Abstract: A new approach is proposed to support monitoring Perfect Forward Secrecy (PFS) network traffic by utilizing a hardware security module (HSM) appliance. Here, the HSM appliance is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security hardware with embedded firmware, which can be used for management and sharing of ephemeral keys used in a secured PFS communication session between two parties. Specifically, the HSM allows a server to share one or more of its ephemeral keys and/or parameters used in PFS traffic during the session with a third party under specified access rights and/or authorization, wherein the third party can be but is not limited to a traffic monitoring module. The HSM allows the third party to access the ephemeral keys stored on the HSM under the specified access rights and/or authorization so that the third party may decrypt and run analytics on the PFS traffic captured during the session.

Abstract: A new approach is proposed that contemplates systems and methods to support a mechanism to offload IPSec/IKE processing of virtual machines (VMs) running on a host to an embedded networking device, which serves as a hardware accelerator for the VMs that need to have secured communication with a remote device/server over a network. By utilizing a plurality of its software and hardware features, the embedded networking device is configured to perform all offloaded IPSec operations on data packets transferred between the host and the remote device over the network as required for the secured communication before the data packets can be transmitted over the network. The embedded networking device, in effect, acts as a proxy on behalf of the VMs running on the host to perform the offloaded IPSec operations as well as serving as the network interface for the secured communication between the VMs and the remote device.

Abstract: A new approach is proposed that contemplates systems and methods to support a mechanism to offload all aspects of inline SSL processing of an application running on a server/host to an embedded networking device such as a Network Interface Card (NIC), which serves as a hardware accelerator for all applications running on the server that need to have a secure connection with a remote client device over a network. By utilizing a plurality of its software and hardware features, the embedded networking device is configured to process all SSL operations of the secure connection inline, i.e., the SSL operations are performed as packets are transferred between the host and the client over the network, rather than having the SSL operations offloaded to the NIC, which then returns the packets to the host (or the remote client device) before they can be transmitted to the remote client device (or to the host).

Abstract: A new approach is proposed that contemplates systems and methods to support a secure machine environment on a HSM adapter, which enables an end user of the HSM adapter to run its own security sensitive applications securely via a secure machine within the HSM adapter and to gain access to its security measures. During operation, the secure machine receives commands from an application running on a host outside of the HSM adapter and executes a security sensitive application within the secure machine environment. The secure machine is configured to process all sensitive information of the security sensitive application via one or more secure machine processes/threads, while the applications running on the host only deal with non-sensitive information. The secure machine then sends a response back to the application running on the host following execution of the security sensitive application within the secure machine environment.

Abstract: A new approach is proposed to support monitoring Perfect Forward Secrecy (PFS) network traffic by utilizing a hardware security module (HSM) appliance. Here, the HSM appliance is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security hardware with embedded firmware, which can be used for management and sharing of ephemeral keys used in a secured PFS communication session between two parties. Specifically, the HSM allows a server to share one or more of its ephemeral keys and/or parameters used in PFS traffic during the session with a third party under specified access rights and/or authorization, wherein the third party can be but is not limited to a traffic monitoring module. The HSM allows the third party to access the ephemeral keys stored on the HSM under the specified access rights and/or authorization so that the third party may decrypt and run analytics on the PFS traffic captured during the session.

Abstract: A new approach is proposed that contemplates systems and methods to support a mechanism to offload IPSec/IKE processing of virtual machines (VMs) running on a host to an embedded networking device, which serves as a hardware accelerator for the VMs that need to have secured communication with a remote device/server over a network. By utilizing a plurality of its software and hardware features, the embedded networking device is configured to perform all offloaded IPSec operations on data packets transferred between the host and the remote device over the network as required for the secured communication before the data packets can be transmitted over the network. The embedded networking device, in effect, acts as a proxy on behalf of the VMs running on the host to perform the offloaded IPSec operations as well as serving as the network interface for the secured communication between the VMs and the remote device.

