Cryptographic keys that computer applications or devices use to authenticate to, encrypt data to, and/or decrypt data from other computers or applications have to be carefully managed to maintain secrecy, privacy and confidentiality. Computer systems vendors and computer application vendors provide methods to manage these cryptographic keys from a console manually. The management of many devices, securely, is a problem, and without automation tools and secure processes, the job is time-consuming, tedious, and prone to mistakes.
The certificate life-cycle includes request, issuance, installation, and renewal of public key and symmetric key based cryptographic solutions. Manual cryptographic key installation and renewal can be difficult and is expensive. The number of servers across many systems often large, e.g. some systems include well over 5,000 servers, and server management, with certificate management excepted, is highly automated.
In asymmetric public key infrastructure (PKI) based solutions, the expiration of the client keys regularly results in production service outages and customer confusion. As well, symmetric, i.e. private, key based systems suffer from cumbersome, time-consuming and risky key update processes.
Server administrators have to interact with applications, to request and properly setup application key stores to interact with other “relying” applications. This interface is typically manual, cumbersome, slow, and requires a certain level of training and understanding for the administrator to properly request and configure the application. The result is limited use of a powerful technology, and excess cost in human interface activity. Additionally, administrators can inadvertently configure application key stores to trust what they should not. As well, without substantial training, the administrator does not know what to do to meet appropriate policies or guidelines.
Research has shown that such problems are recognized, yet most businesses continue to use the manual methods for cryptographic system management.
It would therefore be advantageous to provide a system and method to automate certificate life-cycle management for cryptographic keys. The development of such an automated cryptographic key system would constitute a major technological advance.
Several methods have been described for cryptographic key management.
S. Lee and P. Smith, Management of Cryptographic Keys, U.S. Pat. No. 4,912,762, disclose a “method for simplifying key management in situations where unique cryptographic keying relationships are required end-to-end between pairs of parties and a symmetric encryption algorithm is to be used. It is useful in cases where the parties come from disjoint subsets of the total population of parties. The method provides some of the characteristics of a public key crypto system (PKS) utilizing the public identities of the parties as part of the key, but lacks the property of PKS which allows a party to independently generate a secret key which is known only to that party.”
J. Howard, P. Hess and J. MacStravic, Apparatus and Methods for Managing Key Material in Cryptographic Assets, U.S. Patent Application Publication No. US 2001/0026619 A1, disclose “Apparatus and methods for managing key material in cryptographic assets are disclosed. The methods can include defining first key material to be delivered to a cryptographic asset, wherein the first key material has a cryptoperiod having an expiration. Second key material to be delivered to the cryptographic asset is also defined. An automatic delivery of the second key material is scheduled such that the second key material will be delivered automatically to the cryptographic asset at or before the expiration of the cryptoperiod of the first key material. The methods can include defining a set of equipment classes, and registering at least one cryptographic asset with each equipment class. Cryptographic assets selected from the registered cryptographic assets are grouped into secure communication services, thereby defining secure communication interfaces between the cryptographic assets. Key material for each communications interface is defined, and an automatic delivery of the key material to the selected cryptographic assets is scheduled. The apparatus and methods of the invention provide an integrated key management system suitable for managing key material in a plurality of cryptographic assets from a single system.”
T. Ninomiya and K. Matsunaga, Cryptographic Key Management Method, U.S. Patent Application Publication No. US 2002/0131601 A1, disclose “A network system has: an application server for providing service; a client for using the service; and a key server. The client acquires and stores a management cryptographic key, acquires a transaction cryptographic key to be used for a transaction with the application server, encrypts the transaction cryptographic key with the management cryptographic key, sends the encrypted transaction cryptographic key to the key server, requests the key server to send back the encrypted transaction cryptographic key for a transaction, and decrypts the encrypted transaction cryptographic key with the management cryptographic key to acquire the transaction cryptographic key. The key server stores the sent, encrypted transaction cryptographic key and sends the encrypted transaction cryptographic key to the client in response to a request from the client.”
