Universal secure messaging for cryptographic modules

US 20040218762A1
Filed: 04/29/2003
Published: 11/04/2004
Est. Priority Date: 04/29/2003
Status: Abandoned Application

First Claim

Patent Images

1. A secure messaging method for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising the steps of:

a. generating a pair of identical session keys, b. performing a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each receives one session key of said pair of identical session keys, c. generating a unique session identifier, d. associating said unique session identifier with said pair of identical session keys, and e. performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.

125 Citations

View as Search Results

21 Claims

1. A secure messaging method for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising the steps of:
- a. generating a pair of identical session keys, b. performing a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each receives one session key of said pair of identical session keys, c. generating a unique session identifier, d. associating said unique session identifier with said pair of identical session keys, and e. performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1 wherein said counterpart cryptographic functions occur within an active session.
  - 3. The method according to claim 2 wherein said unique session identifier is further associated with a specific function performed by said cryptographic module.
  - 4. The method according to claim 1 wherein said counterpart cryptographic functions includes symmetric encryption, decryption and message authentication.
  - 5. The method according to claim 1 wherein said exchanged information includes a critical security parameter.
  - 6. The method according to claim 5 wherein said session keys are temporarily surrogates for said CSP after successfully performing a prerequisite initial authentication.
  - 7. The method according to claim 1 wherein said exchanged information includes commands sent from at least said host computer system to said cryptographic module.

8. A secure messaging method for reactivating a previously established messaging session between a host computer system and a functionally connected cryptographic module comprising the steps of:
- a. sending a unique session identifier associated with a previously exchanged pair of identical session keys from said host computer system to said cryptographic module, b. retrieving a session key associated with said unique session identifier, and c. mutually verifying said host computer system and said cryptographic module using said previously exchanged pair of identical session keys.
- View Dependent Claims (9)
- - 9. The method according to claim 8 wherein step 8.c includes the steps of:
    - a. generating a host random number, b. encrypting said host random number with one of said previously exchanged pair of identical session keys, c. sending said encrypted host random number to said cryptographic module, d. decrypting said encrypted host random number using said retrieved session key, e. generating a cryptographic module random number, f. encrypting said host random number and said cryptographic module random number with said retrieved session key to generate encrypted host and cryptographic module random numbers, g. sending said encrypted host and cryptographic module random numbers to said host computer system, h. decanting said encrypted host and cryptographic module random numbers with said one of said pair of identical session keys, i. verifying said decrypted host random number against said host random number, j. sending said decrypted cryptographic module random number to said cryptographic module, and k. verifying said decrypted cryptographic module random number against said cryptographic module random number.

10. An secure messaging system for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:
- said host computer system including;
  
  a Host Security Manager application including means for;
  
  generating a session key pair, associating at least one session key of said session key pair with a unique session identifier, performing a secure key exchange with said cryptographic module, wherein a session key associated with said unique session identifier is securely transferred to said cryptographic module, and performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module;
  
  said cryptographic module including;
  
  a Security Executive application including means for;
  
  generating said unique session identifier, associating said unique session identifier with said exchanged key, and performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system according to claim 10 wherein said Security Executive application further includes means for sharing said unique session identifier with said Host Security Manager application.
  - 12. The system according to claim 10 wherein said cryptographic functions includes encryption, decryption and message authentication.
  - 13. The system according to claim 10 wherein at least a portion of said cryptographic functions are performed using said session key pair.
  - 14. The system according to claim 10 wherein said exchanged information includes a critical security parameter.
  - 15. The system according to claim 14 wherein said Security Executive application further includes means for allowing said session key pair to act as a temporary surrogate of said CSP after successfully performing a prerequisite initial authentication using said CSP.
  - 16. The system according to claim 15 wherein said temporary surrogate remains valid for at least a portion of a session.
  - 17. The system according to claim 16 wherein said session may be reactivated.

18. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing a host computer system to establish an secure messaging session with a cryptographic module for the secure exchange of information, said executable instructions comprising computer readable program code means for causing said computer to, a. generate a pair of identical session keys, b. perform a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each receives one session key of said pair of identical session keys, c. generate a unique session identifier, d. associate said unique session identifier with said pair of identical session keys, and e. perform counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module.
- View Dependent Claims (19)
- - 19. The computer program product according to claim 18 wherein said executable instructions further includes executable instructions for causing said computer to allow said session key pair to act as a temporary surrogate for a CSP after successful performance of a prerequisite initial authentication using said CSP.

20. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing a host computer system to reestablish an secure messaging session with a cryptographic module for the secure exchange of information, said executable instructions comprising computer readable program code means for causing said computer to:
- a. send a unique session identifier associated with a previously exchanged pair of identical session keys from said host computer system to said cryptographic module, b. retrieve a session key associated with said unique session identifier, and c. mutually verify said host computer system and said cryptographic module using said previously exchanged pair of identical session keys.
- View Dependent Claims (21)
- - 21. The computer program product according to claim 20 wherein executable instructions 20.c further includes the executable instructions for causing said computer to:
    - a. generate a host random number, b. encrypt said host random number with one of said previously exchanged pair of identical session keys, c. send said encrypted host random number to said cryptographic module, d. decrypt said encrypted host random number using said retrieved session key, e. generate a cryptographic module random number f. encrypt said host random number and said cryptographic module random number with said retrieved session key to generate encrypted host and cryptographic module random numbers, g. send said encrypted host and cryptographic module random numbers to said host computer system, h. decrypt said encrypted host and cryptographic module random numbers with said one of said pair of identical session keys, i. verify said decrypted host random number against said host random number, j. send said decrypted cryptographic module random number to said cryptographic module, and k. verify said decrypted cryptographic module random number against said cryptographic module random number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Activcard Ireland, Limited
Original Assignee
ActivIdentity, Inc. (Assa Abloy AB)
Inventors
Le Saint, Eric, Wen, Wu

Application Number

US10/424,783
Publication Number

US 20040218762A1
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0421   Anonymous communication, i....

H04L 63/045   wherein the sending and rec...

H04L 63/0853   using an additional device,...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0844   with user authentication or...

Universal secure messaging for cryptographic modules

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Universal secure messaging for cryptographic modules

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others