Abstract: A new approach is proposed to support secured hardware security module (HSM) backup for a plurality of web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM. Each HSM is a high-performance, FIPS 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions isolated from each other, where each HSM partition is dedicated to support one of the web service hosts/servers to offload its crypto operations via a HSM virtual machine (VM) over the network. The HSM-VM is configured to export objects from the key store of a first HSM partition to a key store of a second HSM partition, wherein the second HSM partition is configured to serve the key management and crypto operations offloaded from the web service host once the objects exported from the key store of the first HSM partition are received.

Abstract: A new approach is proposed that contemplates systems and methods to support a mechanism to offload all aspects of inline SSL processing of an application running on a server/host to an embedded networking device such as a Network Interface Card (NIC), which serves as a hardware accelerator for all applications running on the server that need to have a secure connection with a remote client device over a network. By utilizing a plurality of its software and hardware features, the embedded networking device is configured to process all SSL operations of the secure connection inline, i.e., the SSL operations are performed as packets are transferred between the host and the client over the network, rather than having the SSL operations offloaded to the NIC, which then returns the packets to the host (or the remote client device) before they can be transmitted to the remote client device (or to the host).

Abstract: A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to support one of the web service hosts/servers to offload their crypto operations via one of a plurality of HSM virtual machine (VM) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services.

Abstract: A new approach is proposed that contemplates systems and methods to support a trusted local certificate authority (CA) running on a hardware security module (HSM), wherein the trusted local CA is configured to issue a certificate to each of a plurality of network-enabled devices for authentication. The HSM further includes a plurality of HSM service units each configured to process key management and crypto operations offloaded from each of the network-enabled devices once it is authenticated. Each of the network-enabled devices is configured to accept its certificate for authentication from the trusted local CA, establish a secured communication channel with the HSM over a network and present the certificate to the HSM in a request for authentication, and offload its key management and crypto operations to one of the HSM service units once the network-enabled device is authenticated.

Abstract: A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to support one of the web service hosts/servers to offload their key management and crypto operations via one of a plurality of HSM virtual machine (VM) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services.

Abstract: A new approach is proposed to support high availability (HA) of hardware security module (HSM) adapters in an HSM HA domain for web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM adapters. Each of the HSM adapters is a high-performance, FIPS 140-compliant security solution and includes multiple partitions isolated from each other each dedicated to support one of the web service hosts to offload its key management crypto operations. An HSM managing virtual machine (VM) monitors load information on the operations currently being performed by the HSM partitions in the HSM HA domain and identifies one or more second HSM partitions if a first HSM partition serving the operations is determined to be overloaded. The HSM managing VM then distributes a portion of the offloaded key management and crypto operations from the first HSM partition to the second HSM partitions.

Abstract: A new approach is proposed that contemplates systems and methods to support security communication between a hardware security module (HSM) and a plurality of network-enabled devices to offload their key storage, management, and crypto operations to the HSM. The HSM includes a plurality of HSM service units, each configured to authenticate one of the network-enabled devices based on its credentials and process the key management and crypto operations offloaded from the network-enabled device once it is authenticated. The HSM service unit also communicates results of the key management and crypto operations back to the network-enabled device via the secured communication channel.

Abstract: A new approach is proposed to support secured hardware security module (HSM) backup for a plurality of web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM. Each HSM is a high-performance, FIPS 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions isolated from each other, where each HSM partition is dedicated to support one of the web service hosts/servers to offload its crypto operations via a HSM virtual machine (VM) over the network. The HSM-VM is configured to export objects from the key store of a first HSM partition to a key store of a second HSM partition, wherein the second HSM partition is configured to serve the key management and crypto operations offloaded from the web service host once the objects exported from the key store of the first HSM partition are received.

Abstract: A new approach is proposed that contemplates systems and methods to support security communication between a hardware security module (HSM) and for a plurality of web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM. Each of a plurality of HSM virtual machines (VMs) establishes a secure communication channel with a web service hosts/server to offload its key management and crypto operations to a HSM partition of the HSM dedicated to support the web service. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support the plurality of web service hosts.