Other methods have also been described for cryptographic key and certificate management, such as: European Patent Application No. EP—0 287 720—Management of Cryptographic Keys; European Patent Application No. EP 1 241 826 A2—Cryptographic Key Management Method; WADAA, A et al., Scalable Cryptographic Key Management in Wireless Sensor Networks; Proceedings—24th International Conference on Distributed Computing System Workshops p. 796-802, IEEE Comput. Soc, Los Alamitos, Calif., USA, 2004; WILLIAM, P; Cisco System's Simply Certificate Enrollment Protocol—White Paper; IMCentric, Inc., Automating Digital Certificate Management; IMCentric Product Overview for AutoCert Manager, http://www.IMCentric.com; IMCentric, Inc., IMCentric Product Overview, IMCentric Product Overview, http//www.lMCentric.com; and Wong, C. K. et al.; Keystone: A Group Key Management Service; HRL Laboratories, LLC, Malibu, Calif., USA.
Other systems provide various details of the operation of cryptographic systems, such as European Patent Application No. EP 1 274 243 A2, System for Securing Encryption Renewal System and for Registration and Remote Activation of Encryption Device; European Patent Application No. EP 863 021 20.0, Transaction System; J. Okimoto and L. Tang, System for Securing Encryption Renewal System and for Registration and Remote Activation of Encryption Device, U.S. Patent Application Publication No. US 2002/0051539 A1; E. Scheidt and C. Wack, System and Method of Providing Communication Security, U.S. Patent Application Publication No. US 2002/0062451 A1; N. So, J. Okimoto, A. Chen, L. Tang, A. Wakabayashi and K. Cochran, System for Securely Delivering Encrypted Content on Demand with Access Control, U.S. Patent Application Publication No. US 2002/0083438 A1; J. Howard Jr., P. Hess and J. MacStravic, Apparatus and Methods for Managing Key Material in Cryptographic Assets, U.S. Patent Application Publication No. US 2002/0126849 A1; C. Ogg and W. Chow, Secured Centralized Public Key Infrastructure, U.S. Patent Application Publication No. 2002/0178354 A1; T. Olkin and J. Moreh, Security Server System, U.S. Patent Application Publication No. US 2003/0074552 A1; P. Fahn and J. Semple, URL-Based Certificate in a PKI, U.S. Patent Application Publication No. US 2003/0074555 A1; M. Nadooshan and J. Ren, Method and Apparatus for Secure Key Management Using Multi-Threshold Secret Sharing, U.S. Patent Application Publication No. US 2003/0147535 A1; K. McCurley and B. Reed, Secure User-Level Tunnels on the Internet, U.S. Patent Application Publication No. US 2003/0167403 A1; R. Ziegler, System and Methods for Processing PIN-Authenticated Transactions, U.S. Patent Application Publication No. US 2004/0044739 A1; G. Kalogridis, G. Clemo and C. Yeun, Methods and Apparatus for Secure Data Communication Links, U.S. Patent Application Publication No. US 2004/0117623 A1; K. Ginter, V. Shear, F. Spahn, D. Van Wie and R. Weber, Trusted Infrastructure Support Systems, Methods and Techniques For Secure Electronic Commerce Transaction and Rights Management, U.S. Patent Application Publication No. US 2004/0123129 A1; S. Matyas, D. Abraham, D. Johnson, R. Karne, A. Le, R. Prymak, J. Thomas, J. Wilkins and P. Yeh, Data Cryptography Operations Using Control Vectors, U.S. Pat. No. 4,918,728; S. Matyas, D. Abraham, D. Johnson, R. Karne, A. Le, R. Prymak, J. Thomas, J. Wilkins and P. Yeh, Secure Management of Keys Using Control Vectors, U.S. Pat. No. 4,941,176; S. Matyas, D. Johnson, R. Karne, A. Le, W. Martin, R. Prymak and J. Wilkins, Secure Key Management Using Programmable Control Vector Checking, U.S. Pat. No. 5,007,089; S. Matyas, D. Abraham, D. Johnson, R. Karne, A. Le, P. McCormack, R. Prymak and J. Wilkins, Secure Management of Keys Using Control Vectors With Multi-Path Checking, U.S. Pat. No. 5,103,478; T. Nguyen, M. Subramanian and D. Haller, System, Method and Article of