sign in sign up
<<
Home , Secure channel

US 20060149962A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2006/0149962 A1 Fountain et al. (43) Pub. Date: Jul. 6, 2006

(54) NETWORK ATTACHED Publication Classification (75) Inventors: Thomas Fountain, Redwood City, CA (51) Int. Cl. (US); Alan Frindell, Mountain View, H04L 9/00 (2006.01) CA (US) H04L 9/32 (2006.01) G06F 5/16 (2006.01) Correspondence Address: G06F 7/30 (2006.01) PERKINS COE LLP G06F 7/04 (2006.01) P.O. BOX 21.68 G06F 7/58 (2006.01) MENLO PARK, CA 94026 (US G06K 9/00 (2006.01) 9 (US) G06K 9/00 (2006.01) (73) Assignee: Ingrian Networks, Inc., Redwood City, (52) U.S. Cl...... 713/151; 726/3 CA (US) (57) ABSTRACT A method and apparatus are provided for managing crypto (21) Appl. No.: 10/519,239 graphic keys and performing cryptographic services within server or other computing environments. An appliance func (22) PCT Filed: Jul. 11, 2003 tions as a cryptographic server to secure cryptographic keys and provide cryptographic operations as a network (86). PCT No.: PCT/US03/21.695 service.

20

Application NetWOrk SerWer

Cryptographic Key Server Patent Application Publication Jul. 6, 2006 Sheet 1 of 9 US 2006/0149962 A1 03

Patent Application Publication Jul. 6, 2006 Sheet 2 of 9 US 2006/0149962 A1

09

Patent Application Publication Jul. 6, 2006 Sheet 3 of 9 US 2006/0149962 A1

Data 110

104 I/O

CPU 112 CRYPTO

C 114 Hard Ware Security Module 108 Keys 120 RAM 116 Smart Card InterfaCe

102

FIG. 3A Patent Application Publication Jul. 6, 2006 Sheet 4 of 9 US 2006/0149962 A1 150 N 152

Receive Request for Backup and Restoring of Private Keys

At Least k-Out-Of-n Smart Cards InSerted?

Deny Request

Grant Request

FIG. 3B Patent Application Publication Jul. 6, 2006 Sheet 5 of 9 US 2006/0149962 A1 1. 200 2O2 Establish Private Keys on Networked Key Server

2O4 Establish Secure NetWork Communications Channel Between Application Server and Key Server and Perform Authentication

2O6 Key Server Receives Request for Cryptographic Services via

208 Authorize Request ?

210

Perform Services Specified in Perform Housekeeping Authorized Request Related to

Inauthenticated & 212 Unauthorized Request Respond to Application Server Via Secure Channel w

214 Perform Housekeeping Related to Authorized Request

FIG. 4 Patent Application Publication Jul. 6, 2006 Sheet 6 of 9 US 2006/0149962 A1 208

Start

Determine AuthOrization Privileges of Requesting Entity

254 Request Within Requesting Entity's False Rights ?

256 True 252 Approve Deny Request Request

DOne

FIG. 5 Patent Application Publication Jul. 6, 2006 Sheet 7 of 9 US 2006/0149962 A1

302 Integrate a Standardized Software Cryptographic API. Within Application Server 304 ExpOSe Cryptographic ServiceS Via Cryptographic API to Application Executing On Application Server 306 Receive Request for

Cryptographic Services from an Application ???? Via Cryptographic API 308 MarShall Request and IranSmit to NetWOrked Key Server

- 1310 ReCeive and UnmarShall Response to Request 312 Provide Response to Requesting Program Via Cryptographic API

DOne FIG. 6 Patent Application Publication Jul. 6, 2006 Sheet 8 of 9 US 2006/0149962 A1 406

