KR20050026478A - Network attached encryption - Google Patents

Abstract

A method and apparatus are provided for managing cryptographic keys and performing cryptographic services within server or other computing environments. An appliance functions as a cryptographic key server (16) to secure cryptographic keys and provide cryptographic operations as a network service.

Description

Network Attached Encryption

TECHNICAL FIELD The present invention relates to the field of data security, and more particularly, to providing secure encryption keys for encrypted network services and network environments.

Computer systems that handle sensitive content are striving to protect this security content between network transport and localized storage. For example, e-commerce websites use various mechanisms to protect the user's credit card number and user password during transmission. Often these sites use the well-known Secure Socket Layer (SSL) and Transport Layer Security (TLS) to protect all sensitive data while passing from the consumer's computer to the website. Use a protocol.

SSL and TLS protect data while in transit by encrypting data using session-keys (ie, encryption keys) known only to websites and users' computers. The receiving server processes the data (valid credit card numbers) and often stores sensitive data in a server database.

The encryption key used to establish an SSL connection between the web client and the internal web server is stored on the same internal web server. Similarly, encryption is performed on data stored on the back-end application server and the database, and the encryption key is stored on the same back-end application server. The back-end application server is a platform that is not secured.

Web servers and application servers, where the encryption process is performed directly, exhibit low performance because of what is required to process the encryption process. In one approach, expensive hardware such as cryptographic acceleration cards are used in such servers to improve server performance. However, this is a cost constraint for installing expensive cryptographic accelerators on each web / application server.

In addition to protecting cryptographic keys, other methods are needed to perform the encryption process without installing expensive cryptographic accelerators on each web / application server that requires cryptographic services.

1 illustrates a computer server environment 10 for providing a network cryptographic service according to an embodiment of the present invention.

2 illustrates a software structure in accordance with one embodiment of the present invention.

3A is a hardware configuration suitable for a network cryptographic key server according to an embodiment of the invention.

3B is operation 150 for backing up and storing a private key for a cryptographic server that provides k-out-of-n secret distribution in accordance with one embodiment of the present invention.

4 illustrates a computer-implemented method in which a network cryptographic key server in accordance with an embodiment of the present invention provides cryptographic services.

Figure 5 illustrates a computer-implemented method for performing authentication and authentication analysis of a password request according to an embodiment of the present invention.

6 illustrates a computer-implemented method for enabling an application implemented on an application server to access remote and local cryptographic services through standard cryptographic APIs.

7 illustrates a cryptographic service computing environment in accordance with one embodiment of the present invention.

8 illustrates a system structure of a network security device for providing a network encryption key service according to an embodiment of the present invention.

9 illustrates a network structure including a clear decryption network security device and an encryption key server.

In adding reference numerals to components of the following drawings, it is determined that the same components have the same reference numerals as much as possible even if displayed on different drawings, and it is determined that they may unnecessarily obscure the subject matter of the present invention. Detailed descriptions of well-known functions and configurations will be omitted.

1 illustrates a computer server environment 10 for providing a networked encryption service according to an embodiment of the present invention. The computer server environment 10 includes a plurality of clients 12, an application server 14, an encryption key server 16, and a computer network 18 coupled in all directions. Computer network 18 may take the form of any suitable network, such as the Internet or a local network. The combined application server 14 in both directions is the network database 20. Application server 14 provides the requested service to client 12 via computer network 18. Services requested by client 12 may specifically include cryptographic services, and may prompt preparation for cryptographic services. For example, a service requested by a client may require the storage of sensitive data in network database 20 or the retrieval of encrypted data from network database 20. Cryptographic server 16 is useful for application server 14 to perform cryptographic services. This relieves the burden of computing cryptographic services from application server 14.

The associated encryption key server is known as Networked Attached Encryption. The nature of cryptographic services as well as various mechanisms for implementing such functionality will be described in detail below.

2 is a schematic diagram illustrating a software structure 50 for an application server 52 and an encryption key server 54 according to an embodiment of the present invention. The software structure of FIG. 2 is not limited to the application server, and may be variously implemented. The plurality of computer devices and systems may be clients of cryptographic key server 54. In a preferred embodiment, application server 52 and cryptographic key server 54 are coupled in both directions via secure network communication channel 56. Secure network communication channel 56 may be implemented via any suitable secure communication technology such as SSL or TLS. Alternatively, the secure channel may be implemented in direct physical coupling or at the level of those skilled in the art. Software-based application 52 is just one example of a client that requires cryptographic services of a cryptographic key server.

