key orchestration device may transmit a generated encryption key (which may or may not have been inspected by policy engine of the foreign key orchestration device depending on trust policy information specified). The local key orchestration device may or may not inspect the encryption key and its associated key attributes 160 bypolicies 115 based on the trust policy information specified between the enterprises. -
FIG. 9 is a process flow diagram illustrating an example of an encryption key management anddistribution process 900 according to various examples. In various examples, the encryption key management anddistribution process 900 may incorporate elements of key orchestration, including key management, key distribution, and key federation. - First, at block B910, a set of
policies 115 may be defined, where eachpolicy 115 may relate to one or more key attributes 160. Thepolicies 115 may be defined by designed personnel and stored in thepolicy database 280 for future retrieval and update. Next, at block B920, themanagement request handler 205 may receive encryption key and at least one key attribute associated with the encryption key from thekey source 170 in the manner described. - Next, at block B930, the
management request handler 205 may determine acceptability of the encryption key received based, at least in part, on the at least one key attribute and the set ofpolicies 115 that relate to one of the at least one key attribute. For example, themanagement request handler 205 may check a value corresponding to akey attribute 160 to determine whether the value is within an acceptable range as defined by thepolicies 115 in the manner described. - Next, at block B940, the
management request handler 205 may determine whether the encryption key is acceptable. Whereas the encryption key is acceptable (B940:YES), themanagement request handler 205 may distribute the encryption key to the communication devices requiring the key for the communication transaction therebetween, at block B950. On the other hand, whereas the encryption key is unacceptable (B940:NO), themanagement request handler 205 may transmit the “denied” message to thekey source 170 at block B960. Optionally, themanagement request handler 205 may transmit the hint to the key source to facilitate key generation at block B970. Themanagement request handler 205 may then standby until receiving a second encryption key (and associated key attributes 160) at block B920. - The key orchestration system (e.g., the
key orchestration device 110, themanagement request handler 205, keyorchestration device A 310 a, keyorchestration device B 310 b, and/or the like) described herein may be implemented on any suitable computing devices having a processor and a memory device. The processor may include any suitable data processing device, such as a general-purpose processor (e.g., a microprocessor), but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. The processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, at least one microprocessor in conjunction with a DSP core, or any other such configuration. The memory may be operatively coupled to the processor and may include any suitable device for storing software and data for controlling and use by the processor to perform operations and functions described herein, including, but not limited to, random access memory RAM, read only memory ROM, floppy disks, hard disks, dongles or other RSB connected memory devices, or the like. - The
key orchestration device 110, themanagement request handler 205, keyorchestration device A 310 a, and/or keyorchestration device B 310 b may be implemented on suitable operating systems (OS) such as, but not limited to, the Linux OS, Windows, the Mac OS, and the like. Additionally, thekey orchestration device 110, themanagement request handler 205, keyorchestration device A 310 a, and/or keyorchestration device B 310 b may be implemented on small form factors such as embedded systems. - In some examples, the
policies 115 may be organized in a hierarchical structure for a structured organization of thepolicies 115. A structured organization may be a well-known, documented, and understood organization structure. For example, thepolicies 115 may be organized in a Directed Acyclic Graph in some examples. The Directed Acyclic Graph may be a hierarchical graph having nodes (vertices) and directed edges. The directed edges may indicate an order or hierarchy in which the nodes are organized. In other examples, thepolicies 115 may be organized in other suitable hierarchical structures such as, but not limited to, a tree. Each node of the Directed Acyclic Graph or tree may be associated with a particular hierarchical entity of the structured organization. Each node may represent a conceptual level, subdivision, department, collection of clients, and/or the like of a structured organization of a company or other organization. -
FIG. 10 is a diagram illustrating an example of apolicy hierarchy 1000 according to some examples. Referring toFIGS. 1-10 , thepolicy hierarchy 1000 may be a Directed Acyclic Graph having aroot node 1010,Node A 1020,Node B 1030, andNode C 1040. A node (e.g., theroot node 1010,Node A 1020,Node B 1030, or Node C 1040) may be associated with one or more devices such as, but not limited to, thesource device 150 a, thetarget device 150 b,cellular device 250 a, thenetwork device 250 b, . . . , thedevice N 250 n, and/or the like. In some examples, a node may be associated with one or more devices such as, but not limited to, thekey source 170, key generation andmanagement device 230, and/or the like. - In addition or alternatively, each node may be associated with at least one
policy 115 such as, but not limited to, the complex policies EQUAL, ONE-OF, MEMBER OF, NULL, NOT-NULL, GREATER-THAN, GREATER-THAN-OR-EQUAL-TO, LESS-THAN, LESS-THAN-OR-EQUAL-TO, and/or the like described herein. Accordingly, each device associated with a given node may also be associated with thepolicies 115 corresponding to that node. - In some examples, child nodes may inherit the
policies 115 of parent node(s) based on parentage set forth in thepolicy hierarchy 1000. For example, theroot node 1010 may be a parent node toNode A 1020 andNode C 1040.Node A 1020 andNode C 1040 may be child nodes to theroot node 1010.Node A 1020 may be a parent node toNode B 1030.Node B 1030 may be a child node toNode A 1020. In some examples,policies 115 associated with theroot node 1010 may also be associated with devices corresponding withNode A 1020 andNode C 1040 through inheritance. In some examples,policies 115 associated withNode A 1020 may be associated with devices corresponding toNode B 1030. In some examples,policies 115 associated with theroot node 1010 may be associated with devices corresponding toNode B 1030, through inheritance. - In some examples, the
policies 115 may be classified into groups for organizing thepolicies 115 in an ad hoc manner. An ad hoc organization or group is an impromptu, operation-driven implementation influenced by cross-functional organization operations. That is, ad hoc groups may be defined based on need. Groups may be a vehicle to organizing nodes (e.g., the nodes 1010-1040), clients, users, and/or other groups. Clients may refer to devices that consume key orchestration services provided by thekey orchestration device 110. For example, the clients may refer to one or more devices such as, but not limited to, thesource device 150 a, thetarget device 150 b,cellular device 250 a, thenetwork device 250 b, . . . , thedevice N 250 n, and/or the like. Users may refer to consumers ofkey management interface 240 and/or themanagement user interface 220. For example, the users may refer to the key generation andmanagement device 230. -
FIG. 11 is a diagram illustrating examples ofgroups FIGS. 1-11 , each of thegroups policies 115. Each of thegroups policies 115 of that group. For example,Group A 1110 may includeNode B 1030 and thesource devices 150 a. In a non-limiting example, thesource devices 150 a may be associated withNode B 1030 in a policy hierarchy such as, but not limited to, thepolicy hierarchy 1000. In another non-limiting example, thesource devices 150 a may not be associated withNode B 1030 in the policy hierarchy (e.g., thesource devices 150 a may be associated with another node in the same policy hierarchy). Thus, groups may present a separate organization ofpolicies 115 for nodes, clients, users, and/or the like as compared to the policy hierarchy, allowing additional control and flexibility in definingpolicies 115. -
Group B 1120 may include thetarget device 150 b andGroup A 1110. In a non-limiting example, thetarget device 150 b may not be included inGroup A 1110, as shown inFIG. 11 . In another non-limiting example, thetarget device 150 b may be included inGroup A 1110 in addition toGroup B 1120.Group C 1130 may include thecellular device 250 a andNode C 1040. In a non-limiting example, thecellular device 250 a may be associated withnode C 1040. In another non-limiting example, thecellular device 250 a may not be associated withnode C 1040. In other examples, a Group may include those or other devices or nodes or other combinations thereof. - Nodes and groups may be separate vehicles to organize and define the
policies 115. When used in combination, nodes and groups may allow flexible and convenient organization and definition of thepolicies 115, adding additional control and management of thepolicies 115. In some examples, the nodes may correspond to an existing structure of the structured organizations while groups can be used to classify somepolicies 115 based on need. Nodes may be used to organize and define thepolicies 115 associated with particular department, sub-department, and/or office of a company, while groups may be used to organize and define thepolicies 115 associated with other criteria other than the existing structure of the company. The groups may be used to organize and define the policies associated with a particular type of device, user, client, time, and/or other suitable criteria. Illustrating with a non-limiting example, a client of a particular transaction may be associated with a subsidiary company (e.g., the root node 1010), Los Angeles office (e.g., Node A 1020), accounting department (e.g., Node B 1030), and all devices associated with accounting departments across the subsidiary company (e.g., Group A 1110). - In some examples, the
policies 115 may be defined and/or evaluated on a basis of a policy hierarchy (e.g., the policy hierarchy 1000). For example, each node (e.g., the nodes 1010-1040) may have a set ofpolicies 115 associated with any device designated for that node. In some examples, thepolicies 115 may be defined and/or evaluated on a basis of groups (e.g., the groups 1110-1130). For example, each group may have a set ofpolicies 115 associated with any node, client, user, or another group designated for that group. - In some examples, the
policies 115 may be defined and/or evaluated on a basis of clients. For example, each client may be associated with a particular set ofpolicies 115 for that client. Illustrating with a non-limiting example, an encryption key for thecellular device 250 a may be defined and/or evaluated based on at least a first set of policies associated for thecellular device 250 a while an encryption key for thenetwork device 250 b may be defined and/or evaluated based on a second set of policies associated with thenetwork device 250 b. - In some examples, the
policies 115 may be defined and/or evaluated on a basis of users. For example, each user may be associated with a particular set ofpolicies 115 for clients administrated by the user. Illustrating with a non-limiting example, an encryption key for a device administrated by the key generation andmanagement device 230 may be defined and/or evaluated based on a first set of policies associated with the key generation andmanagement device 230 while another device administrated by another user (such as, but not limited to, the key generation and management device 230) may be defined and/or evaluated based on a second set of policies associated with the another user. - In some examples, the
policies 115 may be defined and/or evaluated based on a combination of one or more of the policy hierarchy, groups, clients, or users. Illustrating with a non-limiting example, with respect to a particular communication transaction or action of a particular device (e.g., thesource device 150 a, thetarget device 150 b,cellular device 250 a, thenetwork device 250 b, . . . , thedevice N 250 n, and/or the like), an encryption key may be evaluated based on policies consistent with: -
ΣNode Policies∪ΣGroup Policies (1) - That is, the encryption key may be evaluated by a combination of policies corresponding to a node associated with the device and the policies corresponding to a group associated with the device.
