System and method for transmitting reduced information from a certificate to perform encryption operations

US 20040096055A1
Filed: 06/13/2003
Published: 05/20/2004
Est. Priority Date: 11/20/2002
Status: Active Grant

First Claim

Patent Images

1. In a network environment that includes a source client and a plurality of destination clients, the source client being capable of sending electronic messages to the plurality of destination clients, the network environment including one or more certificate servers that are capable of validating and providing certificates for at least some of the one or more destination clients to the source client, each certificate including encryption information needed to encrypt to the corresponding destination client, and including self-verification information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked, a method for the source client encrypting a message to be sent to at least one of the destination clients, the method comprising the following:

an act of the source client accessing an electronic message to be transmitted to a destination client of the plurality of destination clients;

an act of determining that the electronic message is to be encrypted before transmission to the destination client;

an act of generating a request to access only a portion of a certificate corresponding to the destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the destination client;

an act of transmitting the request to the certificate server;

an act of receiving only the requested portion of the certificate from the certificate server; and

an act of using the encryption information to encrypt the electronic message.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A certificate-based encryption mechanism in which a source client does not access the entire certificate corresponding to a destination client when encrypting an electronic message to be sent to the destination client. Instead, the source client only requests a portion of the certificate from a certificate server. That portion includes encryption information, but may lack some or even all of the self-verification information in the certificate. The certificate server preferably performs any validation of the certificate prior to sending the encryption information to the source client. The certificate need not be separately validated by the source client, especially if the certificate server is trusted by the source client.

54 Citations

View as Search Results

36 Claims

1. In a network environment that includes a source client and a plurality of destination clients, the source client being capable of sending electronic messages to the plurality of destination clients, the network environment including one or more certificate servers that are capable of validating and providing certificates for at least some of the one or more destination clients to the source client, each certificate including encryption information needed to encrypt to the corresponding destination client, and including self-verification information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked, a method for the source client encrypting a message to be sent to at least one of the destination clients, the method comprising the following:
- an act of the source client accessing an electronic message to be transmitted to a destination client of the plurality of destination clients;
  
  an act of determining that the electronic message is to be encrypted before transmission to the destination client;
  
  an act of generating a request to access only a portion of a certificate corresponding to the destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the destination client;
  
  an act of transmitting the request to the certificate server;
  
  an act of receiving only the requested portion of the certificate from the certificate server; and
  
  an act of using the encryption information to encrypt the electronic message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method in accordance with claim 1, wherein the request to access only a portion of a certificate is a HyperText Transport Protocol (HTTP).
  - 3. A method in accordance with claim 1, wherein the requested portion of the certificate does not include self-validation information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked.
  - 4. A method in accordance with claim 3, wherein validation is performed by the certificate server, where the certificate server is trusted by the source client.
  - 5. A method in accordance with claim 1, further comprises the following:
    - an act of transmitting the encrypted electronic message to the destination client.
  - 6. A method in accordance with claim 1, wherein the requested portion of the certificate includes the public key of the destination client.
  - 7. A method in accordance with claim 6, wherein the encrypted electronic message includes the following:
    - a first data field that represents the electronic message encrypted using a session key; and
      
      a second data field that represents the session key encrypted using the public key
  - 8. A method in accordance with claim 6, wherein the requested portion further includes the certificate issuer and serial number of the certificate.
  - 9. A method in accordance with claim 8, wherein the encrypted electronic message includes the following:
    - a first data field that represents the electronic message encrypted using a session key; and
      
      a second data field that represents the session key, the certificate issuer, and the serial number encrypted using the public key
  - 10. A method in accordance with claim 6, wherein the requested portion further includes the key identifier of the certificate.
  - 11. A method in accordance with claim 10, wherein the encrypted electronic message includes the following:
    - a first data field that represents the electronic message encrypted using a session key; and
      
      a second data field that represents the session key and key identifier encrypted using the public key.
  - 12. A method in accordance with claim 1, wherein the destination client is a first destination client that is to be send an encrypted form of the electronic message, and the certification corresponding to the first destination client is a first certificate, wherein the electronic messages is also to be transmitted to a second destination client, the method further comprising the following:
    - an act of determining that the electronic message is to be encrypted before transmission to the second destination client;
      
      an act of generating a request to access only a portion of a second certificate corresponding to the second destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the second destination client;
      
      an act of transmitting the request to the certificate server;
      
      an act of receiving only the requested portion of the second certificate from the certificate server; and
      
