Cryptography – Key management – Key distribution
Reexamination Certificate
2000-10-25
2004-08-24
Jung, David (Department: 2134)
Cryptography
Key management
Key distribution
C380S286000, C713S152000
Reexamination Certificate
active
06782103
ABSTRACT:
BACKGROUND OF THE INVENTION
This invention relates to cryptographic key management and in particular to the scheduling of changes to cryptographic keys in a business system.
Such a business system may simply involve flow of business data from one computer system (a source system) to another computer system (a destination system), although in practice the data flow may be part of a much more complex system. Various techniques, such as symmetric or asymmetric encryption, or digital signatures, may be used to protect the integrity (confidentiality) of the data. Digital signatures also provide authentication of data, i.e. that it came from a particular source.
In symmetric encryption the same key is used to decrypt data as was used to encrypt it, so the key must be known only to the sender and the recipient.
In asymmetric encryption data is encrypted with one key and decrypted with another, these being the private key and the public key. Only the owner of the private key can decrypt data encrypted with the public key. Thus anyone can encrypt a message with the public key and be sure that the encrypted message can only be decrypted by the intended recipient. However, if the owner of the private key encrypts data with the private key, it can be decrypted by anyone using the public key. The fact that the process yields valid data proves that the message came from the owner of the private key and thus the encrypted data can be construed as a signature of the private key owner.
Digital signatures are similar to asymmetric encryption in that a two-part key is used, one being public and the other private. The owner of the private key uses it to generate a signature which it attaches to some other data. A recipient of the data can use the public key to verify the data came from the owner of the private key. Thus when using digital signatures (DS), the source system may use a private key DSPR to sign outgoing data and the destination system may use a public key DSPU to verify incoming data.
In practice the cryptography may be more complex. For example, the source system may embed a public key certificate in the signature it sends with each message. This certificate would be used to verify the data and would itself be verified against a Certification Authority public key, which effectively plays the same role as the DSPU.
The management of all keys is under the control of a security officer of the business system, who uses automated or manual procedures and protocols to arrange for delivery and installation of key material.
Good cryptographic practice requires all keys be changed at regular intervals, but if a key becomes compromised then it needs to be changed at other than the appropriate regular interval. The present invention is concerned with scheduling changes to keys which can take into account the possibility of unscheduled changes having occurred.
SUMMARY OF THE INVENTION
According to one aspect of the present invention there is provided a cryptographic key management method for use with a computer system including a first computer system and a second computer system, data flow from the first computer system to the second computer system being protected by cryptographic means employing one or more keys, wherein the or each key is scheduled to be changed at a respective scheduled time, but can be changed earlier at an unscheduled time if required, and wherein the or each key has a respective lifetime, the method including the step of calculating, for each key, a respective expiry time from its key lifetime, and the step of calculating a respective scheduled change time comprising a predetermined time before the expiry time.
According to another aspect of the present invention there is provided a computer system including a first computer system and a second computer system, data flow from the first computer system to the second computer system in use thereof being protected by cryptographic means employing one or more keys, the computer system further including a central system for generating the keys and delivering them to the first and second computer systems, the or each key having a respective lifetime and being scheduled to be changed at a respective scheduled time, although earlier unscheduled changes are possible, and comprising means for calculating, for each key, a respective expiry time from its key lifetime, and for calculating a respective scheduled change time comprising a predetermined time before the expiry time.
REFERENCES:
patent: 4972472 (1990-11-01), Brown
patent: 5404403 (1995-04-01), Bright
patent: 5761306 (1998-06-01), Lewis
patent: 5867578 (1999-02-01), Brickell
patent: 6745330 (2004-06-01), Maillot
patent: 6745331 (2004-06-01), Silverbrook
patent: 6745334 (2004-06-01), Ikegami
patent: 1 011 223 (2000-06-01), None
patent: 2 324 449 (1998-10-01), None
patent: WO 00/25475 (2000-05-01), None
Kim et al., Design and implementation of a private and public key crypto processor and its application to a security system, Consumer Electronics, IEEE Transactions on, vol. 50, Issue 1, Feb. 2004, pp. 214-224.*
Jeong et al., VLSI array algorithms and architectures for RSA modular multiplication, VLSI Systems, IEEE Transactions on, vol. 5, Issue 2, Jun. 1997, pp. 211-217.*
McLoone et al., High-performance FPGA implementation of DES using novel method for implementing the key schedule, Circuits, Devices and Systems, IEE Proceedings, vol. 150, Issue 5, Oct. 6, 2003, pp. 373-378.
Arthan Robin Denis
Parker Thomas Anthony
Robinson Alexander James
Barnes & Thornburg LLP
Fujitsu Services Limited
Jung David
LandOfFree
Cryptographic key management does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Cryptographic key management, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Cryptographic key management will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3296975