The application server 52 of FIG. 2 includes a plurality of applications 60, cryptographic application program interfaces (APIs), and a secure network interface engine 64. Application 60 is a software program that runs on application server 52. These applications will serve local users of the application server 52 and provide network services to remote clients via network connections.

Cryptography API 62 provides a standard set by a plurality of applications 60 that can invoke a plurality of cryptographic services. According to the present invention, at least one cryptographic service is performed by the cryptographic key server 54 over a long distance. To perform network cryptographic services, cryptographic API 62 is sensitive to requests for remote cryptographic services to use cryptographic network interface engine 64 to request cryptographic services.

The cryptographic API is preferably a standardized software cryptographic API that application developers can easily integrate into their software. As such, cryptographic API 62 accommodates special forms relating to subordinate computer environments. Some examples of subordinate computer environments are Java, Microsoft, PKCS # 11 / Cryptoki Provider, and Oracle9i, which are described in detail below.

In the Java computing environment, cryptographic APIs are exposed to applications as Java Cryptography Extensions ('JEC'). JEC is invoked by various sources, including Java Server Pages (JSP), Java Servlets, or Enterprise Java Beans (EJB). Java applications that can use JCE are called by Active Server Pages (ASPs). In another example of the present invention, the application 60 can directly access the cryptographic key server 54 without the help of cryptographic API 62.

In ASP computing environments such as Microsoft's .NET, by using VBScript via the Crypto Service Provider ('CSP'), the cryptographic functions communicate through the use of the Microsoft Cryptography API (MS-CAPI). Exposed. In this case, the CSP or cryptographic API is implemented as a dynamic link library (DLL) that exposes many cryptographic processes to the application 60. The previous description of cryptographic functions and cryptographic APIs are the environment of a web application server. However, cryptographic functions and cryptographic APIs are suitable for non-web-based application servers, such as web-based Java applications that do not use JCE and Windows-based Windows applications that call MS-CAPI.

The secure communication interface engine 64 can establish a secure communication channel 56 with a remote cryptographic key server 54. Similarly, remote cryptographic key server 54 is capable of establishing secure network communications with secure network interface engine 64. After a secure network communication channel 56 is established between the application server 52 and the remote cryptographic server 54, the secure network interface engine sends and arranges security requests for cryptographic services to the remote cryptographic server 54 and requests for security services. It is possible to receive and not sort security responses and to send those responses to security API 62. In turn, cryptographic API 62 provides a response to requesting application 60.

The secure network interface engine 64 exposes secure network services to the application 60 for use in providing a secure communication channel between the application 60 and the client of the application server 52. In FIG. 2, security API 62 and secure network interface engine 64 are represented by two different processes, implemented in application server 52.

As another reference to FIG. 2, the cryptographic key server 54 includes a cryptographic service engine 70, a secure network interface engine 72, and a private key engine 74. Encryption key server 54 is suitable for providing cryptographic services to application server 52 coupled to the encryption key server via secure network communication channel 56. The secure network interface engine 72 may establish a secure network communication channel 56 using the application server 52. Similarly, application server 52 may establish a secure network communication channel using secure network interface engine 72. In addition, the secure network interface engine 72 does not affect the secure cryptographic service request received at the application server 52 or forwards and transmits the secure cryptographic service response to the application server 52.

The cryptographic service engine 70 running on the cryptographic key server 54 is coupled in both directions to the secure network interface engine 72. The cryptographic service engine 70 may supply the security service requested by the application server 52 via the secure network interface engine 72. Security services include: 1) hash operation, 2) signatures and authentication such as RSA and DSA

The security features presented in application 60 are the most desirable ones required by the remote client. This security function must be done in cryptographic key server 54 to relieve the burden on application server 52 or more preferably on application server 52 achieving cryptographic services. As such, it is desirable that the cryptographic service engine 70, which is capable of performing any exposed cryptographic service, does not provide it to the application server 52. Typical exposed functions include, but are not limited to, encryption and decryption (eg, DES, 3DES, AES, RSA, DSA, ECC, etc.), signing and authentication (eg, RSA, DSA, etc.) and hash and authentication ( For example, SHA-1, HMAC, etc.). In general, encryption and decryption functions include:

Symmetric block cipher

Normal password mode

Stream cipher mode

Public-key encryption

Padding Scheme for Public-Key System

Key array scheme

Elliptic Curve Encryption

One-way hash function

Message verification code

Password structure based on hash function

Generate virtual random numbers

Password based on key derivation function

Shamir's Secret Distribution Scheme and Robin's Information Distribution Algorithm (IDA)

Compress / decompress DEFLATE (RFC 1951) with support for gzip (RFC 1952) and zlib formats (RFC 1950).