402 Cryptographic Key Server

Cryptographic Key Server SerWer

506 NetWOrk 508

Security ApplicationA Angel Server Server

FIG. 8

US 2006/0149962 A1 Jul. 6, 2006

NETWORK ATTACHED ENCRYPTION 0010 FIG. 3A illustrates a hardware architecture suitable for a networked cryptographic key server in accordance with TECHNICAL FIELD one embodiment of the invention; 0001. The present invention relates generally to the field 0011 FIG. 3B illustrates an operation 150 for backup of data security, and more particularly to providing crypto and restoring of the private keys with respect to a crypto graphic network services and securing cryptographic keys in graphic server that Supports k-out-of-n of the a network environment. group key in accordance with certain embodiments of the present invention; BACKGROUND 0012 FIG. 4 is a flowchart that illustrates a computer 0002 Computer systems dealing with sensitive content implemented method by which a networked cryptographic strive to protect this secure content both during network key server may provide cryptographic services in accor transmission and localized storage. For example, e-com dance with one embodiment of the present invention; merce web sites use a variety of mechanisms to protect user credit card numbers and user passwords during transmis 0013 FIG. 5 is a flowchart that illustrates a computer sion. Often these sites use the well-known Secure Socket implemented method for performing authentication and Layer (SSL) or Transport Layer Security (TLS) protocols to authorization analysis of a cryptographic request in accor protect all sensitive data during transit between customer dance with one aspect of the present invention; computers and web sites. 0014 FIG. 6 is a flowchart that illustrates a computer 0003) SSL and TLS protect data while in transit by implemented method for enabling applications instantiated encrypting the data using a session-key, (i.e., a crypto on an application server to access remote and local crypto graphic key), known only to the web server and the client graphic services through a standard cryptographic API: computer. According to these protocols, the data is 0015 FIG. 7 illustrates a distributed cryptographic ser decrypted upon arrival at the receiving web server. The vices computing environment in accordance with certain receiving server processes the data (e.g., validating the credit embodiments of the present invention; card number) and then often stores the sensitive data in a server database. 0016 FIG. 8 is a block diagram that illustrates a system architecture in which a network security appliance provides 0004 The cryptographic keys that are used to set up the networked cryptographic key services in accordance with SSL connection between Web clients and internal Web certain embodiments of the invention; and servers are stored in the same internal Web servers. Simi larly, when encryption is performed on data to be stored on 0017 FIG. 9 is a block diagram that illustrates a network back-end application servers and databases, the crypto architecture including a transparent encryption network graphic keys are stored in the same back-end application security appliance and a cryptographic key server. servers, which are usually unsecured platforms. Thus, cryp 0018. In the drawings, the same reference numbers iden tographic keys that are stored on the same web server or tify identical or Substantially similar elements or acts. Any back-end application server are vulnerable to theft. The headings used herein are for convenience only and do not encrypted data are only as safe as the cryptographic keys that affect the scope or meaning of the claimed invention. protect the encrypted data. 0005 Web Servers and applications servers, on which DETAILED DESCRIPTION OF THE cryptographic operations are directly performed, Suffer from ILLUSTRATED EMBODIMENTS poor performance due to the processing requirements of the 0019 FIG. 1 illustrates a computer server environment cryptographic operations. In one approach, expensive hard 10 providing networked cryptographic services in accor ware such as cryptographic accelerator cards are used on dance with one embodiment of the present invention. The such servers to improve performance of the servers. How computer server environment 10 includes a plurality of ever, it is cost prohibitive to install expensive cryptographic clients 12, an application server 14, and a cryptographic key accelerators on each Web/application server. server 16, all bi-directionally coupled via a computer net 0006 A different architecture is needed to protect cryp work 18. The computer network 18 may take the form of any tographic keys as well as improve performance of crypto suitable network such as the Internet or a local area network. graphic operations without installing expensive crypto Bi-directionally coupled to the application server 14 is a graphic accelerators on each Web/application server that network database 20. The application server 14 provides needs cryptographic services. requested services to the clients 12 via the computer network 18. Services requested by the clients 12 may specifically BRIEF DESCRIPTION OF THE FIGURES involve cryptographic services, or may precipitate the need for cryptographic services. For example, the client requested 0007. The accompanying figures illustrate embodiments services may require the storage of sensitive data on the of the claimed invention. In the figures: network database 20, or the retrieval of encrypted data from 0008 FIG. 1 illustrates a computer server environment the network database 20. The cryptographic key server 16 is 10 providing networked cryptographic services in accor available to the application server 14 to perform crypto dance with one embodiment of the present invention; graphic services, thus offloading the computational intensi 0009 FIG. 2 diagrammatically illustrates a software ties of cryptographic services from the application server 14. architecture in accordance with one embodiment of the 0020. The cryptographic key server referred to herein is present invention; also known as a Networked Attached Encryption device. US 2006/0149962 A1 Jul. 6, 2006

