Cryptography – Key management
Reexamination Certificate
1998-05-19
2001-05-15
Peeso, Thomas R. (Department: 2767)
Cryptography
Key management
C277S377000, C713S175000, C713S156000, C713S158000
Reexamination Certificate
active
06233341
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates generally to computer networks, and more particularly provides a system and method for installing a temporary certificate at a remote site.
2. Description of the Background Art
The Internet has become one of the most popular tools used by businesses and individuals for obtaining services and needed information. When a web client, e.g., a user operating a network browser, communicates via the Internet with a web server (i.e., a web site), the web server recognizes the web client based on information received in a certificate that was installed on the web client and that was downloaded to the web server. The conventional certificate identifies the user, provides information needed to establish secure network communications between the client and the server, and includes a signature from a certifying authority such as VeriSign, Inc. of Mountain View, Calif. that provides certificate integrity, authenticity and origin.
More particularly, a user typically requests a certificate from a certifying authority, i.e., a third party mutually trusted by the user and the web server. The user operates pre-installed software for generating a public/private key pair, and sends a certificate request including the public key to the certifying authority. The certifying authority verifies the identity and any other information needed about the user, packages the user's name, the public key, a validity period and an assigned serial number together, and digitally signs the package, thereby creating a signed certificate. The certifying authority then sends the signed certificate to the user, who installs the signed certificate and the private key associated with the packaged public key in one or more web clients.
For completeness, a brief review of public/private key cryptography is provided. Mathematically, a public and private key pair are generated to encrypt and decrypt messages. That is, either key can be used to encrypt a message, but only the other key of the key pair can be used to decrypt the message. The owner keeps the private key private, but allows everyone to know the public key. Accordingly, anyone can encrypt a message using the public key, but only the owner can decrypt the message, because the owner is the only one who knows the private key. Similarly, the owner can encrypt a message using the private key, and thus everyone can use the public key to decrypt the message. A user that uses a public key to decrypt an encrypted message can be sure that the message was encrypted by someone who has the corresponding private key. So long as the private key is kept private, the user can be assured that the owner of the private key sent the message. If both parties to a communication have public/private key pairs, then each party can communicate privately with the other by encrypting messages with the recipient's public key.
However, how can the sender be confident that they are using the correct public key for the recipient? Exchanging keys personally may be too inconvenient. Instead, both parties present their public keys, other identifying information and proof of their identity to a mutually trusted certificate authority. The certificate authority verifies the user's identity and issues a public key certificate containing the user's public key and distinguished name. If both parties wish to communicate privately via web clients, then they may install their private keys and public key certificates in their respective web clients. The certificate authority may also issue certificates to identify web servers, showing that a given server name such as “www.briefcase.com” was issued to Visto Corporation of Mountain View, Calif.
When a web client connects to a web server, the web client and web server identify and authenticate each other and negotiate a secure communications channel. For identification, both parties exchange public key certificates. Accordingly, each party uses the public key of the certificate authority to verify the signature of the other party's certificate. As stated above, the public key certificate binds a public key to a subject name (i.e., distinguished name) such as the client's name or server's name. The parties recognize each other by the subject name included in the certificate. To authenticate this identity, each party proves to the other that they possess the private key associated with the public key included in the certificate. One method of authenticating, employed by Secure Sockets Layer (SSL) technology, includes the steps of choosing a random number and encrypting it using the other party's public key. The encrypted number is sent to the other party who decrypts it and returns the decrypted value, thereby proving that they possess the private key.
After authenticating each other's identity, both parties exchange one or more symmetric keys used to encrypt the bulk of their communications. “The SSL Protocol, Version 3.0” by Netscape Communications Corporation., attached hereto and incorporated herein, describe additional details of a session-oriented protocol, such as how parties agree upon cryptographic algorithm and what key length to use. S/MIME by RSA Data Security and PEM encryption techniques illustrate example systems for sending individual messages encrypted under symmetric keys communicated with public key encryption and public key certificates.
Conventional certificates do not solve all problems and concerns for the roaming user. For example, transporting a private key to and installing the private key at every temporary terminal used by the roaming user is unsafe because the private key may be stolen or hacked from the temporary terminal. Still further, sending an owner's private key over the Internet or reading it from a floppy disk or other storage media also pose substantial security risks. SmartCards such as those made Litronic Inc. can be used to transport private keys safely but are not widely deployed and are subject to physical loss. Further, SmartCard readers are not available at most kiosks.
Therefore, a system and method for facilitating the use of public key certificates by the roaming user are needed.
SUMMARY OF THE INVENTION
The present invention provides a system for installing and enabling the use of a temporary certificate at a remote site. Temporary certificates can safely be installed because they expire quickly and can be revoked when the user leaves the remote site. The system comprises a global server site, a temporary client site and a web site. The global server site includes a security module that identifies and authenticates the user at the client site, and a web server engine that upon user authentication downloads a key generation downloadable and a certificate request engine downloadable to the client site. It will be appreciated that the global server site may include its own certificate authority or may interact with a third party certificate authority to establish client trust and generate temporary certificates.
The temporary client site includes a web engine that executes the key generation downloadable to generate a public and private key pair, and that executes the certificate request engine downloadable to send a temporary certificate request (including the public key) to the global server site. The global server site further includes a temporary certificate generator for generating a signed temporary certificate having the public key, a short term validity period (e.g., expiration date and time), a subject name (e.g., user identity) and other information. The temporary certificate's validity period is set to limit the usefulness of the temporary certificate to a desired lifetime. This can be made arbitrarily short if additional temporary certificates are generated and installed with extensions as needed.
Upon request by the temporary client site, the web server on the global server site sends the temporary certificate and a certificate installation downloadable to the web engi
Jack Todd
Peeso Thomas R.
Squire Sanders & Dempsey L.L.P.
Visto Corporation
LandOfFree
System and method for installing and using a temporary... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System and method for installing and using a temporary..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System and method for installing and using a temporary... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2570480