Fast self-weighting bignum and polynomial operations

Finite field operations, including GF (p) and GF ("2") and prime number generation and authentication

Private key engine 74 provides the cryptographic service engine 74 with the private key required to perform cryptographic operations. Such private keys are generally generated and stored by a variety of well known mechanisms, and are also generated and stored by various methods expected by the present invention. A preferred embodiment for generating and handling a private key is described below in conjunction with FIG.

In FIG. 2, cryptographic service engine 70 and secure network interface engine 72 are represented by two different processes that are each implemented on cryptographic service engine 70. This allows for a separate variant of their process. However, another implementation of the present invention indicates that cryptographic service engine 70 and secure network interface engine 72 are supplied in a single process.

3A is a suitable hardware architecture 100 for a network cryptographic key server as the cryptographic key server 54 of FIG. 2 in accordance with an embodiment of the present invention. The hardware architecture 100 includes a central processing unit (CPU) 104, permanent storage devices such as hard disks, temporary storage devices such as RAM, network input / output devices, cryptographic devices such as cryptographic acceleration cards 112, hardware security modules (HSMs), and smart cards. Interface, which includes a data bus 102 coupled in all directions. Another additional component may be part of hardware architecture 100.

According to the embodiment of FIG. 3A, the private key 120 is loaded into the HSM 114 and stored in an encrypted format. More preferably, HSM 114 is a tamper resistant device. Private key 120 is encrypted using a group key known only from a small, predefined group of cryptographic servers. These group keys are protected by smart cards. When a backup operation is realized on one of the predefined groups of cryptographic servers, an encrypted form of the original cryptographic key is created as a backup file. The cryptographic server, which is part of a predefined group of devices, can decrypt the encrypted key using a separate cryptographic key.

In one embodiment, the cryptographic server supports k-out-of-n secret distribution of group keys for increased security. This means that smart keys are required for backup and restore of private keys. For example, if group key information is distributed across five smart card n groups, the group data may be set to be accessed after inserting three smart cards k into the smart card reader 116. Attempts to access data with less than three smart cards will fail. The use of the k of n scheme ensures the safety of the data. If a card is stolen, the person who picked it up cannot access the configuration data stored on the HSM 114. Because the invader of the card does not have enough cards to satisfy the k of n category described above. According to an obvious implementation, FIG. 3B shows an operation 150 for backup and restore of a private key with respect to a cryptographic server that supports k-out-of-n secret distribution of group keys. In step 154, in response to the request for backup, at least a k-out-of-n smart card must be inserted into the smart card interface device associated with the cryptographic server requested for backup. If at least the k-out-of-n smart card is not inserted, then at step 156, the request for backup and restore is denied. If at least a k-out-of-n smart card is inserted, in step 158 a request for backup and restore is allowed.

4, a computer-implemented method 200 by a network cryptographic key server, such as cryptographic key server 56 or 54, provides cryptographic services in accordance with one embodiment of the present invention to be described later. In an initial step 202, a private key set is established on a network key server. This private key is generated and maintained according to the appropriate mechanism. Preferably, the private key is stored in a tamper-resident hardware device and is not distributed over the network. However, it is managed through a process as described with reference to HSM114 in FIG. Subsequent requests for cryptographic services by a given application server with a set of private keys already installed on a network key server are not included in step 202.

In a next initial step 204, a secure network communication channel is established between the application server and the cryptographic key server. In one embodiment, a connection pool is established between the application server and the keyserver before a client of any particular cryptographic service requests it. The connection pool can be kept indefinitely, or may be closed because of inactivity. Since the establishment of the secure connection is an enhanced processing, maintaining the secure connection is effective once the secure connection is established. Secure channels may be established with SSL, TLS, or with known technologies. In many situations, HTTPS with server and client certificates will be used. In addition, in step 204 the subject of the requesting entity is verified, i.e. authenticated. This includes the identification of the identification code of the application server, the identification of the identification number of the application running on the application server and, if appropriate, the authentication of the client request service of the application server. If authentication of the requesting entity fails, the request for cryptographic services is denied. In addition, in some embodiments, if authentication of the requesting entity fails, process control moves to step 216 and performs housekeeping associated with the failure request for the service described below.

