Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication
Reexamination Certificate
1996-11-15
2001-04-03
Laufer, Pinchus M. (Department: 2766)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Central trusted authority provides computer authentication
C713S167000, C713S152000, C380S280000, C705S076000
Reexamination Certificate
active
06212634
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates in general to certifying authorizations in computer networks such as public packet switched communications networks.
Certifying authorities are known that generate public key certificates, enciphered with the private key of the certifying authority, that serve as letters of introduction of a particular party to any other party that can recognize the certifying authority as an introducer. The certifying authority typically makes the party seeking the certificate of introduction prove that it is who it says it is, and then the certifying authority accepts the public key of the party and returns it in the certificate of introduction signed with the private key of the certifying authority, thereby binding the name of the particular party to the public key of the party.
SUMMARY OF THE INVENTION
One aspect of the invention features a system for certifying authorizations that includes an authorizing computer and an authorized computer interconnected by a computer network. The authorizing computer creates a public key pair comprising a new public key and a new private key, and creates an authorization certificate that certifies that a holder of the authorization certificate is authorized to perform an action referred to in the authorization certificate. The authorization certificate includes the new public key. The authorizing computer causes the authorization certificate and the new private key to be transmitted to the authorized computer. The authorized computer receives the authorization certificate and the new private key and decrypts messages using the new private key as evidence that the authorized computer has obtained the authorization certificate legitimately.
Because the authorization certificate certifies that the holder is authorized to perform a certain action, rather than certifying only the identity of the holder, the authorization certificate can be issued by any arbitrary computer having a smart token such as a smart card that uniquely and securely identifies the owner of the card and may be removable from the computer. The authorized computer can use the authorization certificate as evidence that the authorized computer is authorized by the owner of the smart token at the authorizing computer to perform the action referred to in the authorization certificate.
According to another aspect of the invention the authorizing computer receives a first authorization certificate that certifies that a holder of the authorization certificate is authorized to perform an action referred to in the first authorization certificate. The authorizing computer then created a second authorization certificate that includes the first authorization certificate and certifies that a holder of the second authorization is granted additional authority with respect to performing the action referred to in the first authorization certificate. Thus, for example, a junior officer may create a first authorization certificate for purchase of a product and send it to a senior officer at the authorizing computer, who creates a second authorization certificate that includes the first authorization certificate and also grants additional authority for the purchase in the form of a countersignature grant of purchasing power. Then the senior officer sends the second authorization certificate to an electronic merchant. The temporal order of authorizations in a chain is preserved because the each successive authorization certificate is incorporated into the next authorization certificate.
According to another aspect of the invention the authorization certificate has a file structure that supports critical components and extension components. The authorized computer accepts certificates having file structures that support critical components and extension components when the authorized computer is programmed to accept the critical components but rejects certificates having file structures that support critical components and extension components when the authorized computer is not programmed to accept the critical components. The authorizing computer includes information unique to the action referred to in the authorization certificate as at least one critical component of the authorization certificate in order to prevent the authorization certificate from being accepted by computers that are not programmed to accept the information unique to the action referred to in the authorization certificate. This helps to ensure against misuse of the authorization certificate.
Another aspect of the invention features a system for escrowing private keys that includes a computer and a smart token interconnected with the computer. The smart token includes a private key of a public key pair associated with the smart token. The computer encrypts the private key of the public key pair associated with the smart token with a public key of a public key pair associated with a user of the smart token. The computer also encrypts a private key of the public key pair of the user of the smart token with a public key of the public key pair associated with the smart token. The computer transmits to an escrow agent the encrypted private key of the public key pair associated with the smart token and the encrypted private key of the public key pair associated with the user of the smart token. This ensures that if one private key is lost, the other private key can be retrieved from the escrow agent.
Numerous other features, objects, and advantages of the invention will become apparent from the following detailed description when read in connection with the accompanying drawings.
REFERENCES:
patent: 5138712 (1992-08-01), Corbin
patent: 5555309 (1996-09-01), Kruys
patent: 5590199 (1996-12-01), Krajewski, Jr. et al.
patent: 5629980 (1997-05-01), Stefik et al.
patent: 5659616 (1997-08-01), Sudia
patent: 5712914 (1998-01-01), Aucsmith et al.
patent: 5715314 (1998-02-01), Payne et al.
patent: 5724424 (1998-03-01), Gifford
patent: 5748738 (1998-05-01), Bisbee et al.
patent: 5790677 (1998-08-01), Fox et al.
patent: 5794207 (1998-08-01), Walker et al.
patent: 5822737 (1998-10-01), Ogram
patent: 5825300 (1998-10-01), Bathrick et al.
patent: 5841865 (1998-11-01), Sudia
patent: WO 96/31965 (1996-10-01), None
Abadi, M.; Burrows, M.; Kaufman, C.; Lampson, B.; “Authentication and Delegation with Smart-Cards”; Digital Systems Research Center, 130 Lytton Avenue, Palo Alto, California 94301; Oct. 22, 1990.
Anderson, R.G. and Needham, R.M.; “Robustness Principles for Public-Key Protocols”; Advances in Cryptology-CRYPTO '95; Springer-Verlag, Berlin; 1995.
Blazc, M.; Feigenbaum, J.; Lacy, J.; “Decentralized Trust Management”; Proceedings of the IEEE Symposium on Security and Privacy; Oakland; May, 1996.
Chaum, D.; “Achieving Electronic Privacy”; Scientific American; Aug., 1992; pp. 96-101.
Davis, D.; “Compliance Defects in Public-Key Cryptography”; Proceedings of the Sixth USENIX Security Symposium; San Jose, California; Jul., 1996; pp. 171-178.
Davis, D. and Swick, R.; “Network Security via Private-Key Certificates”; Proc. of the third USENIX Security Symposium; Baltimore; Sep., 1992; pp. 239-242; also in ACM Operating Systems Review; v. 24, n. 4, Oct., 1990.
Denny, T.; Dodson, B.; Lenstra, A.K.; Manasse, M.S.; “On the Factorization of RSA-120”; Advances in Cryptology—CRYPTO '93, Ed. by Stinson, Douglas R., 1994; Springer-Verlag Lecture Notes in Comp. Sci. #773.
Ellison, C.; “Establishing Identity Without Certification Authorities”; Proceedings of the Sixth USENIX Security Symposium; San Jose; Jul., 1996; pp. 67-76.
Gifford, David K.; “Cryptographic Sealing for Information Secrecy and Authentication”; Communications of the ACM; vol. 25, No. 4; pp. 275-286; Apr., 1982.
Gifford, D.; Payne, A.; Stewart, L.; Treese, W.; “Payment Switches for Open Networks”; Proceedings of the First USENIX Workshop on Electronic Commerce; New York City, New York; Jul., 1995, pp. 69-75.
Lampson, B.; Abadi, M.; Burrows, M.; Wobber, E.; “Authentication in Distributed Systems: Theory and Practice”; Thirteenth ACM
Geer, Jr. Daniel E.
Tumblin Henry R.
Fish & Richardson P.C.
Laufer Pinchus M.
Open Market, Inc.
LandOfFree
Certifying authorization in computer networks does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Certifying authorization in computer networks, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Certifying authorization in computer networks will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2447395