US-12621173-B2 - System and method for multi-tenant session management of cryptographic devices
Abstract
Provided is a system and method for root of trust and dynamic session management of cryptographic devices servicing cryptographic requests from multi-tenant applications in a cryptographic computing environment. The system comprises a Connection Manager to provide low-latency cryptographic operations, a Cache Store to support multi-tenancy, a Session Scheduler to provide high-throughput cryptographic services, and a Session Health Monitor to provide resiliency. The system tracks a state of the PKCS11 sessions and revises session assignments of client applications depending on whether a PKCS11 session with the cryptographic device is busy or in a range of error states, and detects, classifies and remedies multiple error situations occurring within a prepared Pool of session blocks in view of the health metrics to provide improved cryptographic operation performance. Other embodiments disclosed.
Inventors
- Sunil MAURYA
- Robert Fitzpatrick
Assignees
- Thales DIS CPL USA, Inc
Dates
- Publication Date: 20260505
- Application Date: 20240129
Claims (14)
- 1. A System for root of trust and dynamic session management of cryptographic devices servicing cryptographic requests from multi-tenant applications in a cryptographic computing environment, comprising: one or more processors and memory operatively coupled to the one or more processors, wherein the memory includes computer instructions which when executed by the one or more processors causes the one or more processors to perform the operations of: a Connection Manager to provide low-latency cryptographic operations on one or more Cryptographic Devices that are local or remote to the System; by creating a block of multiple PKCS11 sessions for a client application logged into a PKCS11 session to use for crypto operations for a tenant that has established a root-of-trust in a tenant partition of the one or more Cryptographic Devices; assigning these session blocks to the tenant partitions of said one or more Cryptographic Devices to service incoming requests from one or more of the client applications performing said crypto operations, thereby lowering a latency for handling the incoming requests compared to using a single session since multiple PKCS11 sessions in the block are available and ready to use for the tenant; allocating incoming requests to PKCS11 sessions from pool of these session blocks for different clients for handling these crypto operations in real-time thereby providing low-latency and high-throughput for also handling crypto operations with a different client; a Cache Store associated with said Connection Manager to support multi-tenancy on the one or more Cryptographic Devices by tracking of individual tenant's partition mapping to their respective session blocks in the pool; managing lifecycle of said individual tenant's connection along with its sessions to said one or more Cryptographic Devices; a Session Scheduler to provide cryptographic services with a high throughput compared to that of a single session on said one or more Cryptographic Devices by selecting session block from said Cache Store that is mapped to the tenant partition and available for use to ensure tenant isolation; assigning an available PKCS11 session from said session block to service the crypto operations allocated to individual tenants of the Cryptographic Device(s); and a Session Health Monitor to provide resiliency by evaluating health metrics of the Session Scheduler and a set of PKCS11 sessions in the pool of session blocks allocated to individual tenant's partition mapping; reporting an assessment of overall session block health as a measurement for throughput of crypto operations across the session blocks; and remediating and self-repairing session blocks in the event of session errors in the pool of session blocks.
- 2. The system of claim 1, wherein the Connection Manager in association with Session Health Monitor: tracks a state of the PKCS11 sessions and revises session assignments of client applications depending on whether a PKCS11 session with the cryptographic device is in one or more error states; and detects, classifies and remedies of the one or more error states occurring within the pool of session blocks in view of the health metrics, thereby minimizing latency and maximizing availability of the cryptographic device services by way of the revised session assignments in view of the overall session block health.
- 3. The system of claim 1, wherein the Session Scheduler returns a PKCS11 session to an ‘available’ state in the session block once that PKCS11 session is done servicing crypto operation, and making that session re-useable for further crypto operations requests without closing it.
- 4. The system of claim 3, wherein the Session Scheduler in association with Session Health Monitor maintains individual PKCS11 sessions in an open state after tenant use for as long as possible to maintain the pool and so as to be available for use by an established client application.
- 5. The system of claim 4, wherein the Session Scheduler with Session Health Monitor tracks a range of errors during PKCS11 session usage and allocation, and repairs and remediates as necessary to ensure a healthy pool of PKCS11 sessions.
- 6. The system of claim 1, wherein the Connection Manager creates a PKCS11 session on demand, and at a certain point in time is assigned to a particular tenant on the cryptographic device for exclusive and permanent use with that tenant.
- 7. The system of claim 1, wherein the incoming requests comprise a payload such as an operand along with a connection specification, and a requested cryptographic operation such as an encrypt, decrypt, or signing.
- 8. The system of claim 1, wherein a Cryptographic Device is one or more of a Hardware Security Module (HSM), USB based cryptographic token and smart card.
- 9. The system of claim 1, wherein when the Connection Manager asks the Session Scheduler to allocate a PKCS11 session for a tenant, and execute the crypto operation on the Cryptographic Device, but, if the PKCS11 session is not available for the tenant, it will create a session block with open PKCS11 sessions exclusively for that tenant to use, and then used PKCS11 sessions will be returned to the pool for that session block for that tenant for later use, without closing or terminating the PKCS11 session.
- 10. The system of claim 9, wherein the Session Scheduler with the Cache Store and Session Health Monitor efficiently manages multiple PKCS11 sessions on behalf of multiple tenants or applications to service a volume of crypto requests at one or more partitions of said one or more Cryptographic Devices.
- 11. The system of claim 10, wherein the Connection Manager with the Cryptographic device's client dynamically establishes and maintains the life cycle of a secure communication channel with the Cryptographic Device for one or more tenants by way of adding a dedicated connection and removal, over Transport Layer Security (TLS), and then provides for PKCS11 Application Programming Interface (API) call support over said secure communication channel to service crypto requests for one or more tenants.
- 12. The system of claim 11, wherein the Session Scheduler runs in a loop whereby it waits until an incoming request is present in the queue, then extracts it from the queue; examines the amount of time the request was in the queue, wherein if the request was in the queue for a predetermined time, it is discarded, and thereafter; finds a ‘free’ PKCS11 session in the session block, wherein if one is found, the request is assigned to the PKCS11 session and invokes the callback mechanism with details of the PKCS11 session, and thereafter; and updates the health status of the block, examining the age of errors and resetting the one or more error states of the block when applicable.
- 13. The system of claim 1, wherein the Session Scheduler processes and handles session allocation requests from a session allocation request queue, wherein said requests are dequeued sequentially by waiting for a session allocation request for a PKCS11 session, and then receiving the request, upon dequeuing, performs a check operation to determine a length of time the request was in said queue, and discards or drops said request if said request was in the queue for a time matching or exceeding said length of time.
- 14. The system of claim 13, wherein the Session Scheduler before attempting to wait for and dequeue a further request, examines a session state of the session block, and, upon determining if the session state is ACTIVE, waits for said further request, and if not, exits, otherwise, on dequeuing said further request and passing a queue time-residency check, examines the pool of sessions to determine whether a compatible PKCS11 session is available, and, if no such compatible PKCS11 session is available within an allotted timeframe, an error is returned, and if such a PKCS11 compatible session is available, assigns that session to said further request and sets a variable for the session indicating that it is in a USE session state.
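
The scheduler loop recited in claims 12 to 14, together with the tenant-to-block lookup of claim 1 and the session reuse of claim 3, as an added Python example that is not code from the patent. Sessions are in-memory stand-ins (no PKCS#11 library is called), and every name, both timeout constants and the returned status strings are assumptions; a missing free session is reported immediately rather than after an allotted wait.

```python
from collections import deque
from dataclasses import dataclass, field

MAX_QUEUE_AGE = 2.0   # assumed: seconds a request may sit in the queue
ERROR_MAX_AGE = 30.0  # assumed: seconds before a recorded error is cleared

@dataclass
class Session:                 # stand-in for one open PKCS#11 session
    handle: int
    state: str = "AVAILABLE"   # AVAILABLE or USE

@dataclass
class SessionBlock:            # block of sessions bound to one tenant partition
    partition: str
    sessions: list
    state: str = "ACTIVE"
    errors: list = field(default_factory=list)   # timestamps of session errors
    queue: deque = field(default_factory=deque)  # (enqueue_time, callback)

    def step(self, now):
        """One pass of the scheduler loop; returns what happened."""
        if self.state != "ACTIVE":
            return "exit"                # claim 14: block is not ACTIVE
        if not self.queue:
            return "idle"                # nothing to dequeue yet
        enqueued, callback = self.queue.popleft()
        if now - enqueued >= MAX_QUEUE_AGE:
            return "dropped"             # queue time-residency check failed
        free = next((s for s in self.sessions if s.state == "AVAILABLE"), None)
        if free is not None:
            free.state = "USE"
            callback(free)               # hand the session details to the caller
        # health update: clear errors older than the reset window
        self.errors = [t for t in self.errors if now - t < ERROR_MAX_AGE]
        return "assigned" if free is not None else "no-session"

    def release(self, session):
        session.state = "AVAILABLE"      # returned for reuse, never closed

def submit(cache_store, tenant, now, callback):
    """Queue a request on the block mapped to this tenant and no other."""
    block = cache_store[tenant]          # KeyError for an unknown tenant
    block.queue.append((now, callback))
    return block
```

Because `submit` resolves the block from the tenant key alone, a request can only ever be handed a session from its own tenant's partition, which is the isolation property the Cache Store mapping is meant to enforce.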
Description
TECHNICAL FIELD
The present invention relates generally to cryptographic device applications, and more particularly, to improving performance of session management for multi-tenant applications communicating with cryptographic devices.
BACKGROUND
Cryptographic devices include hardware security modules (HSMs), USB based cryptographic tokens and smart cards. Different cryptographic devices have different capabilities in terms of the storage of cryptographic objects and also for performing different cryptographic operations. These devices generally perform two types of functions: storage of cryptographic objects such as asymmetric keys, symmetric keys and X509 certificates, and performing cryptographic operations, for example, asymmetric key pair generation, symmetric key generation, hashing, encryption/decryption and signing.
Applications that need to access the cryptographic devices may use the PKCS #11 interface, since cryptographic device vendors commonly implement this API model in their products. PKCS #11 defines a standard API model for accessing the cryptographic objects and performing different cryptographic operations.
Applications communicate with a cryptographic device over one or more PKCS #11 sessions. A session provides a logical connection between the application and the cryptographic device. After it opens a session, an application has access to the objects of the cryptographic device for performing cryptographic functions and operations.
A Hardware Security Module (HSM) is one type of dedicated crypto processing device that supports PKCS #11 and is specifically designed for the hardware protection of cryptographic keys. HSM “partitions” are independent logical HSMs that reside within the HSM. Each HSM Partition has its own data, access controls, security policies, and separate administration access. Applications may be assigned to partitions that once connected are referenced as a numbered slot.
In some arrangements, an HSM cluster managed by a single server application is used by various services and applications via an HSMaaS (HSM as a Service) model. These cloud-based and network-attached HSMs can be used by a large number of clients/tenants and thus need to have the capability of allowing for multi-tenancy. Accordingly, multi-tenant applications need to interface with multiple HSMs' partitions. However, communicating with HSMs in a timely manner requires maintaining numerous PKCS #11 sessions, and on-demand creation of such sessions is ‘costly’. That is, creating and managing these sessions, including handling multiple error scenarios and recovery, poses serious challenges around HSM management, tenant isolation and resiliency. These challenges are compounded by latency and throughput requirements.
Accordingly, there is a need for a system for root of trust management with dynamic session management providing improved performance in multi-tenant applications with respect to latency, throughput, and resiliency of cryptographic requests and operations.
All of the subject matter discussed in this Background section is not necessarily prior art and should not be assumed to be prior art merely as a result of its discussion in the Background section. Along these lines, any recognition of problems in the prior art discussed in the Background section or associated with such subject matter should not be treated as prior art unless expressly stated to be prior art. Instead, the discussion of any subject matter in the Background section should be treated as part of the inventor's approach to the particular problem, which, in and of itself, may also be inventive.
SUMMARY
Provided herein is a system and method for establishing and maintaining a potentially-large number of PKCS #11 sessions, such that low-latency and high-performance requirements are satisfied, multiple session error situations are automatically detected, classified and remedied where possible, and where session performance metrics are continually captured, all while maintaining and enforcing tenant isolation. This provides an improvement in performance and processing capability for servicing application requests and handling session management between multi-tenant applications and respective cryptographic devices, including, but not limited to HSMs, USB based cryptographic tokens and smart cards.
In some embodiments a System for root of trust and dynamic session management of cryptographic devices servicing cryptographic requests from multi-tenant applications in a cryptographic computing environment is provided. The system comprises one or more processors and memory operatively coupled to the one or more processors, wherein the memory includes computer instructions which when executed by the one or more processors causes the one or more processors to perform the operations of a Connection Manager, a Cache Store, a Session Scheduler, and a Session Health Monitor. In some embodiments the Connection Manager provides low-latency cryptograph