If the private key is established in step 202, the secure network channel is established in step 204, and the authentication process is completed. Cryptographic key servers can be used to provide cryptographic services. Thus, in step 206 the keyserver receives a request for cryptographic services via a secure channel. In receiving the cryptographic service request, the keyserver will unmarshal the request in decrypted network format. As described in FIG. 2, in some embodiments, this may be performed by a secure network interface engine. In step 208, the keyserver will perform an authorization analysis of the cryptographic service request.

The authorization analysis of step 208 determines whether the requested service has been provided to the requesting client. The embodiment of step 208 will be described in more detail in conjunction with FIG. 4.

When step 208 determines that the request has been fulfilled, process control flows to step 210 to perform the requested cryptographic service in step 208. For example, an application server may be required to encrypt or decrypt data. In step 212, the cryptographic key server responds to the application server via a secure channel. This involves marshaling data in a secure format for transmission across the network. In a next step 214, various cleanup tasks related to the satisfaction of the authenticated request are accomplished. In one embodiment, this includes maintaining a database associated with cryptographic requests (time, client identification, service request, satisfactory completion, etc.).

Step 208 performs a cleanup function related to the failure request for service when the request is not performed for failure of authentication step 208. In one embodiment, this includes maintaining a database associated with cryptographic requests (time, client identification, service request, etc.). This database is used for evaluation to determine whether an attack is being made, or to determine errors in the system.

In FIG. 5, a computer-implemented method 208 for performing authentication analysis of a cryptographic request in accordance with one embodiment of the present invention is described in detail. As described above with reference to FIG. 4, step 208 is invoked when the remote application server requests that the cryptographic key server perform some cryptographic function for the application server. In a first step 250, the authentication privileges granted to the application server, application, and client are determined. If the authentication privileges granted to the application server, application, and client cannot be determined, then the authentication check of step 250 will fail. When the authentication check in step 250 fails, the request is denied in step 252. If the authentication test of step 250 succeeds, step 254 determines whether a particular request is within the rights of the requesting entity. For example, no application running on the application server is granted the right to decrypt any data, or even if the same application is granted the right to decrypt the data, it is not granted the right to decrypt any data. In any event, if the request does not exist in the rights of the requesting entity, the request is negated in step 252. When the request is in the request entity, the request is granted in step 256, and process control begins for the implementation of the requested cryptographic service.

Referring to FIG. 6, a computer-implemented method 300 for enabling an application implemented on an application server to access remote and local cryptographic services through a standard cryptographic API. Steps 320 and 304 are initialization procedures for creating a cryptographic service useful for an application. In step 32 the standardized software cryptographic API is integrated into the application server. As described above in FIG. 2, the cryptographic API may be designed for a particular computing environment (Java, Microsoft, etc.) of the application server. In step 304, the cryptographic service is exposed to an application implemented on the application to create on the application on which the service request is realized. Cryptographic providers allow programmers to develop application software that uses standard cryptography usefully generated by cryptographic APIs.

In step 306 the application calls the cryptographic API requested for the cryptographic function and service. This request is handled by the cryptographic API to determine whether the request was delivered along the remote cryptographic server, performed locally, or whether the application server has performed some authentication locally before the request for cryptographic services can be delivered. When the request is to be sent to the remote crypto server, step 208 marshalls and sends the request. In a preferred embodiment, marshalling and transmission are performed by the secure network interface engine via a previously established secure network transport channel. In step 310, the application server receives and unmarshals a response to the cryptographic service request. This response is supplied to the cryptographic API in step 312, which supplies the response to the requested application in the appropriate format.

7 illustrates a distributed cryptographic service computing environment 400 in accordance with one embodiment of the present invention. Computing environment 400 includes a plurality of cryptographic key servers 402, a plurality of application servers 404, and a plurality of clients 406, a bidirectionally coupled wide area network 408, such as the Internet. The encryption key server 402 and the application server 404 use a suitable form. For example, the embodiment described above in Figures 1-3 will be preferred.

