The present disclosure relates generally to configuring an application or service with reconfigurable cryptographic algorithms. In particular, the cryptographic algorithms can be manually or autonomously reconfigured based upon administrator-defined cryptographic policies.
The demand for improvements in cryptography-based security measures continue to increase and scale with the increasing ability of processors to break through and defeat cryptography-based security measures. Substantial increases in processing power associated with the introduction of quantum computing makes these improvements even more necessary. Unfortunately, conventional cryptographic configurations are generally implemented using hard-coded API calls to particular cryptographic features contained in a static cryptographic library. These hardcoded API calls make adapting to the rapidly changing security threat environment slow and costly since programmers are often needed to make manual changes to the software applications and systems to implement changes that keep the software applications and systems secure. In extreme circumstances, these systems and applications may be forced to reduce functionality or even shutdown until they are able to implement cryptographic features needed to ensure secure operations. Consequently, solutions for reducing the overhead and time needed to implement changes to the cryptographic configurations are desirable.
This disclosure describes policy-governed mechanisms for dynamically changing cryptographic library and algorithm usage.
A non-transitory computer-readable storage medium is disclosed. Instructions stored within the computer-readable storage medium are configured to be executed by one or more processors to carry out steps that include: receiving an abstracted cryptographic API call associated with a request for cryptographic operations from a cryptographic API; identifying one or more cryptographic policies that apply to the request for cryptographic operations; mapping the one or more cryptographic policies to a plurality of cryptographic features; selecting one or more cryptographic features of the plurality of cryptographic features to include in a cipher solution configured to provide the cryptographic operations, wherein the cipher solution satisfies each of the one or more cryptographic policies that apply to the request for cryptographic operations; and transmitting the cipher solution to the cryptographic API in response to the abstracted API call.
A cryptographic provider, includes the following: a policy manager configured to manage a plurality of cryptographic policies, the plurality of cryptographic policies being established at least in part by network policies of a network hosting an application supported by the cryptographic provider; a library manager configured to manage a plurality of cryptographic libraries; and a cryptographic shim configured to receive abstracted cryptographic API calls from the application for use with the plurality of cryptographic libraries.
A method of operating a cryptographic selection system. The method includes at least the following: receiving an abstracted cryptographic API call associated with a request for cryptographic operations from a cryptographic API; identifying one or more cryptographic policies that apply to the request for cryptographic operations; mapping the one or more cryptographic policies to a plurality of cryptographic features; selecting one or more cryptographic features of the plurality of cryptographic features to include in a cipher solution configured to provide the cryptographic operations, wherein the cipher solution satisfies each of the one or more cryptographic policies that apply to the request for cryptographic operations; and transmitting the cipher solution to the cryptographic API in response to the abstracted API call.
Other aspects and advantages of the invention will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.
The disclosure will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements.
Certain details are set forth below to provide a sufficient understanding of various embodiments of the invention. However, it will be clear to one skilled in the art that embodiments of the invention can be practiced without one or more of these particular details. Moreover, the particular embodiments of the present invention described herein are provided by way of example and should not be used to limit the scope of the invention to these particular embodiments. In other instances, hardware components, network architectures, and/or software operations have not been shown in detail in order to avoid unnecessarily obscuring the invention.
Cryptographic frameworks and algorithms are a foundation of security protocols used in many software applications and systems for secure communications. Due to cyber security threats from quantum computing, malware, phishing, and the like to secure communications, cybersecurity algorithms are constantly evolving to protect against evolving cyber threats. Updating software applications or systems to incorporate latest cybersecurity algorithms and security protocols using existing interfaces can be complicated and may require a user or an organization to spend a considerable amount of time.
