Electrical computers and digital processing systems: support – Data processing protection using cryptography – Upgrade/install encryption
Reexamination Certificate
2000-03-22
2004-03-30
Wright, Norman M. (Department: 2134)
Electrical computers and digital processing systems: support
Data processing protection using cryptography
Upgrade/install encryption
C713S189000, C713S152000
Reexamination Certificate
active
06715077
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of Invention
This invention relates to cryptographic applications incorporating Common Data Security Architecture (CDSA). More particularly, the invention relates to systems and methods to support varying maximum cryptographic strength for CDSA applications.
2. Background Discussion
Vendors that manufacture applications that require encryption/decryption incorporate cryptographic libraries in their applications. However, for export, cryptography is controlled by Government regulations. By default, cryptographic strength is constrained to weak crypto (e.g., 56 bit DES.). Special industries, for example, financial, can use “strong” crypto (e.g., 168 bit DES.). Vendors usually statically link cryptographic libraries into their applications. Vendors cannot easily change from one cryptographic library to another because the Application Programming Interfaces (APIs) vary between different vendors' libraries. The Common Data Security Architecture (CDSA) provides programmable interfaces for cryptographic and digital certificate services using a “plug and play” model. The CDSA Specification is attached as Appendix
1
and is available from the Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, Oreg. 97124-6497. The Specification is also available from cdsa@dbmg.com. With CDSA, security service providers may support varying strengths of cryptographic algorithms. Normally for a given implementation of CDSA, all applications will be allowed to use the union of all algorithms in cryptographic strengths provided by the registered service providers.
However, there is sometimes a need to allow the same implementation of CDSA to support the cryptographic needs of multiple applications, each of which needs to be constrained to a particular maximum cryptographic strength. For example, financial applications in non-U.S. jurisdictions may be allowed to use 168 bit strength cryptography, while non-financial applications may only be allowed to use 56 bit strength cryptography. What is needed is an improved system and a method to allow a single CDSA implementation to control the maximum cryptographic strength of various applications based on a configurable cryptographic control policy enforced by the CDSA framework.
SUMMARY OF THE INVENTION
An object of the invention is a system and method to provide an application with varying cryptographic strength based on a configurable cryptographic control policy implemented in the application.
Another object is a system and method creating a crypto context for an application implemented by the CDSA framework.
Another object is a data structure in a CDSA framework identifying exemptions or privileges contained in applications for varying the cryptographic strength of the application.
These and other objects, features and advantages are achieved in an improved CDSA system(CDSA-I) including a standard CDSA framework coupled via an Application Program Interface, to an application requiring cryptographic support. During manufacture, a cryptographic control privilege is incorporated into the application, as part of an exemption mechanism, which exemption may or may not be enforced by the CDSA framework. For maximum cryptographic strength, an application must be signed by a private key controlled by the CDSA framework vendor. Inside the CDSA framework, the corresponding public key is used to verify at runtime those application that were appropriately signed. The CDSA framework is coupled via a Service Provider Interface (SPI) to a plurality of pluggable modules for performing cryptographic operations, storing signed digital certificates for applications, and trust policies relating to cryptographic strengths. The framework is initialized to provide the cryptographic support for the application at which time it reads a vendor-signed cryptographic control policy file that determines the cryptographic key lengths at which various algorithms are considered cryptographically strong. All APIs for cryptographic operations require a crypto context so the application then requests the CDSA framework to create a crypto context given an algorithm ID, key and key length. By default, all crypto contexts are assigned the default or “weak” level of crypto. If the application has been authorized to use strong crypto by virtue of being signed, it next calls the API to request an exemption. The CDSA framework using a data structure determines if the application is signed or privileged to perform strong crypto according to the crypto context based on the previously read cryptographic control policy file. A flag is set in framework-controlled crypto context data structure if the application is entitled to strong crypto. Otherwise, the flag is not set and the application will be stopped from using strong crypto when the APIs is called to encrypt data.
REFERENCES:
patent: 5341425 (1994-08-01), Wasilewski et al.
patent: 6308266 (2001-10-01), Freeman
patent: 6378073 (2002-04-01), Davis et al.
patent: 6470447 (2002-10-01), Lambert et al.
patent: 6557020 (2003-04-01), Amano et al.
Malik Sohail
Vasudevan Narayanan
International Business Machines - Corporation
Shofi David M.
Wright Norman M.
LandOfFree
System and method to support varying maximum cryptographic... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System and method to support varying maximum cryptographic..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System and method to support varying maximum cryptographic... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3269489