Manufacture for a Gateway System Architecture with System Architecture with System Administration Information Accessible From a Browser, U.S. Pat. No. 5,931,917; K. Rowney and Y. Chen, System, Method and Article of Manufacture For Secure Digital Certification of Electronic Commerce, U.S. Pat. No. 5,996,076; T. Moreau, Initial Secret Key Establishment Including Facilities for Verification of Identity, U.S. Pat. No. 6,061,791; T. Nguyen, D. Haller and G. Kramer, System, Method and Article of Manufacture For a Gateway Payment Architecture Utilizing a Multichannel, Extensible, Flexible Architecture, U.S. Pat. No. 6,072,870; R. Lewis, T. Dwyer, M. Abdelsadek, D. Han, J. Rogoff and L. Parks, Methods and Apparatus for Internet Based Financial Transactions With Evidence of Payment, U.S. Pat. No. 6,233,565 B1; S. Bisbee, L. Moskowitz, D. Trotter and M. White, System and Method for Electronic Transmission Storage and Retrieval of Authenticated Documents, U.S. Pat. No. 6,237,096 B1; G. Kramer and J. Weber, Settlement of Aggregated Electronic Transactions Over a Network, U.S. Pat. No. 6,324,525 B1; J. Howard Jr., P. Hess and J. MacStravic, Apparatus and Methods for Managing Key Material in Heterogeneous Cryptographic Assets, U.S. Pat. No. 6,442,690 B1; K. Ginter, V. Shear, F. Spahn, D. Van Wie and R. Weber, Trusted Infrastructure Support System, Methods and Techniques for Secure Electronic Commerce Transaction and Rights Management, U.S. Pat. No. 6,658,568 B1; International Publication No. WO 00/25473, Apparatus and Methods for Managing Key Material in Heterogeneous Cryptographic Assets; International Publication No. WO 00/45347, Methods for Operating Infrastructure and Applications for Cryptographically-Supported Services; International Publication No. WO 01/22322 A2, Electronic Commerce with Cryptographic Authentication; International Publication No. WO 01/22650 A2, Server-Side Implementation of a Cryptographic System; International Publication No. WO 01/22651 A2, Cryptographic Server with Provisions for Interoperability Between Cryptographic Systems; International Publication No. WO 02/39224 A2—Methods for Distributed Trust Environment; International Publication No. WO 03/034682 A1, URL-Based Certificate in a PKI; International Publication No. WO 98/52316, Initial Secret Key Establishment Including Facilities for Verification of Identity; International Publication No. WO 99/14979, Cryptographic System for Public ATM/SONET Communication System With Virtual Circuit Lookup and Pipelined Data Encryption and Decryption; Cungang Yang et al., Cryptographic Key Management Solution in a Role Hierarchy, Canadian Conference on Electrical and Computer Engineering 2004 (IEEE Cat. No. 04CH37513) vol. 1 p. 575-8, IEEE, Piscataway, N.J., USA, 2004; B. Lehane et al., Shared RSA Key Generation in a Mobile Ad Hoc Network, MILCOM 2003. 2003 IEEE Military Communications Conference (IEEE Cat. No. 03CH37500) vol. 2 p. 814-19, IEEE, Piscataway, N.J., USA, 2003; Applied Cryptography and Network Security; Second International Conference, ACNS 2004. Proceedings (Lecture Notes in Comput. Sci. vol. 3089), Springer-Verlag, Berlin, Germany, 2004; Y. Wang et al., An Efficient Key Management for Large Dynamic Groups, Proceedings. Second Annual Conference on Communication Networks and Services Research p. 131-6, IEEE Comput. Soc, Los Alamitos, Calif., USA, 2004; T. Berson, Crytography Everywhere; Advances in Cryptology, ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security. Proceedings (Lecture Notes in Computer Science vol. 1976) p. 72, Springer-Verlag, Berlin, Germany, 2000; R. Oppliger, Protecting Key Exchange and Management Protocols Against Resource Clogging Attacks, Secure Information Networks. Communications and Multimedia Security, IFIP TC6/TC11 Joint Working Conference on Communications and Multimedia Security (CMS'99) p. 163-75, Kluwer Academic Publishers, Norwell, Mass., USA, 