The nature of the cryptographic services as well as a variety Cryptographic API (MS-CAPI). In this case, the CSP or of mechanisms implementing such functionality are cryptographic API would be implemented as a Dynamic described below in more detail. Linked Library that exposes a number of cryptographic operations to the applications 60. The foregoing descriptions 0021 FIG. 2 diagrammatically illustrates a software of the cryptographic functionality and cryptographic API are architecture 50 for an application server 52 and a crypto in the context of web application servers. However, the graphic key server 54 in accordance with one embodiment cryptographic functionality and cryptographic API are of the present invention. The software architecture of FIG. equally applicable for application servers that are non-web 2 is not limited to application servers and may vary from implementation to implementation. Any number of com based. Such as non-web-based Java applications using JCE puter devices and systems may be a client of cryptographic and non-web-based Windows applications invoking MS key server 54. In preferred embodiments, the application CAPI, etc. server 52 and the cryptographic key server 54 are bi 0027. The secure network interface engine 64 is operable directionally coupled via a secure network communications to establish the secure network communications channel 56 channel 56. The secure network communications channel 56 with the remote cryptographic key server 54. Similarly, the may be effectuated through any suitable secure communi remote cryptographic key server 54 is operable to establish cations technique such as the Secure communications pro the secure network communications channel 56 with the tocols SSL or TLS. Alternatively, a secure channel may be secure network interface engine 64. After the secure network effectuated via a direct physical link or by any means known communications channel 56 is established between the to those skilled in the art. Software-based application server application server 52 and the remote cryptographic key 52 is only one example of a client that needs the crypto server 54, the secure network interface engine is operable, graphic services of a cryptographic key server. for example, to marshal and transmit secure requests for cryptographic services to the remote cryptographic key 0022. The application server 52 of FIG. 2 includes a server 54, receive and unmarshal Secure responses to plurality of applications 60, a cryptographic application requests for cryptographic services, and forward Such program interface (API) 62, and a secure network interface response back to the cryptographic API 62. In turn, the engine 64. The applications 60 are software programs cryptographic API 62 provides a response to the requesting instantiated and executing on the application server 52. These applications 60 may provide services to local users of application 60. the application server 52, and may provide network services 0028. It is contemplated that the secure network interface to remote clients via a network connection. engine 64 could expose secure network services to the 0023 The cryptographic API 62 provides a set of stan applications 60 for use in providing secure communications dards by which the plurality of applications 60 can invoke a channels between the applications 60 and clients of the plurality of cryptographic services. According to the present application server 52. In FIG. 2, the cryptographic API 62 invention, at least one of this plurality of cryptographic and the secure network interface engine 64 appear as two services is performed remotely by the cryptographic key distinct processes, each instantiated on the application server 52. This allows separate modification of each of these server 54. To effectuate networked cryptographic key ser processes. However, another embodiment of the present vices, the cryptographic API 62 is responsive to a request for invention teaches that the functionality of the cryptographic a remote cryptographic service to utilize the secure network API 62 and the secure network interface engine 64 are interface engine 64 to request the cryptographic services. provided as a single process or are included in an application 0024. The cryptographic API 62 is preferably a standard 60. ized software cryptographic API which applications devel 0029. With further reference to FIG. 2, the cryptographic opers can easily integrate into their software. Thus, the key server 54 includes a cryptographic service engine 70, a cryptographic API 62 would take on a specific form relating secure network interface engine 72, and a private key engine to the underlying computing environment. Several examples 74. The cryptographic key server 54 is suitable for providing of underlying computing environments include Java, cryptographic services to the application server 52 coupled Microsoft, PKCS #11/Cryptoki Provider, Oracle.9i, etc. to said cryptographic key server via the secure network some of which are described in more detail immediately communications channel 56. The secure network interface below. engine 72 is operable to establish the secure network com 0025. In a Java computing environment, the crypto munications channel 56 with the application server 52. graphic API 62 could be exposed to applications as Java Similarly, the application server 52 is operable to establish Extensions (JCE). The JCE could be used or the secure network communications channel 56 with the invoked by a variety of sources, including Java Server Pages secure network interface engine 72. Further, the secure (JSP), Java servlets, or Enterprise Java Beans (EJB). Java network interface engine 72 is operable to unmarshal applications capable of using JCE may also be invoked by secured cryptographic service requests received from the Active Server Pages (ASP). In certain other embodiments of application server 52, and marshal and transmit secure the invention, applications 60 may directly access the cryp cryptographic service responses to the application server 52. tographic key server 54 without the aid of cryptographic API 0030 The cryptographic service engine 70 executing on 62. the cryptographic key server 54 is bi-directionally coupled 0026. In ASP computing environments, such as the with the secure network interface engine 72. The crypto Microsoft's NET, the cryptographic functionality may be graphic service engine 70 is operable to provide crypto exposed, e.g., using VBScript, via a Crypto Service Provider graphic services requested by the application server 52 via (CSP) that VBScript communicates with using Microsoft the secure network interface engine 72. Cryptographic Ser US 2006/0149962 A1 Jul. 6, 2006

vices may include: 1) hashing operations, and 2) signing and service engine 70 and the secure network interface engine 72 verification operations such as RSA and DSA. are provided as a single process. 0031. The cryptographic functions exposed to the appli 0051 FIG. 3A illustrates a hardware architecture 100 cations 60 would include those most likely desired by the Suitable for a networked cryptographic key server Such as remote clients. These cryptographic functions must be per cryptographic key server 54 of FIG. 2 in accordance with formed either at the application server 52, or more prefer one embodiment of the present invention. The hardware ably at the cryptographic key server 54 in order to offload architecture 100 includes a central processing unit (CPU) from the application server 52 the burden of performing 104, a persistent storage device 106 such as a hard disk, a cryptographic services. Thus, it is preferred that the cryp transient storage device 108 Such as random access memory tographic service engine 70 be capable of performing any (RAM), a network I/O device 110, an encryption device 112 exposed cryptographic services not provided at the applica Such as a cryptographic accelerator card, a hardware security tion server 52. Typical exposed functionality would include, module (HSM) 114, and a smart card interface 116, all but is not limited to, functions such as encryption and bi-directionally coupled via a databus 102. Other additional decryption (e.g. DES, 3DES, AES, RSA, DSA, ECC, etc.), components may be part of the hardware architecture 100. signing and Verification (e.g. RSA, DSA, etc.), and hashing and verification (e.g. SHA-1, HMAC, etc.). Generally, 0052 According to one embodiment of FIG. 3A, the encryption and decryption functions include: private keys 120 are loaded into HSM 114 and stored in an encrypted format. In preferred embodiments, the HSM 114 0032) symmetric block , is a tamper resistant device. The private keys 120 are 0033 generic modes, encrypted using a group key known only to a small, pre defined group of cryptographic key servers. These group 0034 modes, keys are protected by Smart cards. When a backup operation 0035 public-key cryptography, is performed on one member of the predefined group of cryptographic servers, an encrypted form of the original 0036 schemes for public-key systems, cryptographic key is created as a backup file. Only crypto graphic servers that are part of the predefined group of 0037 key agreement schemes, devices are able to decrypt the encrypted key using a 0038 elliptic curve cryptography, separate cryptographic key. 0039 one-way hash functions, 0053. In one embodiment, the cryptographic server also Supports k-out-of-n secret sharing of the group key for 0040 codes, increased security. This means that the cryptographic server requires Smart cards for backup and restoring of the private 0041 cipher constructions based on hash functions, keys. For example, if the group key information is distrib 0042 pseudo random number generators, uted across a group of five Smart cards (n), preferences can be set so that group data can be accessed only after inserting 0043 password based key derivation functions, three smart cards (k) into the Smart card reader 116. Any 0044 Shamir's secret sharing scheme and Rabin's attempt to access the data with less than three Smart cards information dispersal algorithm (IDA), will fail. Using a k of n schema ensures data safety; if a single card is stolen, the thief will not be able to access the 0045 DEFLATE (RFC 1951) compression/decom configuration data stored on the HSM 114 because the thief pression with gzip (RFC 1952) and Zlib (RFC 1950) does not have enough cards to meet the k of n criteria set format Support, forth above. According to certain embodiments, FIG. 3B 0046 fast multi-precision integer (bignum) and poly illustrates an operation 150 for backup and restoring of the nomial operations, private keys with respect to a cryptographic server that Supports k-out-of-n secret sharing of the group key. In step 0047 finite field arithmetic, including GF(p) and 152, a request for backup and restoring of the private keys GF(2"), and is received. At step 154, in response to the request for backup, it is determined whether at least k-out-of-n Smart 0048 prime number generation and verification. cards has been inserted is a Smart card interface device 0049. As will be appreciated, the private key engine 74 associated with cryptographic server at which the request for provides the cryptographic service engine 70 the private backup was made. If it is determined that at least k-out-of-n keys required for performing cryptographic operations. Such smart cards has not been inserted, then at step 156, the private keys can be generated and stored through a variety request for backup and restoring is denied. If it is determined of mechanisms known in the art, as well as by several that at least k-out-of-n Smart cards has been inserted, then at methods contemplated by the present invention. One pre step 158, the request for backup and restoring is granted. ferred embodiment for generating and handling the private 0054 With reference to FIG. 4, a computer-implemented keys is described below with reference to FIG. 3. method 200 by which a networked cryptographic key server 0050. In FIG. 2, the cryptographic service engine 70 and Such as cryptographic key server 16 or 54 may provide the secure network interface engine 72 appear as two distinct cryptographic services in accordance with one embodiment processes each instantiated on the cryptographic service of the present invention will now be described. In an initial engine 70. This allows separate modification of each of these step 202, a set of private keys is established on the net processes. However, another embodiment of the present worked key server. These private keys may be generated and invention teaches that the functionality of cryptographic maintained according to any Suitable mechanism. In pre US 2006/0149962 A1 Jul. 6, 2006