- Illustrating with another non-limiting example, with respect to a particular communication transaction or action of a particular device, an encryption key may be evaluated based on policies consistent with:
-
ΣNode Policies∪ΣGroup Policies∪ΣClient Policies∪ΣUser Policies (2) - That is, the encryption key may be evaluated by a combination or sum of policies corresponding to a node associated with the device, the policies corresponding to a group associated with the device, the policies specific to that device (client), and the policies associated with the user administrating encryption keys for the device.
- In some examples, the
policies 115 may include an EQUAL (or EQ) policy. The EQUAL policy may be concerned with whether a key attribute of an encryption key is equivalent or identical to a policy value. Illustrating with a non-limiting example, the EQUAL policy may evaluate whether a size (e.g., length) of an encryption key is identical or equivalent to the policy value. Illustrating with another non-limiting example, the EQUAL policy may evaluate whether a name (or a portion thereof) of an encryption key is identical or equivalent to the policy value. The name may be in string format in some instances. The EQUAL policy is more complex than a simple True/False statement. - In some examples, the
policies 115 may include an ONE-OF policy. The ONE-OF policy may be concerned with whether a key attribute of an encryption key is a member of a set. Illustrating with a non-limiting example, the ONE-OF policy may evaluate whether a size of an encryption key is one of a set of different sizes, where the set of different sizes represents valid responses. Illustrating with another non-limiting example, the ONE-OF policy may evaluate whether a name (or a portion thereof) of an encryption key is one of a set of different names. - In some examples, the
policies 115 may include a MEMBER-OF policy. The MEMBER-OF policy may be concerned with a parentage (with respect to the nodes) or association (with respect to groups) of akey attribute 160 of an encryption key. Thekey attribute 160 associated with the MEMBER-OF policy may be a client or user from which the encryption key is requested or generated. Illustrating with a non-limiting example, the MEMBER-OF policy may evaluate whether a given client or user is associated with a node or group based on a policy value. The policy value may indicate a name, tag, or another type of identifier representing the node or group. In some examples, a given client or user may be associated with a node or group for the purposes of the MEMBER-OF policy if the client or user directly belongs to the node or group. In additional or alternative examples, a given client or user may be associated with a node (e.g., Node A 1020) for the purposes of the MEMBER-OF policy if the client or user belongs to a child node (e.g., Node B 1030) or parent node (e.g., the root node 1010) of that node (e.g., Node A 1020). In additional or alternative examples, a given client or user may be associated with a group (e.g., Group B 1120) for the purposes of the MEMBER-OF policy if the client or user belongs to a group (e.g., Group A 1110) that is included in that group (e.g., Group B 1120). - In some examples, the
policies 115 may include a NULL policy. The NULL policy may be concerned with whether a key attribute of an encryption key is set to NULL. Illustrating with a non-limiting example, the NULL policy may evaluate whether a date (e.g., date created, date deleted, date modified, date approved, date relocated, and/or the like) associated with an encryption key is set to NULL, as compared to another value. Illustrating with another non-limiting example, the NULL policy may evaluate whether a name of an encryption key is set to NULL, as compared to another value. - In some examples, the
policies 115 may include a NOT-NULL (or EMPTY) policy. The NOT-NULL policy may be concerned with whether a key attribute of an encryption key is set to a non-NULL value. Illustrating with a non-limiting example, the NOT-NULL policy may evaluate whether a date (e.g., date created, date deleted, date modified, date approved, date relocated, and/or the like) associated with an encryption key is set to a non-NULL value, as compared to NULL. Illustrating with another non-limiting example, the NOT-NULL policy may evaluate whether a name of an encryption key is set to a non-NULL value, as compared to NULL. - In some examples, the
policies 115 may include a GREATER-THAN policy. The GREATER-THAN policy may be concerned with whether a key attribute of an encryption key is greater than a policy value. Illustrating with a non-limiting example, the GREATER-THAN policy may evaluate whether a size of an encryption key is greater than a policy value. Illustrating with another non-limiting example, the GREATER-THAN policy may evaluate whether an ASCII value or a number of characters of a name (or a portion thereof) of an encryption key is greater than a policy value. - In some examples, the
policies 115 may include a GREATER-THAN-OR-EQUAL-TO policy. The GREATER-THAN-OR-EQUAL-TO policy may be concerned with whether a key attribute of an encryption key is greater than or equal to a policy value. Illustrating with a non-limiting example, the GREATER-THAN-OR-EQUAL-TO policy may evaluate whether a size of an encryption key is greater than or equal to a policy value. Illustrating with another non-limiting example, the GREATER-THAN-OR-EQUAL-TO policy may evaluate whether an ASCII value or a number of characters of a name (or a portion thereof) of an encryption key is greater than or equal to a policy value. - In some examples, the
policies 115 may include a LESS-THAN policy. The LESS-THAN policy may be concerned with whether a key attribute of an encryption key is less than a policy value. Illustrating with a non-limiting example, the LESS-THAN policy may evaluate whether a size of an encryption key is less than a policy value. Illustrating with another non-limiting example, the LESS-THAN policy may evaluate whether an ASCII value or a number of characters of a name (or a portion thereof) of an encryption key is less than a policy value. - In some examples, the
policies 115 may include a LESS-THAN-OR-EQUAL-TO policy. The LESS-THAN-OR-EQUAL-TO policy may be concerned with whether a key attribute of an encryption key is less than or equal to a policy value. Illustrating with a non-limiting example, the LESS-THAN-OR-EQUAL-TO policy may evaluate whether a size of an encryption key is less than or equal to a policy value. Illustrating with another non-limiting example, the LESS-THAN-OR-EQUAL-TO policy may evaluate whether an ASCII value or a number of characters of a name (or a portion thereof) of an encryption key is less than or equal to a policy value. - In some examples, a STRLEN_MIN policy is concerned with string length. A policy value for the STRLEN_MIN policy represents a minimum string length for a given operation that can be processed as a string. A STRLEN MAX policy is similarly concerned with string length. A policy value for the STRLEN MAX policy represents a maximum string length for a given operation that can be processed as a string. In some examples, an ENTITY_EXISTS policy has a policy value that represents an entity (e.g., a device, group, node, client, user, or the like) that has to exist in the encryption
key orchestration system 200 or within a network of the encryptionkey orchestration system 200 for the operation to be valid. - Each complex policy as described herein defines an operation that ultimately aligns with a single decision to act or not act on the operation based on the outcome of evaluation based on the complex policy. Therefore, as compared to a BOOLEAN policy that traditionally governs the decision to act or not to act on the operation, a complex policy allow improved complexity and flexibility during evaluation of an operation.
-
FIG. 12 is a table 1200 illustrating examples ofpolicies 115 having complex logical operations according to some examples. Referring toFIGS. 1-12 , thepolicies 115 may be organized according to a node (e.g., Node Y), group (e.g., Group X), client (e.g., Client Z), and user (e.g., User Key Admin) according to some examples. In some examples, Client Z may be associated with Node Y in a hierarchical structure (e.g., the policy structure 1000) and Group X in terms of groups. For an encryption key of a given action or transaction of Client Z,relevant policies 115 may include, according to expression (2), a sum of policies associated with Node Y, Group X, Client Z, and User Key Admin. In other examples, therelevant policies 115 may include one or a combination of two or more of thepolicies 115 associated with Node Y, Group X, Client Z, or User Key Admin. Thepolicies 115 of the table 1200 may be presented in a human-readable format for clarity. Thepolicies 115 of the table 1200 may be stored in thepolicy database 280 in the manner described. - A policy name may identify a
particular policy 115 in memory (e.g., in the policy database 280). A policy value may be a value based on which the relevant key attribute of the encryption key may be evaluated. The policy value may be set via themanagement user interface 220 or defined via any suitable manner for caching or storage. A policy type may identify particular types of policies, including, but not limited to, complex policies EQUAL, ONE-OF, MEMBER OF, NULL, NOT-NULL, GREATER-THAN, GREATER-THAN-OR-EQUAL-TO, LESS-THAN, LESS-THAN-OR-EQUAL-TO, and/or the like described herein. A policy operation may identify how thepolicies 115 are evaluated. For example, “ADD” may indicate that thecorresponding policy 115 is to be evaluated in addition toother policies 115 that may apply. - In the non-limiting example of table 1200, Node Y may be associated with complex policies (e.g., “Job.Transaction.Create.Key.Size”) related to the key size of an encryption key that has been created. The key size may be a
key attribute 160 of an encryption key. In some examples, a first complex policy may indicate that the key size should be LESS-THAN-OR-EQUAL-TO 256 bits. In some examples, a second complex policy may indicate that the key size should be GREATER-THAN-OR-EQUAL-TO 128 bits. Thus, an encryption created having a size less than or equal to 256 bits and greater than or equal to 128 bits may be allowed per the combination of the first complex policy and second complex policy, as they are evaluated in combination. - In some examples, a third complex policy may indicate that the key size should be LESS-
THAN 257 bits. In some examples, a fourth complex policy may indicate that the key size should be GREATER-THAN 127 bits. Thus, an encryption created having a size less than 257 bits (less than or equal to 256 bits) and greater than 127 bits (greater than or equal to 128 bits) may be allowed per the combination of the third complex policy and fourth complex policy, as they are evaluated in combination. - In some examples, Node Y may be associated with complex policies (e.g., “Job.Transaction.Get.Attribute.Deleted Date”) related to a delete date of an encryption key that has been created. For example, a fifth complex policy may indicate that a delete date of the encryption key should be NULL, instead of any other values. NULL indicates that the encryption key does not have a delete date (e.g., the encryption key has not been deleted).