In addition to constantly updating the cryptographic algorithms and security protocols, software applications may be required to support alternative cryptographic algorithms and/or security protocols depending on state or context of the user using the applications or system, a state of the device used by the user for accessing resources, and the like. For example, weak or compromised algorithms (e.g., RSA) may need to be replaced with strong algorithms when a user is trying to access a resource from a network in a high security threat area. Accordingly, depending on the circumstances surrounding a user or a user device, different algorithms from a range of cryptographic algorithms may be required for protecting secure data. Directly incorporating the latest advanced algorithms within existing systems or applications may require extensive work at significant cost and the implementation may cause delays if the algorithm is not widely accepted. Modifying every single application on a large scale to rapidly adopt existing cryptographic frameworks to arising threats is complex and costly.
One way in which cryptography-based security measures can be improved is to configure the cryptographic frameworks, upon which the security measures are based, with the ability to quickly make adjustments. For example, this allows a compromised cryptographic feature employed by an existing application to be quickly replace with a more secure cryptographic feature. The ability to rapidly reconfigure the cryptographic frameworks also allows the cryptographic frameworks to be configured to leverage different features or entire cryptographic libraries based on specific use cases. For example, in response to a request for services from a device operating outside of a trusted computer network, the service could be configured to leverage more secure cryptographic features and/or libraries in order to satisfy security policies. This ability for the cryptography framework to agilely reconfigure allows users operating on more secure networks or from more secure locations to benefit from lower overhead cryptography, while maintaining higher security only when needed.
The present embodiments also enable automated selection of one or more cryptographic libraries and/or algorithms and configuration of cryptographic framework based on contextual data surrounding a cryptographic transaction (e.g., access to secure resource or secure communication). The contextual data may indicate sensitivity of data being protected, user's role participating in a data exchange or communication, the communication network detail, the characteristics of devices involved, the nature of the application, and the like.
The ability to automatically select among cryptographic algorithms and key configuration parameters for optimal protection based on the context data (or contextual information) allows the cryptographic frameworks to be configured to leverage multiple cryptographic libraries depending the circumstances. The cryptographic agility, discussed in the present invention, allows an application or system to consume any library or algorithm it may require in a given circumstance.
These and other embodiments are discussed below with reference to
Cryptographic provider 204 is then responsible for processing the API calls received from the cryptographic shim and interacts with two primary modules: policy manager 208 and library manager 210 to assist in executing the abstracted cryptographic API calls generated by application 200.
Library manager 210 is configured to manage cryptographic libraries. While library manager 210 is depicted managing cryptographic libraries 212 and 214 it should be appreciated that library manager 210 can be configured to manage any number of cryptographic libraries needed to support the operation of application 200. Library manager 210 is responsible for providing access to one or more cryptographic features included in cryptographic libraries 212 and 214 in response to the API calls received by cryptographic provider 204. Library manager 210 is also configured to assist with updating existing cryptographic features and registering new cryptographic features. A cryptographic feature can take the form of a cryptographic algorithm, protocol, function, or combination of cryptographic algorithms, protocols or functions.
In some embodiments, library manager 210 includes a mapping table 211, which associates particular cryptographic features with tags configured to associate the cryptographic features contained within cryptographic libraries 212 and 214 with particular functions and capabilities. Whenever updates are made to one of cryptographic libraries 212 and 214, library manager 210 is configured to update mapping table 211 to associate any new or updated cryptographic features with one or more tags.
New cryptographic features can be added to cryptographic selection system 201 by first referencing algorithms/implementation table 216, which can include a listing and/or locations of all potential cryptographic algorithms, libraries, functions, rules and the like compatible with cryptographic provider 204 and then selecting one or more cryptographic features from algorithms/implementation table 216 for registration with cryptographic selection system 201. It should be noted that, while algorithms/implementation table 216 is depicted as being directly attached to library manager 210, algorithms/implementation table 216 can also be maintained and/or stored at a location outside of an attached storage or a local network.
In some examples, library manager 210 can be managed using a user interface operated through application 200 and/or through another management application. The user interface allows a user to register one or more new cryptographic features listed in algorithms/implementation table 216 to update cryptographic selection system 201. For example, an administrator could access the user interface to configure one or more of the cryptographic libraries with cipher suites supporting different bit rates or types of encryption.
