Access control and authorization system

The invention uses symmetric key cryptography for secrecy. Role-based access controls are implemented with the use of labeled splits that are combined to generate the keys used in symmetric key cryptographic algorithms. Strong user authentication is realized with CKM technology in the form of user passwords, biometric data, and tokens, such as a supercard. Data separation, with labeling and algorithm selection, provides functionality comparable to physical separation. CKM technology lends itself to data-at-rest that may be defined as objects that exist for some time, such as computer files, databases, e-mail messages, etc. However, CKM is also suited for channel or pipeline transmitted data. CKM technology can be extended beyond applications into lower levels of a network protocol, e.g., in IEEE 802 protocols or at level 2 in the OSI model of networking. The CKM encryption protocol to establish the session key for the channel can be adapted to the parameters of the communications environment. CKM imposes a hierarchical infrastructure on an organization to securely manage splits. This infrastructure also gives CKM the ability to distribute public keys thus giving it the functionality of a Public Key Infrastructure (“PKI”). The scalability of the CKM infrastructure is better than that of other proposed PKI'"'"'s which need extra bandwidth over the network to exchange certificates and public keys. In CKM, digital signatures and the Diffie-Hellman key exchange between the smart card and workstation are the principle forms of asymmetric key cryptography used.

The CKM infrastructure also gives CKM the ability to implement a key recovery method. Flexibility in algorithm management means that strong symmetric key algorithms or exportable algorithms may be used.