- In some examples, Node Y may be associated with complex policies (e.g., “Job.Transaction.Get.Attribute.Object.Group”) related to parentage or association of the client (e.g., the Client Z) or the user (e.g., User Key Admin) of the policy operation in which an encryption key has been created. For example, a sixth complex policy may indicate that client or user (from which the encryption key is requested or generated) should be associated with a node or group identified by the name “Fresh.”
- In some examples, Node Y may be associated with at least one BOOLEAN policies such as, but not limited to, “Job.Transaction.Create.Key,” which is related to whether the encryption key has been created.
- In some examples, Group X may be associated with a seventh complex policies (e.g., “Job.Transaction.Create.Key.Encryption Mask”) related to whether the encryption mask is a member of a set named “ENCRYPT DECRYPT ENCRYPT DECRYPT.” The set may be a collection of encryption masks.
- In some examples, Group X may be associated with complex policies (e.g., “Job.Transaction.Create.Key.Name”) related to a name of an encryption key that has been created. For example, an eighth complex policy may indicate that a name of the encryption key should be not be NULL (NOT-NULL), instead of NULL. NOT-NULL indicates that the encryption key has been named.
- In some examples, Client Z may be associated with complex policies (e.g., “Job.Transaction.Create.Key.Name”) related to a name (a descriptive string attribute) of an encryption key that has been created. For example, a ninth complex policy may indicate that a name of the encryption key should EQUAL “foo,” instead of another name. All other names may be denied according to this policy.
- In some examples, the User Key Admin may have the
same policies 115 as those of Node Y in the non-limiting example of the table 1200. In other examples, the User Key Admin may have at least onedifferent policy 115 than one ormore policies 115 of Node Y. The key attributes governed by the complex policies may include, but not limited to, key size, creation, deletion, date created, date deleted, object group, encryption mask, name, key name, and/or the like. - In some examples the complex policies may define unique fine-grained policies for encryption management that can be applied for not only encryption key management lifecycle, but to the actual management of the applied encryption key management server itself.
-
FIGS. 13A, 13B, and 13C illustrate an example of apolicy hierarchy 1300 undergoing nodal manipulation. Referring toFIGS. 1-13A , thepolicy hierarchy 1300 may correspond topolicy hierarchy 1000. In particular examples, thepolicy hierarchy 1300 may include a plurality ofhierarchy nodes Node 1302 may be a hierarchy root node and may correspond to rootnode 1010.Nodes root node 1302.Nodes nodes Node 1308 may be a third level node and may be the child ofnodes Node 1308 may correspond tonode 1030. - In some examples, the
policy hierarchy 1300 may further include agroup A 1310 including node 1308 (hierarchy node 1.2) and one or more source devices. Althoughgroup A 1310 is described as being a part of thepolicy hierarchy 1300,group A 1310 may not be within the hierarchal structure itself, but may encompass one or more components within the policy hierarchy (e.g., one or more nodes, one or more source devices, one or more destination devices, etc.).Group A 1310 may correspond to one or more ofgroups - Referring to
FIGS. 1-13B , a user of the encryptionkey orchestration system 200 may input commands into the system 200 (e.g., via the management user interface 220) for performing realignment, addition, deletion, moving, or any other suitable action with respect to the nodes, devices, users, and the like in thepolicy hierarchy 1300. Accordingly, as a non-limiting example, a move operation ofnode 1308 is illustrated within thepolicy hierarchy 1300. The move operation may change a node's parentage from one lineage of nodes to another lineage of nodes. For example,hierarchy node 1308 may be moved from havingnode 1304 as its parent to havingnode 1306 as its parent (as illustrated by the dashed arrow). As such, in the aftermath of the move,node 1304 no longer has any children, andnode 1306 is now associated with a child (node 1308), whereasnode 1306 previously did not have any children. - In some examples, because in
policy hierarchy 1300 nodes inheritpolicies 115 based on their parentage (i.e., a child node will inherit the policies associated with its parent node), after being moved to itsnew parent node 1306,node 1308 will undergo a change in itspolicy 115 due to its new parentage, and thusnode 1308 will inherit thepolicies 115 corresponding tonode 1306 and forget thepolicies 115 associated withnode 1304. In other words, the policy cache ofnode 1308 may be rebuilt reflecting itsnew policy 115 based on its new parentage, or the string hash representation of policy for the sum of node policies union with the sum of group policy union with the sum of client policies union with the sum of user policies may be reestablished at thenode 1308. - In some examples, the policy cache of a node may be rebuilt any time (e.g., immediately) after an action is performed on the node (e.g., after the node is moved, created, shifted, etc.), or when the node is affected by an operation performed within the policy hierarchy 1300 (e.g., on another node, but affects parentage of the node). In some examples, the rebuilding of the policy cache can be performed at any node that has detected a change in parentage. In some examples, the rebuilding of a policy cache to assign
new policies 115 at a node (e.g., due to a change in parentage) may be performed by the key orchestration system 200 (e.g., at themanagement user interface 220 or by another module of the system 200). In some examples, theeffective policy 115 for operations associated withnode 1308 corresponds to the sum of policies forroot node 1302,parent node 1306, and thenode 1308 itself. Furthermore, becausenode 1308 has membership withingroup A 1310, the sum of policies ofgroup A 1310 may also be incorporated at thenode 1308. - In some examples, in a situation where a conflict in
policies 115 is introduced, thekey orchestration system 200 may automatically bias the conflicting policies toward being failed or null operations. For example, if a destination device associated with thenode 1308 has a policy dictating that a key must be less than 256 bits, but thenew parent node 1306 has a policy dictating that the a key must be greater than 256 bits, thekey orchestration system 200 may void those two conflicting policies at thenode 1308 when rebuilding its policy cache. - In some examples, although the
hierarchy node 1308 has been moved fromparent node 1304 toparent node 1306, the membership of thenode 1308 ingroup A 1310 remains unaffected. In other words, in the aftermath of its move,node 1306 maintains its membership ingroup A 1310. In some examples, because thepolicies 115 ofnode 1308 change due to new parentage, the sum of group A's 1310 policies also changes to account for the node's 1308 move. - Referring to
FIGS. 1-13C , a nodal delete operation is illustrated with respect toparent node 1306. In some examples, a user may delete a node altogether. However, in some examples, because the deletion ofnode 1306 leavesnode 1308, which was moved to be a child ofnode 1306 as shown inFIG. 13B , as an orphaned child node, thepolicy hierarchy 1300 may respond to the orphanednode 1308 and assign it a parent node of the level abovenode 1306, which in this case is theroot node 1302. In other words, in some examples, the parentage of an orphaned node due to a deletion or any other action may be assigned a parent node that was the parent node of the deleted node (e.g., a grandparent node of the orphaned node may be assigned to be the orphan's parent). As such, node parentage may be collapsed to maintain structure of thepolicy hierarchy 1300. In other examples, the parent of an orphaned node may simply be assigned as theroot node 1302, no matter the parental lineage of the orphaned node. However, in some examples, removing groups (e.g., group A 1310) may not impact the relationship between subsequent groups, as group relationships are arbitrary and unstructured and are not a part of the framework of thepolicy hierarchy 1300. - In some examples, similar to the effects on
policies 115 after the move shown inFIG. 13B , thepolicies 115 ofnode 1308 may be rebuilt with respect to its new parentage. For example, the policy cache ofnode 1308 may be rebuilt for inheritance of thepolicies 115 ofroot node 1302,node 1308's new parent. In other words, theeffective policy 115 for operations associated withnode 1308 may include the sum ofpolicies 115 for theroot node 1302 and thenode 1308 itself. In some examples, becausenode 1308 has membership withingroup A 1310, the sum of policies ofgroup A 1310 may also be incorporated at thenode 1308. In some examples, similar to that shown inFIG. 13B , the group membership ofnode 1308 ingroup A 1310 may be maintained regardless of the manipulation ofnode 1308's parentage. - As such, in various examples, restructuring of the
