公开(公告)号：DE69230429T2

公开(公告)日：2000-06-08

申请号：DE69230429

申请日：1992-09-11

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  JOHNSON DONALD B ,  LE AN V ,  PRYMAK ROSTISLAW ,  MARTIN WILLIAM C ,  ROHLAND WILLIAM S ,  WILKINS JOHN D

IPC: G09C1/00 ,  G06F9/30 ,  H04L9/00 ,  H04L9/08

Abstract: A computer apparatus, program and method function in a data processing system to replicate a cryptographic facility. The system includes a first cryptographic facility containing a portable part which personalizes the first cryptographic facility. The system also includes a second cryptographic facility which is linked to the first cryptographic facility by a public key cryptographic system. The portable part of the first cryptographic facility is encrypted and transferred to the second cryptographic facility, where it is decrypted and used to personalize the second cryptographic facility to enable replication of the first cryptographic facility. In one application, personalization of the second cryptographic facility can be in response to the detection of a failure in the first cryptographic facility. In another application, multiple cryptographic facilities can be brought on-line for parallel operation in the data processing system.

公开(公告)号：DE69328334D1

公开(公告)日：2000-05-18

申请号：DE69328334

申请日：1993-09-08

Applicant: IBM

Inventor： ELANDER ROBERT C ,  HOLLOWAY CHRISTOPHER J ,  JOHNSON DONALD B ,  KELLY MICHAEL J ,  LE AN V ,  LUBOLD PAUL G ,  MATYAS STEPHEN M ,  RANDALL JAMES D ,  WILKINS JOHN D

IPC: G09C1/00 ,  H04L9/06 ,  H04L9/08

Abstract: A method and system are disclosed for the implementation of a weakened privacy channel. This is achieved through use of a weakened symmetric cryptographic algorithm called commercial data masking. The masked text is created from clear text at one system and may to transported electronically to another system where the masked text may be unmasked to produce the clear text. The reason to use the commercial data masking algorithm for data privacy is that it is exportable to organizations to which products which contain the Data Encryption Algorithm when used for data privacy are not exportable. In addition, a method and system is disclosed by which the key when used for commercial data masking may be transformed into a key that may be used with the Data Encryption Algorithm.

公开(公告)号：DE68926200T2

公开(公告)日：1996-10-17

申请号：DE68926200

申请日：1989-08-09

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  ABRAHAM DENNIS G ,  JOHNSON DONALD B ,  KARNE RAMESH K ,  LE AN V ,  PRYMAK ROSTISLAW ,  THOMAS JULIAN ,  WILKINS JOHN D ,  YEH PHIL C

IPC: G06F9/30 ,  G06F9/302 ,  G06F9/38 ,  H04L9/00

公开(公告)号：DE68926005D1

公开(公告)日：1996-04-25

申请号：DE68926005

申请日：1989-08-09

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  ABRAHAM DENNIS G ,  JOHNSON DONALD B ,  KARNE RAMESH K ,  LE AN V ,  PRYMAK ROSTISLAW ,  THOMAS JULIAN ,  WILKINS JOHN D ,  YEH PHIL C ,  SMITH RONALD M ,  WHITE STEVE R ,  ARNOLD WILLIAM C

IPC: G07F7/10 ,  H04L9/00 ,  H04L9/08 ,  H04L9/32

Abstract: Arrangements are disclosed for validating that key management functions requested for a cryptographic key by the program have been authorised by the originator of the key. The invention includes a cryptographic facility characterised by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorises the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorisation output connected to an input of the cryptographic processing means, for signalling that the key management function is authorised, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.

公开(公告)号：CA1317677C

公开(公告)日：1993-05-11

申请号：CA602904

申请日：1989-06-15

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  ABRAHAM DENNIS G ,  JOHNSON DONALD B ,  KARNE RAMESH K ,  LE AN V ,  PRYMAK ROSTISLAW ,  THOMAS JULIAN ,  WILKINS JOHN D ,  YEH PHIL C

IPC: G09C1/00 ,  G06F9/30 ,  H04L9/00 ,  H04L9/08 ,  H04L9/10 ,  H04L9/32

Abstract: MA988-011 of the Invention SECURE MANAGEMENT OF KEYS USING CONTROL VECTORS The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorizes the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorization output connected to an input of the cryptographic processing means, for signalling that the key management function is authorized, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.