Policy manager 208 is responsible for managing policy engine 218. Policy engine 218 can take the form of a user-defined and/or autonomously compiled list of policies that establish rules for the operation of cryptographic selection system 201. Policy engine 218 can be implemented as a rule engine, a table, a neural network or the like. The list of policies stored in policy engine 218 affect how library manager 210 of cryptographic provider 204 operates to manage implementation of various cryptographic features included in cryptographic libraries 212 and 214. When an API call is received at cryptographic provider 204, cryptographic provider 204 leverages the list of policies contained in policy engine 218 and managed by policy manager 208 to select one or more cryptographic feature suitable for handling the abstracted cryptographic API call. In some embodiments, policy engine 218 specifies a particular cryptographic feature or features contained within one of cryptographic libraries 212 and 214 for use in response to an API call.
In some embodiments, a policy associated with the API call specifies a tag identifying a solution class defined and maintained within mapping table 211. The identified cryptographic feature or tag is then transmitted to library manager 210. In the case a tag is transmitted to library manager 210, library manager 210 uses mapping table 211 to identify which cryptographic feature or features is associated with the tag. Library manager 210 then instructs cryptographic provider 204 which cryptographic feature or features to implement in response to the received API call. It should be noted that in some embodiments an API call can be associated with multiple tags. This set of cryptographic features used in responding to the API call can be referred to as a cipher solution. This system of using tags associated with functionality in the policy engine instead of particular cryptographic functions allows library manager 210 and policy manager 208 to operate independently from one another. This reduces the need for coordination between the library and policy managers outside of passing tags from the policy manager to the library manager. It should be noted that while
In some embodiments, the abstracted cryptographic API call can take the form of a request for data encryption of a particular type of data. A first policy associated with the API call can specify that the encryption for that type of data be of a specific type (e.g., FIPS compliant encryption) and a second policy associated with the API call can specify that the encryption be of a minimum security strength (i.e. number of bits) or key size for the specified type of data associated with the API call.
In some embodiments, policy engine 218 can be managed at least in part autonomously by making changes to enterprise policies 220. Enterprise policies 220 is one of cryptographic usage/context information sources 219 and are generally managed by a network administrator, allowing for hierarchical network-wide implementation of policies for managing multiple applications having cryptographic frameworks in accordance with the described embodiments. In some embodiments, policy engine 218 can include policies selected based on user context 222, organizational context 224 and/or additional information 226. User context 222 can include data such as a user's location, the user's identity, the nature of the data to be protected, the user's access level, the speed and/or characteristics of the local network the user is accessing, the geographic location of the user, the application context and more. In embodiments where policy engine 218 includes tags identifying particular desired functionalities, in lieu of specifying particular cryptographic features, policy engine 218 assigns the policies it manages tags configured to meet security requirements specified by the enterprise policies.
In some examples, user context 222 would be supplied to cryptographic provider 204 to assist in selection of the right cryptographic feature to meet a respective abstracted cryptographic API call. For example, a policy stored within policy engine 218 could specify that higher minimum levels of encryption are required for users operating outside of a trusted network environment. The higher minimum level of encryption can be specified by a particular tag in the policy corresponding to a specific level of encryption associated with that tag and identified in mapping table 211. When user context 222 indicates the user is operating outside the trusted network, that higher minimum level of encryption rule would be applied when cryptographic provider 204 is selecting a suitable cryptographic feature for responding to a respective API call.
In some examples, entire cryptographic libraries can be dedicated to handling API calls associated with users of a specific type or operating from a particular location. Organizational context 224 can apply in a similar manner to user context 222. For example, applications grouped under a first organization might have a different set of policies than applications grouped under a second organization. These types of policies would generally be implemented by an information security IT team for each organization. For example, the organizational policies might specify different cryptographic features be used in different regions of the world or that different cryptographic features be used based on which business sector or project the request for access is associated with. In some embodiments, certain policies such as FIPS compliant cryptography could be required for all communications associated with a particular company or organization.