ferred embodiments, the private keys are stored within a 0058 When step 208 determines that the request may not tamper-resistant hardware device and are not distributed be performed for failure of the authorization step 208, a step across the network, but rather are managed through a 216 performs housekeeping functions related to a failed process such as that described above with reference to the request for services. In certain embodiments, this includes HSM 114 of FIG. 3. Subsequent requests for cryptographic include maintaining a database related to cryptographic services by a given application server for which a set of requests (time, client identity, service requested, etc.). This private keys is already established on the networked key database can be used to evaluate whether an attack is being server do not involve step 202. made, or to determine errors in the system. 0059 Turning next to FIG. 5, a computer-implemented 0055. In a next initial step 204, a secure network com method 208 for performing authorization analysis of a munications channel is established between the application cryptographic request in accordance with one aspect of the server and the cryptographic key server. In certain embodi present invention will now be described in more detail. As ments, a connection pool is established between the appli described above with reference to FIG. 4, the method 208 is cation server and the key server prior to the client's request invoked when a remote application server requests that a of any specific cryptographic services. The connection pool cryptographic key server perform certain cryptographic can be maintained indefinitely or may be closed due to functions for the application server, likely on behalf of a inactivity. Establishing a secure connection is processing client of the application server. In a first step 250, the intensive, so once the secure connection is established it is authorization privileges granted to the application server, the efficient to maintain the Secure connection. The secure application, and the client are determined. If the authoriza channel may be established with SSL or TLS, or any suitable tion privileges granted to the application server, the appli method known in the art. In many situations, HTTPS with cation, and the client cannot be determined, then the autho server and client certificates might be used. Further, at step rization test of step 250 is deemed to have failed. When the 204, the identity of the requesting entity is verified, i.e., authorization test of step 250 fails, then the request is denied authenticated. This may include Verification of the applica in a step 252. When the authorization test of step 252 tion server identity, verification of the identity of the appli succeeds, then a step 254 determines whether the specific cation executing on the application server, and identification request is within the rights of the requesting entity. For of the client requesting services of the application server, if example, a certain application running on the application appropriate. If the authentication of the requesting entity server may not be entitled to decrypt certain data, or simply fails, then the request for cryptographic services is denied. may not be entitled to decrypt data whatsoever, even though Further, in certain embodiments, when the authentication of that same application may be entitled to encrypt data. In any the requesting entity fails, process control passes to step 216 event, when the request is not within the rights of the performs housekeeping functions related to a failed request requesting entity, the request is denied in step 252. When the for services as explained below. request is within the rights of the requesting entity, the 0056. Once the private keys have been established in step request is approved in a step 256 and process control 202, and a secure network communications channel has proceeds to implement the requested cryptographic services. been established in step 204 and the authentication process 0060. With reference to FIG. 6, a computer-implemented is complete, the cryptographic key server may be used to method 300 for enabling applications instantiated on an provide cryptographic services. Accordingly, in a step 206 application server to access remote and local cryptographic the key server receives a request for cryptographic services services through a standard cryptographic API will now be via the secure channel. In receiving the cryptographic Ser described. Steps 302 and 304 are initialization steps to make Vice request, the key server will unmarshal the request from the cryptographic services available to applications. In a step encrypted network format. As described above with refer 302, a standardized software cryptographic API is integrated ence to FIG. 2, in certain embodiments this may be per within the application server. As discussed above in more formed by a secure network interface engine. In a step 208, detail with reference to FIG. 2, the cryptographic API can be the key server will perform an authorization analysis of the designed for the specific computing environment (Java, cryptographic service request. The authorization analysis of Microsoft, etc.) of the application server. In a step 304, the step 208 determines whether the requested services should cryptographic services are exposed to an application instan be provided to the requesting client. One embodiment of tiated on the application server so that service requests may step 208 is described below in more detail with reference to be made within executing applications. Cryptographic pro FIG. 4. viders allow programmers to develop application software 0057 When step 208 determines that the request may be utilizing standard cryptography made available by the cryp performed, process control flows from step 208 to a step 210 tographic API. that performs the requested cryptographic services. For 0061. In a step 306, an application calls a cryptographic example, the application server may be requesting that function and the cryptographic API receives this request for certain data be encrypted or decrypted. In a step 212, the service. This request is processed by the cryptographic API cryptographic key server will respond to the application to determine whether the request should be passed along to server via the secure channel. This includes marshalling the the remote cryptographic server, or performed locally or data into secure format for transmission across the network. perhaps the application server performs some authentication In a next step 214, a variety of housekeeping functions and authorization locally prior to allowing a request for related to satisfaction of an authorized request are per cryptographic services to be passed along. When the request formed. In certain embodiments, these include maintaining is to be transmitted to a remote cryptographic server, a step a database related to cryptographic requests (time, client 308 attends to marshalling and transmitting the request. In identity, service requested, satisfactory completion, etc.) preferred embodiments, the marshalling and transmission is US 2006/0149962 A1 Jul. 6, 2006 performed by a secure network interface engine via a area network 604 Such as the Internet, a transparent encryp previously established secure network transmission channel. tion appliance 606, a plurality of application servers 608, a In a step 310, the application server receives and unmarshals local area network 610, at least one cryptographic key server a response to a cryptographic service request. In preferred 612, two or more network databases 614, and a plurality of embodiments, the receipt and unmarshalling of responses is back-end servers 616. As described in related patent appli performed by a secure network interface engine via a cations, the transparent encryption appliance 606 is config previously established secure network transmission channel. ured to inspect all requests entering the site via the network The response is provided to the cryptographic API and in a 604, and encrypts sensitive data using one of the installed step 312, the cryptographic API provides a response to the private keys 120. The transparent encryption appliance 606 requesting application in a Suitable format. and the cryptographic key server 612 are both members of 0062 FIG. 7 illustrates a distributed cryptographic ser a predefined group of TE Appliances that share a group key, vices computing environment 400 in accordance with cer and are loaded with the same private keys 120. Multiple tain embodiments of the present invention. The computing application servers 608 are able to request cryptographic environment 400 includes a plurality of cryptographic key services from the cryptographic key server 612, as are servers 402, a plurality of application servers 404, and a back-end servers 616, via the local area network 610. plurality of clients 406, all bi-directionally coupled with a 0067 For purposes of illustration, assume that client 602 wide area network 4.08 such as the Internet. The crypto registers with a financial institution over the Internet. In this graphic key servers 402 and application servers 404 may example, application server 608 is a web server, and the take any suitable form. For example, the embodiments client 602 provides a credit card number to web server 608 described above with reference to FIGS. 1-3 would be over the network 604 via a secure session. TE Appliance 606 suitable. detects that the credit card number is sensitive information 0063 A variety of ways for implementing operation of and encrypts this data using one of the installed private keys the distributed cryptographic services computing environ 120, so that web server 608 does not manage the sensitive ment 400 are contemplated. For example, the plurality of information in the clear. Similarly, the credit card number is cryptographic key servers 402 may operate in an indepen stored in network database 614 only in encrypted form. dent fashion, each providing services in an independent Back-end server 616 needs to access the client credit card fashion. Alternatively, a specific cryptographic key server number to retrieve account information, and make a request 402 could act as a manager of all services, directing all to cryptographic key server 612 to decrypt the credit card requests from the application servers 404 to the other number. In this example, back-end server 616 is authorized cryptographic key servers 402 based on a predetermined to access the client credit card number, and therefore cryp load balancing scheme. tographic key server 612 decrypts the credit card number as 0064 FIG. 8 shows a block diagram of a system archi requested. tecture 500 in which a network security appliance provides 0068 The figures and the discussion herein provide a networked cryptographic key services. The system architec brief, general description of a suitable computing environ ture 500 includes a plurality of clients 502, a wide area ment in which aspects of the invention can be implemented. network 504 such as the Internet, a network security appli Although not required, embodiments of the invention are ance 506, and an application server 508. With the exception described in the general context of computer-executable of the network security appliance 506, all other elements of instructions, such as routines executed by a general-purpose FIG.8 will be readily understood by referring to the above computer (e.g., a server or personal computer). Those skilled description of FIGS. 1-7. in the relevant art will appreciate that aspects of the inven 0065. The network security appliance 506 physically tion can be practiced with other computer system configu resides between the application server 508 and the network rations, including Internet appliances, hand-held devices, 504. Those skilled in the art will be familiar with network wearable computers, cellular or mobile phones, multi-pro security appliances and their general operation. Some of the cessor Systems, microprocessor-based or programmable services which may be provided by the network security consumer electronics, set-top boxes, network PCs, mini appliance 506 include secure transmission between the computers, mainframe computers and the like. clients 502 and the application server 508, secure caching reducing strain upon the application server 508 and improv 0069. Aspects of the invention can be embodied in a ing response time to users, SSL and TLS acceleration, special purpose computer or data processor that is specifi transparent encryption services, client authentication, etc. cally programmed, configured or constructed to perform one According to the embodiment of FIG. 8, the network or more of the computer-executable instructions explained security appliance 506 further provides cryptographic key in detail below. Indeed, the term “computer,” as used gen services to the application server 508. The network security erally herein, refers to any of the above devices, as well as appliance 506 may have a software architecture as described any data processor. Further, the term “processor as gener above with reference to cryptographic key server 54 of FIG. ally used herein refers to any logic processing unit, such as 2. Likewise, the network security appliance 506 may have a one or more central processing units (CPUs), digital signal hardware architecture 100 as described above with reference processors (DSPs), application-specific integrated circuits to cryptographic key server of FIG. 3. The methods (ASIC), etc. described above with reference to FIGS. 4-6 may well apply 0070. In the foregoing specification, embodiments of the to the operation of the network security appliance 506 and invention have been described with reference to numerous the application server 508. specific details that may vary from implementation to imple 0.066 FIG. 9 is a block diagram that illustrates a network mentation. Thus, the sole and exclusive indicator of what is architecture 600 including a plurality of clients 602, a wide the invention, and is intended by the applicants to be the US 2006/0149962 A1 Jul. 6, 2006