      an act of using the encryption information in the second certificate to encrypt the electronic message.
  - 13. A method in accordance with claim 12, wherein the request to access the portion of the first certificate and the request to access the portion of the second certificate are the same request.
  - 14. A method in accordance with claim 12, further comprising the following:
    - an act of transmitting the encrypted electronic message
  - 15. A method in accordance with claim 1, wherein the destination client is a first destination client that is to be send an encrypted form of the electronic message, and the certification corresponding to the first destination client is a first certificate, wherein the electronic messages is also to be transmitted to a second destination client, the method further comprising the following:
    - an act of determining that the electronic message is to be encrypted before transmission to the second destination client;
      
      an act of generating a request to access the entire second certificate corresponding to the second destination client;
      
      an act of transmitting the request to the certificate server;
      
      an act of receiving the entire second certificate from the certificate server; and
      
      an act of using the encryption information in the second certificate to encrypt the electronic message.
  - 16. A method in accordance with claim 15, wherein the request to access the portion of the first certificate and the request to access the portion of the second certificate are the same request.

17. A computer program product for use in a network environment that includes a source client and a plurality of destination clients, the source client being capable of sending electronic messages to the plurality of destination clients, the network environment including a certificate server that is capable of providing certificates for at least some of the one or more destination clients to the source client, each certificate including encryption information needed to encrypt to the corresponding destination client, and including self-verification information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked, the computer program product comprising one or more computer-readable media having thereon computer-executable instructions that, when executed by one or more processors at the source client, cause the source client to do the following:
- an act of the source client accessing an electronic message to be transmitted a destination client of the plurality of destination clients;
  
  an act of determining that the electronic message is to be encrypted before transmission to the destination client;
  
  an act of generating a request to access only a portion of a certificate corresponding to the destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the destination client;
  
  an act of transmitting the request to the certificate server;
  
  an act of receiving only the requested portion of the certificate from the certificate server; and
  
  an act of using the encryption information to encrypt the electronic message.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. A computer program product in accordance with claim 17, wherein the one or more computer-readable media further have thereon computer-executable instructions that, when executed by the one or more processors at the source client, further cause the source client to perform the following:
    - an act of transmitting the encrypted electronic message to the destination client.
  - 19. A computer program product in accordance with claim 17, wherein the destination client is a first destination client that is to be send an encrypted form of the electronic message, and the certification corresponding to the first destination client is a first certificate, wherein the electronic messages is also to be transmitted to a second destination client, the one or more computer-readable media further having thereon computer-executable instructions that, when executed by the one or more processors at the source client, further cause the source client to perform the following:
    - an act of determining that the electronic message is to be encrypted before transmission to the second destination client;
      
      an act of generating a request to access only a portion of a second certificate corresponding to the second destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the second destination client;
      
      an act of transmitting the request to the certificate server;
      
      an act of receiving only the requested portion of the second certificate from the certificate server; and
      
      an act of using the encryption information in the second certificate to encrypt the electronic message.
  - 20. A computer program product in accordance with claim 19, wherein the request to access the portion of the first certificate and the request to access the portion of the second certificate are the same request.
  - 21. A computer program product in accordance with claim 17, wherein the destination client is a first destination client that is to be send an encrypted form of the electronic message, and the certification corresponding to the first destination client is a first certificate, wherein the electronic messages is also to be transmitted to a second destination client, the one or more computer-readable media further having thereon computer-executable instructions that, when executed by one or more processors at the source client, cause the source client to perform the following:
    - an act of determining that the electronic message is to be encrypted before transmission to the second destination client;
      
      an act of generating a request to access the entire second certificate corresponding to the second destination client;
      
      an act of transmitting the request to the certificate server;
      
      an act of receiving the entire second certificate from the certificate server; and
      
      an act of using the encryption information in the second certificate to encrypt the electronic message.
  - 22. A computer program product in accordance with claim 17, wherein the one or more computer-readable media are physical media.
  - 23. A computer program product in accordance with claim 17, wherein the one or more computer-readable media comprises at least in part run-time memory.
  - 24. A computer program product in accordance with claim 17, wherein the one or more computer-readable media comprise persistent memory.

