System and method for suspending and resuming digital...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S155000, C713S156000, C713S170000, C713S171000, C713S152000, C713S152000, C709S219000, C709S229000, C705S044000, C380S030000

active

06775782

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to an improved data processing system and, in particular, to a method and system for authenticating a user of a data processing system before providing access to the data processing system to the user.
2. Description of Related Art
A certificate is a digital document that vouches for the identity and key ownership of an individual, a computer system, a specific server running on that system, or an organization. For example, a user's certificate verifies that the user owns a particular public key.
Certificates are issued by certificate authorities. These authorities are responsible for verifying the identity and key ownership of the individual before issuing the certificate.
An identity certificate is a digitally signed statement from one entity, saying that the public key of some other entity has some particular value.
Public keys are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity.
An entity is a person, organization, program, computer, business, bank, etc.
If some data is digitally signed, it has been stored with the “identity” of an entity and a signature that proves that entity knows about the data.
A signature is computed from some data and the private key of an entity.
Private keys are numbers that are supposed to be known only to a particular entity, i.e. kept secret. In a typical public key cryptographic system, a private key corresponds to exactly one public key.
Certificates rely on public key cryptographic systems in which (a) private and public keys are paired, (b) private keys are used to sign, and (c) public keys are used to verify signatures.
A certificate authority (CA) is an entity (e.g., a business) that is trusted to sign (issue) certificates for other people (entities). It usually has some kind of legal responsibilities for its vouching of the binding between a public key and its owner that allow one to trust the entity that signed a certificate. There are many such certificate authorities, such as VeriSign, Entrust, etc.
Probably the most widely visible application of certificates today is in Web browsers, such as Netscape Navigator, that support the SSL protocol. SSL (Secure Socket Layer) is a security protocol that provides privacy and authentication in network traffic. Browsers can only use this protocol with Web servers that support it.
Other technologies that rely on certificates include: various secure e-mail standards, such as Secure/Multipurpose Internet Mail Extensions (S/MIME); e-commerce protocols, such as Secure Electronic Transaction (SET); and various code-signing schemes, such as Microsoft AuthentiCode and signed Java Archives (JAR files).
There are two basic techniques used to get certificates: (1) make one oneself using the proper software, or (2) ask someone else, such as a certificate authority, to issue one. There are two main inputs to the certificate creation process. The first input is a pair of matched public and private keys generated using some special software. Only the public key is ever shown to anyone else. The private key is used to sign data; if someone improperly knows a private key, they can forge legal documents attributed to a third party. The second input is information about the entity being certified, such as an individual. This normally includes information such as a name and organization address. If a certificate authority issues a certificate, one will normally need to provide proof of identity.
If a certificate authority issues a certificate for an individual, the individual must provide a public key and some information about himself. A tool, such as Netscape Navigator 3.0, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it. The certificate may contain other information, such as dates during which the certificate is valid and a serial number. One part of the value provided by a certificate authority is to serve as a neutral and trusted introduction service, based in part on their verification requirements, which are openly published in their Certification Service Practices (CSP).
The X.509 standard is one of many standards that define what information can go into a certificate and describe the data format of that information.
The “version” field indicates the X.509 version of the certificate format (1, 2, or 3), with provision for future versions of the standard. This identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. Thus far, three versions are defined. Version 1 of the X.509 standard for public key certificates was ratified in 1988. The version 2 standard, ratified in 1993, contained only minor enhancements to the version 1 standard. Version 3, defined in 1996, allows for flexible extensions to certificates in which certificates can be “extended” in a standardized and generic fashion to include additional information. In addition to the traditional fields in public key certificates (i.e. those defined in versions 1 and 2 of X.509), version 3 comprises extensions referred to as “standard extensions”. The term “standard extensions” refers to the fact that the version 3 X.509 standard defines some broadly applicable extensions to the version 2 certificate. However, certificates are not constrained to only the standard extensions and anyone can register an extension with the appropriate authorities (e.g., ISO). The extension mechanism itself is completely generic.
The “serial number” field specifies the unique, numerical identifier of the certificate in the domain of all public key certificates issued by a particular certificate authority (CA) in order to distinguish one certificate from another. When a certificate is revoked, it is actually the certificate serial number that is posted in a certificate revocation list signed by the certificate authority since posting the entire certificate would be wasteful and completely unnecessary. It is for this reason that the serial number for each certificate in the domain must be unique.
The “signature algorithm” field identifies the algorithm used by the certificate authority to sign the certificate. The algorithm identifier, which is a number registered with an internationally-recognized standards organization (e.g., ISO), specifies both the public-key algorithm and the hashing algorithm used by the certificate authority to sign certificates.
The “issuer name” field specifies the X.500 Distinguished Name (DN) of the certificate authority that issued the certificate. For example, the Distinguished Name “c=US, o=ACME Corporation” might be used as the Distinguished Name for the certificate authority issuing certificates to the employees of the ACME Corporation in the United States. In some cases, such as root or top-level certificate authority certificates, the issuer signs its own certificates.
The “validity period” field specifies the dates and times for the start date and the expiration date of the certificate. Every time a certificate is used, the software should examine the certificate to ensure it is still within its validity period. Each certificate is valid only for a limited amount of time, but this period can be as short as a few seconds or almost as long as a century. The validity period depends on a number of factors, such as the strength of the private key used to sign the certificate or the amount one is willing to pay for a certificate.
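The fields described so far (version, serial number, signature algorithm, issuer name, validity period) can be read straight from the DER encoding and used for the two checks the text calls for: the validity window and a revocation lookup keyed by issuer and serial number. This is an added example, not part of the patent text; it does not verify the CA's signature, it handles only UTCTime, and the function names and the sample bytes (a constructed TBSCertificate cut off after the validity field) are assumptions of the example.

```python
from datetime import datetime, timezone

def read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def items(buf, pos=0):
    """Yield (tag, value) for each element inside a SEQUENCE or SET."""
    while pos < len(buf):
        tag, val, pos = read(buf, pos)
        yield tag, val

def oid(val):
    """Decode an OBJECT IDENTIFIER value to dotted form."""
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = n << 7 | b & 0x7F
        if b < 0x80:  # high bit clear: last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def utc(val):
    """Decode UTCTime (YYMMDDHHMMSSZ); Python's %y pivot agrees with X.509's for 2000-2049."""
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse(cert):
    """Extract the leading TBSCertificate fields; issuer is kept as raw DER for exact matching."""
    tbs = list(items(read(read(cert)[1])[1]))  # fields of TBSCertificate
    version = read(tbs.pop(0)[1])[1][0] + 1 if tbs[0][0] == 0xA0 else 1  # [0] absent = v1
    serial, sig_alg, issuer, validity = (v for _, v in tbs[:4])
    not_before, not_after = (utc(v) for _, v in items(validity))
    return {"version": version, "serial": int.from_bytes(serial, "big"),
            "sig_alg": oid(read(sig_alg)[1]), "issuer": issuer,
            "not_before": not_before, "not_after": not_after}

def check(cert, now, revoked):
    """revoked: set of (issuer, serial) pairs collected from each CA's signed CRL."""
    c = parse(cert)
    if (c["issuer"], c["serial"]) in revoked:
        return "revoked"
    return "ok" if c["not_before"] <= now <= c["not_after"] else "outside validity period"

# Constructed sample (c=US, o=ACME Corporation as issuer), unsigned, no subject or key.
ISSUER = bytes.fromhex("3028 310b3009 0603550406 13025553 3119 3017 060355040a 1310") + b"ACME Corporation"
SAMPLE = (bytes.fromhex("3064 3062 a003020102 02021001 300d06092a864886f70d01010b0500") + ISSUER
          + bytes.fromhex("301e 170d") + b"240101000000Z" + bytes.fromhex("170d") + b"250101000000Z")
```

The revocation set is keyed by issuer as well as serial number because, as stated above, a serial number is unique only within the certificates issued by one certificate authority.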
The “subject name” field specifies the X.500 Distinguished Name of the entity holding the private key corresponding to the public key identified in the certificate; for example, the Distinguished Name “c=US, o=ACME Corporation, cn=John M. Smith” might be the Distinguished Name for employee John M. Smith of