invention, is the set of claims that issue from this applica Such that said secure network communication channel is tion, in the specific form in which Such claims issue, established according to a Transport Layer Security (TLS) including any Subsequent correction. Any express defini protocol. tions set forth herein for terms contained in such claims shall 5. The cryptographic key server as recited in claim 1, govern the meaning of Such terms as used in the claims. wherein said secure network interface engine Supports mul Hence, no limitation, element, property, feature, advantage tiple communications protocols including a Secure Socket or attribute that is not expressly recited in a claim should Layer (SSL) protocol and a Transport Layer Security (TLS) limit the scope of Such claim in any way. The specification protocol, said secure network interface engine being respon and drawings are, accordingly, to be regarded in an illus sive to said at least one device to establish said secure trative rather than a restrictive sense. network communication channel according to a protocol selected by said at least one device. 0071 All of the references and U.S. patents and appli 6. The cryptographic key server as recited in claim 1, cations referenced herein are incorporated herein by refer wherein said cryptographic service engine and said secure ence. Aspects of the invention can be modified, if necessary, network interface engine are components of a single process to employ the systems, functions and concepts of the various executing on said cryptographic key server. patents and applications described herein to provide yet 7. The cryptographic key server as recited in claim 1, further embodiments of the invention. These and other wherein said cryptographic service engine is operable to changes can be made to the invention in light of the detailed perform encryption and decryption functions. description herein. 8. The cryptographic key server as recited in claim 7. 0072 While certain aspects of the invention are presented wherein said encryption and decryption functions comprise: below in certain claim forms, the inventors contemplate the various aspects of the invention in any number of claim symmetric block ciphers; forms. For example, while only one aspect of the invention generic cipher modes; is recited as embodied in a computer-readable medium, other aspects may likewise be embodied in a computer stream cipher modes; readable medium. Accordingly, the inventors reserve the public-key cryptography; right to add additional claims after filing the application to pursue such additional claim forms for other aspects of the padding schemes for public-key systems; invention. key agreement schemes; elliptic curve cryptography; We claim: one-way hash functions; 1. A cryptographic key server Suitable for providing cryptographic services to remote devices coupled to said message authentication codes; cryptographic key server via a network, said cryptographic cipher constructions based on hash functions; key server comprising: pseudo random number generators; a secure network interface engine executing on said cryptographic key server, said secure network interface password based key derivation functions; engine operable: Shamir's secret sharing scheme and Rabin's information to establish a secure network communication channel dispersal algorithm (IDA); with at least one remote device; DEFLATE (RFC 1951) compression/decompression with to unmarshal secured cryptographic service requests gzip (RFC 1952) and Zlib (RFC 1950) format support: received from said at least one remote device; and fast multi-precision integer (bignum) and polynomial operations; to marshal and transmit secure cryptographic service responses to said at least one remote device; and finite field arithmetic, including GF(p) and GF(2"); and a cryptographic service engine executing on said crypto prime number generation and Verification. graphic key server, said cryptographic service engine 9. The cryptographic key server as recited in claim 7. being in bi-directional communication with said secure wherein said encryption and decryption functions comprise: network interface engine, said cryptographic service DES, 3DES, AES, RSA, DSA, ECC, RC6, MARS, engine operable to provide cryptographic services , , CAST-256, DESX, RC2, RC5, requested by said at least one remote device via said , Diamond2, TEA, SAFER, 3-WAY, Gost, secure network interface engine. SHARK, CAST-128, , Shipjack, ECB, CBC, 2. The cryptographic key server as recited in claim 1, CTS, CFB, OFB, counter mode(CTR), , ARC4, wherein said at least one device is an application server. SEAL, WAKE, Wake-OFB, Blumblumshub, ElGamal, 3. The cryptographic key server as recited in claim 1, Nyberg-Rueppel (NR), Rabin, Rabin-Williams (RW), wherein said secure network interface engine is arranged LUC, LUCELG, DLIES (variants of DHAES), ESIGN Such that said secure network communication channel is padding schemes for public-key systems: PKCSH 1 established according to a Secure Socket Layer (SSL) pro v2.0, OAEP, PSSR, IEE P1363 EMSA2, Diffie-Hell tocol. man (DH), Unified Diffie-Hellman (DH2), Menezes 4. The cryptographic key server as recited in claim 1, Qu-Vanstone (MQV), LUCDIF, XTR-DH, ECDSA, wherein said secure network interface engine is arranged ECNR, ECIES, ECDH, ECMQV, SHA1, MD2, MD4, US 2006/0149962 A1 Jul. 6, 2006

