Access control and authorization system
Abstract
The invention uses symmetric key cryptography for secrecy. Role-based access controls are implemented with the use of labeled splits that are combined to generate the keys used in symmetric key cryptographic algorithms. Strong user authentication is realized with CKM technology in the form of user passwords, biometric data, and tokens, such as a supercard. Data separation, with labeling and algorithm selection, provides functionality comparable to physical separation. CKM technology lends itself to data-at-rest, which may be defined as objects that exist for some time, such as computer files, databases, e-mail messages, etc. However, CKM is also suited for channel or pipeline transmitted data. CKM technology can be extended beyond applications into lower levels of a network protocol, e.g., in IEEE 802 protocols or at level 2 in the OSI model of networking. The CKM encryption protocol used to establish the session key for the channel can be adapted to the parameters of the communications environment. CKM imposes a hierarchical infrastructure on an organization to securely manage splits. This infrastructure also gives CKM the ability to distribute public keys, thus giving it the functionality of a Public Key Infrastructure ("PKI"). The scalability of the CKM infrastructure is better than that of other proposed PKIs, which need extra bandwidth over the network to exchange certificates and public keys. In CKM, digital signatures and the Diffie-Hellman key exchange between the smart card and workstation are the principal forms of asymmetric key cryptography used.
The CKM infrastructure also gives CKM the ability to implement a key recovery method. Flexibility in algorithm management means that strong symmetric key algorithms or exportable algorithms may be used.
12 Claims
1. A method for providing data security, comprising:
   CKM software presents a dialog box to the user for selection of labels and algorithms.
2. The label selections are sent to the supercard.
3. The workstation applies a cryptographic hash algorithm to the object. The hash is sent to the supercard.
4. The supercard generates a 512-bit random number, i.e., the Random Split. A new Random Split is generated for each object encrypted. All random numbers generated are tested for randomness according to FIPS 140-1.
5. The Organization Split, Maintenance Split, the Label Splits, and the Random Split are combined in the CKM combiner process, which results in a 512-bit Working Split. This Working Split is used like a session key for encrypting one object.
6. The Organization Split, Maintenance Split, and Label Splits are combined in the CKM combiner process. This results in a 512-bit integer that is used to encrypt the Random Split that will appear in the CKM header.
7. The supercard encrypts the hash of the object with a digital signature algorithm using the user's private key. This results in a digital signature.
8. The Digital Signature, Credential Manager Signed Certificate, Label Indexes, Algorithm, encrypted Random Split, and Working Split are sent to the workstation.
9. The workstation encrypts the object using the selected algorithm with the Working Split as the working key.
10. The workstation forms the CKM header. The CKM header contains all of the information needed to decrypt the object and verify the digital signature except for the Label Split values and the Credential Managers' public keys. The data in the CKM header includes:
   - Organization Name
   - Label Indexes
   - Algorithm
   - Encrypted Random Split
   - User ID
   - User's Credential Manager ID
   - Object encryption date and time
   - The digital signature
   - Credential Manager Signed Certificate
   - Other information that may be specific to the object that was encrypted, for example, file name and attributes if the object that was encrypted was a file.
11. The CKM header is sent to the supercard where it is encrypted with the Header Split used as the key.
12. The encrypted CKM header is sent back to the workstation where it is added to the encrypted object.
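The following is an added toy model of steps 4 through 12 above, written for this page; it is not code from the patent or from any CKM product. The patent does not define the CKM combiner or the selected cipher, so both are assumptions here: the combiner is modelled as SHA-512 over the length-prefixed splits in a fixed order, and "the algorithm selected" is modelled as a SHA-512 counter-mode keystream XORed with the data (usable for illustration only, not a real cipher). The smart-card signature of step 7 is replaced by the object hash carried in the header, and the FIPS 140-1 randomness test of step 4 is not modelled. What the example shows is the access-control property the abstract describes: the Random Split in the header is encrypted under the combination of the Organization, Maintenance and selected Label Splits, so a user who lacks one of the selected Label Splits, or holds a wrong value for it, cannot recover the Working Split and the object stays opaque.

```python
import hashlib
import secrets

SPLIT_BYTES = 64  # the text specifies 512-bit splits


def combiner(*splits):
    """Assumed combiner (not defined by the page): SHA-512 over the
    length-prefixed splits in a fixed order."""
    h = hashlib.sha512()
    for s in splits:
        h.update(len(s).to_bytes(2, "big") + s)
    return h.digest()


def xor_cipher(key, data, context):
    """Assumed stand-in for 'the algorithm selected': a SHA-512 counter-mode
    keystream XORed with the data. Encryption and decryption are the same call."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha512(key + context + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pack_header(label_indexes, enc_random, obj_hash):
    """Minimal CKM-style header: Label Indexes, Encrypted Random Split, object hash."""
    idx = ",".join(str(i) for i in label_indexes).encode()
    return len(idx).to_bytes(2, "big") + idx + enc_random + obj_hash


def unpack_header(hdr):
    n = int.from_bytes(hdr[:2], "big")
    idx = [int(x) for x in hdr[2:2 + n].decode().split(",")] if n else []
    rest = hdr[2 + n:]
    return idx, rest[:SPLIT_BYTES], rest[SPLIT_BYTES:2 * SPLIT_BYTES]


def ckm_encrypt(plaintext, org, maint, labels, label_indexes, header_split):
    """labels maps label index -> Label Split value held by the encrypting user."""
    chosen = [labels[i] for i in label_indexes]
    random_split = secrets.token_bytes(SPLIT_BYTES)            # step 4
    working = combiner(org, maint, *chosen, random_split)      # step 5: Working Split
    static = combiner(org, maint, *chosen)                     # step 6: key for the Random Split
    enc_random = xor_cipher(static, random_split, b"rsplit")   # step 6
    ciphertext = xor_cipher(working, plaintext, b"object")     # step 9
    obj_hash = hashlib.sha512(plaintext).digest()              # step 3 (stands in for the signature)
    header = pack_header(label_indexes, enc_random, obj_hash)  # step 10
    enc_header = xor_cipher(header_split, header, b"header")   # step 11: Header Split as key
    return len(enc_header).to_bytes(2, "big") + enc_header + ciphertext  # step 12


def ckm_decrypt(blob, org, maint, labels, header_split):
    """Reverse of ckm_encrypt; labels holds only the Label Splits this user is issued."""
    n = int.from_bytes(blob[:2], "big")
    header = xor_cipher(header_split, blob[2:2 + n], b"header")
    label_indexes, enc_random, obj_hash = unpack_header(header)
    missing = [i for i in label_indexes if i not in labels]
    if missing:
        raise PermissionError(f"user lacks Label Split(s) {missing}")
    chosen = [labels[i] for i in label_indexes]
    static = combiner(org, maint, *chosen)
    random_split = xor_cipher(static, enc_random, b"rsplit")
    working = combiner(org, maint, *chosen, random_split)
    plaintext = xor_cipher(working, blob[2 + n:], b"object")
    if hashlib.sha512(plaintext).digest() != obj_hash:
        raise ValueError("object hash mismatch: wrong split values or tampered data")
    return plaintext


def demo():
    """Constructed splits; returns (recovered plaintext, denied_without_label, failed_with_wrong_label)."""
    org, maint, header_split = [secrets.token_bytes(SPLIT_BYTES) for _ in range(3)]
    all_labels = {i: secrets.token_bytes(SPLIT_BYTES) for i in (1, 2, 3)}
    blob = ckm_encrypt(b"quarterly figures", org, maint, all_labels, [1, 3], header_split)
    ok = ckm_decrypt(blob, org, maint, all_labels, header_split)
    try:  # user issued labels 1 and 2 only: label 3 is selected, so access is refused
        ckm_decrypt(blob, org, maint, {1: all_labels[1], 2: all_labels[2]}, header_split)
        denied = False
    except PermissionError:
        denied = True
    try:  # user holds a wrong value for label 3: Working Split cannot be reconstructed
        bad = {1: all_labels[1], 3: secrets.token_bytes(SPLIT_BYTES)}
        ckm_decrypt(blob, org, maint, bad, header_split)
        wrong = False
    except ValueError:
        wrong = True
    return ok, denied, wrong


if __name__ == "__main__":
    print(demo())
```

Two design points are visible here. First, the per-object Random Split is what makes the Working Split a one-time key (step 5) while the static combination of step 6 is what a reader must be able to reconstruct, so label membership, not possession of the ciphertext, decides access. Second, the hash check at the end of `ckm_decrypt` is only a stand-in for the signature verification of the real scheme; the toy keystream provides no integrity of its own, so a real deployment relies on the digital signature in the header, as step 10 states.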