US 12,445,441 B2
Integration of third-party encryption key managers with cloud services
Il-Sung Lee, New York, NY (US); Sidharth Durgesh Telang, New York, NY (US); Jimmy C. Chau, New York, NY (US); Timothy Matthew Dierks, Brooklyn, NY (US); Ariel Joseph Feldman, Forest Hills, NY (US); Hunter James Freyer, Long Island City, NY (US); Gregory David Laun, Jersey City, NJ (US); Tianyuan Liu, Manhasset, NY (US); Pedro Henrique Ribeiro Morais E Silva, New York, NY (US); Aditya Sinha, New York, NY (US); Xiaolan Zhang, Chappaqua, NY (US); and Netanel Keidar, Jersey City, NJ (US)
Assigned to Google LLC, Mountain View, CA (US)
Filed by Google LLC, Mountain View, CA (US)
Filed on Mar. 20, 2023, as Appl. No. 18/186,733.
Application 18/186,733 is a continuation of application No. 16/683,025, filed on Nov. 13, 2019, granted, now 11,611,558.
Prior Publication US 2023/0231850 A1, Jul. 20, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 9/08 (2006.01)
CPC H04L 63/0884 (2013.01) [H04L 9/0822 (2013.01); H04L 9/0891 (2013.01); H04L 63/06 (2013.01); H04L 63/083 (2013.01); H04L 63/20 (2013.01)]
18 Claims
 
1. A computer-implemented method executed by data processing hardware that causes the data processing hardware to perform operations comprising:
receiving, from a remote entity, an encrypted data encryption key encrypted by the remote entity, the encrypted data encryption key encrypted with a key encryption key unavailable to the data processing hardware;
after receiving the encrypted data encryption key, receiving an operation request requesting a cryptographic operation on data; and
in response to receiving the operation request:
transmitting, to the remote entity, a decryption request requesting decryption of the encrypted data encryption key, the decryption request comprising an authentication request based on contextual information associated with a client, the client associated with the key encryption key, wherein the authentication request is based on an identity of the client, the authentication request, when received by the remote entity, further causing the remote entity to authenticate the identity;
based on transmitting the decryption request to the remote entity, receiving, from the remote entity, a decrypted data encryption key from the remote entity, the decrypted data encryption key comprising the encrypted data encryption key decrypted with the key encryption key;
determining that the received decrypted data encryption key is from the remote entity;
verifying that the received decrypted data encryption key is unmodified during transit from the remote entity to the data processing hardware;
executing, using the decrypted data encryption key, the cryptographic operation on the data; and
after executing the cryptographic operation on the data, discarding the decrypted data encryption key.
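The flow recited in claim 1 can be sketched end to end as follows. This is an added illustration, not code from the patent or from Google: the class names, the per-client proof, the pre-shared channel key used for the origin and integrity check, and the HMAC-based stand-in cipher are all assumptions, since the claim does not specify these mechanisms.

```python
import hashlib, hmac, secrets

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 keystream) so the sketch is stdlib-only;
    # a real system would use an AEAD or key-wrap mode such as AES-GCM / AES-KW.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = mac(key, nonce + i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class RemoteKeyManager:
    """Hypothetical remote entity: sole holder of the key encryption key (KEK)."""
    def __init__(self, client_secrets: dict, channel_key: bytes):
        self._kek = secrets.token_bytes(32)
        self._clients = client_secrets    # client identity -> credential (assumed)
        self._channel_key = channel_key   # assumed pre-shared response-MAC key

    def wrap(self, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + stream_xor(self._kek, nonce, dek)

    def decrypt(self, wrapped: bytes, client_id: str, proof: bytes):
        secret = self._clients.get(client_id, b"")
        if not secret or not hmac.compare_digest(proof, mac(secret, wrapped)):
            raise PermissionError("client identity not authenticated")
        dek = stream_xor(self._kek, wrapped[:16], wrapped[16:])
        # Returned over an assumed confidential channel (e.g. TLS), with a MAC tag.
        return dek, mac(self._channel_key, wrapped + dek)

class CloudService:
    """Hypothetical service side: stores only the wrapped DEK, never the KEK."""
    def __init__(self, ekm, channel_key: bytes, wrapped_dek: bytes):
        self._ekm, self._channel_key, self.wrapped_dek = ekm, channel_key, wrapped_dek

    def encrypt(self, client_id: str, proof: bytes, data: bytes) -> bytes:
        dek, tag = self._ekm.decrypt(self.wrapped_dek, client_id, proof)
        # Origin and in-transit integrity: the tag must verify under the channel key.
        if not hmac.compare_digest(tag, mac(self._channel_key, self.wrapped_dek + dek)):
            raise ValueError("decrypted DEK failed origin/integrity check")
        try:
            nonce = secrets.token_bytes(16)
            return nonce + stream_xor(dek, nonce, data)
        finally:
            del dek  # discard after use; Python cannot guarantee memory zeroization
```

Because the service keeps only `wrapped_dek`, revoking the client at the key manager or destroying the KEK there blocks every later operation on the data.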