MD5, HAVAL, RIPEMD-160, , SHA-2 (SHA engine and said secure network interface engine, said com 256, SHA-384, and SHA-512), Panama, MD5-MAC, puter hardware architecture comprising: HMAC, XOR-MAC, CBC-MAC, DMAC, Luby-Rack off, MDC, ANSI X9.17 appendix C, PGP's RandPool, a databus; PBKDF1 and PBKDF2 from PKCS H5. a central processing unit bi-directionally coupled to said 10. The cryptographic key server as recited in claim 1, databus; wherein said cryptographic service engine is operable to perform signing and verifying functions. a persistent storage device bi-directionally coupled to said 11. The cryptographic key server as recited in claim 10, databus; wherein said signing and verifying operations includes RSA a transient storage device bi-directionally coupled to said and DSA. databus; 12. The cryptographic key server as recited in claim 1, a network I/O device bi-directionally coupled to said wherein said cryptographic service engine is operable to perform hashing operations. databus; 13. The cryptographic key server as recited in claim 10, a cryptographic accelerator card bi-directionally coupled wherein said hashing operations includes HMAC with SHA to said databus; 1. a hardware security module bi-directionally coupled to 14. The cryptographic key server as recited in claim 1, said databus and Suitable for storing private keys; and wherein said cryptographic service engine is further oper able to authenticate and to determine authorization of a a Smart card interface device. request for cryptographic services prior to and as a condition 22. The cryptographic key server as recited in claim 21, of performing said cryptographic services. wherein said hardware security module is a tamper resistant 15. The cryptographic key server as recited in claim 14, device. wherein authenticating a request for cryptographic services 23. The cryptographic key server as recited in claim 21, includes verifying an identity of one or more of a set wherein said private keys are loaded into said hardware comprising: security module and stored in an encrypted format. 24. The cryptographic key server as recited in claim 21, a client that is requesting for cryptographic services; wherein said private keys are loaded into said hardware said at least one remote device from which said client security module via a Smart card storing said encrypted requesting for cryptographic services; private keys. 25. The cryptographic key server as recited in claim 24, a function or program that is executing on said at least one wherein said cryptographic key server Supports a k-out-of-n remote device. secret sharing Such that said private keys may only be 16. The cryptographic key server as recited in claim 14. accessed by said cryptographic key server after k Smart wherein determining authorization of a request for crypto cards have been inserted. graphic services includes determining authorization privi 26. A cryptographic key server Suitable for providing leges granted to one or more of a set comprising: cryptographic services to remote devices coupled to said a client that is requesting for cryptographic services; cryptographic key server via a network, said cryptographic key server comprising: said at least one remote device from which said client requesting for cryptographic services; a cryptographic accelerator card bi-directionally coupled to a databus; a function or program that is executing on said at least one remote device. a Smart card interface device; 17. The cryptographic key server as recited in claim 16, a hardware security module bi-directionally coupled to wherein the operation of determining authorization a request said databus and Suitable for secure data; and for cryptographic services further includes determining whether said request for cryptographic services is within the and wherein said secure data is accessible only when privileges of a requestor that is associated with said request k-out-of-n Smart cards are inserted into said Smart card for cryptographic services. interface device. 18. The cryptographic key server as recited in claim 1, 27. An application server capable of hosting a plurality of wherein said cryptographic service engine is operable to applications, said application server operable for providing track requests for cryptographic services. services to a plurality of clients via a network, said appli 19. The cryptographic key server as recited in claim 1, cation server comprising: said cryptographic key server further comprising: a cryptographic application program interface (API), said a private key engine, said private key engine operable to cryptographic API providing a set of standards by provide private keys for use by said cryptographic which said plurality of applications can invoke a plu service engine in performing cryptographic services. rality of cryptographic services, at least one of said 20. The cryptographic key server as recited in claim 1, plurality of cryptographic services being performed by wherein said cryptographic key server is a network security a remote cryptographic key server, and appliance. a secure network interface engine, said secure network 21. The cryptographic key server as recited in claim 1, interface engine operable to establish a secure network wherein said cryptographic key server has a computer communication channel with the remote cryptographic hardware architecture Supporting said cryptographic service key server. US 2006/0149962 A1 Jul. 6, 2006