Additional information 226 can include other types of contextual information, such as, for example, certificate alert information for a particular usage context (e.g. transactions utilizing systems running Windows 10 versions a threshold number of versions old and/or versions containing a known critical security vulnerability can be identified as they may require additional security mitigation).
In some examples, the client device 310 may interact with at least one server(s) or other computing device(s) over a communications network. The client device 310 may communicate with other computing device(s) or servers (e.g., application 200) over a network directly or indirectly via any suitable intermediate device(s) or network(s). For example, the client device 310 may communicate via one or more cellular base stations or one or more wireless access points such as IEEE 803.11. In some examples, the client device 310 may direct a user's request to an application 200 within the system 300. The application 200 may be a web application, a computing environment hosted on a server, or a data file on a server. In some examples, the application 200 may be installed on the client device 310 or is accessible from the client device 310 using a web browser.
In some examples, the application 200 may enable a user to perform different actions such as accessing one or more resources or secure data at a server, securely communicate with other devices, and the like from the client device 310. A server hosting the application 200 may be any type of known computer, server, or data processing device. The server may further include RAM, ROM, network interface, input/output interfaces, and memory. The one or more resources or secure data may reside on a server hosting the application 200 or on a different device or a server connected to the application 200 through the network, via direct or indirect connection or some other network.
In some examples, a user's requests or queries from client device 310 are directed to the application 200. The application 200 may be capable of handling cryptographic operations involving modern cryptography standards using the cryptographic selection system 201. The cryptographic selection system 201 enables automated configurations and adjustments to cipher solutions for providing secure data access, communications and other operations for the application 200. Specifically, the cryptographic selection system 201 enables automated selection and configuration of cryptographic libraries (or algorithms within libraries) based on contextual information (e.g., user context 222) or key facts surrounding the user and user device such as user's access level, the speed and/or characteristics of the network the user is accessing, the geographic location of the user, the sensitivity of data being protected, user roles participating in a data exchange, the network context, the characteristics of devices involved, the nature of the application, and the like. In some examples, contextual information may be a user's identity, a device type (e.g., personal, company, etc.), nature of data (e.g., confidential, person, public, etc.), nature of application (e.g., company database, web service, etc.), network (e.g., enterprise or outside US), and the like.
Based on the contextual information, sets of policies and available libraries, the cryptographic selection system 201 automatically selects among cryptographic algorithm alternatives and key configuration parameters for optimal protection to operations involving the application 200. The cryptographic selection system 201 may determine a situation surrounding the user and the user's device, determines what cipher solution (e.g., selection of algorithms and/or libraries) is required to process the user's transaction(s), and configure or select a cipher solution for processing the user's request(s). In some examples, the cipher solution is a solution or framework required for one or more cryptographic operations for processing a user's request for one or more operations involving the application 200. Specifically, a cipher solution is a selection of one or more libraries, algorithms, functions, or processes. Updates to the cipher solution can be based on cryptographic policies, available algorithms and libraries, and contextual information.
In some examples, the application 200 includes a cryptographic API (e.g., 202 as shown in
In some examples, library manager 210 is configured to manage cryptographic libraries. In some embodiments, library manager 210 can include one or more cryptographic libraries. Each of the cryptographic libraries can be configured to be implemented in accordance with information provided by policy manager 208. In some examples, the library manager 210 can be managed using a user interface operated through application 200 and/or through another management application. In some examples, the library manager 210 can be managed by an API used to build configurations related user interface applications. In some examples, policy manager 208 may have access to one or more user-defined, enterprise policies and/or autonomously compiled list of policies dictating the operation of cryptographic provider 320. The list of policies affect how library manager 208 operates to manage implementation of various cryptographic features governed by cryptographic libraries.