Various methods for implementing the operation of the distributed cryptographic services computing environment 400 are contemplated. For example, the plurality of cryptographic key servers 402 can operate in a standalone style and can provide services in a standalone style. Optionally, the special cryptographic key server 402 can act as an administrator of all services that direct all requests from the application server to other cryptographic key servers based on a predetermined load balancing scheme.

8 is a block diagram of a system structure of a network security device that provides a network cryptographic key service. The system architecture includes a plurality of clients 502 and a broadband network 504 such as the Internet, a network security device 506, and an application server 508. Except for the network security device 506, all of the elements of FIG. 8 will be fully understood by what has been described in FIGS.

The network security device 506 is physically located between the application server 508 and the network 504. Previous techniques will be familiar with network security devices and their general operation. Some services provided by the network security device 506 include secure transport between the client 502 and the application server 508, reducing oppression on the application server 508 and improving user, SSL, TLS acceleration, transparent cryptographic services, client authentication, and so on. Contains a secure cache. According to the embodiment of FIG. 8, the network security server 506 further provides cryptographic key services to the application server 508. Network security device 506 has the depicted software structure related to cryptographic key server 54 of FIG. As such, the network security device has a hardware architecture 100 as depicted above with respect to the cryptographic key server of FIG. 3. The method depicted in FIGS. 4-6 above applies to the operation of the network security device and the application server 508.

9 illustrates a network structure, in which a plurality of clients, a wide area network such as the Internet, a transparent cryptographic device 606, a plurality of application servers 608, a local network 610, at least one cryptographic key server 612, and at least two or more network databases 614 are shown. , And a plurality of back-end servers 616. As depicted in the associated patented device, the transparent cryptographic device 606 is configured to inspect all requests entering the site via the network 604 and encodes sensitive data using one of the installed private keys 120. The transparent cryptographic device 606 and cryptographic key server 612 are loaded into a private key 120, such as a predefined group member of the TE application that distributes the group key. Multiple application server 608 may request cryptographic services from cryptographic key server 612 as back-end server 616 via local area network 610.

To illustrate, assume a client 602 register with financial institutions on the Internet. In this example, the application server 608 is a web server and the client 602 provides a credit card number to the web server 608 on the network 604 via a secure session. The TE device 606 encodes such data using one of the installed private keys 120, the credit card number being sensitive information, so that the web server 608 does not clearly manage the sensitive information. Similarly, the credit card number is stored in network database 614 in encoded form. Back-end server 616 is needed to access all client credit card numbers in order to retrieve account information. As an example, the van-end server 616 authenticates to access the client credit card number, and as a result, the encryption key server encrypts the credit card number as 612 is requested.

The configuration and discussion so far have been concise and provided as a general depiction of a suitable computing environment in terms of which the invention may be implemented. Although not required, embodiments of the invention are depicted in the general context of computer-executable instructions as routines performed by a general purpose computer (server, or personal computer). Related prior art is directed to aspects of the invention such as Internet appliances, handheld devices, wearable computers, cellular or mobile phones, multi-processor computers, microprocessor-based or program consumer electric machines, set-top boxes, network PCs, minicomputers, It is practical for other computer system configurations, including mainframe computers.

Aspects of the present invention are implemented in a specially programmed, constructed, structured data processor or special purpose computer for performing indicators executable by at least one computer described below. In fact, in general, the word "computer" herein refers to any data process as well as the device. In addition, the term "process" as used herein is used to refer to at least one central processing unit (CPU), digital signal processor (DSP), ASIC.

In the foregoing specification, embodiments of the present invention are described with reference to several specific items that vary from implementation to implementation. As such, the only destructive indicator intended by the applicant of the present invention is the set of claims issued in this specification, in the particular form in which such claims are issued, including any subsequent modification. The expression definitions indicated herein for the terms contained in such claims govern the meaning of those terms as used in the claims. Therefore, benefits or features, properties, attributes, elements, and indefinite limitations not expressly listed in a claim are limited in some way to the scope of such claim. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

All references and U.S. patents and applications mentioned herein are incorporated by reference. Aspects of the invention may be modified if possible to make use of the systems, functions, and concepts of the various patents and applications depicted to provide other embodiments of the invention. These and other changes may produce the invention in light of the detailed description.