28. The application server as recited in claim 27, wherein 36. The computer-implemented method for providing said cryptographic API is operable to utilize said secure cryptographic key services as recited in claim 33, wherein network interface engine to request remote cryptographic said act of establishing a secure network communications services. channel includes use of a SSL protocol. 29. The application server as recited in claim 27, wherein 37. The computer-implemented method for providing said cryptographic API is exposed as Java Cryptography cryptographic key services as recited in claim 33, wherein Extensions (JCE) to said plurality of applications. said act of establishing a secure network communications 30. The application server as recited in claim 27, wherein channel includes use of a TLS protocol. said cryptographic API is exposed via Cryptographic Ser 38. The computer-implemented method for providing vice Provider (CSP) and said cryptographic API is imple cryptographic key services as recited in claim 33, wherein mented as a Dynamic Linked Library. said act of authenticating said request includes the act of 31. The application server as recited in claim 27, wherein authenticating an identity of one or more of a set comprising: said cryptographic API is exposed via MS-CAPI. 32. A device capable of executing a plurality of functions a client that is requesting for cryptographic services; and programs, said device comprising: said networked device from which said client is request a secure network interface engine executing on said ing for cryptographic services; and device, said secure network interface engine operable a function or program that is executing on said networked to establish a secure network communication channel device. with at least one remote cryptographic key server, 39. The computer-implemented method for providing marshal and transmit secure requests for cryptographic cryptographic key services as recited in claim 33, wherein services to said at least one remote cryptographic key said act of determining authorization said request includes server, and receive and unmarshal Secure responses to the act of determining authorization privileges granted to requests for cryptographic services; and one or more of a set comprising: a cryptographic application program interface (API) a client that is requesting for cryptographic services; executing on said device and bi-directionally coupled with said secure network interface engine, said cryp said networked device from which said client is request tographic API providing a set of standards by which ing for cryptographic services; and said plurality of functions and programs can call a a function or program that is executing on said networked corresponding plurality of cryptographic services, device. wherein at least one of said plurality of cryptographic 40. The computer-implemented method as recited in services is performed remotely by said at least one claim 38, wherein the act of determining authorization said cryptographic key server, said cryptographic API being request includes the act of determining whether said request responsive to a request for said at least one remote is within rights of a requestor that is associated with said cryptographic service to utilize the secure network request for cryptographic services. interface engine to request said cryptographic services. 41. The computer-implemented method as recited in 33. A computer-implemented method for providing cryp claim 33, further comprising the act of tracking all requests tographic key services, said method comprising the acts of for cryptographic services. establishing a set of private keys on a networked key 42. A computer-implemented method for providing net server; worked cryptographic key services, said method comprising establishing a secure network communications channel the acts of: between a networked device and said networked key integrating a cryptographic API within an application server; server; receiving a request for cryptographic key services at said exposing cryptographic services to a plurality of applica networked key server from said networked device via tions executing on said application server via said said secure network communications channel; cryptographic API: authenticating said request for cryptographic key ser establishing a secure network communications channel vices; between said application server and a remote crypto determining authorization said request for cryptographic graphic key server, key services; and receiving a request for cryptographic services from an performing said request for cryptographic key services at application at said cryptographic API: said networked key server utilizing said private keys marshalling said request for cryptographic services for when said request is authorized. transmission to said cryptographic key server; 34. The computer-implemented method for providing cryptographic key services as recited in claim 33, wherein transmitting said marshaled request for cryptographic said act of establishing private keys on a networked server services to said cryptographic key server via said includes the act of encrypting said set of private keys. secure network communications channel; 35. The computer-implemented method for providing receiving a response to said request via said secure cryptographic key services as recited in claim 33, wherein said act of encrypting said set of private keys is done using network communications channel; a k-out-of-n secret sharing technique. unmarshalling said response; and US 2006/0149962 A1 Jul. 6, 2006

