Cryptography – Key management – Key escrow or recovery
Reexamination Certificate
2000-08-16
2002-12-03
Barron, Jr., Gilberto (Department: 2132)
Cryptography
Key management
Key escrow or recovery
C380S030000, C380S277000, C713S159000
Reexamination Certificate
active
06490358
ABSTRACT:
REFERENCE TO APPENDIX
A text Appendix A is being submitted with this application.
BACKGROUND OF THE INVENTION
The present invention relates in general to certifying authorizations in computer networks such as public packet switched communications networks.
Certifying authorities are known that generate public key certificates, enciphered with the private key of the certifying authority, that serve as letters of introduction of a particular party to any other party that can recognize the certifying authority as an introducer. The certifying authority typically makes the party seeking the certificate of introduction prove that it is who it says it is, and then the certifying authority accepts the public key of the party and returns it in the certificate of introduction signed with the private key of the certifying authority, thereby binding the name of the particular party to the public key of the party.
SUMMARY OF THE INVENTION
One aspect of the invention features a system for certifying authorizations that includes an authorizing computer and an authorized computer interconnected by a computer network. The authorizing computer creates a public key pair comprising a new public key and a new private key, and creates an authorization certificate that certifies that a holder of the authorization certificate is authorized to perform an action referred to in the authorization certificate. The authorization certificate includes the new public key. The authorizing computer causes the authorization certificate and the new private key to be transmitted to the authorized computer. The authorized computer receives the authorization certificate and the new private key and decrypts messages using the new private key as evidence that the authorized computer has obtained the authorization certificate legitimately.
Because the authorization certificate certifies that the holder is authorized to perform a certain action, rather than certifying only the identity of the holder, the authorization certificate can be issued by any arbitrary computer having a smart token such as a smart card that uniquely and securely identifies the owner of the card and may be removable from the computer. The authorized computer can use the authorization certificate as evidence that the authorized computer is authorized by the owner of the smart token at the authorizing computer to perform the action referred to in the authorization certificate.
According to another aspect of the invention the authorizing computer receives a first authorization certificate that certifies that a holder of the authorization certificate is authorized to perform an action referred to in the first authorization certificate. The authorizing computer then create a second authorization certificate that includes the first authorization certificate and certifies that a holder of the second authorization is granted additional authority with respect to performing the action referred to in the first authorization certificate. Thus, for example, a junior officer may create a first authorization certificate for purchase of a product and send it to a senior officer at the authorizing computer, who creates a second authorization certificate that includes the first authorization certificate and also grants additional authority for the purchase in the form of a countersignature grant of purchasing power. Then the senior office sends the second authorization certificate to an electronic merchant. The temporal order of authorizations in a chain is preserved because the each successive authorization certificate is incorporated into the next authorization certificate.
According to another aspect of the invention the authorization certificate has a file structure that supports critical components and extension components. The authorized computer accepts certificates having file structures that support critical components and extension components when the authorized computer is programmed to accept the critical components but rejects certificates having file structures that support critical components and extension components when the authorized computer is not programmed to accept the critical components. The authorizing computer includes information unique to the action referred to in the authorization certificate as at least one critical component of the authorization certificate in order to prevent the authorization certificate from being accepted by computers that are not programmed to accept the information unique to the action referred to in the authorization certificate. This helps to ensure against misuse of the authorization certificate.
Another aspect of the invention features a system for escrowing private keys that includes a computer and a smart token interconnected with the computer. The smart token includes a private key of a public key pair associated with the smart token. The computer encrypts the private key of the public key pair associated with the smart token with a public key of a public key pair associated with a user of the smart token. The computer also encrypts a private key of the public key pair of the user of the smart token with a public key of the public key pair associated with the smart token. The computer transmits to an escrow agent the encrypted private key of the public key pair associated with the smart token and the encrypted private key of the public key pair associated with the user of the smart token. This ensures that if one private key is lost, the other private key can be retrieved from the escrow agent.
Numerous other features, objects, and advantages of the invention will become apparent from the following detailed description when read in connection with the accompanying drawings.
REFERENCES:
patent: 5138712 (1992-08-01), Corbin
patent: 5200999 (1993-04-01), Matyas et al.
patent: 5555309 (1996-09-01), Kruys
patent: 5590199 (1996-12-01), Krajewski, Jr. et al.
patent: 5629980 (1997-05-01), Stefik et al.
patent: 5659616 (1997-08-01), Sudia
patent: 5712914 (1998-01-01), Aucsmith et al.
patent: 5715314 (1998-02-01), Payne et al.
patent: 5724424 (1998-03-01), Gifford
patent: 5748738 (1998-05-01), Bisbee et al.
patent: 5768373 (1998-06-01), Lohstroh et al.
patent: 5790677 (1998-08-01), Fox et al.
patent: 5794207 (1998-08-01), Walker et al.
patent: 5822737 (1998-10-01), Ogram
patent: 5825300 (1998-10-01), Bathrick et al.
patent: 5841865 (1998-11-01), Sudia
patent: 5872849 (1999-02-01), Sudia
patent: WO 96/31965 (1996-10-01), None
M. Abadi et al.; “Authentication and Delegation with Smart-Cards”; Digital systems Research Center, 130 Lytton Ave., Palo Alto, CA. 94301; Oct. 22, 1990.
A.G. Anderson et al.; “Robustness Principles for Public-Key Protocols”; Advances in Cryptology—Crypto '95; Springer-Verlang, Berlin; 1995.
M. Blazc et al.; “Decentralized Trust Management”; Proceeding of the IEEE Symposium on Security and Privacy; Oakland; May 1996.
D. Chaum; “Achieving Electronic Privacy”; Scientific American; Aug. 1992, pp. 96-101.
D. Davis; “Compliance Defects in Public-Key Cryptography”; Proceedings of the Sixth USENIX Security Symposium ; Baltimore; Sep., 1992; pp. 239-242; also in ACM Operating Systems Review; v. 24, n. 4, Oct., 1990.
T. Denny, et al.; “On the Factorization of RSA-120”; Advances in Cryptology—CRYPTO '93, Ed. By Stinson, Douglas R., 1994; Springer-Verlag Lecture Notes in Comp. Sci. #773.
C. Ellison; “Establishing Identify Without Certification Authorities”; Proceedings of the Sixth USENIX Security Symposium; San Jose; Jul. 1996; pp. 67-76.
David K. Gifford; “Cryptographic Sealing for Information Secrecy and Authentication”; Communications of the ACM; vol. 25, No. 4; pp. 275-286; Apr. 1982.
VISA International; “SET Background”; http://www.visa.com/cgi-bin/vee
t/ecomm/set/bkgrnd.html?2×0; 1996.
Geer, Jr. Daniel E.
Tumblin Henry R.
Barron Jr. Gilberto
Bell Boyd & Lloyd LLC
Open Market, Inc.
LandOfFree
Enabling business transactions in computer networks does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Enabling business transactions in computer networks, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Enabling business transactions in computer networks will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2934322