Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-06-30
2001-03-13
Peeso, Thomas R. (Department: 2767)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S151000, C713S162000, C713S164000
Reexamination Certificate
active
06202159
ABSTRACT:
CROSS-REFERENCE TO RELATED APPLICATION
This application is related to Ser. No. 09/223,766 entitled “Secure Server Using Public Key Registration And Methods Of Operation”, filed Dec. 31, 1998 (SE9-98-003/1963-7246), assigned to the same assignee as that of the present invention and fully incorporated herein by reference.
This application is further related to the following co-pending applications, all assigned to the same assignee as that of the present invention and fully incorporated herein by reference:
1. Ser. No. 09/223,764, entitled “A Secure Communication System And Method Of Operation For Conducting Electronic Commerce Using Remote Vault Agents Interacting With A Vault Controller”, filed Dec. 31, 1998 (SE9-98-021/1963-7260).
2. Ser. No. 09/223,834, entitled “Vault Controller Based Registration Application Serving Web Based Registration Authorities and End Users for Conducting Electronic Commerce In A Secure End-to-End Distributed Information System”, filed Dec. 31, 1998 (SE9-98-2/1963-7261).
3. Ser. No. 09/223,765, entitled “Vault Controller Supervisor And Method Of Operation For Managing Multiple Independent Vault Processes & Browser Sessions For Users In An Electronic Business System”, filed Dec. 31, 1998 (SE-98-017/1963-7256).
4. Ser. No. 09,343,231, entitled “Vault Controller Secure Depositor For Secure Communication”, filed Jun. 30, 1998 (SE9-98-019/1963-7259).
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to a secure end-to-end communication system and methods of operation for conducting electronic business. More particularly, the invention relates to a vault controller dispatcher and methods of operation for processing requests to applications executable in a secure manner within a vault.
2. Background Discussion
Traditionally, organizations such as retailers, banks, and insurance companies, in conducting electronic business, register their customers or users and control their access to business software applications with a user identification (“user ID”) and password. The user ID and password establish a user's identity for accessing secured information. The password is the “virtual key” that authenticates a user. However, a password does not provide the security needed for electronic business. Passwords have the following limitations:
(a) can be compromised during log-on by on-lookers;
(b) can be easily intercepted on the Internet if the transaction is not secured with a secure web protocol, such as secure sockets layer;
(c) authenticate a user to a host, but not a host to a user;
(d) can be discovered using automated “trial and error” techniques;
(e) do not protect transmitted information; and
(f) do not ensure that access is limited to authorized entities and applications.
A new approach to conducting electronic business on the Internet is described in the cross-referenced application. In this approach, digital keys replaced user identification-password pairs. Public key cryptography uses mathematically related public-private key pairs. Only the private key can decrypt the information the public key has encrypted. Only the public key can verify signature performed by the private key. The public key can be made available to any one. The private key is kept secret by the holder.
Just as digital keys are replacing user identification-password pairs in electronic business, digital signatures are replacing physical signatures. A digital signature is a coded message affixed to a document or data that helps guarantee the identity of the sender, thereby providing a greater level of security than a physical signature. A digital signature identifies the sender because only the sender's private key can create the signature. The key also helps ensure the content of the signed message cannot be altered without the recipient being able to discover that the message has been altered.
Digital certificates are also replacing their physical counterpart—hard copy credentials—in electronic business. A digital certificate, issued by a certification authority, vouches for (or certifies) the key of an individual, software application, organization or business. The certificate performs a role similar to that of a driver's license or medical diploma—the certificate certifies that the bearer of the corresponding private key is authorized (by an organization) to conduct certain activities with that organization.
However, the life cycle of digital certificates is similar to that of physical certificates. Digital certificates are issued for a specific amount of time. The certificate may be temporarily suspended under certain conditions and reissued at a later time. The certificate may be permanently revoked by the organization. Finally, digital certificates expire. For secure end-to-end communication in electronic business, the certificate must be validated to determine whether the certificate has expired, been revoked or suspended.
Digital certificates are issued through authorized registrars known as Registration Authorities (RAs). The authorities determine whether the applicant should be authorized to access secure applications or services and set in motion the processes to issue a certificate. A Certification Authority (CA) issues the digital certificate after approval by the Registration Authority. The certificate is a binding between a public key and an identity, e.g. a person, organization or computer device. The certitude includes a subject name; issuer name; public key; validity period; unique serial number; CA digital signature. The CA guarantees the authenticity of the certificate through its digital signature. The certificate may be revoked at any time. The serial numbers of revoked certificates are added to a Certification Revoked List (“CRL”) published in an X.500 Directory based on a standard defined by the International Telecommunications Union (“ITU”). The X.500 standard is now being used to implement a “white pages” for the Internet service. That is, a directory of people, computers, services, and of course electronic mail addresses. This on-line directory provides a single, global source of information that is constantly updated.
IBM “Vault” technology, described in the related application Ser. No. 08/980,022, supra provides strong authentication of clients and servers using digital keys and digital certificates for conducting electronic business. “Vault” technology is described in the above cross-related application. Briefly stated, “Vault” technology provides a secure environment in a web server using a vault controller (hereinafter, web server-vault controller) for running a secure web-based registration process and enabling secure application execution. The controller provides security from other processes running on the same server and secure areas or personal storage vaults to which only the owner has a key. System operators, administrators, certificate authorities, registration authorities and others cannot get to stored information or secure processes in such personal vaults. Combined with a Secure Sockets Layer (SSL) protocol, the controller enables secure registration transactions that require multiple sessions using personal vaults. SSL, an IETF standard communication protocol, has built-in security services that are as transparent as possible to the end user and provides a digitally secure communication channel. The personal vault is owned by a particular platform Identification (ID), e.g. a UNIX ID account that is linked to a user with a specific vault access certificate. The vault is encrypted and contains an encryption key pair and signing key pair, both of which are password protected. The content of the vault is encrypted using the vault encryption key. Each vault has a unique distinguished name in an X.500 directory that provides storage for specific items essential to a Public Key Infrastructure (PKI) using digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services used to verify the identity and authority of each party invo
Ghafir Hatem
Poetzschke Dieter
International Business Machines - Corporation
Morgan & Finnegan L.L.P.
Peeso Thomas R.
Redmond, Jr. Joseph C.
LandOfFree
Vault controller dispatcher and methods of operation for... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Vault controller dispatcher and methods of operation for..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Vault controller dispatcher and methods of operation for... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2439641