While any aspect of the present invention is provided below in any claim form, the inventor contemplates various aspects of the invention in any number of claim forms. For example, if one aspect of the invention is embodied in a computer readable medium, the other aspect will be embodied in a computer readable medium. Accordingly, the inventor preserves the right to add the added claim after filing the application in order to pursue the added claim form for another aspect of the present invention.

Claims (53)

An encryption key server for providing a cryptographic service to a remote device coupled to an encryption key server via a network, The cryptographic key server is a secure network interface engine running on the cryptographic key server. Establish a secure network communication channel with at least one remote device; Unmarshal a secure cryptographic service request received at the at least one remote device, Marshal and send a secure cryptographic service response to the at least one remote device; Provide a cryptographic service requested by at least one remote device via a cryptographic service engine performed on the cryptographic key server, the cryptographic service engine provided for bi-directional communication with the secure network interface engine, and the secure network interface engine. An encryption key server comprising a cryptographic service engine. The cryptographic key server of claim 1, wherein the at least one device is an application server. 2. The cryptographic key server of claim 1, wherein the secure network interface engine is arranged as the secure network communication channel is established in accordance with a secure socket layer (SSL) protocol. 2. The cryptographic key server of claim 1, wherein the network interface engine is arranged such that the secure network communication channel is established in accordance with a transport layer security (TLS) protocol. 10. The system of claim 1, wherein the secure network interface engine supports multiple communication protocols including a secure socket layer (SSL) protocol and a transport layer security (TLS) protocol, wherein the network interface engine is selected by the at least one device. And respond to the at least one device for establishing the secure network communication channel in accordance with a protocol. 2. The security key server of claim 1, wherein the security service engine and the security network interface engine are elements of a single process running on the security key server. The security key server of claim 1, wherein the security service engine is capable of performing encryption and decryption functions. The method of claim 7, wherein the encryption and decryption function Symmetric block ciphers; Normal password mode; Stream cipher mode; Public-key cryptography; Padding scheme for public-key system; Key array scheme; Elliptic curve encryption; One-way hash function; Message authentication code; Cryptographic structure based on hash function; Virtual random number generation; Cryptography based on key derivation function; Shamir's secret distribution scheme and Robin's Information Distribution Algorithm (IDA); compression / decompression of DEFLATE (RFC 1951), which supports gzip (RFC 1952) and zlib format (RFC 1950); Fast self-weight precision bignum and polynomial operations; Finite field operations including GF (p) and GF ("2") and prime number generation and authentication; And A cryptographic key server comprising prime number generation and authentication. The method of claim 7, wherein the encryption and decryption function DES, 3DES, AES, RSA, DSA, ECC, RC6, MARS, Twofish, Serpent, CAST-256, DESX, RC2, RC5, Blowfish, Diamond2, TEA, SAFER, 3-WAY, Gost, SHARK, CAST-128, Square, Shipjack, ECB, CBC, CTS, CFB, OFB, counter mode (CTR), Panama, ARC4, SEAL, WAKE, Wake-OFB, BlumBlumshub, ElGamal, Nyberg-Rueppel (NR), Rabin, Rabin-Williams (RW ), LUC, LUCELG, variants of DHAES (DLIES), ESIGN padding schemes for public-key system: PKCS # 1 v2.0, OAEP, PSSR, IEE P1363 EMSA2, Diffie-Hellman (DH), Unified Diffie-Hellman (DH2 ), Menezes-Qu-Vanstone (MQV), LUCDIF, XTR-DH, ECDSA, ECNR, ECIES, ECDH, ECMQV, SHA1, MD2, MD4, MD5, HAVAL, RIPEMD-160, Tiger, SHA-2 (SHA-256) , SHA-384, and SHA-512), Panama, MD5-MAC, HMAC, XOR-MAC, CBC-MAC, DMAC, Luby-Packoff, MDC, ANSI X9.17 appendix C, PGP's RandPool, PBKDF1, PBKDSF2 from PKCS A security key server comprising # 5. The security key server of claim 1, wherein the security service engine is capable of performing a signature and authentication function. 12. The security key server of claim 10, wherein the signing and authentication function comprises an RSA and a DSA. 2. The security key server of claim 1, wherein the cryptographic service engine is capable of performing a hash operation. 11. The secure key server of claim 10, wherein the hash operation comprises an HMAC accompanied by SHA-1. 2. The security key server of claim 1, wherein the cryptographic service engine is capable of determining and authenticating authorization of a request for a cryptographic service in accordance with the performing state of the cryptographic service. 15. The security key server of claim 14, wherein the authentication of the request for cryptographic services identifies at least one set of identification numbers comprising at least: A client making a request for cryptographic services; Said at least one remote device requested by said client for cryptographic services; A function or program executed on the at least one remote device. 15. The cryptographic key server of claim 14, wherein determining the authentication of the request for cryptographic services includes at least one or more authorized authentication privileges, including: A client requesting cryptographic services; At least one remote device from which the client requests cryptographic services; A function or program executed on the remote device. 