PROXY SYSTEM FOR SECURITY PROCESSING WITHOUT ENTRUSTING CERTIFIED SECRET INFORMATION TO A PROXY

US 20130086378A1
Filed: 09/28/2012
Published: 04/04/2013
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A security processing proxy system, wherein a proxy server which acts for a first communication unit to conduct security processing with a second communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme,said first communication unit holding a public key of said first communication unit certified by a certification authority on a public key infrastructure (PKI) as well as a secret key of said first communication unit or its own secret information as a public key certificate of said first communication unit,said first communication unit comprising:

a delegation information generator using the secret information of said first communication unit to generate delegation information required for the security processing; and

a delegation information notifier supplying the delegation information to said proxy server,said proxy server comprising;

a delegation information acquirer acquiring the delegation information from said first communication unit; and

a security processing proxy transmitting the delegation information to said second communication unit to perform the security processing with said second communication unit,said second communication unit comprising;

a receiver receiving the delegation information from said proxy server; and

a security processor using a certification authority public key held for verifying the public key certificate as being issued by the certification authority on the PKI to certify that the delegation information is generated by said first communication unit to thereby carryout the security processing with said proxy server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

First communication units use a public key thereof certified by a certification authority on a PKI (Public Key Infrastructure), which is held by the first communication units in advance, and a secret key of the first communication units or delegation information generated by using secret information, as public key certificate, of the first communication units to thereby allow a proxy server to perform security processing, i.e. key exchange processing, authentication processing or processing for providing compatibility of encryption schemes, between the first communication units and a second communication unit on behalf of the first communication units.

Citations

23 Claims

1. A security processing proxy system, wherein a proxy server which acts for a first communication unit to conduct security processing with a second communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme,said first communication unit holding a public key of said first communication unit certified by a certification authority on a public key infrastructure (PKI) as well as a secret key of said first communication unit or its own secret information as a public key certificate of said first communication unit,said first communication unit comprising:
- a delegation information generator using the secret information of said first communication unit to generate delegation information required for the security processing; and
  
  a delegation information notifier supplying the delegation information to said proxy server,said proxy server comprising;
  
  a delegation information acquirer acquiring the delegation information from said first communication unit; and
  
  a security processing proxy transmitting the delegation information to said second communication unit to perform the security processing with said second communication unit,said second communication unit comprising;
  
  a receiver receiving the delegation information from said proxy server; and
  
  a security processor using a certification authority public key held for verifying the public key certificate as being issued by the certification authority on the PKI to certify that the delegation information is generated by said first communication unit to thereby carryout the security processing with said proxy server.
- View Dependent Claims (2, 3)
- - 2. The security processing proxy system in accordance with claim 1, wherein said delegation information generator generates delegation information including information about a term of validity,said security processor deriving the information about the term of validity from the delegation information to determine whether or not the delegation information is valid to thereby carry out the security processing with said proxy server.
  - 3. The security processing proxy system in accordance with claim 1, wherein the delegation information includes:
    - (1) an entrust public key and/or an entrust secret key generated by said delegation information generator in conformity with an appropriate public key cryptographic algorithm;
      
      (2) an entrust public key certificate produced by said delegation information generator by attaching a signature with the secret key of said first communication unit; and
      
      (3) a public key certificate of said first communication unit,said security processor;
      
      deriving from the delegation information received by means of a receiver the entrust public key, the entrust secret key, the entrust public key certificate and the public key certificate of said first communication unit;
      
      using the held certification authority public key to certify the public key certificate of said first communication unit, thereby acquiring the public key of said first communication unit; and
      
      using the public key of said first communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is generated by said first communication unit.

4. A security processing proxy system, wherein a proxy server which acts for a first communication unit to conduct security processing with a second communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of encryption schemes,said first communication unit holding a public key of said first communication unit certified by a certification authority on a public key infrastructure (PKI), a secret key of said first communication unit and a public key certificate of said first communication unit as well as a certification authority public key for verifying the public key certificate as being issued by the certificate authority on the PKI,said first communication unit comprising:
- a receiver receiving from said proxy server the public key certificate of said proxy server certified by the certification authority on the PKI;
  
  a delegation information generator using the certification authority public key to verify the public key certificate of said proxy server to thereby acquiring the public key of said proxy server,said delegation information generator producing an entrust public key certificate for certifying that the public key of said proxy server is signed by the secret key of said first communication unit,said delegation information generator using the entrust public key certificate and the public key certificate of said first communication unit to generate delegation information necessary for the security processing; and
  
  a delegation information notifier sending the delegation information to said proxy server,said proxy server comprising;
  
  a delegation information acquirer acquiring the delegation information from said first communication unit; and
  
