Search

EP-4413694-B1 - POLICY-GOVERNED CRYPTOGRAPHIC SELECTION SYSTEM

EP4413694B1EP 4413694 B1EP4413694 B1EP 4413694B1EP-4413694-B1

Inventors

  • BENSON, MARK
  • Beveridge, Daniel James
  • BROTHERSON, MARC WAYNE
  • HUNTLEY, SEAN JAMES
  • JENKINS, AKEEM LAMAR
  • MOREAU, DENNIS
  • OTT, DAVID

Dates

Publication Date
20260506
Application Date
20221003

Claims (14)

  1. A method (700) of operating a cryptographic selection system, the method comprising: receiving (702) an abstracted cryptographic API call associated with a request for cryptographic operations from a cryptographic API; identifying (704) one or more cryptographic policies that apply to the request for the cryptographic operations; mapping (706) the one or more cryptographic policies to a plurality of cryptographic features; selecting (708) one or more cryptographic features of the plurality of cryptographic features to include in a cipher solution configured to provide the cryptographic operations, wherein the cipher solution satisfies each of the one or more cryptographic policies that apply to the request for the cryptographic operations; and transmitting (710) the cipher solution to the cryptographic API in response to the abstracted API call.
  2. The method (700) of claim 1, wherein identifying (704) the one or more cryptographic policies comprises identifying characteristics of the request for providing the cryptographic operations, wherein the characteristics are selected from the group consisting of: a location of a device making the request, a type of the device and an account associated with the request.
  3. The method (700) of claim 1, wherein identifying (704) the one or more cryptographic policies comprises querying a policy engine containing a plurality of cryptographic policies for the one or more cryptographic policies that apply to the request for the cryptographic operations.
  4. The method (700) of claim 1, wherein identifying (704) the one or more cryptographic policies comprises identifying characteristics of the request for the cryptographic operations, wherein the characteristics are selected from the group consisting of: computing resource sensitivity, an origin of a device making the request, a type of the device and an account associated with the request.
  5. The method (700) of claim 1, wherein each of the one or more cryptographic policies includes one or more tags or classes that identify minimum cryptographic feature requirements for the request.
  6. The method (700) of claim 5, wherein mapping (706) the one or more cryptographic policies to the plurality of cryptographic features comprises utilizing the one or more tags to identify any cryptographic features contained within one or more cryptographic libraries meeting the minimum cryptographic feature requirements.
  7. The method (700) of claim 6, wherein the one or more of the plurality of cryptographic features are selected to optimize a speed at which the cipher solution provides the cryptographic operations.
  8. The method (700) of claim 1, wherein the one or more cryptographic features is one of a cryptographic algorithm, a cryptographic protocol, a function and a combination of cryptographic algorithms, protocols or functions.
  9. The method (700) of claim 1, wherein the cryptographic operations provide secure access to one or more computing resources.
  10. The method (700) of claim 1, further comprising receiving (602) a request to add a cryptographic feature to a cryptographic library managed by a library manager; updating (604) the cryptographic library to add the cryptographic feature to the cryptographic library; and mapping (606) the cryptographic feature to an abstracted cryptographic API call of the application.
  11. A cryptographic selection system (201), comprising: a cryptographic shim (206), configured to receive an abstracted cryptographic API call associated with a request for cryptographic operations from a cryptographic API (202); a policy manager (208), configured to identify one or more cryptographic policies that apply to the request for the cryptographic operations; and a library manager (210), configured to map the one or more cryptographic policies to a plurality of cryptographic features; select one or more cryptographic features of the plurality of cryptographic features to include in a cipher solution configured to provide the cryptographic operations, wherein the cipher solution satisfies each of the one or more cryptographic policies that apply to the request for the cryptographic operations; and transmit the cipher solution to the cryptographic API (202) in response to the abstracted API call.
  12. The cryptographic selection system (201) of claim 11, wherein the policy manager (208) is further configured to manage a plurality of cryptographic policies, the plurality of cryptographic policies being established at least in part by network policies of a network hosting an application supported by a cryptographic provider (204); and the library manager (210) is further configured to manage a plurality of cryptographic libraries (212, 214).
  13. The cryptographic selection system (201) of claim 11, further comprising a processor configured to: receive a request to add a cryptographic feature to a cryptographic library (212, 214) managed by the library manager (210); update the cryptographic library (212, 214) to add the cryptographic feature to the cryptographic library (212, 214); and map the cryptographic feature to an abstracted cryptographic API call of the application.
  14. A non-transitory computer-readable storage medium storing instructions configured to be executed by one or more processors to carry out the steps of the method of any one of claims 1 to 10.