17. The method of claim 16, wherein determining the authentication request for cryptographic services further comprises determining whether the request for cryptographic services is present in the requestor's privileges associated with the request for cryptographic services. Encryption key server. 2. The cryptographic key server of claim 1, wherein the cryptographic service engine is capable of tracking requests for cryptographic services. 2. The cryptographic key server of claim 1, wherein the cryptographic key server further comprises a private key engine capable of supplying a private key used by the cryptographic service engine to perform cryptographic services. The encryption key server of claim 1, wherein the encryption key server is a network security device. The computer hardware structure of claim 1, wherein the cryptographic key server has a computer hardware structure for providing the cryptographic service engine and the secure network interface engine. Data bus; A central processing unit coupled to the data bus in both directions; A permanent storage device coupled to the data bus in both directions; A journal storage device coupled to the data bus in both directions; A network input / output device coupled to the data bus in both directions; An encryption accelerator card coupled in both directions with the data bus; A hardware security module coupled in both directions with the data bus and storing a private key; And An encryption key server comprising a smart card interface. 22. The cryptographic key server of claim 21, wherein the hardware security module is a tamper resistant device. 22. The cryptographic key server of claim 21, wherein the private key is loaded into the hardware security module and stored in an encrypted format. 22. The cryptographic key server as claimed in claim 21, wherein the private key is loaded into the hardware security module via a smart card storing the encrypted private key. 25. The method of claim 24, wherein the cryptographic key server provides k-out-of n secret distribution in a manner that the private key is uniquely accessed by the cryptographic key server after a k smart card is inserted. Encryption key server. An encryption key server for providing a cryptographic service to a remote device coupled to an encryption key server via a network, A cryptographic accelerator coupled to the data bus in both directions; Smart card interface devices; A hardware security module coupled to said data bus and suitable for data security, And the secure data is accessible only when a k-out-of-n smart card is inserted into the smart card interface device. An application server that hosts a plurality of applications and provides services to a plurality of clients via a network, The application server A cryptographic application program interface (API) capable of invoking at least one cryptographic service of said plurality of cryptographic services performed by a remote cryptographic key server; An encryption key server comprising a secure network interface for establishing a secure network communication channel with a remote encryption key server. 28. The cryptographic key server of claim 27, wherein the cryptographic API can use the secure network interface engine to request a remote cryptographic service. 28. The cryptographic key server of claim 27, wherein the cryptographic API is exposed to the plurality of applications as a Java cryptographic extension (JCE). 28. The cryptographic key server of claim 27, wherein the cryptographic API is exposed via a cryptographic service provider (CSP), and the cryptographic API is implemented as a dynamic link library. 28. The cryptographic key server of claim 27, wherein the cryptographic API is exposed via an MS-CAPI. In an apparatus for executing a plurality of functions and programs,  The apparatus includes a network interface engine and a cryptographic application program (API), The interface engine runs on the device, may establish a secure network communication channel to at least one remote cryptographic key server, marshal and transmit a security request for cryptographic service to at least one remote cryptographic key server. , The API is executed on the device, coupled to the secure network interface engine in both directions, and provides a standard set of functions and programs capable of invoking corresponding multiple cryptographic services, One of at least a plurality of cryptographic services is performed remotely by the at least one cryptographic key server, and the cryptographic API requests for at least one remote cryptographic service to use a secure network interface engine to request the cryptographic services. Responsive to the device. In the computer-implemented method for providing a cryptographic key service, Establishing a private key set on a network key server; Establishing a secure communication channel between a network device and the network key server; Receiving a request for an encryption key service from a network key server at the network device via the secure network communication channel; Authenticating the request for an encryption key service; Determining authentication of the request for an encryption key service; And when the request is authenticated, performing the request for an encryption key service to the network key server using the private key. 34. The computer-implemented method of claim 33, wherein establishing a private key on the network server comprises decrypting the new key set. 34. The computer-implemented method of claim 33, wherein decrypting the set of personal tees is performed using a k-out-of-n secret distribution method. 34. The computer-implemented method of claim 33, wherein the method of establishing a secure network communication channel uses an SSL protocol. 34. The computer-implemented method of claim 33, wherein the method of establishing a secure network communication channel uses a TLS protocol. 