-
11.发明专利
公开(公告)号:CA2071413A1
公开(公告)日:1993-05-01
申请号:CA2071413
申请日:1992-06-17
Applicant: IBM
Inventor: MATYAS STEPHEN M , JOHNSON DONALD B , LE AN V , PRYMAK ROSTISLAW , MARTIN WILLIAM C , ROHLAND WILLIAM S , WILKINS JOHN D
Abstract: Device A in a public key cryptographic network will be constrained to continue to faithfully practice a security policy dictated by a network certification center, long after device A's public key PUMa has been certified. If device A alters its operations from the limits encoded in its configuration vector, for example by loading a new configuration vector, device A will be denied participation in the network. To accomplish this enforcement of the network security policy dictated by the certification center, it is necessary for the certification center to verify at the time device A requests certification of its public key PUMa, that device A is configured with the currently authorized configuration vector. Device A is required to transmit to the certification center a copy of device A's current configuration vector, in an audit record. The certification center then compares device A's copy of the configuration vector with the authorized configuration vector for device A stored at the certification center. If the comparison is satisfactory, then the certification center will issue the requested certificate and will produce a digital signature dSigPRC on a representation of device A's public key PUMa, using the certification center's private certification key PRC. Thereafter, if device A attempts to change its configuration vector, device A's privacy key PRMa corresponding to the certified public key PUMa, will automatically become unavailable for use in communicating in the network.
-
公开(公告)号:CA2036858A1
公开(公告)日:1991-10-10
申请号:CA2036858
申请日:1991-02-21
Applicant: IBM
Inventor: MATYAS STEPHEN M , JOHNSON DONALD B , LE AN V , MARTIN WILLIAM C , PRYMAK ROSTISLAW , WILKINS JOHN D
-
公开(公告)号:DE69230489T2
公开(公告)日:2000-06-15
申请号:DE69230489
申请日:1992-09-11
Applicant: IBM
Inventor: MATYAS STEPHEN M , JOHNSON DONALD B , LE AN V , PRYMAK ROSTISLAW , MARTIN WILLIAM C , ROHLAND WILLIAM S , WILKINS JOHN D
Abstract: Device A in a public key cryptographic network will be constrained to continue to faithfully practice a security policy dictated by a network certification center, long after device A's public key PUMa has been certified. If device A alters its operations from the limits encoded in its configuration vector, for example by loading a new configuration vector, device A will be denied participation in the network. To accomplish this enforcement of the network security policy dictated by the certification center, it is necessary for the certification center to verify at the time device A requests certification of its public key PUMa, that device A is configured with the currently authorized configuration vector. Device A is required to transmit to the certification center a copy of device A's current configuration vector, in an audit record. The certification center then compares device A's copy of the configuration vector with the authorized configuration vector for device A stored at the certification center. If the comparison is satisfactory, then the certification center will issue the requested certificate and will produce a digital signature dSigPRC on a representation of device A's public key PUMa, using the certification center's private certification key PRC. Thereafter, if device A attempts to change its configuration vector, device A's privacy key PRMa corresponding to the certified public key PUMa, will automatically become unavailable for use in communicating in the network.
-
14.发明专利
公开(公告)号:CA2068488C
公开(公告)日:1998-05-19
申请号:CA2068488
申请日:1992-05-12
Applicant: IBM
Inventor: PRYMAK ROSTISLAW , JOHNSON DONALD B , WILKINS JOHN D , MATYAS STEPHEN M , LE AN V
Abstract: The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record. Thus the type and usage attributes assigned by the originator of the key-encrypting key in the form of a control vector are cryptographically coupled to the key-encrypting key such that the recipient may only use the received key-encrypting key in a manner defined by the key originator. The patent further describes a method and apparatus to improve the integrity of the key distribution process by applying a digital signature to the key record and by including identifying information (i.e., an originator identifier) in the control information of the key record. The integrity of the distribution process is enhanced by verifying the digital signature and originator identifier at the recipient node.
-
公开(公告)号:DE68926005T2
公开(公告)日:1996-10-17
申请号:DE68926005
申请日:1989-08-09
Applicant: IBM
Inventor: MATYAS STEPHEN M , ABRAHAM DENNIS G , JOHNSON DONALD B , KARNE RAMESH K , LE AN V , PRYMAK ROSTISLAW , THOMAS JULIAN , WILKINS JOHN D , YEH PHIL C , SMITH RONALD M , WHITE STEVE R , ARNOLD WILLIAM C
Abstract: Arrangements are disclosed for validating that key management functions requested for a cryptographic key by the program have been authorised by the originator of the key. The invention includes a cryptographic facility characterised by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorises the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorisation output connected to an input of the cryptographic processing means, for signalling that the key management function is authorised, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.
-
Patent Agency Ranking
公开(公告)号:DE68922884D1
公开(公告)日:1995-07-06
申请号:DE68922884
申请日:1989-08-09
Applicant: IBM
Inventor: MATYAS STEPHEN M , JOHNSON DONALD B , ABRAHAM DENNIS G , KARNE RAMESH K , LE AN V , PRYMAK ROSTISLAW , THOMAS JULIAN , WILKINS JOHN D , YEH PHIL C , SMITH RONALD M
-
公开(公告)号:DE69019593D1
公开(公告)日:1995-06-29
申请号:DE69019593
申请日:1990-03-28
Applicant: IBM
Inventor: MATYAS STEPHEN M , ABRAHAM DENNIS G , JOHNSON DONALD B , KARNE RAMESH K , LE AN V , MCCORMACK PATRICK J , PRYMAK ROSTISLAW , WILKINS JOHN D
-
公开(公告)号:CA2036858C
公开(公告)日:1994-03-01
申请号:CA2036858
申请日:1991-02-21
Applicant: IBM
Inventor: MATYAS STEPHEN M , JOHNSON DONALD B , LE AN V , MARTIN WILLIAM C , PRYMAK ROSTISLAW , WILKINS JOHN D
Abstract: SECURE KEY MANAGEMENT USING PROGRAMMABLE CONTROL VECTOR CHECKING The invention includes a control vector checking code repository located either within the same system as the cryptographic facility or alternately remotely from the system containing the cryptographic facility. The control vector checking code repository will be linked to the cryptographic facility by one of several means. A first means for linking the repository to the cryptographic facility would include a physically secure data communications link. A second means for connecting the repository to the cryptographic facility would be by using an insecure channel with authentication, wherein either a modification detection code or alternately a message authentication code would be transmitted to the cryptographic facility and then the desired control vector checking code would be transmitted over the link. The cryptographic facility will include a code authorization mechanism to compare the transmitted MAC or MDC with a corresponding value computed from the received control vector checking code. If the two values of the MDC or the MAC compare, then the control vector checking code is authenticated and loaded into the control vector checking unit for carrying out the control vector checking operations desired. The control vector checking code repository can be located in a remote system connected by means of the communications link to the crypto facility, or alternately the repository can reside in the same system as the crypto facility. This provides for the dynamic updating of control vector checking code, where improvements or alterations are made to the control vector checking sequence. This also provides for a reduced memory size in the crypto facility, being sufficiently large to accommodate subsidiary control vector checking applications, with alternate control vector checking applications requiring the reloading of the control vector checking unit from the repository.
-
公开(公告)号:DE69130658D1
公开(公告)日:1999-02-04
申请号:DE69130658
申请日:1991-06-18
Applicant: IBM
Inventor: JOHNSON DONALD B , LE AN V , MATYAS STEPHEN M , PRYMAK ROSTISLAW , WILKINS JOHN D
-
公开(公告)号:DE69217428D1
公开(公告)日:1997-03-27
申请号:DE69217428
申请日:1992-07-10
Applicant: IBM
Inventor: MATYAS STEPHEN M , JOHNSON DONALD B , LE AN V , MARTIN WILLIAM C , PRYMAK ROSTISLAW , ROHLAND WILLIAM S , WILKINS JOHN D
Abstract: The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record. Thus the type and usage attributes assigned by the originator of the key-encrypting key in the form of a control vector are cryptographically coupled to the key-encrypting key such that the recipient may only use the received key-encrypting key in a manner defined by the key originator. The patent further describes a method and apparatus to improve the integrity of the key distribution process by applying a digital signature to the key record and by including identifying information (i.e., an originator identifier) in the control information of the key record. The integrity of the distribution process is enhanced by verifying the digital signature and originator identifier at the recipient node.
-
-
-
-
-
-
-
-
-
Search Results
37
records
(took 0.016 seconds)