policy hierarchy 1300 and rebuilding of the policy cache of a node may occur not only for a node that is directly operated on (e.g., a moved node), but also at nodes that are indirectly operated on (e.g., a node that has its parent deleted may be assigned a new parent node). - In various examples, other operations may be utilized within the
policy hierarchy 1300. In some examples, a user may create a node and insert the node into the policy hierarchy 1300 (e.g., as a child node, as a parent node, or as both a child and parent node). In some examples, an operation may include moving clients or users to different nodes or groups. In examples, an operation may include assigning clients, users, or nodes to an ad-hoc group that is associated with thepolicy hierarchy 1300. In some examples, an operation may include unassigning clients, users, or nodes from an ad-hoc group that is associated with thepolicy hierarchy 1300. In some examples, an operation may include creating or removing ad-hoc groups. - The examples described with respect to the figures relate to encryptions keys. It should be appreciated by one of ordinary skills in the art that, in other examples, the systems and methods directed to the
key orchestration device 110 involving management, distribution, and federation may be likewise implemented for other sensitive objects such as, but not limited to, user identity information, certificates, biometric data, random number generator data, determinate random number generator data, non-determinate random number generator data, user authentication information, policy components, other components associated with organization security component, and/or the like. - Complex policies are described with respect to Provisional Application No. 62/300,352 and Non-Provisional application attorney docket no. 107283-0221, each of which titled Policy-Enabled Encryption Keys Having Complex Logical Operations and incorporated herein by reference in its entirety. Ephemeral policies are described in detail in Provisional Application No. 62/300,521 and Non-Provisional application attorney docket no. 107283-0222, each of which titled Policy-Enabled Encryption Keys Having Ephemeral Policies and incorporated herein by reference in its entirety. Organization of the
policies 115 are described in detail in Provisional Application No. 62/300,670 and Non-Provisional application attorney docket no. 107283-0223, each of which titled Structure Of Policies For Evaluating Key Attributes Of Encryption Keys and incorporated herein by reference in its entirety. Granular policies are described in detail in Provisional Application No. 62/300,687 and Non-Provisional application attorney docket no. 107283-0224, each of which titled Linking Encryption Key Management With Granular Policy and incorporated herein by reference in its entirety. Policies with device activity is described in detail in Provisional Application No. 62/300,699 and Non-Provisional application attorney docket no. 107283-0225, each of which titled System And Method For Associating Encryption Key Management Policy With Device Activity and incorporated herein by reference in its entirety. - Various examples described above with reference to the figures include the performance of various processes or tasks. In various examples, such processes or tasks may be performed through the execution of computer code read from computer-readable storage media. For example, in various examples, one or more computer-readable storage mediums store one or more computer programs that, when executed by a processor cause the processor to perform processes or tasks as described with respect to the processor in the above examples. Also, in various examples, one or more computer-readable storage mediums store one or more computer programs that, when executed by a device, cause the computer to perform processes or tasks as described with respect to the devices mentioned in the above examples. In various examples, one or more computer-readable storage mediums store one or more computer programs that, when executed by a database, cause the database to perform processes or tasks as described with respect to the database in the above examples.
- Thus, examples include program products comprising computer-readable or machine-readable media for carrying or having computer or machine executable instructions or data structures stored thereon. Such computer-readable storage media can be any available media that can be accessed, for example, by a general purpose or special purpose computer or other machine with a processor. By way of example, such computer-readable storage media can comprise semiconductor memory, flash memory, hard disks, optical disks such as compact disks (CDs) or digital versatile disks (DVDs), magnetic storage, random access memory (RAM), read only memory (ROM), and/or the like. Combinations of those types of memory are also included within the scope of computer-readable storage media. Computer-executable program code may comprise, for example, instructions and data which cause a computer or processing machine to perform certain functions, calculations, actions, or the like.
- The examples disclosed herein are to be considered in all respects as illustrative, and not restrictive. The present disclosure is in no way limited to the examples described above. Various modifications and changes may be made to the examples without departing from the spirit and scope of the disclosure. Various modifications and changes that come within the meaning and range of equivalency of the claims are intended to be within the scope of the disclosure.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/162,714 US20210185026A1 (en) | 2016-02-26 | 2021-01-29 | System and method for hierarchy manipulation in an encryption key management system |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201662300717P | 2016-02-26 | 2016-02-26 | |
US15/439,873 US10931653B2 (en) | 2016-02-26 | 2017-02-22 | System and method for hierarchy manipulation in an encryption key management system |
US17/162,714 US20210185026A1 (en) | 2016-02-26 | 2021-01-29 | System and method for hierarchy manipulation in an encryption key management system |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/439,873 Continuation US10931653B2 (en) | 2016-02-26 | 2017-02-22 | System and method for hierarchy manipulation in an encryption key management system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210185026A1 true US20210185026A1 (en) | 2021-06-17 |
Family
ID=59678597
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/439,873 Active US10931653B2 (en) | 2016-02-26 | 2017-02-22 | System and method for hierarchy manipulation in an encryption key management system |
US17/162,714 Abandoned US20210185026A1 (en) | 2016-02-26 | 2021-01-29 | System and method for hierarchy manipulation in an encryption key management system |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/439,873 Active US10931653B2 (en) | 2016-02-26 | 2017-02-22 | System and method for hierarchy manipulation in an encryption key management system |
Country Status (5)
Country | Link |
---|---|
US (2) | US10931653B2 (en) |
EP (1) | EP3420673A4 (en) |
AU (1) | AU2017223725A1 (en) |
CA (1) | CA3015778A1 (en) |
WO (1) | WO2017147343A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210226786A1 (en) * | 2015-03-13 | 2021-07-22 | Fornetix Llc | Server-client key escrow for applied key management system and process |
US11700244B2 (en) | 2016-02-26 | 2023-07-11 | Fornetix Llc | Structure of policies for evaluating key attributes of encryption keys |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10630686B2 (en) | 2015-03-12 | 2020-04-21 | Fornetix Llc | Systems and methods for organizing devices in a policy hierarchy |
KR102545959B1 (en) | 2017-01-26 | 2023-06-22 | 셈퍼 포티스 솔루션즈 엘엘씨 | Multiple single-level security in a multi-tenant cloud (MSLS) |
US11113408B2 (en) * | 2018-08-20 | 2021-09-07 | Hewlett Packard Enterprise Development Lp | Providing a secure object store using a hierarchical key system |
US20230205935A1 (en) * | 2021-12-28 | 2023-06-29 | Ati Technologies Ulc | Software assisted acceleration in cryptographic queue processing |
Citations (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020046290A1 (en) * | 2000-10-12 | 2002-04-18 | Johann Andersson | Computer system |
US20020091819A1 (en) * | 2001-01-05 | 2002-07-11 | Daniel Melchione | System and method for configuring computer applications and devices using inheritance |
US20020138735A1 (en) * | 2001-02-22 | 2002-09-26 | Felt Edward P. | System and method for message encryption and signing in a transaction processing system |
US20030018786A1 (en) * | 2001-07-17 | 2003-01-23 | Lortz Victor B. | Resource policy management |
US20030023587A1 (en) * | 1998-08-14 | 2003-01-30 | Dennis Michael W. | System and method for implementing group policy |