Description

FIELD The present disclosure relates generally to configuring an application or service with reconfigurable cryptographic algorithms. In particular, the cryptographic algorithms can be manually or autonomously reconfigured based upon administrator-defined cryptographic policies. BACKGROUND The demand for improvements in cryptography-based security measures continue to increase and scale with the increasing ability of processors to break through and defeat cryptography-based security measures. Substantial increases in processing power associated with the introduction of quantum computing makes these improvements even more necessary. Unfortunately, conventional cryptographic configurations are generally implemented using hard-coded API calls to particular cryptographic features contained in a static cryptographic library. These hardcoded API calls make adapting to the rapidly changing security threat environment slow and costly since programmers are often needed to make manual changes to the software applications and systems to implement changes that keep the software applications and systems secure. In extreme circumstances, these systems and applications may be forced to reduce functionality or even shutdown until they are able to implement cryptographic features needed to ensure secure operations. Consequently, solutions for reducing the overhead and time needed to implement changes to the cryptographic configurations are desirable. US 2012/131354 A1 describes an encryption service system that comprises an API for receiving requests from one or more calling applications. Each request comprises information identifying the operations to be performed on data to be processed and information identifying the origin and target of the data. The encryption service system further comprises a cryptographic server for processing the requests and determining, for each request, an encryption policy to be applied. SUMMARY This disclosure describes policy-governed mechanisms for dynamically changing cryptographic library and algorithm usage. The invention is defined by the independent claims. Further embodiments are defined by the dependent claims. Other aspects and advantages of the invention will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments. BRIEF DESCRIPTION OF THE DRAWINGS The disclosure will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements. FIG. 1 shows a block diagram illustrating a cryptographic framework associated with a software application.FIG. 2 shows a block diagram illustrating an exemplary application or system, in accordance with the embodiments described herein.FIG. 3 shows a block diagram illustrating an implementation of a cryptographic selection system embedded within a software application, in accordance with the embodiments described herein.FIG. 4 shows a block diagram illustrating an implementation of a cryptographic agility outside a software application, in accordance with the embodiments described herein.FIG. 5 shows a block diagram illustrating the operation of multiple cloud services implementing a cryptographic selection system.FIG. 6 shows a flow diagram illustrating a process for updating a cryptographic library.FIG. 7 shows a flow diagram illustrating a process for operating a cryptographic selection system. DETAILED DESCRIPTION Certain details are set forth below to provide a sufficient understanding of various embodiments of the invention. However, it will be clear to one skilled in the art that embodiments of the invention can be practiced without one or more of these particular details. Moreover, the particular embodiments of the present invention described herein are provided by way of example and should not be used to limit the scope of the invention to these particular embodiments. In other instances, hardware components, network architectures, and/or software operations have not been shown in detail in order to avoid unnecessarily obscuring the invention. Cryptographic frameworks and algorithms are a foundation of security protocols used in many software applications and systems for secure communications. Due to cyber security threats from quantum computing, malware, phishing, and the like to secure communications, cybersecurity algorithms are constantly evolving to protect against evolving cyber threats. Updating software applications or systems to incorporate latest cybersecurity algorithms and security protocols using existing interfaces can be complicated and may require a user or an organization to spend a considerable amount of time. In addition to constantly updating the cryptographic algorithms and security protocols, software applications may be required to support alternative cryptographic algorithms and/or s