Electrical computers and digital processing systems: support – Reconfiguration
Reexamination Certificate
1997-12-19
2001-06-12
Powell, Mark R. (Department: 2122)
active
06247127
ABSTRACT:
TECHNICAL FIELD OF THE INVENTION
This invention relates generally to secured communications and more particularly to a method and apparatus for extending secure communications to off-line devices, such as laptop computers.
BACKGROUND OF THE INVENTION
As is known, to securely transmit data from one party to another in a secure communication system, the data needs to be encrypted via an encryption key and an encryption algorithm. The encryption algorithm may be a symmetric key algorithm such as the data encryption standard (“DES”), while the encryption key may be a corresponding symmetric key. The sending party encrypts the data using the symmetric key algorithm and transmits the encrypted message over a transmission medium to a receiving party. Upon receiving the encrypted message, the receiving party decrypts the message using the same symmetric key, which must be transmitted to the receiving party or derived by the receiving party by some appropriate security means.
Encrypting data using public key algorithms is somewhat more expensive than using a symmetric key algorithm, but the cost is generally justified because of the difficulty in securely providing the symmetric key to both parties. To obtain the cost saving benefits of symmetric key encryption and the key distribution advantages of public/private key pairs, a wrapped session key is provided to the receiving party, or parties, along with the data that is encrypted using the symmetric key. The wrapped session key is the symmetric key that has been encrypted using the public key (of the public/private key pair) of the receiving party. When the receiving party receives the encrypted message, it decrypts the wrapped session key using its private key to recapture the symmetric key. Having recaptured the symmetric key, the receiving party utilizes it to decrypt the message. Typically, symmetric keys are used for a relatively short duration (e.g., a communication, a set number of communications, an hour, a day, a few days, etc.), while encryption public keys are used for longer durations (e.g., a week, a month, a year, or more).
To further enhance security of encrypted data transmissions in the secured communication system, the sending party provides its digital signature with encrypted messages that it transmits. The signature of the sending party consists of a tag computed as a function of both the data being signed and the signature private key of the sender. The receiving party, using a corresponding signature public key of the sending party, can validate the signature. To ensure that the receiving party is using an authentic public key of the sending party, it obtains a signature public key certificate from the directory or a certification authority. The signature public key certificate includes the signature public key of the sending party and the signature of the certification authority. After obtaining the certificate, the receiving party first verifies the signature of the certification authority using a locally stored trusted public key of the certification authority. Once the signature of the certification authority has been verified, the receiving party can trust any message that was signed by the certification authority. Thus, the signature public key certificate that the receiving party obtained is verified, and the signature public key of the sending party can be trusted to verify the sending party's signature on the message.
The above process works well when the end-users, via a computer or similar device, are directly coupled, i.e., on-line, with the communication system. When on-line with the communication system, an end-user has access to the directory such that it may obtain the encryption public key certificate of a targeted recipient and the signature public key certificate of a sending party. In addition, the end-user has access, via the directory, to certificate revocation lists and authority revocation lists. The end-user utilizes the certificate and authority revocation lists, which are issued periodically (e.g., daily), to verify that the certificates it has obtained are valid, i.e., have not been revoked and have not been signed by a certification authority that has had its authority revoked. Thus, as long as an end-user has access to the directory, it can retrieve and utilize encryption public key certificates and signature public key certificates with confidence.
If a laptop end-user is off-line from the communication system, i.e., does not have access to the directory, it cannot confidently utilize the encryption public key certificates and signature public key certificates that it has stored. The lack of confidence results when the end-user's local copies of the certificate and authority revocation lists are expired, i.e., the period for reissue has passed. This, of course, assumes that the end-user has a local copy of the revocation lists. As such, the locally stored certificates are untrustworthy. While untrustworthy certificates do not prevent the physical act of encrypting and verifying, they do defeat the spirit of encrypting and verifying, which deprives the security system of its integrity. As such, off-line users, especially laptop computer users, cannot securely verify signatures of received messages (e.g., e-mail messages) and cannot securely prepare outgoing messages.
Therefore, a need exists for a method and apparatus that provides off-line secure communications.
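The off-line problem described above can be made concrete with a short sketch. This is an added example, not code from the patent or from Entrust: the data model, the names (RevocationList, check_certificate, Status) and the sample values are assumptions, and the signatures on the certificate and on both lists are assumed to have been verified already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Status(Enum):
    TRUSTED = "trusted"
    REVOKED = "revoked"
    UNVERIFIABLE = "unverifiable"  # revocation data missing or past reissue time

@dataclass(frozen=True)
class RevocationList:
    issuer: str            # CA that issued the list (signature assumed verified)
    this_update: datetime
    next_update: datetime  # scheduled reissue; the list is expired after this
    revoked: frozenset     # certificate serials (CRL) or CA names (ARL)

    def fresh_at(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str

def check_certificate(cert: Certificate, crl: Optional[RevocationList],
                      arl: Optional[RevocationList], now: datetime) -> Status:
    """Decide whether a locally stored certificate can be relied on at `now`."""
    # Policy of this sketch: a listing counts as revoked even on a stale list.
    if arl is not None and cert.issuer in arl.revoked:
        return Status.REVOKED
    if crl is not None and crl.issuer == cert.issuer and cert.serial in crl.revoked:
        return Status.REVOKED
    # Absence from a list proves nothing unless the list is present, comes from
    # the certificate's own CA (for the CRL), and has not passed its reissue time.
    if crl is None or arl is None or crl.issuer != cert.issuer:
        return Status.UNVERIFIABLE
    if not (crl.fresh_at(now) and arl.fresh_at(now)):
        return Status.UNVERIFIABLE
    return Status.TRUSTED

# Constructed sample data: both lists are reissued daily, as in the text's example.
ISSUED = datetime(2024, 1, 1, 8, 0)
CRL = RevocationList("Example CA", ISSUED, ISSUED + timedelta(days=1), frozenset({1002}))
ARL = RevocationList("Example Root", ISSUED, ISSUED + timedelta(days=1), frozenset({"Old CA"}))
ALICE = Certificate(1001, "alice", "Example CA")
BOB = Certificate(1002, "bob", "Example CA")
ONLINE = ISSUED + timedelta(hours=3)   # lists still current
OFFLINE = ISSUED + timedelta(days=3)   # laptop disconnected past the reissue time
```

With the constructed data, the certificate for "alice" is trusted while the lists are current and becomes unverifiable once the laptop has been off-line past the reissue time, which is the loss of confidence the background describes.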
Entrust Technologies Ltd.
Pender Michael
Powell Mark R.
Vedder Price Kaufman & Kammholz