公开(公告)号：CA2075254A1

公开(公告)日：1993-03-28

申请号：CA2075254

申请日：1992-08-05

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  JOHNSON DONALD B ,  LE AN V ,  PRYMAK ROSTISLAW ,  WILKINS JOHN D

IPC: G09C1/00 ,  G06F9/30 ,  H04L9/08 ,  H04L9/30 ,  G06F12/14 ,  H04K1/06 ,  G06F9/44

Abstract: BT9-91-027 A data processing system, program and method are disclosed for managing a public key cryptographic system which includes a public key, private key pair generator. The method includes the step of generating a first public key, private key pair using a first seed value known to a user, the first seed value being generated from a passphrase. A first random number is generated using the first seed value and applied to generating the first key pair. The method then generates a first control vector defining a first use of the first public key, private key pair. The method then continues with the step of generating a second public key, private key pair using a second seed value unknown to the user, the second seed value being a true random number. The second random number is generated using the second seed value in a pseudorandom number generator and applied to generating the second key pair. The method generates a second control vector defining a second use of the second public key, private key pair. The method then controls the use of the first public key, private key pair using the first control vector and controls the use of the second public key, private key pair with the second control vector.

公开(公告)号：CA2068488A1

公开(公告)日：1993-02-23

申请号：CA2068488

申请日：1992-05-12

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  JOHNSON DONALD B ,  LE AN V ,  PRYMAK ROSTISLAW ,  WILKINS JOHN D

IPC: G06F21/20 ,  G06F9/30 ,  G09C1/00 ,  H04L9/08 ,  G06F13/38

Abstract: The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record. Thus the type and usage attributes assigned by the originator of the key-encrypting key in the form of a control vector are cryptographically coupled to the key-encrypting key such that the recipient may only use the received key-encrypting key in a manner defined by the key originator. The patent further describes a method and apparatus to improve the integrity of the key distribution process by applying a digital signature to the key record and by including identifying information (i.e., an originator identifier) in the control information of the key record. The integrity of the distribution process is enhanced by verifying the digital signature and originator identifier at the recipient node.

公开(公告)号：CA1264855A

公开(公告)日：1990-01-23

申请号：CA498312

申请日：1985-12-20

Applicant: IBM

Inventor： MATYAS STEPHEN M

IPC: G07F7/12 ,  G06Q20/40 ,  G07D1/00 ,  G07D9/00 ,  G07F7/10 ,  H04L9/32 ,  H04L9/02

Abstract: A method of offline personal authentication in a multiterminal system uses a secret user PIN, a secret key and other nonsecret data stored on a customer memory card and a nonsecret validation value stored in each terminal connected in a network. The technique of "tree authentication" is used which employs an authentication tree with an authentication tree function comprising a one-way function. An authentication parameter is calculated as a function of a personal key and a user identifier read from the user's card and the PIN entered by the user. The calculated authentication parameter is mapped to a verification value using the one-way function to the root of the authentication tree. The verification value obtained by mapping the calculated authentication parameter is then compared with a global verification value stored at the terminal. If the comparison is favorable, the system is enabled for the user; otherwise, the user is rejected.

公开(公告)号：CA1103358A

公开(公告)日：1981-06-16

申请号：CA314677

申请日：1978-10-30

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  MEYER CARL H ,  TUCHMAN WALTER L

IPC: G09C1/00 ,  H04L9/32 ,  H04L9/00

Abstract: DIGITAL SIGNATURE SYSTEM AND APPARATUS A digital signature machine provides a simplified method of forming and verifying a signature that is appended to a digital message. A sender transmits a signature with the usual signature keys and with validation table entries that correspond to the unsent keys and with the compressed encoding of the next validation table. The receiver uses the compressed encoding of the next validation table to form validation table entries from the signature keys so that the receiver has a full validation table. This validation table is compressed and compared with the compressed encoding which was received from the sender in a preceding message.

公开(公告)号：DE69328334T2

公开(公告)日：2000-10-19

申请号：DE69328334

申请日：1993-09-08

Applicant: IBM

Inventor： ELANDER ROBERT C ,  HOLLOWAY CHRISTOPHER J ,  JOHNSON DONALD B ,  KELLY MICHAEL J ,  LE AN V ,  LUBOLD PAUL G ,  MATYAS STEPHEN M ,  RANDALL JAMES D ,  WILKINS JOHN D

IPC: G09C1/00 ,  H04L9/06 ,  H04L9/08

Abstract: A method and system are disclosed for the implementation of a weakened privacy channel. This is achieved through use of a weakened symmetric cryptographic algorithm called commercial data masking. The masked text is created from clear text at one system and may to transported electronically to another system where the masked text may be unmasked to produce the clear text. The reason to use the commercial data masking algorithm for data privacy is that it is exportable to organizations to which products which contain the Data Encryption Algorithm when used for data privacy are not exportable. In addition, a method and system is disclosed by which the key when used for commercial data masking may be transformed into a key that may be used with the Data Encryption Algorithm.