US20040086125A1 (en) * | 2002-10-31 | 2004-05-06 | Hewlett-Packard Development Company, L.P. | Management of security key distribution |
US6772165B2 (en) * | 2000-05-16 | 2004-08-03 | O'carroll Garrett | Electronic document processing system and method for merging source documents on a node-by-node basis to generate a target document |
US20040158583A1 (en) * | 2002-11-21 | 2004-08-12 | Nokia Corporation | Method and device for defining objects allowing establishment of a device management tree for mobile communication devices |
US20070204326A1 (en) * | 2006-02-27 | 2007-08-30 | Research In Motion Limited | Method of customizing a standardized it policy |
US20070226809A1 (en) * | 2006-03-21 | 2007-09-27 | Sun Microsystems, Inc. | Method and apparatus for constructing a storage system from which digital objects can be securely deleted from durable media |
US20090046862A1 (en) * | 2007-06-25 | 2009-02-19 | Takayuki Ito | Method and device for speeding up key use in key management software with tree structure |
US7512676B2 (en) * | 2001-09-13 | 2009-03-31 | Network Foundation Technologies, Llc | Systems for distributing data over a computer network and methods for arranging nodes for distribution of data over a computer network |
US20090132557A1 (en) * | 2007-11-19 | 2009-05-21 | Cohen Richard J | Using hierarchical groupings to organize grc guidelines, policies, categories, and rules |
US20100246827A1 (en) * | 2009-03-27 | 2010-09-30 | Microsoft Corporation | User-specified sharing of data via policy and/or inference from a hierarchical cryptographic store |
US7849497B1 (en) * | 2006-12-14 | 2010-12-07 | Athena Security, Inc. | Method and system for analyzing the security of a network |
US20110131275A1 (en) * | 2009-12-02 | 2011-06-02 | Metasecure Corporation | Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes |
US20130039489A1 (en) * | 2010-01-08 | 2013-02-14 | Nippon Telegraph And Telephone Corporation | Cryptographic processing system, key generation device, key delegation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program |
US8559638B2 (en) * | 2009-04-23 | 2013-10-15 | Mitsubishi Electric Corporation | Cryptographic processing system |
US20130318126A1 (en) * | 2012-05-22 | 2013-11-28 | Goetz Graefe | Tree data structure |
US20140201520A1 (en) * | 2010-12-03 | 2014-07-17 | Yacov Yacobi | Attribute-based access-controlled data-storage system |
US20140229736A1 (en) * | 2011-09-28 | 2014-08-14 | Koninklijke Philips N.V. | Hierarchical attribute-based encryption and decryption |
US20140289513A1 (en) * | 2013-03-15 | 2014-09-25 | Arizona Board Of Regents On Behalf Of Arizona State University | Enabling Comparable Data Access Control for Lightweight Mobile Devices in Clouds |
US20150010147A1 (en) * | 2012-03-06 | 2015-01-08 | Mitsubishi Electric Corporation | Cryptographic system, cryptographic method, and cryptographic program |
US8972453B2 (en) * | 2011-05-12 | 2015-03-03 | Futurewei Technologies, Inc. | Method and system for longest prefix matching of variable-sized hierarchical names by treelets |
US20150086020A1 (en) * | 2013-09-23 | 2015-03-26 | Venafi, Inc. | Centralized policy management for security keys |
US20150127789A1 (en) * | 2013-11-04 | 2015-05-07 | Amazon Technologies, Inc. | Encoding traffic classification information for networking configuration |
US20150124656A1 (en) * | 2012-07-09 | 2015-05-07 | Murakumo Corporation | Method for managing tree structure, information processing system, and medium |
Family Cites Families (187)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4316055A (en) | 1976-12-30 | 1982-02-16 | International Business Machines Corporation | Stream/block cipher crytographic system |
US5889953A (en) | 1995-05-25 | 1999-03-30 | Cabletron Systems, Inc. | Policy management and conflict resolution in computer networks |
US8914410B2 (en) | 1999-02-16 | 2014-12-16 | Sonicwall, Inc. | Query interface to policy server |
US7673323B1 (en) * | 1998-10-28 | 2010-03-02 | Bea Systems, Inc. | System and method for maintaining security in a distributed computer network |
US6330562B1 (en) | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects |
US6539495B1 (en) * | 1999-02-22 | 2003-03-25 | International Business Machines Corporation | Method, system and program products for providing user-managed duplexing of coupling facility cache structures |
WO2001054374A2 (en) | 2000-01-17 | 2001-07-26 | Certicom Corp. | Customized public key infrastructure and developing tool |
US7660902B2 (en) * | 2000-11-20 | 2010-02-09 | Rsa Security, Inc. | Dynamic file access control and management |
CA2326851A1 (en) | 2000-11-24 | 2002-05-24 | Redback Networks Systems Canada Inc. | Policy change characterization method and apparatus |
US7280990B2 (en) * | 2001-08-07 | 2007-10-09 | Ugs Corp. | Method and system for designing and modeling a product in a knowledge based engineering environment |
US7159125B2 (en) | 2001-08-14 | 2007-01-02 | Endforce, Inc. | Policy engine for modular generation of policy for a flat, per-device database |
US7050589B2 (en) | 2001-08-17 | 2006-05-23 | Sun Microsystems, Inc. | Client controlled data recovery management |
US7499986B2 (en) * | 2001-10-04 | 2009-03-03 | International Business Machines Corporation | Storage area network methods with event notification conflict resolution |
US6678799B2 (en) * | 2001-10-18 | 2004-01-13 | Hewlett-Packard Development Company, Lp. | Aggregation of cache-updates in a multi-processor, shared-memory system |
US7478418B2 (en) * | 2001-12-12 | 2009-01-13 | Guardian Data Storage, Llc | Guaranteed delivery of changes to security policies in a distributed system |
US20040039594A1 (en) | 2002-01-09 | 2004-02-26 | Innerpresence Networks, Inc. | Systems and methods for dynamically generating licenses in a rights management system |
AU2003212412B2 (en) | 2002-02-27 | 2009-01-08 | Opentv, Inc. | A method and apparatus for providing a hierarchical security profile object |
US7451065B2 (en) * | 2002-03-11 | 2008-11-11 | International Business Machines Corporation | Method for constructing segmentation-based predictive models |
US7474657B2 (en) * | 2002-04-30 | 2009-01-06 | University Of Florida Research Foundation, Inc. | Partitioning methods for dynamic router tables |
US20030225778A1 (en) * | 2002-05-28 | 2003-12-04 | Craig Fisher | System and methods for generating a customer specific catalog from a base catalog |
KR100431210B1 (en) | 2002-08-08 | 2004-05-12 | 한국전자통신연구원 | Validation Method of Certificate Validation Server using Certificate Policy Table and Certificate Policy Mapping Table in PKI |
US7184550B2 (en) | 2002-08-15 | 2007-02-27 | Intel Corporation | Method and apparatus for simultaneous decryption and re-encryption of publicly distributed content via stream ciphers |
US7231664B2 (en) | 2002-09-04 | 2007-06-12 | Secure Computing Corporation | System and method for transmitting and receiving secure data in a virtual private group |
US7437752B2 (en) | 2002-09-23 | 2008-10-14 | Credant Technologies, Inc. | Client architecture for portable device with security policies |
US7665125B2 (en) | 2002-09-23 | 2010-02-16 | Heard Robert W | System and method for distribution of security policies for mobile devices |
US7665118B2 (en) | 2002-09-23 | 2010-02-16 | Credant Technologies, Inc. | Server, computer memory, and method to support security policy maintenance and distribution |
US7391724B2 (en) | 2002-10-09 | 2008-06-24 | Spyder Navigations, L.L.C. | System and method with policy control function for multimedia broadcast/multicast system services |
GB2394803A (en) * | 2002-10-31 | 2004-05-05 | Hewlett Packard Co | Management of security key distribution using an ancestral hierarchy |
US8332464B2 (en) | 2002-12-13 | 2012-12-11 | Anxebusiness Corp. | System and method for remote network access |
GB2398712B (en) | 2003-01-31 | 2006-06-28 | Hewlett Packard Development Co | Privacy management of personal data |
US7003117B2 (en) * | 2003-02-05 | 2006-02-21 | Voltage Security, Inc. | Identity-based encryption system for secure data distribution |
JP4759513B2 (en) * | 2003-06-02 | 2011-08-31 | リキッド・マシンズ・インコーポレーテッド | Data object management in dynamic, distributed and collaborative environments |
US7289632B2 (en) | 2003-06-03 | 2007-10-30 | Broadcom Corporation | System and method for distributed security |
WO2005000420A2 (en) * | 2003-06-25 | 2005-01-06 | Infinite Links, Llc | Golf mat with advertising area |
US7831693B2 (en) * | 2003-08-18 | 2010-11-09 | Oracle America, Inc. | Structured methodology and design patterns for web services |
US7200226B2 (en) | 2003-09-04 | 2007-04-03 | Intel Corporation | Cipher block chaining decryption |
WO2005036304A2 (en) | 2003-09-29 | 2005-04-21 | Realm Systems, Inc. | Mobility device server |
US20050071439A1 (en) | 2003-09-29 | 2005-03-31 | Peter Bookman | Mobility device platform |
US20050086477A1 (en) | 2003-10-16 | 2005-04-21 | Taiwan Semiconductor Manufacturing Co. | Integrate PGP and Lotus Notes to encrypt / decrypt email |
US7653816B2 (en) | 2003-12-30 | 2010-01-26 | First Information Systems, Llc | E-mail certification service |