  a security processing proxy transmitting the delegation information to said second communication unit to perform the security processing with said second communication unit,said second communication unit comprising;
  
  a receiver receiving the delegation information from said proxy server; and
  
  a security processor using the certification authority public key acquired beforehand for verifying the public key certificate as being issued by the certification authority on the PKI to certify that the delegation information is generated by said first communication unit to thereby carry out the security processing with said proxy server.
- View Dependent Claims (5, 6)
- - 5. The security processing proxy system in accordance with claim 4, whereinsaid delegation information generator generates delegation information including information about a term of validity,said security processor deriving the information about the term of validity from the delegation information to determine whether or not the delegation information is valid to thereby carry out the security processing with said proxy server.
  - 6. The security processing proxy system in accordance with claim 4, wherein said security processor uses the certification authority public key to verify the public key certificate of said first communication unit and the entrust public key certificate to thereby acquire the public key of said first communication unit and the public key of said proxy server,said security processor using the public key of said first communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is produced by said first communication unit.

7. A communication unit which permits a proxy server to act for said communication unit to conduct security processing with another communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme, whereinsaid communication unit holding a public key of said communication unit certified by a certification authority on a public key infrastructure (PKI) as well as a secret key of said communication unit or its own secret information as a public key certificate of said communication unit,said communication unit comprising:
- a delegation information generator using the secret information of said communication unit to generate delegation information required for the security processing; and
  
  a delegation information notifier supplying the delegation information to said proxy server.
- View Dependent Claims (8)
- - 8. The communication unit in accordance with claim 7, wherein said delegation information generator generates delegation information that includes information on a term of validity.

9. A communication unit which permits a proxy server to act for said communication unit to conduct security processing with another communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme, whereinsaid communication unit holding a public key of said communication unit certified by a certification authority on a public key infrastructure (PKI), a secret key of said communication unit and a public key certificate of said communication unit as well as a certification authority public key to be used for certifying the public key certificate as being issued by the certificate authority on the PKI,said communication unit comprising:
- a receiver receiving from said proxy server the public key certificate of said proxy server certified by the certification authority on the PKI;
  
  a delegation information generator using the certification authority public key to verify the public key certificate of the proxy server to thereby acquire the public key of the proxy server,said delegation information generator producing an entrust public key certificate for certifying that the public key of said proxy server is signed by the secret key of said communication unit,said delegation information generator using the entrust public key certificate and the public key certificate of said communication unit to generate delegation information necessary for the security processing; and
  
  a delegation information notifier sending the delegation information to said proxy server.
- View Dependent Claims (10)
- - 10. The communication unit in accordance with claim 9, wherein said delegation information generator generates delegation information that includes information on a term of validity.

11. A proxy server for performing proxy of security processing on an encrypted communication between a first communication unit and another communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme, said proxy server comprising:
- a delegation information acquirer acquiring from the first communication unit delegation information necessary for performing the security processing; and
  
  a security processing proxy transmitting the delegation information to the other communication unit to conduct the security processing with the other communication unit.
- View Dependent Claims (12)
- - 12. The proxy server in accordance with claim 11, wherein said proxy server holds a public key of said proxy server which is certified by a certification authority on a public key infrastructure (PKI), a secret key of said proxy server and a public key certificate of said proxy server,said proxy server comprising a transmitter transmitting the public key certificate of said proxy server to the first communication unit.

13. A communication unit for performing security processing with a proxy server, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme, said communication unit comprising:
- a receiver receiving delegation information from the proxy server; and
  
  a security processor using a certification authority public key held for verifying a public key certificate as being issued by a certification authority on a public key infrastructure (PKI) to verify that the delegation information is produced by another communication unit to thereby carry out the security processing with the proxy server.
- View Dependent Claims (14, 15)
- - 14. The communication unit in accordance with claim 13, wherein the delegation information includes:
    - (1) an entrust public key and/or an entrust secret key generated by a delegation information generator in conformity with an appropriate public key cryptographic algorithm;
      
      (2) an entrust public key certificate produced by the delegation information generator by attaching a signature with the secret key of the other communication unit; and
      
      (3) a public key certificate of the other communication unit,said security processor;
      
      deriving from the delegation information received by means of a receiver the entrust public key, the entrust secret key, the entrust public key certificate and the public key certificate of the other communication unit;
      
      using the held certification authority public key to certify the public key certificate of the other communication unit, thereby acquiring the public key of the other communication unit; and
      
      using the public key of the other communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is generated by the other communication unit.
  - 15. The communication unit in accordance with claim 13, whereinsaid security processor uses the certification authority public key to verify the public key certificate of the other communication unit and the entrust public key certificate to thereby acquire the public key of the other communication unit and the public key of the proxy server,said security processor using the public key of the other communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is produced by the other communication unit.

