Extensions for using a digital certificate with multiple cryptosystems

US 10,425,401 B1
Filed: 10/31/2018
Issued: 09/24/2019
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A method of issuing a digital certificate, the method comprising:

receiving, at a certificate authority node in a communication system, a certificate request comprising;

a first public key of an entity, the first public key being associated with a first cryptosystem; and

a second public key of the entity, the second public key being associated with a second cryptosystem;

generating a digital certificate comprising unpopulated fields;

populating a first public key field of the digital certificate with the first public key of the entity;

populating a second public key field in an extension of the digital certificate with the second public key of the entity;

populating a policy field in the extension of the digital certificate with a policy comprising;

instructions for processing a second digital signature of a certificate authority, the second digital signature of the certificate authority being associated with the second cryptosystem; and

instructions for processing a digital signature of the entity using the second public key of the entity;

generating, by one or more processors of the certificate authority node, the second digital signature using a second private key of the certificate authority, the second private key of the certificate authority being associated with the second cryptosystem, the second digital signature generated from the digital certificate comprising the first public key, the second public key, and the policy;

populating a second signature value field in the extension of the digital certificate with the second digital signature of the certificate authority;

generating, by one or more processors of the certificate authority node, a first digital signature of the certificate authority using a first private key of the certificate authority, the first private key of the certificate authority being associated with the first cryptosystem, the first digital signature generated from the digital certificate comprising the first public key, the second public key, the policy, and the second digital signature;

populating a first signature value field of the digital certificate with the first digital signature of the certificate authority; and

transmitting the digital certificate from the certificate authority node to a node associated with the entity in response to the certificate request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a general aspect, a digital certificate can be used with multiple cryptography systems (“cryptosystems”). In some cases, the digital certificate includes a public key field, which contains a first public key of an entity associated with a first cryptosystem. The digital certificate includes a signature value field, which contains a first digital signature of a certificate authority associated with the first cryptosystem. The digital certificate includes an extension. The extension contains a second public key of the entity, a second digital signature of the certificate authority, or both, associated with a second cryptosystem. The extension contains a policy field that includes instructions for processing the fields associated with the second cryptosystem.

Citations

17 Claims

1. A method of issuing a digital certificate, the method comprising:
- receiving, at a certificate authority node in a communication system, a certificate request comprising;
  
  a first public key of an entity, the first public key being associated with a first cryptosystem; and
  
  a second public key of the entity, the second public key being associated with a second cryptosystem;
  
  generating a digital certificate comprising unpopulated fields;
  
  populating a first public key field of the digital certificate with the first public key of the entity;
  
  populating a second public key field in an extension of the digital certificate with the second public key of the entity;
  
  populating a policy field in the extension of the digital certificate with a policy comprising;
  
  instructions for processing a second digital signature of a certificate authority, the second digital signature of the certificate authority being associated with the second cryptosystem; and
  
  instructions for processing a digital signature of the entity using the second public key of the entity;
  
  generating, by one or more processors of the certificate authority node, the second digital signature using a second private key of the certificate authority, the second private key of the certificate authority being associated with the second cryptosystem, the second digital signature generated from the digital certificate comprising the first public key, the second public key, and the policy;
  
  populating a second signature value field in the extension of the digital certificate with the second digital signature of the certificate authority;
  
  generating, by one or more processors of the certificate authority node, a first digital signature of the certificate authority using a first private key of the certificate authority, the first private key of the certificate authority being associated with the first cryptosystem, the first digital signature generated from the digital certificate comprising the first public key, the second public key, the policy, and the second digital signature;
  
  populating a first signature value field of the digital certificate with the first digital signature of the certificate authority; and
  
  transmitting the digital certificate from the certificate authority node to a node associated with the entity in response to the certificate request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein a cryptographic signing technique is associated with each cryptosystem used in producing the digital certificate, and the method further comprises:
    - examining a policy database to identify each cryptographic signing technique required to process one or more of the digital signatures in the digital certificate;
      
      generating the policy corresponding to the cryptographic signing techniques.
  - 3. The method of claim 1, wherein the digital certificate comprises a plurality of signatures of the certificate authority, the plurality of signatures comprising the first and second digital signatures of the certificate authority, andwherein the policy comprises instructions indicating one or more of the plurality of signatures to be verified.
  - 4. The method of claim 3, wherein the policy comprises instructions indicating a priority order for verifying the one or more of the plurality of signatures to be verified.
  - 5. The method of claim 1, further comprising:
    - generating, by one or more processors of the certificate authority node, a third digital signature using a third private key of the certificate authority, the third private key of the certificate authority associated with a third cryptosystem different from the first and second cryptosystems;
      
      populating a third signature value field in the extension of the digital certificate with the third digital signature prior to populating the second and first digital signature fields, andwherein the policy further comprises instructions for processing the third digital signature.
  - 6. The method of claim 1, wherein the policy comprises instructions received in the certificate request.
  - 7. The method of claim 1, wherein the policy comprises instructions provided by the certificate authority.
  - 8. The method of claim 1, wherein the first cryptosystem comprises a quantum-vulnerable cryptosystem, and the second cryptosystem comprises a quantum-resistant cryptosystem.