34. The method of claim 33 wherein the method of authenticating the request is A client requesting cryptographic services; The network device that the client requests for cryptographic services; And authenticate at least one set of identifiers comprising functions and programs performed on said network device. 34. The method of claim 33 wherein the method of determining authentication is A client requesting cryptographic services; The network device that the client requests for cryptographic services; And determine an authentication privilege granted to at least one or more sets comprising functions and programs performed on the network device. 39. The computer-implemented method of claim 38, wherein the method of determining authentication of the request determines whether the request is within the requestor's rights associated with the request for cryptographic services. 34. The computer-implemented method of claim 33, further comprising tracking all requests for cryptographic services. In the computer-implemented method for providing a network encryption key service, Integrating a cryptographic API into the application server; Exposing cryptographic services to a plurality of applications running on the application server via the cryptographic API; Establishing a secure network communication channel between the application server and a remote cryptographic key server; Receiving a request for a cryptographic service from an application to the cryptographic API; Marshalling the request for a cryptographic service for transmission to the cryptographic key server; Sending a marshalled request for a cryptographic service to the cryptographic key server via the secure network communication channel; Receiving a response to the request via the secure network communication channel; Unmarshaling the response; And Providing a response appropriate for the requested application via the cryptographic API. A method for securing an encryption key inside a server system, Computer-implemented method Storing an encrypted key in the key server for using the decrypted data; And The keyserver is in communication with at least one configuration of the server system using a secure communication channel. A method for securing an encryption key inside a server system, Computer-implemented method Storing an encryption key using the decrypted data on the key server; And And the key server acts as a network device performing cryptographic operations on behalf of at least one element of the network system. 45. The method of claim 44, wherein said cryptographic operation is performed under a secure socket layer (SSL) protocol. 45. The method of claim 44, wherein said cryptographic operation is performed under a transport layer security (TLS) protocol. 45. The method of claim 44, wherein the sensitive data is stored in the network system in decrypted form. An encryption key server device for securing an encryption key in a network system, the encryption key server storing the encryption key and controlling access to the stored encryption key. 49. The apparatus of claim 48, wherein said access is used for at least one of said stored keys alone for cryptographic operations. 49. The apparatus of claim 48, wherein said access uses at least one of said stored encryption keys independently for cryptographic operations. An encryption device for protecting sensitive information inside a server system, Data communication bus; A central processing unit bidirectionally coupled to the data communication bus; Data bus; A central processing unit coupled to the data communication bus in both directions; A permanent storage device coupled to the data communication bus in both directions; A journal storage device coupled to the data communication bus in both directions; A network input / output device coupled to the data communication bus in both directions; An encryption accelerator card coupled in both directions with the data communication bus; A hardware security module coupled to the data communication bus in both directions and for storing a private key; And a smart card interface coupled with the data communication bus. In the computer-implemented method for providing cryptographic services in a network system, Securely loading an encryption key onto a key server; Establishing a secure transport session between the first component of the network system and the key server; Authenticating to the key server at least one or more elements of the network including the first component;  Determining authentication with the key server at least one or more elements of the network including the first component; Generating a request for cryptographic operation in the first component to the key server; Determining whether the request is performed by the key server based on a result associated with the authentication and the determination of the authentication; If the request is authenticated, performing the requested cryptographic operation on the key server; And providing the result of the requested cryptographic operation from the key server to the first component via the secure transport session. In a method of protecting data in a network system, a computer-implemented method is Providing a network device that is part of a predefined group of cryptographic servers that distributes a group key for intercepting and inspecting data routed to the application server; The network device Determining whether the data is sensitive data; If the data is seal, decrypting the data using a group key distributed by a predefined group of cryptographic servers to form decrypted data; Storing the decrypted data on a storage medium associated with the application server; and If at least one back-end application server authenticates access to the data, at least one of the storage devices employs a predefined group of cryptographic services to play the decrypted data and encrypt the decrypted data. Computer-implemented method characterized in that the step of allowing the above back-end application server