Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1999-12-14
2004-08-03
Smithers, Matthew (Department: 2137)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C713S155000, C713S156000, C713S159000, C380S028000, C380S029000
Reexamination Certificate
active
06772341
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to an improved data processing system and, in particular, to a method and apparatus for processing cryptographic data objects formatted according to interoperable standards.
2. Description of Related Art
Public-key cryptography is the technology in which encryption and decryption involve different keys. The two keys are the public key and the private key, and either can encrypt or decrypt data. A user gives his or her public key to other users, keeping the private key to himself or herself. Data encrypted with a public key can be decrypted only with the corresponding private key, and vice versa.
As public-key cryptography has gained acceptance, standards have become necessary so that software at two different sites could work together even when the software is developed by different vendors. In particular, standards have been developed to allow agreement on digital signatures, digital enveloping, digital certification, and key agreement. However, interoperability requires strict adherence to communicable formats, and PKCS, or “Public Key Cryptography Standard,” provides a basis for interoperable standards in heterogeneous environments.
PKCS is a set of documents published by RSA Laboratories that serves to define data types and algorithms used in public-key cryptography. The first set of ten PKCS standards was released in 1991. In the 1993 release PKCS #2 and #4 were incorporated into PKCS #1, so the set of standards included:
PKCS #1: RSA Encryption Standard;
PKCS #3: Diffie-Hellman Key Agreement Standard;
PKCS #5: Password-Based Encryption Standard;
PKCS #6: Extended-Certificate Syntax Standard;
PKCS #7: Cryptographic Message Syntax Standard;
PKCS #8: Private-Key Information Syntax Standard;
PKCS #9: Selected Attribute Types; and
PKCS #10: Certification Request Syntax Standard.
PKCS continues to evolve and the following standards have been added since 1993:
PKCS #11: Cryptographic Token Interface Standard;
PKCS #12: Personal Information Exchange Syntax Standard;
PKCS #13: Elliptic Curve Cryptography Standard; and
PKCS #15: Cryptographic Token Information Format Standard.
Two independent levels of abstraction have been provided by these standards. The first level is message syntax, and the second level is specific algorithms. The intention has been that message syntax and specific algorithms should be orthogonal. In other words, a standard for the syntax of digitally signed messages should be able to work with any public-key algorithm, not just RSA, the public-key algorithm invented by Rivest, Shamir, and Adleman involving exponentiation modulo the product of two large prime numbers; and a standard for RSA should be applicable to many different message syntax standards.
One of these standard documents, PKCS #9, defines a set of attributes that can be used in other PKCS standards. In particular, PKCS #9 defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, PKCS #12 personal information, and PKCS #15 cryptographic token information.
PKCS
190
7 describes a general syntax for data that may have cryptography applied to it. In other words, PKCS #7 defines the syntax for several cryptographically protected messages, including encrypted messages and messages with digital signatures. The syntax admits recursion, so that one envelope can be nested inside another or one party can sign previously enveloped digital data. PKCS
190
7 also allows arbitrary attributes, such as signing time, to be authenticated along with the content of a message, and it also provides for other attributes, such as countersignatures, to be associated with a signature. A degenerate case of the syntax provides a means for disseminating certificates and certificate-revocation lists. PKCS
190
7 can also support a variety of architectures for certificate-based key management.
Originally an outgrowth of Internet Privacy-Enhanced Mail, PKCS
190
7 has become the basis for the widely implemented Secure/Multipurpose Internet Mail Extensions (S/MIME) secure electronic mail specification, an Internet e-mail security standard that employs public key encryption. PKCS
190
7 has become a basis for message security in systems as diverse as the Secure Electronic Transaction (SET) specification for bank systems.
PKCS
190
7 is compatible with Privacy-Enhanced Mail (PEM) in that signed-data and signed-and-enveloped data content, constructed in a PEM-compatible mode, can be converted into PEM messages without any cryptographic operations. A PEM message can similarly be converted into the signed-data and signed-and-enveloped data content types, i.e. a form that can be processed by applications including or implementations including PKCS #7 without any cryptographic operations. The conversion process is “flat” in the sense that the encapsulated text of the PEM message becomes the “inner” content of the PKCS
190
7 data. If the encapsulated text happens to contain privacy-enhanced messages, those messages are not implemented in the conversion process. PEM can effectively be viewed as a set of encoding rules analogous to the Basic Encoding Rules for ASN.1, abbreviated BER, for PKCS
190
7 data with these restrictions. Conversion from PKCS
190
7 to PEM may involve omission of attributes from PKCS #6 extended certificates, which is acceptable since the attributes are not essential to PEM.
The values produced according to PKCS
190
7 are intended to be BER-encoded. Abstract Syntax Notation One, abbreviated ASN.1, is a notation for describing abstract types and values. The Basic Encoding Rules for ASN.1 give one or more ways to represent any ASN.1 value as an octet string. The Distinguished Encoding Rules for ASN.1, abbreviated DER, are a subset of BER, and give exactly one way to represent any ASN.1 value as an octet string. DER is intended for applications in which a unique octet string encoding is needed, as is the case when a digital signature is computed on an ASN.1 value. ASN.1 and DER encoding are general purpose methods that can be applied to many domains in addition to PKCS.
A PKCS #7 SignedData object and the objects that may be contained within a SignedData object are defined in RFC 2630, “Cryptographic Message Syntax,” June 1999. Within this standard, the attribute definition includes the object version number, a set of message digest algorithms, the content that is signed, a set of certificates, a set of Certificate Revocation Lists (CRLs), and a set of SignerInfo objects that, among other attributes, each contain the signature of the contents for a given certificate.
SignedData objects were designed for a heterogeneous environment in which the SignedData object and the objects within it can be DER-encoded into a stream of bytes. The DER encoding can be transferred from one system to a completely different system and decoded to reform the SignedData object.
With all the attributes that are part of a SignedData object, administrators, applications developers, and other users can easily be lost in details. They may have access to all the integral objects used in creating a SignedData object, such as the text file to be signed, a certificate file, and a private key file, but they may lack the application or means to merge the objects together to create a SignedData object. In other situations, users may receive a SignedData object as an external file or as part of an S/MIME object for which they do not have a targeted application or that they do not wish to be automatically included in a targeted application.
Therefore, it would be advantageous to have an improved method and system for presenting and manipulating secure data objects using interoperable standards within heterogeneous environments, such as using PKCS within a distributed computing environment. It would be still more advantageous to provide users with a method and system to
London Shrader Theodore Jack
Nadalin Anthony Joseph
Rich Bruce Arland
Yarsa Julianne
Emile Volel
Fields Courtney D.
Smithers Matthew
Walder, Jr. Stephen J.
Yee Duke W.
LandOfFree
Method and system for presentation and manipulation of PKCS... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for presentation and manipulation of PKCS..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for presentation and manipulation of PKCS... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3293837