25. In a network environment that includes a source client and a plurality of destination clients, the source client being capable of sending electronic messages to the plurality of destination clients, the network environment including a certificate server that is capable of providing certificates for at least some of the one or more destination clients to the source client, each certificate including encryption information needed to encrypt to the corresponding destination client, and including self-verification information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked, a method for the source client encrypting a message to be sent to at least one of the destination clients, the method comprising the following:
- an act of the source client accessing an electronic message to be transmitted a destination client of the plurality of destination clients;
  
  an act of determining that the electronic message is to be encrypted before transmission to the destination client;
  
  a step for performing certificate-based encryption encrypting to the destination client without having local access to the entire certificate corresponding to the destination client.
- View Dependent Claims (26)
- - 26. A method in accordance with claim 25, wherein the step for performing certificate-based encryption encrypting to the destination client without having local access to the entire certificate corresponding to the destination client comprises the following:
    - an act of generating a request to access only a portion of a certificate corresponding to the destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the destination client;
      
      an act of transmitting the request to the certificate server;
      
      an act of receiving only the requested portion of the certificate from the certificate server; and
      
      an act of using the encryption information to encrypt the electronic message.

27. In a network environment that includes a source client and a plurality of destination clients, the source client being capable of sending electronic messages to the plurality of destination clients, the network environment including a certificate server that is capable of providing certificates for at least some of the one or more destination clients to the source client, each certificate including encryption information needed to encrypt to the corresponding destination client, and including self-verification information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked, a method for the certificate server helping the source client to encrypt a message to be sent to at least one of the destination clients, the method comprising the following:
- an act of receiving a request from the source client;
  
  an act of determining that the request is to access only a portion of a certificate corresponding to the destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the destination client; and
  
  an act of responding to the request from the source client by returning the requested portion of the certificate to the source client.
- View Dependent Claims (28, 29, 30, 31)
- - 28. A method in accordance with claim 27, wherein the request is an HTTP request.
  - 29. A method in accordance with claim 27, wherein the destination client is a first destination client and the certificate is a first certificate, the method further comprising the following:
    - an act of determining that the request is also to access only a portion of a second certificate corresponding to the second destination client, the encryption information needed to encrypt the electronic message so as to be decryptable by the second destination client; and
      
      an act of responding to the request from the source client by returning the requested portion of the second certificate to the source client.
  - 30. A method in accordance with claim 29, wherein the requested portion of the first certificate and the requested portion of the second certificate are returned in the same response to the request.
  - 31. A method in accordance with claim 30, wherein the response is an HTTP response.

32. A computer program product for use in a network environment that includes a source client and a plurality of destination clients, the source client being capable of sending electronic messages to the plurality of destination clients, the network environment including a certificate server that is capable of providing certificates for at least some of the one or more destination clients to the source client, each certificate including encryption information needed to encrypt to the corresponding destination client, and including self-verification information to allow for a determination that the certificate does indeed correspond to the corresponding destination client and has not been revoked, the computer program product for implementing a method for the certificate server helping the source client to encrypt a message to be sent to at least one of the destination clients, the computer program product comprising one or more computer-readable media having thereon computer-executable that, when executed by one or more processors at the certificate server, cause the certificate server to perform the following:
- an act of receiving a request from the source client;
  
  an act of determining that the request is to access only a portion of a certificate corresponding to the destination client, the portion including encryption information needed to encrypt the electronic message so as to be decryptable by the destination client; and
  
  an act of responding to the request from the source client by returning the requested portion of the certificate to the source client.
- View Dependent Claims (33, 34, 35, 36)
- - 33. A computer program product in accordance with claim 32, wherein the destination client is a first destination client and the certificate is a first certificate, the one or more computer-readable media further having thereon computer-executable instructions that, when executed by the one or more processors at the certificate server, further cause the certificate server to perform the following:
    - an act of determining that the request is also to access only a portion of a second certificate corresponding to the second destination client, the encryption information needed to encrypt the electronic message so as to be decryptable by the second destination client; and
      
      an act of responding to the request from the source client by returning the requested portion of the second certificate to the source client.
  - 34. A computer program product in accordance with claim 32, wherein the one or more computer-readable media are physical media.
  - 35. A computer program product in accordance with claim 34, wherein the one or more computer-readable media comprise at least in part run-time memory.
  - 36. A computer program product in accordance with claim 34, wherein the one or more computer-readable media comprise persistent memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Roy Williams
Inventors
Williams, Roy, Hallin, Philip J., Pereira, Jorge, Sie, Yu Lin, Batthish, Karim Michel

Granted Patent

US 7,284,121 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/1
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 9/3263   involving certificates, e.g...

System and method for transmitting reduced information from a certificate to perform encryption operations

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for transmitting reduced information from a certificate to perform encryption operations

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links