US9094699B2 (en) | 2004-02-05 | 2015-07-28 | Broadcom Corporation | System and method for security key transmission with strong pairing to destination client |
WO2005078606A2 (en) * | 2004-02-11 | 2005-08-25 | Storage Technology Corporation | Clustered hierarchical file services |
US7664828B2 (en) * | 2004-02-20 | 2010-02-16 | Microsoft Corporation | Invalid policy detection |
CA2559369A1 (en) * | 2004-04-12 | 2005-10-27 | Intercomputer Corporation | Secure messaging system |
US7730482B2 (en) | 2004-06-08 | 2010-06-01 | Covia Labs, Inc. | Method and system for customized programmatic dynamic creation of interoperability content |
US7478426B2 (en) | 2004-07-20 | 2009-01-13 | International Busines Machines Corporation | Multi-field classification dynamic rule updates |
WO2006064768A1 (en) | 2004-12-13 | 2006-06-22 | Matsushita Electric Industrial Co., Ltd. | Unauthorized deice detection device, unauthorized device detection system, unauthorized device detection method, program, recording medium, and device information update method |
US7607164B2 (en) | 2004-12-23 | 2009-10-20 | Microsoft Corporation | Systems and processes for managing policy change in a distributed enterprise |
US8099598B1 (en) | 2005-01-03 | 2012-01-17 | Gary Gang Liu | Secure messaging system with automatic recipient enrollment |
KR100675380B1 (en) | 2005-01-14 | 2007-01-29 | 삼성전자주식회사 | Method and system providing authentication in home network |
US8074069B2 (en) | 2005-02-24 | 2011-12-06 | International Business Machines Corporation | Reading a locked windows NFTS EFS encrypted computer file |
US20110167470A1 (en) | 2005-02-28 | 2011-07-07 | Trust Digital, Llc | Mobile data security system and methods |
US8713667B2 (en) | 2005-07-08 | 2014-04-29 | Hewlett-Packard Development Company, L.P. | Policy based cryptographic application programming interface in secure memory |
EP1911191B1 (en) | 2005-08-05 | 2017-12-06 | Hewlett-Packard Enterprise Development LP | System, method and apparatus for cryptography key management for mobile devices |
US20070071243A1 (en) | 2005-09-23 | 2007-03-29 | Microsoft Corporation | Key validation service |
US20090271627A1 (en) | 2005-09-26 | 2009-10-29 | Ram Cohen | Secure Data Transmission |
US8135958B2 (en) | 2005-11-22 | 2012-03-13 | International Business Machines Corporation | Method, system, and apparatus for dynamically validating a data encryption operation |
WO2007071040A1 (en) | 2005-12-19 | 2007-06-28 | Kryptiva Inc. | System and method for providing certified proof of delivery receipts for electronic mail |
US8544058B2 (en) * | 2005-12-29 | 2013-09-24 | Nextlabs, Inc. | Techniques of transforming policies to enforce control in an information management system |
CN101444119A (en) | 2006-03-27 | 2009-05-27 | 意大利电信股份公司 | System for implementing security police on mobile communication equipment |
US9002018B2 (en) | 2006-05-09 | 2015-04-07 | Sync Up Technologies Corporation | Encryption key exchange system and method |
US7822209B2 (en) | 2006-06-06 | 2010-10-26 | Red Hat, Inc. | Methods and systems for key recovery for a token |
JP2008022526A (en) | 2006-06-13 | 2008-01-31 | Hitachi Ltd | Attribute certificate verification method, attribute authority apparatus, service providing apparatus, and attribute certificate verification system |
US8131719B2 (en) | 2006-08-16 | 2012-03-06 | International Business Machines Corporation | Systems and methods for utilizing organization-specific classification codes |
FR2905217B1 (en) | 2006-08-23 | 2008-12-19 | Thales Sa | SYSTEM AND METHOD FOR DECENTRALIZED MANAGEMENT OF A SECURE SYSTEM DELIVERING DIFFERENT SERVICES |
US7779258B2 (en) | 2006-09-22 | 2010-08-17 | International Business Machines Corporation | Method for controlling security function execution with a flexible, extendable, and non-forgable block |
US8116455B1 (en) | 2006-09-29 | 2012-02-14 | Netapp, Inc. | System and method for securely initializing and booting a security appliance |
US8010784B2 (en) | 2006-10-10 | 2011-08-30 | Adobe Systems Incorporated | Method and apparatus for achieving conformant public key infrastructures |
EP2092685A4 (en) | 2006-11-20 | 2012-02-22 | Tet Hin Yeap | System and method for secure electronic communication services |
US8538028B2 (en) | 2006-11-20 | 2013-09-17 | Toposis Corporation | System and method for secure electronic communication services |
US20080118070A1 (en) | 2006-11-20 | 2008-05-22 | 6580874 Canada Inc. | Open and distributed systems to provide secure email service |
US8116456B2 (en) | 2006-11-28 | 2012-02-14 | Oracle International Corporation | Techniques for managing heterogeneous key stores |
US20080216153A1 (en) | 2007-03-02 | 2008-09-04 | Aaltonen Janne L | Systems and methods for facilitating authentication of network devices |
EP2140593A1 (en) | 2007-04-12 | 2010-01-06 | NCipher Corporation Limited | Method and system for identifying and managing encryption keys |
US20080271022A1 (en) * | 2007-04-27 | 2008-10-30 | Motorola, Inc. | Utilizing graphs to detect and resolve policy conflicts in a managed entity |
US8584227B2 (en) | 2007-05-09 | 2013-11-12 | Microsoft Corporation | Firewall with policy hints |
US8296559B2 (en) | 2007-05-31 | 2012-10-23 | Red Hat, Inc. | Peer-to-peer SMIME mechanism |
KR20090002392A (en) | 2007-06-28 | 2009-01-09 | 주식회사 케이티프리텔 | Method and system for sharing contents with removable storage |
US20090080658A1 (en) | 2007-07-13 | 2009-03-26 | Brent Waters | Method and apparatus for encrypting data for fine-grained access control |
US8332636B2 (en) | 2007-10-02 | 2012-12-11 | International Business Machines Corporation | Secure policy differentiation by secure kernel design |
FR2922392B1 (en) | 2007-10-12 | 2011-03-04 | Thales Sa | DEVICE AND METHOD FOR HANDLING EXCHANGE FLOWS OF PUBLIC (OR NON-SENSITIVE) VALUES FOR CREATING COMMON SECRET KEYS BETWEEN SEVERAL ZONES. |
US8594321B2 (en) | 2007-10-26 | 2013-11-26 | International Business Machines Corporation | Apparatus and method for operating a symmetric cipher engine in cipher-block chaining mode |
US20090144380A1 (en) | 2007-11-21 | 2009-06-04 | Kallman William R | Peer-to-peer email |
KR100930018B1 (en) | 2007-12-07 | 2009-12-07 | 주식회사 마크애니 | Digital Information Security System, Kernel Driver Device, and Digital Information Security Method |
US8347347B2 (en) | 2008-01-09 | 2013-01-01 | International Business Machines Corporation | Password policy enforcement in a distributed directory when policy information is distributed |
CN101953112A (en) | 2008-02-25 | 2011-01-19 | 松下电器产业株式会社 | Information security device and information security system |
US8972447B2 (en) | 2008-03-18 | 2015-03-03 | International Business Machines Corporation | Persistent object linkage using ghosting |
FR2930663A1 (en) | 2008-04-25 | 2009-10-30 | Thales Sa | METHOD FOR MANAGING CRYPTOGRAPHIC EQUIPMENT WITH UNIFIED ADMINISTRATION |
US8646049B2 (en) | 2008-05-02 | 2014-02-04 | Toposis Corporation | Systems and methods for secure management of presence information for communication services |
US9253154B2 (en) * | 2008-08-12 | 2016-02-02 | Mcafee, Inc. | Configuration management for a capture/registration system |
EP2166761A1 (en) | 2008-09-19 | 2010-03-24 | Nagravision S.A. | Method to enforce by a management center the access rules to a broadcast product |
US8213620B1 (en) | 2008-11-17 | 2012-07-03 | Netapp, Inc. | Method for managing cryptographic information |
US20100146582A1 (en) | 2008-12-04 | 2010-06-10 | Dell Products L.P. | Encryption management in an information handling system |
GB2472491B (en) | 2009-02-06 | 2013-09-18 | Thales Holdings Uk Plc | System and method for multilevel secure object management |
US20100246828A1 (en) | 2009-03-30 | 2010-09-30 | David Johnston | Method and system of parallelized data decryption and key generation |
US8959353B2 (en) | 2009-03-31 | 2015-02-17 | Topaz Systems, Inc. | Distributed system for multi-function secure verifiable signer authentication |
US20100266132A1 (en) | 2009-04-15 | 2010-10-21 | Microsoft Corporation | Service-based key escrow and security for device data |
WO2010123122A1 (en) | 2009-04-24 | 2010-10-28 | 日本電信電話株式会社 | Cryptogram system, cryptogram communication method, encrypting device, key generating device, decrypting device, content server device, programs, and storage medium |
ES2365887B1 (en) | 2009-05-05 | 2012-09-03 | Scytl Secure Electronic Voting S.A. | METHOD OF VERIFICATION OF DEFRYING PROCESSES |
GB2471282B (en) | 2009-06-22 | 2015-02-18 | Barclays Bank Plc | Method and system for provision of cryptographic services |
US20110113235A1 (en) | 2009-08-27 | 2011-05-12 | Craig Erickson | PC Security Lock Device Using Permanent ID and Hidden Keys |
US8630422B2 (en) | 2009-11-10 | 2014-01-14 | International Business Machines Corporation | Fully homomorphic encryption method based on a bootstrappable encryption scheme, computer program and apparatus |
US8447734B2 (en) * | 2009-11-30 | 2013-05-21 | Hewlett-Packard Development Company, L.P. | HDAG backup system with variable retention |