In some examples, the policy engine 218 may include mapping between contextual information (e.g., user context data 222) associated with the user and one or more cipher solutions. A cipher solution may be a framework or configuration identifying one or more algorithms and/or libraries for handling cryptographic operations. In the above examples, a software system or application may be used within an organization to configure the policy engine 218. The application may configure the policy engine 218 with policies for data centers, edge computing environments, federated cloud information, and other infrastructure components. The application may allow a user to create, modify, and maintain cryptography operations within the organization after configuring the components with the policy engine 218. An example policy may suggest that if a user or client device is outside the company network then use a TLS 1.3 protocol for cryptographic operations. An example policy may suggest if a communication from the client device is related to a health care application then use FIPS-certified suite. An example policy may suggest if the application 200 includes confidential product roadmap information or intellectual property then use a hybrid quantum safe cipher suite for the communication involving the application.
In some examples, the policy manager may map contextual information with a class or a tag instead of a specific library or algorithm. The nature of the class may be determined by a user of cryptographic selection system 201. A class may identify a level of crypto security that should be used and further provide distinctions that an organization would find meaningful. For example, different classes may be designated for different categories such as top secret, confidential, FIPS, non-FIPS, hand-held device policy, server policy, and the like.
In some examples, a cryptographic standard may be designated as a class that is matched to tags registered within a library. In the above example, according to an example policy, if the user of client device 310 is operating in Iran and provides a request to access classified data, then a cipher solution associated with a class tag “Class: Classified” may be used. In the cryptographic library (e.g., 214) there may be multiple cipher solutions (e.g., quantum safe cipher solution). Different cipher solution matching the same tag may be used based on the context of use. For example, if the user is trying to access data from Iran instead of the United States a more robust cipher solution could be selected. In some examples, a tag may be a set of Boolean conditions which may chain several inputs with logical OR/AND conditions between the inputs (or contextual information). The tag may govern a selection of a cipher solution from registered cipher solutions in the library. For example, a tag may be if a user is a senior executive AND the user is “outside of the home country,” then apply a cipher solution of class “XYZ.” In some examples, a list of policies may be mapped to users' profiles. Accordingly, upon detecting a specific user, a set of policies and tags associated with the user's profile may be used for processing the user's request for actions involving cryptographic operations.
In some examples, the mapping table 211 may be a separate table from the policy engine 218 that includes mappings or pointers between tags or classes from the policy engine 218 to one or more libraries or cryptographic algorithms accessible by the library manager 210. The mapping table 211 may include mappings or pointers between one or more cryptographic algorithms or libraries (within algorithms table 216) and one or more policy data (e.g., class or tags associated with the policy engine 218). The mapping table 211 may act in conjunction with a policy engine or can also take over the functions of the policy engine (see, e.g., policy manager 208 from
In the above examples, a user of the client device 310 may request to access one or more secure data or resources associated with the application 200. Accordingly, a user request for accessing secure data or resources may be generated. In some examples, upon generating the user request, the client device 310 may direct the user request to an IP address (using IPv4 or IPv6 protocol format) of a server hosting the application 200. The client device 310 may direct the packets containing the user request and user's contextual information to the application 200. The contextual information may include information associated with the user, the client device 310, the network connection used by the user, or any other information associated with the user, device and/or network used by the client device 310. The contextual information can include a location of the client device 310, determined using, e.g., an IP location or GPS location of client device 310. The contextual information may be determined when a user of the client device 310 requests an access to certain applications or data. The contextual information is shared with the policy engine 218 for the policy engine 218 to select an appropriate cipher solution. Contextual information can also change after the request for access and while the data is being accessed. For example, if client device 310 is a portable device, a location of client device 310 can change, which can trigger an evaluation to determine whether the cipher solution needs to be changed.
In some examples, different sets of mechanisms may be used to collect contextual information to be used by the cryptographic selection system 201. The application 200 may provide context information to the provider 204 (or a processor associated with cryptographic selection system 201) using API calls. In some examples, the provider 204 may check operating system or container level information including configuration data for application 200 and client device 310 to determine contextual information. Further, information about the user's configuration may help determine contextual information. For example, if the application 200 is configurable using API or UI, the provider may determine that the application 200 may be using a certain standardized approach (e.g., FEDRAMP). In some examples, contextual information may be determined based on inspecting packets from the client device 310. In some examples, an organization may have software that collects the contextual information and makes the information available via an API or file that is available to the policy manager 208. Alternatively, the policy manager 208 may collect the activities associated with the contextual information from the operating system and other information sources.