providing a usable response to said requesting application a hardware security module; and via said cryptographic API. a Smart card interface coupled to said data communica 43. A method for securing cryptographic keys within a tions bus. server System, the method comprising the computer-imple 52. A computer-implemented method for providing cryp mented acts of tographic services in a network system, said computer storing on a key server cryptographic keys used for implemented process comprising the acts of encrypting data; and securely loading cryptographic keys onto a key server, wherein said key server communicates with at least one component of said server System using a secure com establishing a secure transport session between a first munications channel. component of said network system and said key server; 44. A method for securing cryptographic keys within a authenticating one or more components of said network network system, the method comprising the computer including said first component to said key server; implemented acts of determining authorization of said one or more compo storing cryptographic keys used for encrypting data on a nents of said network including said first component to key server, and said key server, wherein said key server is a dedicated network appliance making a request for cryptographic operations from said that performs cryptographic operations on behalf of at first component to said key server, least one component of said network system. 45. The method as recited in claim 44, wherein said determining whether said request is to be performed by cryptographic operations include operations under a Secure said key server based on results associated with the acts Socket Layer (SSL) protocol. of authenticating and determining authorization; 46. The method as recited in claim 44, wherein said if said request is authorized, then performing said cryptographic operations include operations under a Trans requested cryptographic operations on said key server, port Layer Security (TLS) protocol. and 47. The method as recited in claim 44, wherein sensitive providing the results of said requested cryptographic data is stored in said network system only in encrypted form. operations from said key server to said first component 48. A cryptographic key server appliance for securing via said secure transport session. cryptographic keys within a network system, wherein said 53. A method for protecting data in a network system, said cryptographic key server stores cryptographic keys and computer-implemented method comprising the acts of: controls access to said stored cryptographic keys. 49. The cryptographic key server appliance as recited in providing a network device for intercepting and inspect claim 48, wherein said access includes using at least one of ing data that is en route to an application server, said stored cryptographic keys solely for encryption opera wherein said network device is part of a pre-defined tions. group of cryptographic servers that share a group key 50. The cryptographic key server appliance as recited in and said network device is operable for: claim 48, wherein said access includes using at least one of said stored cryptographic keys solely for decryption opera determining whether said data is sensitive data; tions. encrypting said data to form encrypted data if said data 51. A cryptographic appliance for securing sensitive infor is sensitive, wherein the act of encrypting includes mation within a server System, comprising: using a group key that is shared by said pre-defined group of cryptographic servers; and a data communications bus; forwarding said encrypted data to said application a central processing unit bi-directionally coupled to said server; data communications bus; storing said encrypted data in a storage medium associ transient memory bi-directionally coupled to said data ated with said application server, and communications bus; allowing one or more back-end application servers to persistent memory bi-directionally coupled to said data employ one of said pre-defined group of cryptographic communications bus; servers to retrieve said encrypted data from said storage a network I/O device bi-directionally coupled to said data medium and decrypt said encrypted data if said one or more back-end application servers is authorized to communications bus; access said data. a crypto-accelerator unit bi-directionally coupled to said data communications bus;