System and Method for Distributed Security
Abstract
A security architecture in which a security module is integrated in a client machine, wherein the client machine includes a local host that is untrusted. The security module performs encryption and decryption algorithms, authentication, and public key processing. The security module also includes separate key caches for key encryption keys and application keys. A security module can also interface a cryptographic accelerator through an application key cache. The security module can authorize a public key and an associated key server. That public key can subsequently be used to authorize additional key servers. Any of the authorized key servers can use their public keys to authorize the public keys of additional key servers. Secure authenticated communications can then transpire between the client and any of these key servers. Such a connection is created by a secure handshake process that takes place between the client and the key server. A time value can be sent from the key server to the client, allowing for secure revocation of keys. In addition, secure configuration messages can be sent to the security module.
17 Claims
1. A method for authorizing, at a client, a plurality of key servers, comprising the steps of:
a. determining whether a public key of a first key server is authorized;
b. determining whether a second key server requires authorization; and
c. if so, signing the public key of the second key server to authorize the second key server and the public key of the second key server, so that the public key of the first key server or the public key of the second key server can be used to authorize an additional key server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method of establishing an authenticated connection between a client and a key server through a handshake process that comprises the steps of:
a. generating a client random number;
b. saving a copy of the client random number in a security module;
c. sending the client random number to the key server;
d. receiving a server random number, a signed session public key, and a certificate from the key server;
e. sending the signed session public key to a security module;
f. verifying the signed session public key; and
g. verifying the handshake process.
Dependent claims: 12, 13, 14, 15, 16, 17
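The chained authorization of claim 1, sketched as an added example that is not taken from the patent: it assumes an already-authorized key server authorizes another by signing that server's public key, and it uses toy textbook RSA over known Mersenne primes (not secure) so that it runs on the standard library alone. `Client`, `authorize` and the key names are hypothetical.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes: illustration only, NOT secure.
E = 65537
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))

def make_key(p, q):  # returns (public, private) = ((n, e), (n, d))
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(pub, n):  # hash a public key to an integer below the signer's modulus
    data = f"{pub[0]}:{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, subject_pub):
    n, d = priv
    return pow(digest(subject_pub, n), d, n)

def verify(signer_pub, subject_pub, sig):
    n, e = signer_pub
    return pow(sig, e, n) == digest(subject_pub, n)

class Client:
    """Hypothetical client-side set of authorized key-server public keys."""
    def __init__(self, first_pub):
        self.authorized = {first_pub}
    def authorize(self, signer_pub, subject_pub, sig):
        # (a) the signing key must itself already be authorized
        if signer_pub not in self.authorized:
            return False
        # (b) a key that is already authorized needs no further work
        if subject_pub in self.authorized:
            return True
        # (c) accept the new key only with a valid signature over it
        if not verify(signer_pub, subject_pub, sig):
            return False
        self.authorized.add(subject_pub)
        return True

def demo():  # constructed keys; the rogue server is never authorized
    (ks1, p1), (ks2, p2) = make_key(M61, M89), make_key(M89, M107)
    (ks3, _), (rogue, pr) = make_key(M107, M127), make_key(M61, M127)
    client = Client(ks1)
    return [
        client.authorize(rogue, ks3, sign(pr, ks3)),  # unauthorized signer
        client.authorize(ks1, ks2, sign(p1, ks2)),    # first authorizes second
        client.authorize(ks2, ks3, sign(p2, ks3)),    # second authorizes third
        client.authorize(ks1, rogue, sign(p2, rogue)),  # signed by the wrong key
    ]
```

The rejected first and last calls show the two checks that keep the chain closed: a signature counts only if its signer is already in the authorized set, and only if it verifies under the signer the message names.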
Specification