Trusted and unsupervised digital certificate generation using a security token

US 20050138386A1
Filed: 12/22/2003
Published: 06/23/2005
Est. Priority Date: 12/22/2003
Status: Active Grant

First Claim

Patent Images

1. A method for issuing a trustworthy digital certificate comprising the steps of:

a. performing at least one security transaction between a security token and at least a registration authority which at least confirms that a pre-established critical security parameter is operatively stored within said security token, b. operatively storing a PKI key pair inside said security token, and c. responsively returning a public key associated with said PKI key pair from said security token to at least said registration authority.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product for ensuring PKI key pairs are operatively installed within a secure domain of a security token prior to generating a digital certificate. The public key component of the PKI key pair is incorporated into a digital certificate which is returned to the security token for storage. The arrangement included herein incorporates the use of a critical security parameter to ensure a chain of trust with an issuing entity such as a registration authority. Furthermore, the arrangement does not require security officer or system administrator oversight during digital certificate generation as the critical security parameter provides a sufficient level of trust to ensure that digital certificate generation is being performed in conjunction with a designated security token rather than a rogue application. Lastly, separate inventive embodiments allow alternate communications and verification arrangements to be implemented.

Citations

33 Claims

1. A method for issuing a trustworthy digital certificate comprising the steps of:
- a. performing at least one security transaction between a security token and at least a registration authority which at least confirms that a pre-established critical security parameter is operatively stored within said security token, b. operatively storing a PKI key pair inside said security token, and c. responsively returning a public key associated with said PKI key pair from said security token to at least said registration authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 33)
- - 2. The method according to claim 1 further including the step of generating an entity specific digital certificate which incorporates said public key.
  - 3. The method according to claim 2 further including the step of operatively storing said entity specific digital certificate in at least said security token.
  - 4. The method according to claim 1 wherein said PKI key pair is generated externally to said security token.
  - 5. The method according to claim 1 wherein said PKI key pair is generated internally by said security token.
  - 6. The method according to claim 1 wherein said at least one security transaction comprises a challenge/response protocol, a keyed hashed message authentication code, a digital signature or a combination thereof.
  - 7. The method according to claim 2 wherein generating said entity specific digital certificate is performed by a certificate authority.
  - 8. The method according to claim 7 wherein said certificate authority and said registration authority are separate entities.
  - 9. The method according to claim 7 wherein said certificate authority and said registration authority is a unified entity.
  - 10. The method according to claim 1 further including the step of generating a secure end-to-end communications channel between said security token and said registration authority.
  - 11. The method according to claim 10 wherein said asymmetric secure end-to-end communications channel incorporates an APDU communications pipe.
  - 12. The method according to claim 1 wherein said at least one security transaction incorporates said critical security parameter.
  - 33. A computer program product embodied in a tangible form readable by a processor to perform the steps of claim 1 or 13.

13. A method for issuing a trustworthy digital certificate comprising the steps of:
- a. sending a first command from a registration authority to a security token which causes a PKI key pair to be operatively installed inside said security token, b. enciphering at least a second command using a critical security parameter associated with said security token by said registration authority forming a cryptogram, c. sending said cryptogram to said security token, d. deciphering said cryptogram using a pre-established critical security parameter operatively stored inside said security token, and e. returning to at least said registration authority at least one datagram derived from said cryptogram.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method according to claim 13 wherein said at least a second command includes a sign command.
  - 15. The method according to claim 14 wherein said at least one datagram includes a public key associated with said PKI key pair and a digital signature of said public key.
  - 16. The method according to claim 15 further including the step of verifying said digital signature by at least said registration authority.
  - 17. The method according to claim 13 wherein said at least a second command includes a retrieve public key command.
  - 18. The method according to claim 17 further including the step of incorporating a public key associated with said PKI key pair into said at least one datagram by said security token.
  - 19. The method according to claim 15, 16 or 18 further including the steps of;
    - a. enciphering said at least one datagram using said pre-established critical security parameter by said security token, b. deciphering said at least on datagram using said critical security parameter by at least said registration authority,
  - 20. The method according to claim 19 further including the steps of;
    - a. generating an entity specific digital certificate which incorporates said public key, and b. operatively storing said entity specific digital certificate in at least said security token.

