Cryptography – Key management
Reissue Patent
1999-08-30
2003-04-08
Cangialosi, Salvatore (Department: 2661)
Cryptography
Key management
C380S278000
Reissue Patent
active
RE038070
ABSTRACT:
TECHNICAL FIELD
This invention relates to cryptography systems. More particularly, this invention relates to a computer implemented architecture for performing cryptographic primitives including encrypting, decrypting, signing and verifying/ authenticating functions.
BACKGROUND OF THE INVENTION
Cryptography is the an and science of keeping messages secure from eavesdroppers and adversaries. Historically, valuable messages were kept secure by personal envoys who hand carried sensitive information from a sending party to a receiving party. While useful in its time, this protection method is not very practical in a modem world where information flows freely and changes rapidly.
In more recent history, with the advent of computers, wireless communication, and other technological advances, information can be exchanged very quickly among many different individuals who were often spread all over the world. To provide a secure interchange of information in the electronic arena, one traditional approach to mitigating the risk of having sensitive information intercepted was to institute proprietary computerized systems that were closed to the general public. Such proprietary systems promoted security simply by restricting physical access through high security protocols. A private communication network linked only those terminals that were authorized, and only participants to the system with the appropriate security clearance were permitted access to the terminals. Hence, participants and information were authenticated by definition, and the integrity and value of the information were preserved within the confines of the closed processing system. Unfortunately, proprietary systems are not useful in a grander context which envisions the interchange of information among virtually any individuals without limitation.
Cryptography has evolved in the electronic setting as a means to securely transfer information over a communication system that is presumed to be insecure, like the telephone lines or a public communications network (e.g., the Internet). In this electronic computerized context, cryptography provides the necessary tools to digitally secure sensitive and valuable electronic messages in a manner that insures privacy between the authenticate sender and authenticate recipient of the communiqué, even though the message is subject to interception on the insecure communication system.
Before sending an electronic message, the sender encrypts it. “Encryption” transforms the message from its plaintext into some meaningless ciphertext that is not understandable in its raw form and cannot be deciphered by an eavesdropper. To ensure the recipient that the true sender originated the message, and not some impostor, the sender “digitally signs” the message with its own unique digital signature. The signed encrypted message is then transmitted over the insecure network to the intended recipient. The recipient receives and decrypts the encrypted message. “Decryption” transforms the message from its ciphertext back to its plaintext. Only the recipient is presumed to have the ability to decipher the message. The recipient also “verifies” the authenticity of the digital signature to assure itself that the contents are from the legitimate sender and have not been subsequently altered.
Encryption, decryption, digital signing, and verification are principal cryptographic primitives that are used in an electronic network setting to facilitate the security, privacy, authenticity, and integrity of information being exchanged. These cryptographic primitives commonly involve the use of secret cryptographic keys. “Keys” are a numerical value, often expressed digitally as a number of bits, which are used in the cryptographic algorithms that encrypt and decrypt messages. The keys are uniquely associated with a particular identity, such as a person, group, physical object, business, or institution. The keys are kept secret and used selectively by the identity to perform the cryptographic primitives as required. For example, a person might use a key to encrypt and sign a purchase order message intended for a merchant. The merchant might then use a key to decrypt the message and verify the authenticity of the signature.
In a network setting, it is desirable to locate cryptographic functions in the computer operating system so that they are available to other applications executing on the computer. Furthermore, it is desirable to define an application program interface (API) which allows the applications access to the cryptographic functions in a standardized way.
A cryptographic API raises a number of important security issues. Cryptographic functions, such as encryption and signing, can be performed using a number of different algorithms and formats. Security can vary widely among the different approaches. A single module of the operating system cannot possibly implement all possible algorithms and formats that a user or application might want to use in a given situation.
On the other hand, cryptographic functionality involves the handling of sensitive information and the maintenance of secure keys. It would be advantageous for a user or application to be able to trust the cryptographic system on the same level that an operating system is typically trusted.
There are also potential hazards of using cryptographic functions in the computerized network setting. Since the functions are carried out electronically, the user might assume the cryptographic routines are operating as expected, yet not be aware of ignorant or sophisticated electronic attacks. Careless applications might use cryptographic encryption or signature keys in ways that jeopardize the keys' secrecy. Moreover, malicious applications might even deliberately compromise the user's secrecy, or worse, perform unauthorized cryptographic operations. For instance, a malicious application might attempt to decrypt the user's secret files and transmit them to some adverse party. Another situation might involve an application attempting to digitally sign notes or IOUs on behalf of the user without the user's knowledge or consent. A computer implemented cryptographic system must therefore provide the needed security to prevent attack from poorly devised or malicious applications.
Today, there are several electronic systems that provide cryptographic services in the computer forum. These include “Bsafe libraries” by RSA Data Security Inc., “X/Open CAPI”, and “PKCS#”. However, each of these systems permit direct access of the application to keying material. There is no protection of these cryptographic resources from electronic attack. Furthermore, the Bsafe system, which is the most widely used cryptography system, directly attaches the cryptographic code to the application. There is no contemplation of protecting the cryptographic functions within the computer from ignorant or malicious attacks from other software applications.
It would therefore be advantageous to provide a computer implemented architecture for performing cryptographic primitives that maintains and protects the user's keys and prevents undesired access and use of cryptographic functions without authorization from the user.
SUMMARY OF THE INVENTION
This invention provides a cryptographic system and method that protect a user's keys and prevents undesired access and use of crytographic functions without authorization from the user. The cryptographic system is a unique tri-layer architecture. It includes a cryptographic application program interface (CAPI) which provides functionality to an application, one or more cryptographic service providers (CSPs) which implement the functionality presented by the CAPI to the application, and one or more private application program interfaces (PAPI) which allow the CSPs to communicate directly with a user.
The CAPI layer provides the interface with an application that requests cryptographic functions such as encryption, decryption, signing, or verification. The CAPI selects the appropriate CSP for performing the requested
Simon Daniel R.
Spelman Jeffrey F.
Spies Terrence R.
Cangialosi Salvatore
Lee & Hayes PLLC
Microsoft Corporation
LandOfFree
Cryptography system and method for providing cryptographic... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Cryptography system and method for providing cryptographic..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Cryptography system and method for providing cryptographic... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3066696