Method and system for establishing a trust framework based on smart key devices
Abstract
A mechanism is provided for securing cryptographic functionality within a host system such that it may only be used when a system administrator physically allows it via a hardware security token. In addition, a hardware security unit is integrated into a data processing system, and the hardware security unit acts as a hardware certificate authority. The hardware security unit may be viewed as supporting a trust hierarchy or trust framework within a distributed data processing system. The hardware security unit can sign software that is installed on the machine that contains the hardware security unit. Server processes that use the signed software that is run on the machine can establish mutual trust relationships with the hardware security unit and amongst the other server processes based on their common trust of the hardware security unit.
61 Claims
1. A data processing system comprising:
a system unit including;
a processor for executing instructions in software modules; and
a first hardware security unit including;
means for storing a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair;
means for authenticating a software module; and
means for acting as a certificate authority to issue digital certificates to software modules; and
a first software module executable on the system unit including;
means for storing a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and
means for authenticating the hardware security unit.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
20. A method for performing cryptographic functions in a data processing system, the method comprising:
executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair;
performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and
issuing digital certificates by the hardware security unit to software modules.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40
41. A computer program product on a computer readable medium for use in a data processing system for performing cryptographic functions, the computer program product comprising:
means for executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair;
means for performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and
means for issuing digital certificates by the hardware security unit to software modules.
Dependent claims: 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61
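The cross-held key layout, mutual authentication and certificate issuance recited in claims 1, 20 and 41, as an added sketch that is not code from the patent. Assumptions: Ed25519 challenge-response and a signed name-plus-public-key body stand in for the algorithms and certificate format the claims leave open, and every type, function and constant name is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party holds its own private key and the peer's public key (cross-held layout).
type Party struct {
	priv    ed25519.PrivateKey
	peerPub ed25519.PublicKey
}

// Distinct prefixes keep a challenge response from doubling as a certificate.
const authCtx, certCtx = "auth-challenge\x00", "module-cert\x00"
// Respond proves possession of the private key by signing the peer's nonce.
func (p *Party) Respond(n []byte) []byte { return ed25519.Sign(p.priv, append([]byte(authCtx), n...)) }

// Challenge sends a fresh nonce and checks the reply with the stored peer key.
func (p *Party) Challenge(peer *Party) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	return ed25519.Verify(p.peerPub, append([]byte(authCtx), nonce...), peer.Respond(nonce))
}

// Issue: the HSU, acting as CA, signs name plus module key after mutual auth.
func Issue(hsu, mod *Party, name string) []byte {
	if !hsu.Challenge(mod) || !mod.Challenge(hsu) {
		return nil
	}
	return ed25519.Sign(hsu.priv, append([]byte(certCtx+name+"\x00"), hsu.peerPub...))
}
// VerifyCert is run by any process that trusts the HSU public key.
func VerifyCert(hsuPub, modPub ed25519.PublicKey, name string, cert []byte) bool {
	return ed25519.Verify(hsuPub, append([]byte(certCtx+name+"\x00"), modPub...), cert)
}
// NewPair generates both key pairs and cross-installs the public halves.
func NewPair() (hsu, mod *Party) {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{priv1, pub2}, &Party{priv2, pub1}
}
func main() {
	hsu, mod := NewPair()
	fmt.Println("valid:", VerifyCert(mod.peerPub, hsu.peerPub, "srv", Issue(hsu, mod, "srv")))
}
```

A module whose key pair was not provisioned into the hardware security unit fails the challenge, so `Issue` returns nil and no certificate exists for other processes to trust.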
Specification