21. A system for issuing a trustworthy digital certificate comprising:
- a security token functionally coupled to a computer system and in processing communications with at least a registration authority via said computer system wherein said security token is adapted to at least operatively store a PKI key pair and perform at least one security transaction which incorporates at least a pre-established critical security parameter;
  
  a computer system adapted to at least receive input from an entity, initiate a digital certification generation process between said security token and said at least a registration authority and exchange communications between said security token and said least at least a registration authority; and
  
  a registration authority adapted to at least cause said PKI key pair to be stored in said security token, cause said security token to perform said at least one security transaction and confirm that said pre-established critical security parameter is operatively stored within said security token.
- View Dependent Claims (22, 23, 24)
- - 22. The system according to claim 21 wherein said security token is further adapted to send a public key associated with said PKI key pair to at least said registration authority and operatively store a digital certificate which incorporates said public key.
  - 23. The system according to claim 22 wherein said registration authority is further adapted to cause said digital certificate to be generated and cause said digital certificate to be operatively stored by said security token.
  - 24. The system according to claim 21 wherein said at least one security transaction comprises a challenge/response protocol, a keyed hashed message authentication code, a digital signature or a combination thereof.

25. A system for issuing a trustworthy digital certificate comprising:
- a security token including;
  
  a token processor, a token memory coupled to said token processor, a pre-established critical security parameter operatively stored in at least a portion of said token memory, and one or more token applications operatively stored in a second portion of said token memory having instructions executable by said token processor to at least;
  
  operatively store a PKI key pair in a third portion of said token memory, and perform at least one security transaction which incorporates at least said pre-established critical security parameter. a local computer system including;
  
  a computer processor, a computer memory coupled to said computer processor, a token interface coupled to said computer processor and operative to functionally couple said security token to said computer system, a computer communications interface coupled to said computer processor and operative to facilitate communications with at least a registration authority, and one or more computer applications operatively stored in a portion of said computer memory having instructions executable by said computer processor to at least;
  
  initiate a digital certification generation process between said security token and said registration authority, exchange communications between said security token and at least a registration authority; and
  
  a registration authority including;
  
  an authority processor, a authority memory coupled to said authority processor, a data store coupled to said authority processor, said data store including at least one critical security parameter associated with said pre-established critical security parameter, an authority communications interface coupled to said authority processor and operative to facilitate communications with at least said computer system, and one or more authority applications operatively stored in a portion of said authority memory having instructions executable by said authority processor to at least;
  
  cause said PKI key pair to be stored in said token memory, cause said security token to perform said at least one security transaction, and confirm that said pre-established critical security parameter is operatively stored within said security token.
- View Dependent Claims (26, 27, 28)
- - 26. The system according to claim 25 wherein said one or more token applications includes instructions executable by said token processor to send a public key associated with said PKI key pair to at least said registration authority and operatively store a digital certificate which incorporates said public key.
  - 27. The system according to claim 26 wherein said one or more authority applications further includes instructions executable by said authority processor to cause said digital certificate to be generated and cause said digital certificate to be operatively stored by said security token.
  - 28. The system according to claim 25 wherein said at least one security transaction comprises a challenge/response protocol, a keyed hashed message authentication code, a digital signature or a combination thereof.

29. A computer program product embodied in a tangible form readable by a first processing system having executable instructions stored thereon for causing said first processing system to;
- perform at least one security transaction with a security token which at least confirms that a pre-established critical security parameter is operatively stored within said security token, cause a PKI key pair to be operatively stored in said security token, and cause said security token to responsively return a public key associated with said PKI key pair from said security token.
- View Dependent Claims (30, 31, 32)
- - 30. The computer program product according to claim 29 further including the executable instructions for causing said first processing system to;
    - cause an entity specific digital certificate which incorporates said public key to be generated, and cause said entity specific digital certificate to be stored in at least said security token.
  - 31. The computer program product according to claim 29 wherein said tangible form includes magnetic media, optical media or logical media.
  - 32. The computer program product according to claim 29 wherein said executable instructions are stored in a code format including byte code, compiled, interpreted, compliable or interpretable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Assa Abloy AB
Inventors
Le Saint, Eric F.

Granted Patent

US 9,331,990 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 2221/2103   Challenge-response

G06F 2221/2115   Third party

G06F 2221/2153   Using hardware token as a s...

G06Q 20/38215   Use of certificates or encr...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/062   for key distribution, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/12   Applying verification of th...

H04L 9/006   involving public key infras...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247 : involving digital signatures

H04L 9/3263 : involving certificates, e.g...

H04L 9/3268 : using certificate validatio...

H04L 9/3271 : using challenge-response

View All

Trusted and unsupervised digital certificate generation using a security token

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted and unsupervised digital certificate generation using a security token

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links