Encryption key exchange system and method
Abstract
The present invention is a computer-implemented key exchange system and methods for improving the usability of encryption technologies such as Public Key Infrastructure (PKI). One aspect of the present invention includes registering users, verifying user identity, and classifying users, such that users may send communications whose recipients can verify the identity and classification of the communication sender. Another aspect of the present invention includes users initiating relationships with other users, approving the establishment of relationships, and exchanging encryption keys between users after a relationship is established.
711 Citations
32 Claims
1. In a network including a key exchange system and a plurality of network devices, a computer-implemented communication sender verification method comprising:
- creating, in the key exchange system, a user account for a communication sender, the user account storing user identification information, user authentication criteria and user indicia;
- verifying, by at least one of an administrative user of the key exchange system and a certificate authority and a third party application, that the user identification information associated with the user account identifies the communication sender;
- specifying, by at least one of an administrative user of the key exchange system and a certificate authority and a third party application, a classification of the communication sender and associating the classification with the user account;
- preferably associating a certificate for generating encryption key pairs to the user account;
- associating the private key of a key pair to a network device of the communication sender;
- associating, to the user account of the communication sender on the key exchange system, the public key of a key pair;
- receiving, from a network device of a communication recipient, a request for at least one public key and user indicia associated to at least one user account; and
- transmitting, to the network device of the communication recipient, at least one public key and user indicia associated to at least one user account.
Dependent claims: 2, 3, 4, 5
6. In a network including a key exchange server and a plurality of network devices, a network device of a communication sender comprising:
- a network interface for facilitating network communication, preferably facilitating communication using a secure communication protocol;
- a processor for executing and a program memory for storing therein:
  - user authentication logic for managing at least one of user authentication information and user authentication criteria to authenticate at least one user with the key exchange server;
  - signing logic for adding at least one attribute to a communication header and signing a communication with the private key of a key pair, wherein the key pair provides the communication recipient with a means of verifying, by a public key retrieved from the key exchange system, the identity of the communication sender and a classification of the communication sender; and
  - at least one of:
    - certificate requester logic for retrieving a certificate associated to a user account on the key exchange server, the certificate identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender;
    - private key requester logic for retrieving a private key of at least one key pair associated to a user account on the key exchange server, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender;
    - security zone indicia requester logic for retrieving security zone indicia from the key exchange server;
    - key generation logic for generating a key pair from a certificate, whereby the private key is stored in at least one of the data storage and the program memory of the network device and the public key is transmitted to the key exchange server and associated to a user account on the key exchange server, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender;
    - key rotation logic for invoking the key generation logic automatically on a periodic basis; and
- a communication application capable of invoking signing logic to sign a communication with the private key of a key pair, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender.
Dependent claims: 7, 8, 9, 10
11. In a network including a key exchange server and a plurality of network devices, a network device of a communication recipient comprising:
- a network interface for facilitating network communication, preferably facilitating communication using a secure communication protocol;
- a processor for executing and a program memory for storing therein:
  - verifying logic for verifying a communication with the public key of a key pair retrieved from the key exchange server, wherein the key pair provides the communication recipient with a means of verifying a communication sender, the user indicia of the communication sender and a classification of the communication sender;
  - sender verification panel logic for presenting to the communication recipient a sender verification panel in juxtaposition to a verified communication, the sender verification panel presenting the identity of the communication sender, the user indicia of the communication sender and the classification of the communication sender; and
  - at least one of:
    - public key requester logic for retrieving at least one public key of at least one key pair associated to a user account on the key exchange server, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender;
    - security zone indicia requester logic for retrieving security zone indicia from the key exchange server;
    - key rotation logic for invoking the public key requester logic automatically on a periodic basis; and
- a communication application capable of invoking verifying logic to verify a communication with the public key of a key pair, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender.
Dependent claims: 12, 13, 14, 15, 16, 17, 18
19. In a network including a key exchange system and a plurality of network devices, a computer-implemented server verification method comprising:
- creating, in the key exchange system, a user account for a server provider, the user account storing server identification information, user authentication criteria and preferably user indicia;
- verifying, by at least one of an administrative user of the key exchange system and a certificate authority, that the server identification information associated with the user account identifies a server of the server provider;
- specifying, by at least one of an administrative user of the key exchange system and a certificate authority, a classification of the server provider and associating the classification with the user account;
- preferably associating a certificate for generating encryption key pairs to the user account;
- associating the first key of a key pair to a server of the server provider;
- associating, to the user account of the server provider on the key exchange system, the second key of a key pair;
- receiving, from a communication application of a network device, a request for at least one second key and preferably user indicia associated to at least one user account; and
- transmitting, to the communication application of the network device, at least one second key and preferably user indicia of at least one user account.
Dependent claims: 20, 21
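The registration, administrator verification, key publication and signed-message flow of claims 1, 6 and 11 (claim 19 is the same pattern applied to a server rather than a user), as an added example that is not part of the patent or of any product implementing it. It stands in for the key exchange system with an in-memory Go map and uses Ed25519 from the standard library; the account names, indicia, classification labels, header format and the `Register`/`AdminVerify`/`PublishPublicKey`/`Lookup` API are assumptions for illustration. The point worth keeping is that the classification shown in the sender verification panel comes from the server record the recipient fetched, never from anything in the message header, so a sender cannot self-assert a classification, and a key is published only after the administrator step has run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Account is the server's record for one sender; Verified and Classification
// are set only by the administrator / CA step, never by the sender's device.
type Account struct {
	UserID, Indicia, Classification string
	Verified                        bool
	PublicKey                       ed25519.PublicKey
}

// KeyExchangeServer is an in-memory stand-in for the claimed key exchange system.
type KeyExchangeServer struct{ accounts map[string]*Account }

func NewKeyExchangeServer() *KeyExchangeServer {
	return &KeyExchangeServer{map[string]*Account{}}
}

// Register creates the account with the sender's indicia (e.g. name and organisation).
func (s *KeyExchangeServer) Register(userID, indicia string) {
	s.accounts[userID] = &Account{UserID: userID, Indicia: indicia}
}

// AdminVerify confirms the identity and specifies the classification (labels are hypothetical).
func (s *KeyExchangeServer) AdminVerify(userID, classification string) error {
	a, ok := s.accounts[userID]
	if !ok {
		return errors.New("no such account")
	}
	a.Verified, a.Classification = true, classification
	return nil
}

// PublishPublicKey binds the public half of a device-generated pair to a verified account.
func (s *KeyExchangeServer) PublishPublicKey(userID string, pub ed25519.PublicKey) error {
	a, ok := s.accounts[userID]
	if !ok || !a.Verified {
		return errors.New("account missing or not yet verified")
	}
	a.PublicKey = pub
	return nil
}

// Lookup answers the recipient's request for a public key and user indicia.
func (s *KeyExchangeServer) Lookup(userID string) (*Account, error) {
	if a, ok := s.accounts[userID]; ok && a.Verified && a.PublicKey != nil {
		return a, nil
	}
	return nil, errors.New("no verified account with a published key")
}

// SignedMessage carries the header attribute the signing logic adds (the sender id),
// the body and the signature. It carries no classification on purpose: the
// recipient takes that from the server record, never from the header.
type SignedMessage struct {
	Sender, Body string
	Sig          []byte
}

// signingInput binds the header attribute to the body under one signature.
func signingInput(sender, body string) []byte {
	return []byte("sender=" + sender + "\n\n" + body)
}

// Sign is the sender device's signing logic (claim 6).
func Sign(priv ed25519.PrivateKey, sender, body string) SignedMessage {
	return SignedMessage{sender, body, ed25519.Sign(priv, signingInput(sender, body))}
}

// VerificationPanel is what the recipient's sender verification panel shows (claim 11).
type VerificationPanel struct{ Sender, Indicia, Classification string }

// Verify is the recipient device's verifying logic: fetch the published key and
// indicia, check the signature, then build the panel only from server-held data.
func Verify(s *KeyExchangeServer, m SignedMessage) (VerificationPanel, error) {
	acct, err := s.Lookup(m.Sender)
	if err != nil {
		return VerificationPanel{}, err
	}
	if !ed25519.Verify(acct.PublicKey, signingInput(m.Sender, m.Body), m.Sig) {
		return VerificationPanel{}, errors.New("signature invalid")
	}
	return VerificationPanel{acct.UserID, acct.Indicia, acct.Classification}, nil
}

func main() {
	srv := NewKeyExchangeServer()
	srv.Register("alice", "Alice Example, Treasury") // constructed sample account
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_ = srv.AdminVerify("alice", "employee")
	_ = srv.PublishPublicKey("alice", pub)
	msg := Sign(priv, "alice", "Please approve invoice 4711.")
	fmt.Println(Verify(srv, msg))
	msg.Body += " Wire it to the new account." // tampered in transit
	fmt.Println(Verify(srv, msg))
}
```

The key rotation logic of claims 6 and 11 maps onto calling `PublishPublicKey` with a fresh pair on a schedule on the sender side and re-running `Lookup` rather than caching the key indefinitely on the recipient side; a recipient that caches forever keeps accepting a key the sender has already rotated away from.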
22. In a network including a key exchange system and a plurality of network devices, a computer-implemented key exchange method comprising:
- receiving, at the key exchange system, user registration information from a first network device;
- creating, in the key exchange system, a user account, the user account storing user authentication criteria;
- generating a unique user identifier for the user account;
- associating the unique user identifier to the user account;
- transmitting the unique user identifier to the first network device;
- receiving, at the key exchange system, a request from a second network device of a first user to establish a relationship with a second user, the request including first user authentication information and first user authentication criteria associated with a first user account and the user identifier of the second user;
- authenticating the first user request as a request from the first user using the first user authentication criteria and the first user authentication information prior to processing the request;
- establishing a link between the first user account and the second user account on the key exchange system, the link including a time of the request from the first network device and an approval status;
- determining whether the request of the first user to establish a relationship with the second user satisfies a second user approval criteria;
- associating one key of an encryption key pair to the link, whereby the key enables the first user to at least one of sign and encrypt a communication intended for the second user; and
- transmitting, from the key exchange system to the second network device, the key associated with the link, the key enabling the first user to at least one of encrypt and sign a communication intended for the second user.
Dependent claims: 23, 24, 25
26. In a network including a key exchange server, a network device comprising:
- data storage for storing encryption keys;
- a network interface facilitating communication with the key exchange server; and
- a communication application, wherein the communication application is programmed to at least one of:
  - send, from the communication application to the key exchange system, a request from a first user to establish a relationship with a second user, the request including first user authentication information associated with a first user account on the key exchange system and the user identifier of the second user of the key exchange system;
  - respond to the establishment of a relationship on the key exchange system initiated by the first user with the second user by storing, in the network device, the first key of an asymmetric key pair, the first key facilitating at least one of secured and authenticated communication with the second user, where the network device or communication application generates the asymmetric key pair;
  - respond to the establishment of a relationship on the key exchange system initiated by the first user with the second user by transmitting the second key of an asymmetric key pair to the key exchange system, wherein it is stored in a link record associated to the first user and the second user in the key exchange system;
  - respond to the establishment of a relationship on the key exchange system initiated by the second user with the first user by retrieving from the key exchange system and storing in the network device the second key of an asymmetric key pair, the second key facilitating at least one of secured and authenticated communication with the second user;
  - identify the first user as a sender of a communication and identify the second user as the addressee of a communication, select an encryption key associated to the first user and the second user, and at least one of sign and encrypt the communication with the selected encryption key; and
  - identify the first user as the addressee of a communication and identify the second user as the sender of a communication, select an encryption key associated to the first user and the second user, and at least one of verify and decrypt the communication with the selected encryption key.
Dependent claims: 27, 28, 29
30. In a network including a key exchange server, a network appliance and a client application, a computer-implemented key exchange method comprising:
- presenting in the user interface of the client application, to an authenticated user of the client application, a means of at least one of initiating and approving a relationship between the first user of the key exchange system and a second user of the key exchange system; and
- the client application at least one of initiating and approving a relationship between the first user of the key exchange system and the second user of the key exchange system by at least one of communicating directly with the key exchange system and communicating with a network appliance capable of communicating with the key exchange system.
Dependent claims: 31, 32
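The relationship flow of claims 22, 26 and 30, as an added example that is not the patent's own code or any product's: a requester is authenticated before the request is processed, the server records a link carrying the request time, an approval status and the requester's public key, and that key is released to the other party only once the target's approval criteria are met, whether automatically or by an explicit approval that is itself authenticated. The server is again an in-memory Go stand-in with Ed25519 from the standard library; the `Register`/`RequestRelationship`/`Approve`/`KeyForLink` API, the reduction of "approval criteria" to one auto-approve flag, the plain-text secrets and the user names are assumptions. The device-side key selection of claim 26 is the same `(requester, target)` lookup the server does on its `links` map, performed by the device on the private keys it kept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Link is the relationship record of claim 22: who asked whom, when, whether
// the target's approval criteria are met, and the requester's public key.
type Link struct {
	Requester, Target string
	RequestedAt       time.Time
	Approved          bool
	RequesterPub      ed25519.PublicKey
}

type user struct {
	secret      []byte // authentication criteria; a real server stores a password hash
	autoApprove bool   // approval criteria, reduced to one flag for the example
}

// LinkServer is an in-memory stand-in for the key exchange system.
type LinkServer struct {
	users map[string]*user
	links map[[2]string]*Link // keyed by (requester, target)
}

func NewLinkServer() *LinkServer {
	return &LinkServer{map[string]*user{}, map[[2]string]*Link{}}
}

func (s *LinkServer) Register(id, secret string, autoApprove bool) {
	s.users[id] = &user{[]byte(secret), autoApprove}
}

func (s *LinkServer) authenticate(id, secret string) error {
	u, ok := s.users[id]
	if !ok || subtle.ConstantTimeCompare(u.secret, []byte(secret)) != 1 {
		return errors.New("authentication failed")
	}
	return nil
}

// RequestRelationship authenticates the requester before processing the
// request, then stores the link; it starts approved only if the target allows that.
func (s *LinkServer) RequestRelationship(from, secret, to string, pub ed25519.PublicKey, now time.Time) error {
	if err := s.authenticate(from, secret); err != nil {
		return err
	}
	t, ok := s.users[to]
	if !ok {
		return errors.New("no such user")
	}
	s.links[[2]string{from, to}] = &Link{from, to, now, t.autoApprove, pub}
	return nil
}

// Approve is the target accepting a pending request (claim 30); the approver is authenticated too.
func (s *LinkServer) Approve(to, secret, from string) error {
	if err := s.authenticate(to, secret); err != nil {
		return err
	}
	if l, ok := s.links[[2]string{from, to}]; ok {
		l.Approved = true
		return nil
	}
	return errors.New("no pending request")
}

// KeyForLink is the target device's retrieval: the key bound to a link is released only once approved.
func (s *LinkServer) KeyForLink(from, to string) (ed25519.PublicKey, error) {
	if l, ok := s.links[[2]string{from, to}]; ok && l.Approved {
		return l.RequesterPub, nil
	}
	return nil, errors.New("relationship not established")
}

func main() {
	srv := NewLinkServer()
	srv.Register("alice", "a-pw", true) // constructed sample users
	srv.Register("bob", "b-pw", false)  // bob approves requests manually
	// alice's device generates a pair for this relationship and keeps the private half
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(srv.RequestRelationship("alice", "wrong", "bob", pub, time.Now()))
	fmt.Println(srv.RequestRelationship("alice", "a-pw", "bob", pub, time.Now()))
	_, err := srv.KeyForLink("alice", "bob")
	fmt.Println("before approval:", err)
	fmt.Println(srv.Approve("bob", "b-pw", "alice"))
	bobsCopy, _ := srv.KeyForLink("alice", "bob")
	sig := ed25519.Sign(priv, []byte("hi bob")) // alice signs with the link's private key
	fmt.Println(ed25519.Verify(bobsCopy, []byte("hi bob"), sig))
}
```

Links here are directional: approving alice's request to bob releases alice's key to bob, but gives alice nothing of bob's until bob initiates (or a second key is bound) in the other direction, which is how claim 26 separates the "initiated by the first user" and "initiated by the second user" cases.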
Specification