US8539220B2 (en) | 2010-02-26 | 2013-09-17 | Microsoft Corporation | Secure computation using a server module |
FR2958101A1 (en) | 2010-03-26 | 2011-09-30 | Ntx Res | PHYSICAL SECURITY BI-KEY MANAGEMENT INFRASTRUCTURE (IGCP / PKI) |
US20110296171A1 (en) | 2010-05-28 | 2011-12-01 | Christina Fu | Key recovery mechanism |
US8661499B2 (en) | 2010-07-07 | 2014-02-25 | Ca, Inc. | Dynamic policy trees for matching policies |
WO2012011575A1 (en) | 2010-07-23 | 2012-01-26 | 日本電信電話株式会社 | Cryptosystem, cryptographic communication method, encryption device, key-generating device, decryption device, content server device, program, and recording medium |
EP2599027B1 (en) | 2010-07-28 | 2017-07-19 | Nextlabs, Inc. | Protecting documents using policies and encryption |
WO2012025728A1 (en) | 2010-08-27 | 2012-03-01 | Fxi Technologies As | Electronics Device |
US10122693B2 (en) | 2010-10-25 | 2018-11-06 | International Business Machines Corporation | Protocol based key management |
US9053339B2 (en) | 2010-10-27 | 2015-06-09 | Hytrust, Inc. | System and method for secure storage of virtual machines |
JP4892093B1 (en) | 2010-11-09 | 2012-03-07 | 株式会社東芝 | Authentication linkage system and ID provider device |
US9589145B2 (en) | 2010-11-24 | 2017-03-07 | Oracle International Corporation | Attaching web service policies to a group of policy subjects |
US8719253B2 (en) | 2010-12-01 | 2014-05-06 | Cisco Technology, Inc. | Method and apparatus for efficiently organizing hierarchical QoS policies |
US10817421B2 (en) * | 2010-12-13 | 2020-10-27 | Sandisk Technologies Llc | Persistent data structures |
US8479008B2 (en) | 2010-12-15 | 2013-07-02 | Microsoft Corporation | Providing security services on the cloud |
US8352749B2 (en) | 2010-12-17 | 2013-01-08 | Google Inc. | Local trusted services manager for a contactless smart card |
US9083526B2 (en) | 2011-04-29 | 2015-07-14 | International Business Machines Corporation | Fully homomorphic encryption |
US8621483B2 (en) | 2011-06-20 | 2013-12-31 | Nokia Corporation | Methods, apparatuses and computer program products for provisioning applications to in vehicle infotainment systems with secured access |
US8707026B2 (en) | 2011-07-13 | 2014-04-22 | International Business Machines Corporation | Apparatus for certificate-based cookie security |
US8798273B2 (en) | 2011-08-19 | 2014-08-05 | International Business Machines Corporation | Extending credential type to group Key Management Interoperability Protocol (KMIP) clients |
US20130044882A1 (en) | 2011-08-19 | 2013-02-21 | International Business Machines Corporation | Enhancing provisioning for keygroups using key management interoperability protocol (KMIP) |
US20130097123A1 (en) | 2011-10-18 | 2013-04-18 | Research In Motion Limited | Method and System for Determining Eligible Communication Partners Utilizing an Entity Discovery Engine |
US9489528B2 (en) | 2011-12-12 | 2016-11-08 | Microsoft Technology Licensing, Llc | Single use recovery key |
US10133662B2 (en) | 2012-06-29 | 2018-11-20 | Sandisk Technologies Llc | Systems, methods, and interfaces for managing persistent data of atomic storage operations |
US9166777B2 (en) | 2012-03-05 | 2015-10-20 | Echoworx Corporation | Method and system for user authentication for computing devices utilizing PKI and other user credentials |
CN104145445B (en) | 2012-03-06 | 2017-10-20 | 诺基亚技术有限公司 | Method, equipment and computer-readable recording medium for being securely accessed by social network data |
CN103368901A (en) | 2012-03-27 | 2013-10-23 | 复旦大学 | Cloud computing system based on large-scale discrete data |
US8843739B2 (en) | 2012-04-04 | 2014-09-23 | Lockheed Martin Corporation | Anti-tamper device, system, method, and computer-readable medium |
US9130837B2 (en) | 2012-05-22 | 2015-09-08 | Cisco Technology, Inc. | System and method for enabling unconfigured devices to join an autonomic network in a secure manner |
WO2014002094A2 (en) * | 2012-06-25 | 2014-01-03 | Storone Ltd. | System and method for datacenters disaster recovery |
US9294508B2 (en) * | 2012-08-02 | 2016-03-22 | Cellsec Inc. | Automated multi-level federation and enforcement of information management policies in a device network |
US9256763B2 (en) | 2012-09-03 | 2016-02-09 | Nec Europe Ltd. | Method and system for providing a public key/secret key pair for encrypting and decrypting data |
US9769124B2 (en) * | 2012-09-21 | 2017-09-19 | Nokia Technologies Oy | Method and apparatus for providing access control to shared data based on trust level |
US10210175B2 (en) * | 2012-09-28 | 2019-02-19 | Oracle International Corporation | Techniques for lifecycle state management and in-database archiving |
US9418209B2 (en) | 2012-10-02 | 2016-08-16 | Google Technology Holdings LLC | Systems and methods for manipulating sensitive information in a secure mobile environment |
US20140108558A1 (en) | 2012-10-12 | 2014-04-17 | Citrix Systems, Inc. | Application Management Framework for Secure Data Sharing in an Orchestration Framework for Connected Devices |
US9342666B2 (en) | 2012-10-31 | 2016-05-17 | Intel Corporation | Providing security support for digital rights management in different formats |
US8990883B2 (en) | 2013-01-02 | 2015-03-24 | International Business Machines Corporation | Policy-based development and runtime control of mobile applications |
US8559631B1 (en) | 2013-02-09 | 2013-10-15 | Zeutro Llc | Systems and methods for efficient decryption of attribute-based encryption |
US9578061B2 (en) * | 2013-03-13 | 2017-02-21 | FireMon, LLC | System and method for modeling a networking device policy |
US9716728B1 (en) | 2013-05-07 | 2017-07-25 | Vormetric, Inc. | Instant data security in untrusted environments |
US10681023B2 (en) | 2013-06-28 | 2020-06-09 | Ssh Communications Security Oyj | Self-service portal for provisioning passwordless access |
FR3009163B1 (en) | 2013-07-25 | 2015-09-04 | Thales Sa | METHOD FOR SECURITY EXCHANGE OF DATA ON AN AD-HOC NETWORK USING XCAST BROADCAST SERVICE; ASSOCIATED NODE |
US9083752B2 (en) | 2013-10-01 | 2015-07-14 | Codeproof Technologies, Inc. | Mobile device management as a simplified online software service |
KR101754308B1 (en) | 2013-10-04 | 2017-07-07 | 한국전자통신연구원 | Method for management sensitive data of mobile and escrow server for performing the method |
AU2014332244A1 (en) | 2013-10-07 | 2016-05-05 | Fornetix Llc | System and method for encryption key management, federation and distribution |
US9087205B2 (en) | 2013-10-11 | 2015-07-21 | Sap Se | Shared encrypted storage |
US9213764B2 (en) | 2013-11-22 | 2015-12-15 | Sap Se | Encrypted in-memory column-store |
US9756048B2 (en) * | 2013-11-24 | 2017-09-05 | Truly Protect Oy | System and methods for executing encrypted managed programs |
US9639589B1 (en) * | 2013-12-20 | 2017-05-02 | Amazon Technologies, Inc. | Chained replication techniques for large-scale data streams |
US9654922B2 (en) | 2014-03-21 | 2017-05-16 | Venafi, Inc. | Geo-fencing cryptographic key material |
US9626400B2 (en) * | 2014-03-31 | 2017-04-18 | Sandisk Technologies Llc | Compaction of information in tiered data structure |
US9626399B2 (en) * | 2014-03-31 | 2017-04-18 | Sandisk Technologies Llc | Conditional updates for reducing frequency of data modification operations |
US9537854B2 (en) | 2014-04-18 | 2017-01-03 | Symantec Corporation | Transmitting encoded digital certificate data to certificate authority using mobile device |
US9565227B1 (en) * | 2014-06-16 | 2017-02-07 | Teradici Corporation | Composition control method for remote application delivery |
US9774577B2 (en) | 2014-06-24 | 2017-09-26 | Tata Consultancy Services Limited | Device, system and method providing data security and attribute based data access in participatory sensing |
US10067722B2 (en) * | 2014-07-02 | 2018-09-04 | Hedvig, Inc | Storage system for provisioning and storing data to a virtual disk |
US9571463B2 (en) | 2014-07-14 | 2017-02-14 | Raytheon Bbn Technologies Corp. | Policy-based access control in content networks |
US20160048408A1 (en) * | 2014-08-13 | 2016-02-18 | OneCloud Labs, Inc. | Replication of virtualized infrastructure within distributed computing environments |
US10462114B2 (en) | 2014-09-07 | 2019-10-29 | Definitive Data Security, Inc. | System and associated software for providing advanced data protections in a defense-in-depth system by integrating multi-factor authentication with cryptographic offloading |
US9716716B2 (en) | 2014-09-17 | 2017-07-25 | Microsoft Technology Licensing, Llc | Establishing trust between two devices |
US10592093B2 (en) * | 2014-10-09 | 2020-03-17 | Splunk Inc. | Anomaly detection |
US9495545B2 (en) | 2014-11-13 | 2016-11-15 | Sap Se | Automatically generate attributes and access policies for securely processing outsourced audit data using attribute-based encryption |
US9922054B2 (en) * | 2014-11-19 | 2018-03-20 | Informex, Inc. | Data retrieval apparatus, program and recording medium |
US10594484B2 (en) | 2015-02-13 | 2020-03-17 | Yoti Holding Limited | Digital identity system |
US9626245B2 (en) * | 2015-02-20 | 2017-04-18 | Netapp, Inc. | Policy based hierarchical data protection |