1999; E. Dawson et al., Key Management in a Non-Trusted Distributed Environment, Future Generation Computer Systems vol. 16, no. 4 p. 319-29, Elsevier, February 2000, Netherlands; D. Branstad et al., Policy-Based Crytographic Key Management: Experience with the KRP Project, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00 vol. 1 p. 103-14, IEEE Comput. Soc, Las Alamitos, Calif., USA, 1999; A. Zugaj; Cryptographic Key Management in IT Networks, Przeglad Telekomunikacyjny+Wiadomosci Telekomunicayjne vol. 71, no. 10 p. 728-31, SIGMA NOT, 1998, Poland; A New Approach to Cryptographic Facility Design, ICL Technical Journal vol. 8, no. 3 p. 492-505, May 1993, UK; Wang Min, A New Cryptographic Key Management Scheme, Chinese Journal of Computers vol. 16, no. 2 p. 106-12; February 1993, China; R. Fullard, Cryptographic Key Management; INFOSEC '90, Information Security Symposium Proceedings p. 71-9, CSIR, Pretoria, South Africa, 1990, South Africa; P. Yeh et al., ESA/390 Integrated Cryptographic Facility: An Overview, IBM Systems Journal vol. 30, no. 2 p. 192-205, 1991, USA; S. Matyas et al., A Key-Management Scheme Based on Control Vectors, IBM Systems Journal vol. 30, no. 2 p. 175-91, 1991, USA; C. Patni, Smart Technology for Corporate Banking, Smart Card '91 International Exhibition p. 11 pp. vol. 2, Agestream Ltd, Peterborough, UK, 1991; D. Gerberick, Cryptographic Key Management or Strong Network Security Management, SIGSAC Review vol. 8, no. 2 p. 12-23, Summer 1990, USA; D. Newman Jr. et al., Public Key Management For Network Security, IEEE Network vol. 1, no. 2 p. 11-16, April 1987, USA; R. Lennon et al., Cryptographic PIN Processing in EFT Systems, COMPCON 79 Proceedings, Using Microprocessors, Extending Our Reach p. 142-7, IEEE, New York, N.Y., USA, 1979; W. Ehrsam, et al., A Cryptographic Key Management Scheme For Implementing The Data Encryption Standard, IBM Systems Journal vol. 17, no. 2 p. 106-25, 1978, USA; A. Perrig et al., ELK, a New Protocol for Efficient Large-Group Key Distribution; University of California Berkeley; R. Poovendran, On the Communication-Storage Minimization for a Class of Secure Multicast Protocols, IEEE Infocom 2001, Dept. of Electrical and Computer Engineering, Univ. of Maryland, USA; G. Eddon et al., Understanding the DCOM Wire Protocol by Analyzing Network Data Packets, http://www.msdn.com/MSJ/March 1998.
It would be advantageous to provide a cryptographic management system that does not require manual intervention to establish, modify, and/or renew security architectures for client machines, such as servers or computers. The development of such a cryptographic management system would constitute a major technological advance.
As well, it would be advantageous to provide a cryptographic management system that provides structures and methodologies for automated establishment, modification, and/or renewal of security architectures for client machines, such as servers or computers. The development of such a cryptographic management system would constitute a major technological advance.
Furthermore, it would be advantageous to provide a cryptographic management system that provides structures and methodologies whereby a system administrator can automatically establish, modify, and/or renew security architectures for client machines, such as servers or computers, whereby a system administrator can automatically. The development of such a cryptographic management system would constitute a further major technological advance.
In addition, it would be advantageous to provide a cryptographic management system that provides structures and methodologies whereby an approving entity can authorize the establishment, modification, and/or renewal of security architectures for one or more client machines. The development of such a cryptographic management system would constitute an additional technological advance.