16. A non-transitory computer-readable medium on which is stored a communication program for having a computer operate as a communication unit which allows a proxy server to perform proxy of security processing with another communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme, whereinthe computer is arranged to hold a public key of said communication unit certified by a certification authority on a public key infrastructure (PKI) as well as a secret key of said communication unit or secret information as a public key certificate of said communication unit,said program controlling the computer to function as using the secret information of said communication unit to generate delegation information required for the security processing, and supplying the delegation information to the proxy server.
- View Dependent Claims (17)
- - 17. The communication program in accordance with claim 16, wherein the program produces delegation information including information on a term of validity.

18. A non-transitory computer-readable medium on which is stored a program for having a computer operate as a communication unit which allows a proxy server to perform proxy of security processing with another communication unit, the security processing including key exchange processing, authentication processing or processing for providing compatibility of an encryption scheme, whereina computer is arranged to hold a public key of said communication unit certified by a certification authority on a public key infrastructure (PKI), a secret key of said communication unit and a public key certificate of said communication unit as well as a certification authority public key to be used for certifying the public key certificate as being issued by the certificate authority on the PKI,said program controlling the computer to function as:
- receiving from the proxy server the public key certificate of the proxy server certified by the certification authority on the PKI;
  
  using the certification authority public key to verify the public key certificate of the proxy server to thereby acquire the public key of the proxy server;
  
  producing an entrust public key certificate for certifying that the public key of the proxy server is signed by the secret key of said communication unit;
  
  using the entrust public key certificate and the public key certificate of said communication unit to generate delegation information necessary for the security processing; and
  
  sending the delegation information to the proxy server.

19. A non-transitory computer-readable medium on which is stored a program for having a computer operate as a proxy server performing a proxy operation of security processing to be conducted between a first communication unit and another communication unit in an encrypted communication, the security processing including key exchange processing, authentication processing or processing for providing compatibility of encryption scheme, whereinsaid program controls the computer to function as acquiring delegation information required for the security processing from the first communication unit and transmitting the delegation information to the other communication unit to thereby perform the security processing with the other communication unit.
- View Dependent Claims (20)
- - 20. The computer-readable medium in accordance with claim 19, wherein the program controls the computer to further function as holding an own proxy server public key of the proxy server certified by a certification authority on a public key infrastructure (PKI), a proxy server secret key and a proxy server public key certificate, and supplying the proxy server public key certificate to the first communication unit.

21. A non-transitory computer-readable medium on which is stored a program for having a computer operate as a communication unit for conducting security processing with a proxy server, the security processing including key exchange processing, authentication processing or processing for providing compatibility of encryption scheme, whereinsaid program controls the computer to function as acquiring delegation information from the proxy server, using a certification authority public key held for verifying a public key certificate as being issued by a certification authority on a public key infrastructure (PKI) to certify that the delegation information is generated by another communication unit to thereby carryout the security processing with the proxy server.
- View Dependent Claims (22, 23)
- - 22. The computer-readable medium in accordance with claim 21, wherein the delegation information includes:
    - (1) an entrust public key and/or an entrust secret key generated by the delegation information generator in conformity with an appropriate public key cryptographic algorithm;
      
      (2) an entrust public key certificate produced by the delegation information generator by attaching a signature with the secret key of the other communication unit; and
      
      (3) a public key certificate of the other communication unit,said program controlling the computer to function as;
      
      deriving from the delegation information the entrust public key, the entrust secret key, the entrust public key certificate and the public key certificate of the other communication unit;
      
      using the held certification authority public key to certify the public key certificate of the other communication unit, thereby acquiring the public key; and
      
      using the public key of the other communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is generated by the other communication unit.
  - 23. The computer-readable medium in accordance with claim 21, wherein said program controls the computer to function as:
    - using the certification authority public key to verify the public key certificate of the other communication unit and the entrust public key certificate to thereby acquire the public key of the other communication unit and the public key of the proxy server; and
      
      using the public key of the other communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is generated by the other communication unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OKI Electric Industry Company Limited
Original Assignee
OKI Electric Industry Company Limited
Inventors
Yao, Taketsugu, Nakashima, Jun, Fukui, Kiyoshi

Granted Patent

US 9,729,311 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0884   by delegation of authentica...

H04L 9/006   involving public key infras...

PROXY SYSTEM FOR SECURITY PROCESSING WITHOUT ENTRUSTING CERTIFIED SECRET INFORMATION TO A PROXY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

PROXY SYSTEM FOR SECURITY PROCESSING WITHOUT ENTRUSTING CERTIFIED SECRET INFORMATION TO A PROXY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links