Abstract: Preservation of sensitive electronic data records in the face of either natural or man-made catastrophes has become important. In some fields, such as the medical and legal fields, current law requires that such data survive these events, and be available to authorized users in a timely fashion. This invention presents a method to protect sensitive data such that the systems used for preservation need be neither private nor secure. Data sets are replicated at multiple servers that can be geographically distant increasing the survivability of these records. Both the name and the contents of these files are private to the client, and are not available even to the operators of the disaster recovery system. By allowing the preserved data to be accessible on the public Internet, yet be undecipherable, the confidentiality and survival of such data is significantly improved. This preservation methodology minimizes the data to be sent by sending only new and changed files, and multiple geographic sites are supported.

Abstract: In scalable multi-node systems, applications that interact with remote users often use sessions that involve multiple messages. Unless the application instance that initiates the conversation processes all subsequent parts of that session, the context of the conversation must be passed between application instances. This context often involves sensitive data, such as session keys. This invention uses a central service, known as a Key Repository process, to create and manage a set of symmetric encryption keys unique to this application. All authorized instances of the application then obtain these keys from the Key Repository process, enabling these application instances to encrypt and save the context on disk, and allowing a possibly different instance of the application to retrieve and decrypt the context. As a result, these application programs can be designed to operate in a context-free manner.

Abstract: In situations where cryptographic systems need to protect two keys, and one key is less secure than the other, this invention provides a method of linking the two keys together which can detect the unauthorized modification of the less secure key. The more secure key is split or shared among multiple owners, such that a predetermined number of owners are required to expose this key. The exposure of the less secure key requires fewer owners. This invention uses several techniques to accomplish this, including encrypting the less secure key with the more secure key, or creating a message digest incorporating both keys, or using symmetric message integrity check of the less secure key using the more secure key.

Abstract: In computer environments where passwords are used to compute retained secrets by methods such as password-based encryption, a need often arises to update these secrets. Retaining the password value, or the keys computed from the password, would be unwise; and requiring each password owner to type in their password would be cumbersome. The present invention describes a method that allows a fully operational system to modify the retained secrets without retaining passwords or requiring human intervention.

Abstract: A server computer performing sensitive applications in an enterprise under the control of a single person provides an opportunity for fraud. A method and system are described for distributing responsibility to multiple individuals and enforcing this distribution with a computer program called a Key Repository process; a process designed to manage the trust relationships of an enterprise. It secures and manages the secrets of the enterprise, enforcing these trust relationships. Secrets are given only to pre-authorized applications. Public Key Infrastructure certificate management is handled centrally. All sensitive data is stored in encrypted form. Exposure of this data, as well as any change in a security-related parameter, is possible only with the approval of a pre-determined number of owners. The system is designed to accommodate a large number of application processes performing the work of the enterprise.

Abstract: In enterprise computer environments involving sensitive data, it is important that security policy decisions be made and be approved by the appropriate individuals owning the particular policy decision, rather than relegating this function to computer operators. These policy decisions often include the approval of specific programs to act on behalf of the enterprise, exposure of cryptographic secrets, and others affecting risk. The present invention enforces the separation of the functions of computer operator and policy decision owners.

Abstract: In scalable multi-node systems, applications that interact with remote users often use sessions that involve multiple messages. Unless the application instance that initiates the conversation processes all subsequent parts of that session, the context of the conversation must be passed between application instances. This context often involves sensitive data, such as session keys. This invention uses a central service, known as a Key Repository process, to create and manage a set of symmetric encryption keys unique to this application. All authorized instances of the application then obtain these keys from the Key Repository process, enabling these application instances to encrypt and save the context on disk, and allowing a possibly different instance of the application to retrieve and decrypt the context. As a result, these application programs can be designed to operate in a context-free manner.

Abstract: In scalable multi-process and possibly multi-node application environments, the management of sensitive data, such as cryptographic keys, is complicated by the number of processes, the frequency at which they are created and destroyed, and by the desire to avoid storing any keys in the clear in these processes or in data files. The present invention defines a central autonomous process, called the Key Repository process, which is tasked with many functions, including controlling and limiting the distribution of the relevant sensitive information, authenticating operators and policy owners, and performing key renewal operations. The Key Repository process is initiated by multiple acts of human intervention, in combination, thus allowing for the shared responsibility of ownership. Once the Key Repository process is initiated and configured, it enforces the policy decisions of the enterprise. At no point is the sensitive data written to the disk in the clear.

Abstract: In large computer application environments supporting secure enterprise applications, it is often necessary to distribute the environment among multiple systems in diverse locations, and yet share and maintain a set of keys and other sensitive information securely. This invention describes a method to accomplish this, by positioning in each remote site a trusted local agent, and establishing a secure and authenticated communications link between this remote agent and the master system. This remote agent limits the distribution of sensitive information to authorized applications, thus enforcing the security policy of the enterprise.

Abstract: In server environments where sensitive information is used, it is important to protect that information. Policy decisions concerning the distribution of such information must be enforced. Sensitive information is often protected by passwords known to one or more individuals. In these environments, it is impractical to have an operator or other individual authorize every use of sensitive information. This invention describes the pre-authorization of application programs to receive sensitive information of an enterprise, allowing the server to operate without human intervention while preserving and enforcing the security policy of the enterprise.

Abstract: In scalable multi-node multi-process application environments, identical copies of applications are often executing in parallel thus allowing the distribution of load and tolerance of system failure. A problem arises when these applications are security-oriented and involve keying information that changes periodically, such as in the case of public key certificate renewal. When these certificates need renewal, each instance of such applications could attempt to contact the certification authority, potentially causing a conflict since each instance is unaware of the renewal efforts by others. The present invention implements a central process called the Key Repository process, assigning it the function of performing these renewals and other certificate management functions, and inhibiting the application programs from performing these actions. When new certificates are issued, the Key Repository Process makes them available to affected applications when they next request them.