In the above examples, to further process the user's request, the crypto shim 206 may intercept a call or request for cryptographic operations within the application 200 and redirects the calls or the requests to the cryptographic provider 204. Within the application 200, security operations may be performed over the cryptographic selection system 201. In the above examples, the cryptographic provider 204 or policy manager 208 may obtain and analyze the contextual information received. For example, the cryptographic provider 204 may identify the location of the user's device based on the contextual information. Similarly, the cryptographic provider 204 may determine other information specific to the user, user device, network security of the user device, and type of access requested by the user.
In some examples, a device or client associated with the provider 204 may obtain contextual information by requesting a communication session with an application server associated with the application 200 and/or client device 310. The context information is then used by the policy manager 208 to make an automated decision on which cipher solution to use or change in the configured cipher solution. In some examples, if the user requests access to highly sensitive data from the application 200, the application 200 can signal the policy engine 218 to invoke a change in a cipher solution based on the changed data access context (e.g., location of the user device 310).
The cryptographic provider 204 may further compare the contextual information with corresponding policies and tags/classes within the policy engine 218. The policy engine 218 (or the cryptographic provider 204) may determine a cipher solution (or selection of libraries and/or algorithms) for performing the cryptographic operations for processing the user request.
In the above examples, upon determining the cipher solution for processing the user's request, the cryptographic provider 204 executes the one or more algorithms according to the cipher solution to authenticate or process the user's request. The one or more cryptographic algorithms can include a one way hash function, symmetric key encryption, public key encryption, digital signature, and other types of predefined or customized cryptographic algorithms. Accordingly, proper security measures are followed in processing the user's request to ensure secure communication. In the above examples, a policy and libraries (or algorithms within the libraries) are instantiated in real-time for configuring the cipher solution based on the contextual information.
In alternative examples, the cryptographic provider 204 may have a default or present cipher solution defined for all user's requests. Accordingly, upon receiving the user's request and contextual information, the cryptographic provider 204 may evaluate the present or default framework configured for processing the user's request. In some examples, the cryptographic provider 204 may determine that the present cipher solution (e.g., cryptographic algorithms) is not suggested for processing the user's request based on the received contextual information and the mapping table 211. In the above examples, the cryptographic provider 204 may change or adjust the present cipher solution to include one or more different cryptographic algorithms and/or libraries. Alternatively, the cryptographic provider 204 may determine that the current framework does not need to be updated in accordance with the contextual information.
In alternative examples, the cryptographic provider 204 may compare contextual information with the contextual information associated with the present or default configuration or framework for performing cryptographic operations. If the contextual information is unchanged, the provider 204 does not further evaluate the contextual information against the mapping table 211 and uses the default or present framework for processing the user's request.
In some examples, in response to determining that the present or default cipher solution needs to be updated, the cryptographic provider 204 updates or reconfigures the cipher solution based on the contextual information and mapping table 211. Upon implementing an update to the cipher solution, the cryptographic provider processes the user request by executing the selected cryptographic algorithm(s) in accordance with the updated cipher solution. The above described process may be performed every time a user request needs to be processed using cryptographic operations within the application 200.
In the above examples, as discussed, the policy manager 208 may determine which cipher solution to use based on contextual information. The policy engine 218 may take a set of inputs (e.g., context information), process the inputs with rules or policies, and output a tag representing a class of a cipher solution needed for processing the user request. Upon receiving information about required cipher solution from the policy manager 208, the information may be forwarded to the library manager 210 using one or more APIs supported by the library manager 210.
