Universal secure messaging for cryptographic modules
First Claim
1. A secure messaging method for securely exchanging information during a session between a host computer system and a functionally connected cryptographic module, the cryptographic module comprising one or more critical security parameter (CSP) protected applications each requiring a corresponding critical security parameter in order to access the CSP protected application, the method comprising:
- generating a pair of identical session keys for the session;
performing a secure key exchange between the host computer system and the cryptographic module using a public key from a digital certificate associated with the cryptographic module for encrypting information used with the secure key exchange, the host computer system and the cryptographic module each provided with one session key of said pair of identical session keys;
generating a unique session identifier at the cryptographic module for the session;
associating the unique session identifier with the session key at the cryptographic module;
associating the unique session identifier with a critical security parameter, the critical security parameter provided to the host computer system by a user requesting access to the one or more CSP protected applications, the critical security parameter provided by the host computer system to the cryptographic module for initial authentication;
determining availability of the critical security parameter to exchange at least a portion of information between the host computer system and the cryptographic module;
using the unique session identifier to select the associated session key;
performing one or more counterpart cryptographic functions on at least a portion of information exchanged between the host computer system and the cryptographic module during the session using the selected session key as a surrogate for the critical security parameter in response to the critical security parameter not being available; and
granting permission to access one or more of the CSP protected applications requiring the critical security parameter for a duration of the session using the session key.
3 Assignments
0 Petitions
Accused Products
Abstract
An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.
136 Citations
14 Claims
-
1. A secure messaging method for securely exchanging information during a session between a host computer system and a functionally connected cryptographic module, the cryptographic module comprising one or more critical security parameter (CSP) protected applications each requiring a corresponding critical security parameter in order to access the CSP protected application, the method comprising:
-
generating a pair of identical session keys for the session; performing a secure key exchange between the host computer system and the cryptographic module using a public key from a digital certificate associated with the cryptographic module for encrypting information used with the secure key exchange, the host computer system and the cryptographic module each provided with one session key of said pair of identical session keys; generating a unique session identifier at the cryptographic module for the session; associating the unique session identifier with the session key at the cryptographic module; associating the unique session identifier with a critical security parameter, the critical security parameter provided to the host computer system by a user requesting access to the one or more CSP protected applications, the critical security parameter provided by the host computer system to the cryptographic module for initial authentication; determining availability of the critical security parameter to exchange at least a portion of information between the host computer system and the cryptographic module; using the unique session identifier to select the associated session key; performing one or more counterpart cryptographic functions on at least a portion of information exchanged between the host computer system and the cryptographic module during the session using the selected session key as a surrogate for the critical security parameter in response to the critical security parameter not being available; and granting permission to access one or more of the CSP protected applications requiring the critical security parameter for a duration of the session using the session key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method of securely exchanging information during a session between a host computer system and a cryptographic module for which a unique session identifier and a session key for the session have been established between the host computer and the cryptographic module, the method comprising:
-
associating the unique session identifier with the at least one session key; associating the unique session identifier with a critical security parameter, the critical security parameter provided by a user to the host computer system and by the host computer system to the cryptographic module for initial authentication; after initial authentication of the critical security parameter, determining availability of the critical security parameter to exchange at least a portion of information between the host computer system and the cryptographic module; and using the at least one session key as a substitute for the critical security parameter during the session to exchange at least a portion of information between the host computer system and the cryptographic module in response to the critical security parameter not being available, wherein the unique session identifier is used to select the associated session key for use as the substitute; wherein using the at least one session key as the substitute includes granting permission to unlock one or more applications authorized for the critical security parameter for a duration of the session using the at least one session key. - View Dependent Claims (10, 11, 12, 13, 14)
-
Specification