Patent Issued for Matching cryptographic computing resources to the predicted requirements for decrypting encrypted communications (USPTO 11861023): International Business Machines Corporation
2024 JAN 19 (NewsRx) -- By a
The patent’s assignee for patent number 11861023 is
News editors obtained the following quote from the background information supplied by the inventors: “The present invention relates generally to programmable computer systems. More specifically, the present invention relates to computer systems, computer-implemented methods, and computer program products that automatically match or scale cryptographic computing resources to the predicted and/or mandatory requirements for decrypting encrypted communications, including, for example, encrypted connection requests such as hypertext transfer protocol secure (HTTPS) messages.
“HTTPS is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website server. HTTPS is encrypted in order to increase security of data transfer. This is particularly important when users transmit sensitive data, such as by logging into a website of a financial account, an email service, or a health insurance provider. HTTPS uses an encryption protocol to encrypt communications. The protocol is known as transport layer security (TLS) and was formerly known as secure sockets layer (SSL). The TLS (or SSL) protocol secures communications by using what is known as an asymmetric public key infrastructure. This type of security system uses two different keys to encrypt communications between two parties, namely a private key and a public key. The private key is controlled by the owner of a website and is kept private. The private key lives on a web-server and is used to decrypt information encrypted by the public key. The public key is available to everyone who wants to interact with the server in a way that is secure. Information that is encrypted by the public key can only be decrypted by the private key.
“Sensitive application data can be sealed by a secure enclave on a worker node. A secure enclave is an isolated and trusted area of memory where critical aspects of application functionality are protected, which helps keep sensitive application data confidential and unmodified. In other words, the secure enclave is an encrypted portion of main memory. The secure enclave is hardened by processor-based security mechanisms. Tagging security to a sealed cryptographic key derived from a given machine’s hardware (e.g., the worker node’s processor chip) is highly secure.
“The operational performance of the computer processing unit(s) (CPUs) of a computer system can be slowed down by the amount and nature of the processing tasks the CPU must perform. Cryptographic acceleration and coprocessors attempt to improve hardware performance by assisting the CPU with its required tasks. Cryptographic acceleration is a software-based tool that attempts to speed up overall system performance by providing additional hardware, such as a coprocessor, where cryptographic algorithms can perform cryptographic operations (or functions) separately from the CPU processing core, thereby freeing up CPU processing cores to focus on other functions and operations. Coprocessors are supplementary processors in that they can be configured to take over the performance of selected processor-intensive tasks of an associated CPU in order to allow the CPU to focus its computing resources on tasks that are essential to the overall system.
“Known cryptographic acceleration and coprocessors do not address the efficiency of cryptographic operations. For example, web-servers usually utilize open-source software (e.g., OpenSSL®) to perform HTTPS decryption due to performance and key protection considerations. Suitable open-source software (OSS) can include an engine that delivers or routes encrypted connection requests received at the web-server to a determined cryptographic computing resource. However, the determined cryptographic computing resource is not specifically aligned to (or matched with) the cryptographic operations required by the encrypted connection request. For example, under some conditions, the appropriate cryptographic processing for the encrypted connection request must be performed in a high security computing resource (e.g., a cloud HSM (hardware security module)), and under other conditions, the appropriate cryptographic processing for the encrypted connection request does not need to be performed in a high security computing resource.
“Accordingly, known techniques for performing cryptographic operations do not improve the efficiency of such cryptographic operations, which results in the wasteful and inefficient over-usage of cryptographic computing resources, including specifically high-security cryptographic computing resources.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “Embodiments of the invention include a computer-implemented method that uses a processor system to access an operation policy (OP) of resource-scaling (RS) data associated with an encrypted message, wherein the OP defines cryptographic-operation constraints. Based at least in part on a determination that the cryptographic-operation constraints do not include mandatory cryptographic computing resource requirements, first resource-scaling operations are performed that include performing an analysis of cryptographic metrics associated with the processor system. The cryptographic metrics include information associated with the encrypted message, along with performance measurements that result from cryptographic operations performed by the processor system. The cryptographic-operation constraints and results of the analysis of the cryptographic metrics are used to determine cryptographic processing requirements of the encrypted message, and are further used to match the determined cryptographic processing requirements to selected ones of a set of available cryptographic computing resources, thereby identifying or selecting a customized set of cryptographic computing resources that match the cryptographic processing requirements of the encrypted message. The customized set of cryptographic computing resources is used to perform customized cryptographic operations on the encrypted message.
“Technical benefits provided by the above-described embodiments of the invention include segmenting out any mandatory cryptographic resource requirements to ensure that the mandatory requirements are applied properly because mandatory cryptographic resource requirements are typically applied to encrypted messages with higher security levels that require more secure cryptographic resources. By segmenting out the messages with mandatory cryptographic resource requirements, the remaining message types can be more efficiently matched with the cryptographic computing resources they need. By using both cryptographic constraints and cryptographic metrics to match the remaining message types to the cryptographic computing resources they need, the actual historical performance of the cryptographic hardware can be leveraged to improve this matching operation.
“The above-described embodiments of the invention can further include configuring open-source cryptographic software to receive a request to perform cryptographic operations on the encrypted message; and route the request to the processor system instead of performing the request.
“Technical benefits provided by the above-described embodiments of the invention include allowing existing open-source software to be efficiently modified to incorporate features and functionality of the various embodiments of the invention.
“The above-described embodiments of the invention can further include having the first resource-scaling operations include capturing a first set of updated cryptographic metrics that result from using the customized set of cryptographic computing resources to perform the customized cryptographic operations on the encrypted message; and updating the cryptographic metrics with the first set of updated cryptographic metrics.”
The claims supplied by the inventors are:
“1. A computer-implemented method for performing cryptographic operations, the computer-implemented method comprising: receiving, using a processor system, resource-scaling (RS) data associated with an encrypted message; accessing, using the processor system, an operation policy (OP) of the RS data, wherein the OP defines cryptographic-operation constraints; based at least in part on a determination that the cryptographic-operation constraints do not include mandatory cryptographic resource requirements, performing first resource-scaling operations comprising: using the processor system to perform an analysis of cryptographic metrics associated with the processor system; wherein the cryptographic metrics comprise: information associated with the encrypted message; and performance measurements of cryptographic operations performed by the processor system; using the cryptographic-operation constraints and results of the analysis of the cryptographic metrics to: determine cryptographic processing requirements of the encrypted message; and match the cryptographic processing requirements to selected ones of a set of available cryptographic computing resources to identify a customized set of cryptographic computing resources that have been selected to match the cryptographic processing requirements of the encrypted message; and using the customized set of cryptographic computing resources to perform customized cryptographic operations on the encrypted message.
“2. The computer-implemented method of claim 1 further comprising: based at least in part on a determination that the cryptographic-operation constraints include the mandatory cryptographic computing resource requirements, performing second resource-scaling operations comprising: routing the encrypted message to a set of mandatory cryptographic computing resources identified by the mandatory cryptographic computing resource requirements; and using the set of mandatory cryptographic computing resources to perform mandatory cryptographic operations on the encrypted message.
“3. The computer-implemented method of claim 1 further comprising configuring open-source cryptographic software to: receive a request to perform cryptographic operations on the encrypted message; and route the request to the processor system instead of performing the request.
“4. The computer-implemented method of claim 3, wherein the open-source cryptographic software comprises open-source secure sockets layer (SSL) software.
“5. The computer-implemented method of claim 1, wherein: the first resource-scaling operations further comprise capturing a first set of updated cryptographic metrics that result from using the customized set of cryptographic computing resources to perform the customized cryptographic operations on the encrypted message; and updating the cryptographic metrics with the first set of updated cryptographic metrics.
“6. The computer-implemented method of claim 2, wherein: the first resource-scaling operations further comprise: capturing a first set of updated cryptographic metrics that result from using the customized set of cryptographic computing resources to perform the customized cryptographic operations on the encrypted message; and updating the cryptographic metrics with the first set of updated cryptographic metrics; and the second resource-scaling operations further comprise: capturing a second set of updated cryptographic metrics that result from using the set of mandatory cryptographic computing resources to perform mandatory cryptographic operations on the encrypted message; and updating the cryptographic metrics with the second set of updated cryptographic metrics.
“7. The computer-implemented method of claim 1, wherein: the processor system comprises a predictive model trained to utilize machine learning algorithms to determine the cryptographic processing requirements of the encrypted message; the information associated with the encrypted message includes cryptographic computing resource patterns comprising static data; and the performance measurements include cryptographic metrics comprising dynamic data that changes.
“8. A computer system comprising a memory communicatively coupled to a processor system, wherein the processor system is configured to perform processor system operations comprising: receiving resource-scaling (RS) data associated with an encrypted message; accessing an operation policy (OP) of the RS data, wherein the OP defines cryptographic-operation constraints; based at least in part on a determination that the cryptographic-operation constraints do not include mandatory cryptographic computing resource requirements, performing first resource-scaling operations comprising: an analysis of cryptographic metrics associated with the processor system; wherein the cryptographic metrics comprise: information associated with the encrypted message; and performance measurements of cryptographic operations performed by the processor system; using the cryptographic-operation constraints and results of the analysis of the cryptographic metrics to: determine cryptographic processing requirements of the encrypted message; and match the cryptographic processing requirements to selected ones of a set of available cryptographic computing resources to identify a customized set of cryptographic computing resources that have been selected to match the cryptographic processing requirements of the encrypted message; and using the customized set of cryptographic computing resources to perform customized cryptographic operations on the encrypted message.
“9. The computer system of claim 8, wherein the processor system is configured to perform processor system operations further comprising: based at least in part on a determination that the cryptographic-operation constraints include the mandatory cryptographic computing resource requirements, performing second resource-scaling operations comprising: routing the encrypted message to a set of mandatory cryptographic computing resources identified by the mandatory cryptographic computing resource requirements; and using the set of mandatory cryptographic computing resources to perform mandatory cryptographic operations on the encrypted message.
“10. The computer system of claim 8, wherein the processor system is configured to perform processor system operations further comprising configuring open-source cryptographic software to: receive a request to perform cryptographic operations on the encrypted message; and route the request to the processor system instead of performing the request.
“11. The computer system of claim 10, wherein the open-source cryptographic software comprises open-source secure sockets layer (SSL) software.
“12. The computer system of claim 8, wherein: the first resource-scaling operations further comprise capturing a first set of updated cryptographic metrics that result from using the customized set of cryptographic computing resources to perform the customized cryptographic operations on the encrypted message; and updating the cryptographic metrics with the first set of updated cryptographic metrics.
“13. The computer system of claim 9, wherein: the first resource-scaling operations further comprise: capturing a first set of updated cryptographic metrics that result from using the customized set of cryptographic computing resources to perform the customized cryptographic operations on the encrypted message; and updating the cryptographic metrics with the first set of updated cryptographic metrics; and the second resource-scaling operations further comprise: capturing a second set of updated cryptographic metrics that result from using the set of mandatory cryptographic computing resources to perform mandatory cryptographic operations on the encrypted message; and updating the cryptographic metrics with the second set of updated cryptographic metrics.
“14. The computer system of claim 8, wherein: the processor system comprises a predictive model trained to utilize machine learning algorithms to determine the cryptographic processing requirements of the encrypted message; the information associated with the encrypted message includes cryptographic computing resource patterns comprising static data; and the performance measurements include cryptographic metrics comprising dynamic data that changes.”
There are additional claims. Please visit the full patent to read further.
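As an added illustration of the dispatch the summary and claims describe (example code written for this article, not code from the patent or from IBM), the resource catalogue, security levels, algorithm lists and latency figures below are constructed assumptions. Messages whose operation policy carries mandatory resource requirements are routed as-is (claim 2); all others are filtered by the OP constraints and ranked on the performance metrics captured from earlier operations, and each new measurement is fed back into those metrics (claims 1, 5 and 6).

```python
from dataclasses import dataclass
from statistics import mean

# Constructed catalogue of available cryptographic computing resources.
# Names, security levels and algorithm sets are assumptions for this example.
RESOURCES = {
    "cloud_hsm":          {"security_level": 3, "algorithms": {"RSA-2048", "ECDSA-P256"}},
    "crypto_coprocessor": {"security_level": 2, "algorithms": {"RSA-2048", "ECDSA-P256"}},
    "cpu_openssl":        {"security_level": 1, "algorithms": {"RSA-2048", "ECDSA-P256", "X25519"}},
}

@dataclass
class ResourceScalingData:
    """RS data for one encrypted message: static pattern data plus its OP."""
    message_id: str
    algorithm: str      # static "cryptographic computing resource pattern" data
    op: dict            # operation policy: the cryptographic-operation constraints

def new_metrics():
    """Dynamic cryptographic metrics: per-resource latency samples in ms."""
    return {name: [] for name in RESOURCES}

def select_resources(rs, metrics):
    """Return the candidate resources for `rs`, best match first."""
    # Second resource-scaling path: mandatory requirements are honoured as-is.
    if "mandatory_resources" in rs.op:
        return list(rs.op["mandatory_resources"])
    # First path: filter by the OP constraints, then rank by measured
    # performance so the least scarce adequate resource is preferred.
    candidates = [
        name for name, r in RESOURCES.items()
        if rs.algorithm in r["algorithms"]
        and r["security_level"] >= rs.op.get("min_security_level", 1)
    ]
    if not candidates:
        raise ValueError(f"no available resource satisfies the OP for {rs.message_id}")
    # Unmeasured resources rank as 0.0 so each one is exercised at least once;
    # ties go to the lowest security level, i.e. the cheapest resource.
    return sorted(candidates, key=lambda n: (mean(metrics[n]) if metrics[n] else 0.0,
                                             RESOURCES[n]["security_level"]))

def perform(rs, metrics, observed_latency_ms):
    """Dispatch to the best match and feed the new measurement back."""
    chosen = select_resources(rs, metrics)[0]
    # The actual decryption or signing would run on `chosen` here; the
    # observed latency stands in for the captured updated metrics.
    metrics[chosen].append(observed_latency_ms)
    return chosen
```

Because the ranking reads the metrics it updates, a resource whose measured latency degrades is automatically deprioritised for later messages with the same constraints.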
For additional information on this patent, see: Chen,
(Our reports deliver fact-based news of research and discoveries from around the world.)