Postponing entropy depletion in key management systems with hardware security modules

Assignee

• International Business Machines Corporation · US

Inventors

• Robert Birke · Adliswil, CH
• Mathias Björkqvist · Thalwil, CH
• Yiyu L. Chen · Thalwil, CH
• Mitch Gusat · Thalwil, CH
• Navaneeth Rameshan · Zürich, CH
• Martin Schmatz · Thalwil, CH

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L2463/062
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

Embodiments of the invention provide a computer-implemented method for managing cryptographic objects in a key management system. This system comprises a set of one or more hardware security modules (HSMs), as well as clients interacting with the HSMs on behalf of users who interact with the clients. The method comprises monitoring, for each HSM of the set, an entropy pool and/or a load at each HSM. The entropy pool of a HSM is the entropy that is available at this HSM for generating cryptographic objects. The load induced at a HSM is the load due to the users interacting with the clients to obtain cryptographic objects. Cryptographic objects are generated, at each HSM, according to the monitored entropy pool and/or load. The extent to which such objects are generated depends on the monitored entropy pool and/or load.