9. A computer system comprising:
- a data processing apparatus; and
  
  a computer-readable medium storing instructions that are operable when executed by the data processing apparatus to perform operations comprising;
  
  receiving a certificate request comprising;
  
  a first public key of an entity, the first public key being associated with a first cryptosystem, anda second public key of the entity, the second public key being associated with a second cryptosystem;
  
  generating a digital certificate comprising unpopulated fields;
  
  populating a first public key field of the digital certificate with the first public key of the entity;
  
  populating a second public key field in an extension of the digital certificate with the second public key of the entity;
  
  populating a policy field in the extension of the digital certificate with a policy comprising;
  
  instructions for processing a second digital signature of a certificate authority, the second digital signature being associated with the second cryptosystem; and
  
  instructions for processing a digital signature of the entity using the second public key of the entity;
  
  generating the second digital signature using a second private key of the certificate authority, the second private key of the certificate authority being associated with the second cryptosystem, the second digital signature generated from the digital certificate comprising the first public key, the second public key, and the policy;
  
  populating a second signature value field in the extension of the digital certificate with the second digital signature of the certificate authority;
  
  generating a first digital signature of the certificate authority using a first private key of the certificate authority, the first private key of the certificate authority being associated with the first cryptosystem, the first digital signature generated from the digital certificate comprising the first public key, the policy, and the second digital signature;
  
  populating a first signature value field of the digital certificate with the first digital signature of the certificate authority; and
  
  transmitting the digital certificate to a node associated with the entity in response to the certificate request.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, wherein a cryptographic signing technique is associated with each cryptosystem used in producing the digital certificate, and the operations further comprise:
    - examining a policy database to identify each cryptographic signing technique required to process one or more of the digital signatures in the digital certificate;
      
      generating the policy corresponding to the cryptographic signing techniques.
  - 11. The system of claim 9, wherein the digital certificate comprises a plurality of signatures of the certificate authority, the plurality of signatures comprising the first and second digital signatures of the certificate authority, andwherein the policy comprises instructions indicating one or more of the plurality of signatures to be verified.
  - 12. The non-transitory computer readable medium of claim 10, wherein the digital signature comprises a plurality of signatures, the plurality of signatures comprising the first and second digital signatures, andwherein the policy comprises instructions indicating an identity of one or more of the plurality of signatures in the hybrid signature to be verified.

13. A non-transitory computer readable medium comprising instructions, which when executed by one or more processors, perform operations comprising:
- receiving a certificate request comprising;
  
  a first public key of an entity, the first public key being associated with a first cryptosystem, anda second public key of the entity, the second public key being associated with a second cryptosystem;
  
  generating a digital certificate comprising unpopulated fields;
  
  populating a first public key field of the digital certificate with the first public key of the entity;
  
  populating a second public key field in an extension of the digital certificate with the second public key of the entity;
  
  populating a policy field in the extension of the digital certificate with a policy comprising;
  
  instructions for processing a second digital signature of a certificate authority associated with the second cryptosystem, andinstructions for processing a digital signature of the entity using the second public key of the entity;
  
  generating the second digital signature using a second private key of the certificate authority, the second private key of the certificate authority being associated with the second cryptosystem, the second digital signature generated from the digital certificate comprising the first public key, the second public key, and the policy;
  
  populating a second signature value field in the extension of the digital certificate with the second digital signature of the certificate authority;
  
  generating a first digital signature of the certificate authority using a first private key of the certificate authority, the first private key being associated with the first cryptosystem, the first digital signature generated from the digital certificate comprising the first public key, the second public key, the policy, and the second digital signature;
  
  populating a first signature value field of the digital certificate with the first digital signature of the certificate authority; and
  
  transmitting the digital certificate to a node associate with the entity in response to the certificate request.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer readable medium of claim 13, wherein a cryptographic signing technique is associated with each cryptosystem used in producing the digital certificate, and the operations further comprise:
    - examining a policy database identify each cryptographic signing technique required to process the second digital signature in the digital certificate;
      
      generating the policy corresponding to the cryptographic signing techniques.
  - 15. The non-transitory computer readable medium of claim 13, wherein the digital certificate comprises a plurality of signatures of the certificate authority, the plurality of signatures comprising the first and second digital signatures of the certificate authority, andwherein the policy comprises instructions indicating one or more of the plurality of signatures to be verified.
  - 16. The non-transitory computer readable medium of claim 15, wherein the policy comprises instructions indicating a priority order for verifying the one or more ofthe plurality of signatures to be verified.
  - 17. The non-transitory computer readable medium of claim 13, the operations further comprising:
    - generating a third digital signature using a third private key of the certificate authority, the third private key being associated with a third cryptosystem different from the first and second cryptosystems; and
      
      populating a third signature value field in the extension of the digital certificate with the third digital signature prior to populating the second and first digital signature fields; and
      
      wherein the policy further comprises instructions for processing the third digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ISARA Corporation
Original Assignee
ISARA Corporation
Inventors
Pecen, Mark, Brown, Michael Kenneth, Truskovsky, Alexander
Primary Examiner(s)
Ho, Dao Q

Application Number

US16/176,274
Time in Patent Office

328 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/205   involving negotiation or de...

H04L 9/0852   Quantum cryptography transm...

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

Extensions for using a digital certificate with multiple cryptosystems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Extensions for using a digital certificate with multiple cryptosystems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links