US10560440B2 (en) | 2015-03-12 | 2020-02-11 | Fornetix Llc | Server-client PKI for applied key management system and process |
US10630686B2 (en) * | 2015-03-12 | 2020-04-21 | Fornetix Llc | Systems and methods for organizing devices in a policy hierarchy |
US9967289B2 (en) * | 2015-03-12 | 2018-05-08 | Fornetix Llc | Client services for applied key management systems and processes |
US10965459B2 (en) | 2015-03-13 | 2021-03-30 | Fornetix Llc | Server-client key escrow for applied key management system and process |
US9680649B2 (en) | 2015-03-19 | 2017-06-13 | Oracle International Corporation | Policy-based key sharing |
US9660969B2 (en) | 2015-03-31 | 2017-05-23 | Here Global B.V. | Method and apparatus for providing key management for data encryption for cloud-based big data environments |
US10339106B2 (en) * | 2015-04-09 | 2019-07-02 | Commvault Systems, Inc. | Highly reusable deduplication database after disaster recovery |
EP3132373B1 (en) * | 2015-04-26 | 2018-04-18 | Y.G. Noobaa Ltd. | Systems and methods for security management of multi-client based distributed storage |
US9591000B2 (en) | 2015-06-19 | 2017-03-07 | Oracle International Corporation | Methods, systems, and computer readable media for authorization frameworks for web-based applications |
US10257175B2 (en) * | 2015-09-28 | 2019-04-09 | Fornetix Llc | Encryption deployment discovery |
US9830470B2 (en) | 2015-10-09 | 2017-11-28 | Sap Se | Encrypting data for analytical web applications |
CN109121436B (en) * | 2015-11-25 | 2022-06-21 | 蒂米菲尔股份有限公司 | Method for augmenting, exploring, and maintaining a hierarchy of projects |
US10860086B2 (en) | 2016-02-26 | 2020-12-08 | Fornetix Llc | Policy-enabled encryption keys having complex logical operations |
US10880281B2 (en) | 2016-02-26 | 2020-12-29 | Fornetix Llc | Structure of policies for evaluating key attributes of encryption keys |
US10523645B2 (en) | 2016-10-21 | 2019-12-31 | Thales Esecurity, Inc. | Method and system for protecting user data using individualized keys to enable secure compartmentalized data backup/restore |
US10078552B2 (en) * | 2016-12-29 | 2018-09-18 | Western Digital Technologies, Inc. | Hierarchic storage policy for distributed object storage systems |
US10547598B2 (en) | 2017-02-13 | 2020-01-28 | Thales Esecurity, Inc. | Abstracted cryptographic material management across multiple service providers |
US10721079B2 (en) | 2017-04-05 | 2020-07-21 | Venafi, Inc. | Detection of anomalous key material |
FR3076423B1 (en) | 2017-12-28 | 2020-01-31 | Thales | METHOD AND SYSTEM FOR CRYPTOGRAPHIC ACTIVATION OF A PLURALITY OF EQUIPMENT |
-
2017
- 2017-02-22 US US15/439,873 patent/US10931653B2/en active Active
- 2017-02-23 WO PCT/US2017/019209 patent/WO2017147343A1/en active Application Filing
- 2017-02-23 EP EP17757246.8A patent/EP3420673A4/en not_active Withdrawn
- 2017-02-23 AU AU2017223725A patent/AU2017223725A1/en not_active Abandoned
- 2017-02-23 CA CA3015778A patent/CA3015778A1/en active Pending
-
2021
- 2021-01-29 US US17/162,714 patent/US20210185026A1/en not_active Abandoned
Patent Citations (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030023587A1 (en) * | 1998-08-14 | 2003-01-30 | Dennis Michael W. | System and method for implementing group policy |
US20060167858A1 (en) * | 1998-08-14 | 2006-07-27 | Microsoft Corporation | System and method for implementing group policy |
US6772165B2 (en) * | 2000-05-16 | 2004-08-03 | O'carroll Garrett | Electronic document processing system and method for merging source documents on a node-by-node basis to generate a target document |
US20020046290A1 (en) * | 2000-10-12 | 2002-04-18 | Johann Andersson | Computer system |
US20020091819A1 (en) * | 2001-01-05 | 2002-07-11 | Daniel Melchione | System and method for configuring computer applications and devices using inheritance |
US20020138735A1 (en) * | 2001-02-22 | 2002-09-26 | Felt Edward P. | System and method for message encryption and signing in a transaction processing system |
US20030018786A1 (en) * | 2001-07-17 | 2003-01-23 | Lortz Victor B. | Resource policy management |
US7512676B2 (en) * | 2001-09-13 | 2009-03-31 | Network Foundation Technologies, Llc | Systems for distributing data over a computer network and methods for arranging nodes for distribution of data over a computer network |
US20040086125A1 (en) * | 2002-10-31 | 2004-05-06 | Hewlett-Packard Development Company, L.P. | Management of security key distribution |
US20040158583A1 (en) * | 2002-11-21 | 2004-08-12 | Nokia Corporation | Method and device for defining objects allowing establishment of a device management tree for mobile communication devices |
US20070204326A1 (en) * | 2006-02-27 | 2007-08-30 | Research In Motion Limited | Method of customizing a standardized it policy |
US20070226809A1 (en) * | 2006-03-21 | 2007-09-27 | Sun Microsystems, Inc. | Method and apparatus for constructing a storage system from which digital objects can be securely deleted from durable media |
US7849497B1 (en) * | 2006-12-14 | 2010-12-07 | Athena Security, Inc. | Method and system for analyzing the security of a network |
US20090046862A1 (en) * | 2007-06-25 | 2009-02-19 | Takayuki Ito | Method and device for speeding up key use in key management software with tree structure |
US20090132557A1 (en) * | 2007-11-19 | 2009-05-21 | Cohen Richard J | Using hierarchical groupings to organize grc guidelines, policies, categories, and rules |
US20100246827A1 (en) * | 2009-03-27 | 2010-09-30 | Microsoft Corporation | User-specified sharing of data via policy and/or inference from a hierarchical cryptographic store |
US8559638B2 (en) * | 2009-04-23 | 2013-10-15 | Mitsubishi Electric Corporation | Cryptographic processing system |
US20110131275A1 (en) * | 2009-12-02 | 2011-06-02 | Metasecure Corporation | Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes |
US20130039489A1 (en) * | 2010-01-08 | 2013-02-14 | Nippon Telegraph And Telephone Corporation | Cryptographic processing system, key generation device, key delegation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program |
US20140201520A1 (en) * | 2010-12-03 | 2014-07-17 | Yacov Yacobi | Attribute-based access-controlled data-storage system |
US8972453B2 (en) * | 2011-05-12 | 2015-03-03 | Futurewei Technologies, Inc. | Method and system for longest prefix matching of variable-sized hierarchical names by treelets |
US20140229736A1 (en) * | 2011-09-28 | 2014-08-14 | Koninklijke Philips N.V. | Hierarchical attribute-based encryption and decryption |
US20150010147A1 (en) * | 2012-03-06 | 2015-01-08 | Mitsubishi Electric Corporation | Cryptographic system, cryptographic method, and cryptographic program |
US20130318126A1 (en) * | 2012-05-22 | 2013-11-28 | Goetz Graefe | Tree data structure |
US20150124656A1 (en) * | 2012-07-09 | 2015-05-07 | Murakumo Corporation | Method for managing tree structure, information processing system, and medium |
US20140289513A1 (en) * | 2013-03-15 | 2014-09-25 | Arizona Board Of Regents On Behalf Of Arizona State University | Enabling Comparable Data Access Control for Lightweight Mobile Devices in Clouds |
US20150086020A1 (en) * | 2013-09-23 | 2015-03-26 | Venafi, Inc. | Centralized policy management for security keys |
US20150127789A1 (en) * | 2013-11-04 | 2015-05-07 | Amazon Technologies, Inc. | Encoding traffic classification information for networking configuration |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210226786A1 (en) * | 2015-03-13 | 2021-07-22 | Fornetix Llc | Server-client key escrow for applied key management system and process |
US11924345B2 (en) * | 2015-03-13 | 2024-03-05 | Fornetix Llc | Server-client key escrow for applied key management system and process |
US11700244B2 (en) | 2016-02-26 | 2023-07-11 | Fornetix Llc | Structure of policies for evaluating key attributes of encryption keys |
Also Published As
Publication number | Publication date |
---|---|
US10931653B2 (en) | 2021-02-23 |
US20170250966A1 (en) | 2017-08-31 |
WO2017147343A1 (en) | 2017-08-31 |
CA3015778A1 (en) | 2017-08-31 |
EP3420673A1 (en) | 2019-01-02 |
AU2017223725A1 (en) | 2018-09-13 |
EP3420673A4 (en) | 2019-10-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11470086B2 (en) | Systems and methods for organizing devices in a policy hierarchy | |
US11537195B2 (en) | Policy-enabled encryption keys having complex logical operations | |
US11700244B2 (en) | Structure of policies for evaluating key attributes of encryption keys | |
US10917239B2 (en) | Policy-enabled encryption keys having ephemeral policies | |
US20210185026A1 (en) | System and method for hierarchy manipulation in an encryption key management system | |
US11063980B2 (en) | System and method for associating encryption key management policy with device activity | |
US10348485B2 (en) | Linking encryption key management with granular policy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: FORNETIX LLC, MARYLAND Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WHITE, CHARLES;GARDNER, GARY C.;REEL/FRAME:055083/0679 Effective date: 20160929 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE |