公开(公告)号：CA2075329C

公开(公告)日：1998-03-31

申请号：CA2075329

申请日：1992-08-05

Applicant: IBM

Inventor： WILKINS JOHN D ,  MARTIN WILLIAM C ,  ROHLAND WILLIAM S ,  JOHNSON DONALD B ,  MATYAS STEPHEN M ,  LE AN V ,  PRYMAK ROSTISLAW

IPC: G09C1/00 ,  G06F9/30 ,  H04L9/08 ,  H04L9/30

Abstract: A data processing system, method and program are disclosed, for managing a public key cryptographic system. The method includes the steps of generating a first public key and a first private key as a first pair in the data processing system, for use with a first public key algorithm and further generating a second public key and a second private key as a second pair in the data processing system, for use with a second public key algorithm. The method then continues by assigning a private control vector for the first private key and the second private key in the data processing system, for defining permitted uses for the first and second private keys. Then the method continues by forming a private key record which includes the first private key and the second private key in the data processing system, and encrypting the private key record under a first master key expression which is a function of the private control vector. The method then forms a private key token which includes the private control vector and the private key record, and stores the private key token in the data processing system. At a later time, the method receives a first key use request in the data processing system, requiring the first public key algorithm. In response to this, the method continues by accessing the private key token in the data processing system and checking the private control vector to determine if the private key record contains a key having permitted uses which will satisfy the first request. The method then decrypts the private key record under the first master key expression in the data processing system and extracts the first private key from the private key record. The method selects the first public key algorithm in the data processing system for the first key use request and executes the first public key algorithm in the data processing system using the first private key to perform a cryptographic operation to satisfy the first key use request.

公开(公告)号：DE69217428T2

公开(公告)日：1997-07-17

申请号：DE69217428

申请日：1992-07-10

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  JOHNSON DONALD B ,  LE AN V ,  MARTIN WILLIAM C ,  PRYMAK ROSTISLAW ,  ROHLAND WILLIAM S ,  WILKINS JOHN D

IPC: G06F21/20 ,  G06F9/30 ,  G09C1/00 ,  H04L9/08

Abstract: The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record. Thus the type and usage attributes assigned by the originator of the key-encrypting key in the form of a control vector are cryptographically coupled to the key-encrypting key such that the recipient may only use the received key-encrypting key in a manner defined by the key originator. The patent further describes a method and apparatus to improve the integrity of the key distribution process by applying a digital signature to the key record and by including identifying information (i.e., an originator identifier) in the control information of the key record. The integrity of the distribution process is enhanced by verifying the digital signature and originator identifier at the recipient node.

公开(公告)号：DE68926200D1

公开(公告)日：1996-05-15

申请号：DE68926200

申请日：1989-08-09

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  ABRAHAM DENNIS G ,  JOHNSON DONALD B ,  KARNE RAMESH K ,  LE AN V ,  PRYMAK ROSTISLAW ,  THOMAS JULIAN ,  WILKINS JOHN D ,  YEH PHIL C

IPC: G06F9/30 ,  G06F9/302 ,  G06F9/38 ,  H04L9/00

公开(公告)号：DE69026034D1

公开(公告)日：1996-04-25

申请号：DE69026034

申请日：1990-10-15

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  ABRAHAM DENNIS G ,  JOHNSON DONALD B ,  LE AN V ,  PRYMAK ROSTISLAW ,  WILKINS JOHN D ,  YEH PHIL C

IPC: G09C1/00 ,  H04L9/08 ,  H04L9/10

公开(公告)号：CA2071771A1

公开(公告)日：1993-05-01

申请号：CA2071771

申请日：1992-06-22

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  JOHNSON DONALD B ,  LE AN V ,  PRYMAK ROSTISLAW ,  MARTIN WILLIAM C ,  ROHLAND WILLIAM S ,  WILKINS JOHN D

IPC: G09C1/00 ,  G06F9/30 ,  H04L9/00 ,  H04L9/08 ,  G06F12/14 ,  G09C5/00

Abstract: CRYPTOGRAPHIC FACILITY ENVIRONMENT BACKUP/RESTORE AND REPLICATION IN A PUBLIC KEY CRYPTOSYSTEM A computer apparatus, program and method function in a data processing system to replicate a cryptographic facility. The system includes a first cryptographic facility containing a portable part which personalizes the first cryptographic facility. The system also includes a second cryptographic facility which is linked to the first cryptographic facility by a public key cryptographic system. The portable part of the first cryptographic facility is encrypted and transferred to the second cryptographic facility, where it is decrypted and used to personalize the second cryptographic facility to enable replication of the first cryptographic facility. In one application, personalization of the second cryptographic facility can be in response to the detection of a failure in the first cryptographic facility. In another application, multiple cryptographic facilities can be brought on-line for parallel operation in the data processing system.

公开(公告)号：CA2075329A1

公开(公告)日：1993-03-28

申请号：CA2075329

申请日：1992-08-05

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  JOHNSON DONALD B ,  LE AN V ,  PRYMAK ROSTISLAW ,  MARTIN WILLIAM C ,  ROHLAND WILLIAM S ,  WILKINS JOHN D

IPC: G09C1/00 ,  G06F9/30 ,  H04L9/08 ,  H04L9/30

Abstract: A data processing system, method and program are disclosed, for managing a public key cryptographic system. The method includes the steps of generating a first public key and a first private key as a first pair in the data processing system, for use with a first public key algorithm and further generating a second public key and a second private key as a second pair in the data processing system, for use with a second public key algorithm. The method then continues by assigning a private control vector for the first private key and the second private key in the data processing system, for defining permitted uses for the first and second private keys. Then the method continues by forming a private key record which includes the first private key and the second private key in the data processing system, and encrypting the private key record under a first master key expression which is a function of the private control vector. The method then forms a private key token which includes the private control vector and the private key record, and stores the private key token in the data processing system. At a later time, the method receives a first key use request in the data processing system, requiring the first public key algorithm. In response to this, the method continues by accessing the private key token in the data processing system and checking the private control vector to determine if the private key record contains a key having permitted uses which will satisfy the first request. The method then decrypts the private key record under the first master key expression in the data processing system and extracts the first private key from the private key record. The method selects the first public key algorithm in the data processing system for the first key use request and executes the first public key algorithm in the data processing system using the first private key to perform a cryptographic operation to satisfy the first key use request.

公开(公告)号：CA2007409A1

公开(公告)日：1990-10-27

申请号：CA2007409

申请日：1990-01-09

Applicant: IBM

Inventor： MATYAS STEPHEN M ,  ABRAHAM DENNIS G ,  JOHNSON DONALD B ,  KARNE RAMESH K ,  LE AN V ,  MCCORMACK PATRICK J ,  PRYMAK ROSTISLAW ,  WILKINS JOHN D

IPC: G06F9/00 ,  G06F9/46