Upon receiving the information, the library manager 210 may identify correct libraries and obtain access to the libraries using either direct or intermediary mode. In the above examples, a cryptographic library may have one or more cipher solutions with parameters registered and tagged to a same tag that is outputted from the policy manager 208. In direct mode, the library manager 210 may make a call to access the required libraries and/or algorithms and direct the output (pointers to the set of libraries or algorithms) back to cryptographic provider 204 caller (e.g., application 200). In intermediary mode, the library manager 210 may make a call to access the required libraries and/or algorithms and direct the output (pointers to the set of libraries or algorithms) back to the cryptographic provider 204 caller (e.g., application 200) with no indirection turned off. In contrast, in intermediary mode with indirection turned off, the library manager 210 may make a call to access the required libraries and/or algorithms and in response only receives the specific libraries it requested. If the required library references other libraries, with indirection turned off, the library manager 210 does not retrieve the other libraries. A built-in indirection function may provide an access to a library and/or algorithm pointed-to by another library and/or algorithm.
In the above examples, in response to the user's request, a call to the cryptographic provider 204 is directed to a specific cryptographic library, an algorithm family within a cryptographic library (from the algorithms table 216), or a specific function call associated with the algorithm family using different types of input parameters required by the algorithms. In other examples, the steps of communication between cryptographic provider 204, library manager 210 and policy manager 208 may vary with different methods of operations. Additional scenarios and examples of automated cipher solution selection and updates are described in
In some examples, a user's requests or queries from client device 310 are directed to the application 200 are received at a proxy 314. The proxy 314 may include functions, rules or operations for processing security related protocols, such as SSL or TLS. The proxy 314 may serve as a front-end authentication and communication dispatch system. For example, the proxy 314 may encrypt or decrypt network packets associated with the user's request.
In the above examples, the proxy 314 may act as a load balancer for the application 200 to incoming traffic from the internet and/or other networks. The proxy 314 may be deployed alongside the application 200 where the outside world interacts with the application 200 through the proxy 314. The proxy may be an envoy proxy, reverse proxy, or a different type of proxy embedded to the application 200. The proxy 314 may be capable of handling cryptographic operations involving modern cryptography standards.
In some examples, the proxy 314 may act as a load balancer for the application 200 to incoming traffic from the internet and/or other networks. Along with balancing incoming traffic, the proxy 314 may implement TCP (or SSL) protocols. The proxy 314 may include a TLS endpoint proxy 316. The TLS endpoint proxy 316 may act as an intermediary point between the client device and proxy 314, and used to establish and/or terminate TLS tunnels by decrypting and/or encrypting incoming and outgoing communications. The TLS endpoint proxy 316 may set up SSL or TLS connection on behalf of the client device and/or application 200. The proxy 314 may be deployed alongside the application 200 where the outside world interacts with the application 200 through the proxy 314.
In some examples, the system 400 may further include cryptographic selection system 201. The cryptographic selection system 201 enables automated configurations and adjustments to cipher solutions for providing secure data access and communications, as discussed in
In some examples, a user using the client device 310 may request to access one or more secure resources, request a secure communication, or perform some other actions involving the application 200. Accordingly, a user request from the client device 310 may be generated. In some examples, upon generating the user request, the client device 310 may direct the user request to an IP address (using IPv4 or IPv6 protocol format) of a server hosting the application 200.
In the above examples, the client device 310 may direct the packets containing the user request and user's contextual information to the application 200. The packets directed to the application 200 may be received at the proxy 314 within Transport Layer Security (TLS) agility 312. The proxy 314 may encrypt or decrypt network packets associated with the user's request and set up SSL or TLS connection on behalf of the client device and/or application 200. In some examples, TLS endpoint proxy 316 receives the user request via an established TLS tunnel and may decrypt the user request for further processing. In some examples, upon receiving the user request, the proxy 316 may handover cryptographic operations to cryptographic provider 204 via cryptographic shim 206. The crypto shim 206 may act as a library that intercepts a call or request for additional cryptographic operation within the proxy 314 and redirects the call or the request to the cryptographic provider 204.
In the above examples, the cryptographic provider 204 obtains and analyzes the contextual information using various methods described in
In the above examples, the cryptographic provider 204 may determine the cipher solution for processing the user's request. In the above examples, upon determining the cipher solution for processing the user's request, the cryptographic provider 204 executes the one or more algorithms according to the cipher solution or selected algorithms to process the user's request. In the above examples, a policy and libraries (or algorithms within the libraries) are instantiated in real-time for configuring the cipher solution based on contextual information associated with the user, client device 310, and/or network used by the client device 310.
In the above examples, upon processing the user's request, the request may be forwarded to the application 200 (or one or more servers associated with the application 200) for further processing of the user's request. Specifically, the application 200 may receive authorization or results based on the execution of the one or more algorithms by the cryptographic provider 204.
Control plane 528 of
In some embodiments, outgoing communications from multiple cloud services that are all intended for a single recipient and are routed through edge gateway 526 might all implement the same cryptographic features, allowing for a single call to the policy manager 530 within control plane 528 to handle the cryptographic feature implementation for the multiple cloud services. It should be noted that, edge gateway 526 can also be used to facilitate communication between policy manager 530, library manager 532 and individual cloud services when handling requests that apply only to a particular one of cloud services 502-510.
The cryptographic provider sends data from the abstracted cryptographic API call to a policy manager for further evaluation. At step 704 the policy manager is configured to identify one or more cryptographic policies that apply to the request for cryptographic operations. The policy manager identifies the cryptographic policies by querying a policy engine containing policies that each specify one or more particular tags or classes that correspond to a context of use associated with a particular abstracted cryptographic API call. For example, a first policy can be associated with any use of a particular application or group of applications and specify that any use of the application or group of applications be associated with a first tag dictating the encryption of communications with the application or group of applications using encryption that exceeds a first minimum threshold. A second policy stored within the policy engine can be associated with a particularly sensitive feature of the application or group of applications and specify that any use of the particularly sensitive feature employ encryption exceeding a second minimum threshold higher than the first minimum threshold. In such a case, both tags could still be associated with the abstracted cryptographic API call but the second tag would supersede the first policy for any uses of the particularly sensitive feature. In some embodiments, both tags could help to form a cipher solution capable of changing encryption types in response to a user transitions between different more or less features of an application without making an additional abstracted cryptographic API call anytime a context of use changes.
At step 706, the tags identified by the policy manager and policy engine are transmitted to a library manager where the one or more cryptographic policies are mapped to a plurality of cryptographic features using a mapping table of the library manager. At step 708, the library manager is responsible for selecting one or more cryptographic features from the plurality of cryptographic features to include in a cipher solution configured to provide the cryptographic operations. The library manager can be responsible for maintaining the mapping table by updating it so that tag or class references correspond to newly added features stored within one or more cryptographic libraries. In selecting the one or more cryptographic features, the library manager can be configured to select cryptographic features that aren't overly burdensome for a particular use case. For example, while a cryptographic library managed by the library manager may include cryptographic features capable of applying extremely high levels of encryption, the library manager can be tuned to select a set of cryptographic features that are optimized for performance in light of the requirements specified by the tags. This would typically involve selecting the highest performing cryptographic features from a pool of available cryptographic features that all fall within the requirements defined by the received tags or classes. This doesn't mean the library manager would always select the least secure cryptographic features allowable by the policies. For example, in the case a device is known to have hardware acceleration for a particular set of cryptographic features a more secure cryptographic feature supported by the hardware acceleration might run faster on that device than a less secure cryptographic feature not supported by the hardware acceleration.
At step 710, the library manager prepares the cryptographic features making up the cipher solution and transmits any information needed to support the cryptographic features back to the cryptographic API by way of the cryptographic provider and the cryptographic shim. The cryptographic shim adapts the information received from the cryptographic provider for use by the application or web service prior to the information being received back at the cryptographic API of the application or web service.
The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the described embodiments. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the described embodiments. Thus, the foregoing descriptions of specific embodiments are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the described embodiments to the precise forms disclosed. It will be apparent to one of ordinary skill in the art that many modifications and variations are possible in view of the above teachings.