METHOD FOR GENERATING A CERTIFICATE

US 20130318354A1
Filed: 06/10/2011
Published: 11/28/2013
Est. Priority Date: 06/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method for generating a certificate, comprising the following steps:

sending a transaction request for a user to carry out a transaction,checking whether the certificate is available on account of the sending of the transaction request, and, if this is not the case, executing the following steps;

generating an asymmetric key pair consisting of a private key and a public key via an ID token, wherein the ID token is associated with the user,storing the generated asymmetric key pair on the ID token, wherein at least the private key is stored in a protected memory area of the ID token,transmitting the generated public key to a first computer system, andgenerating the certificate via the first computer system for the public key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for generating a certificate for signing electronic documents by means of an ID token (106), having the following steps: —sending (201) a transaction request for a user to carry out a transaction, —as a result of the sending of the transaction request, a check is carried out as to whether the certificate (519) is available and if this is not the case, carrying out the following steps: generating (206) an asymmetrical key pair consisting of a private key and a public key using an ID token, said ID token (106) being assigned to the user; storing (207) the generated asymmetrical key pair on the ID token, wherein at least the private key is stored in a protected memory region of the ID token; transmitting (208; 509) the generated public key (518) to a first computer system, and generating (209) the certificate (519) by means of the first computer system for the public key.

98 Citations

View as Search Results

20 Claims

1. A method for generating a certificate, comprising the following steps:
- sending a transaction request for a user to carry out a transaction,checking whether the certificate is available on account of the sending of the transaction request, and, if this is not the case, executing the following steps;
  
  generating an asymmetric key pair consisting of a private key and a public key via an ID token, wherein the ID token is associated with the user,storing the generated asymmetric key pair on the ID token, wherein at least the private key is stored in a protected memory area of the ID token,transmitting the generated public key to a first computer system, andgenerating the certificate via the first computer system for the public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20)
- - 2. The method as claimed in claim 1, further comprising the following steps:
    - receiving data to be signed from a second computer system via a third computer system,signing the data to be signed with the private key via the ID token, andtransmitting the signed data from the ID token to the third computer system.
  - 3. The method as claimed in claim 1, wherein the user is authenticated to the ID token by inputting a first and a second PIN, wherein the first PIN is associated with the user and the second PIN can only be input once the first PIN has been input successfully.
  - 4. The method as claimed in claim 2, further comprising the following steps:
    - transmitting the public key from the ID token to the third computer system, wherein the public key can be transmitted as a component of the certificate,transmitting the signed data and the public key from the third computer system to the second computer system, wherein the public key can be transmitted as a component of the certificate, andchecking the signature of the signed data via the second computer system.
  - 5. The method as claimed in claim 1, further comprising the following step:
    - checking the presence of an already existing asymmetric key pair with associated valid certificate on the ID token via the first computer system,wherein the symmetric key pair and the certificate are only then produced if an existing asymmetric key pair with associated valid certificate is not already stored on the ID token.
  - 6. The method as claimed in claim 1, wherein at least one data value defines the validity of the produced certificate.
  - 7. The method as claimed in claim 6, wherein a signature request for signing the data to be signed is received, wherein the signing of the data to be signed is necessary to carry out the requested transaction, wherein the signature request is received as a response to the sending of the transaction request,wherein the signature request is sent from the second computer system to the third computer system,wherein the signature request contains the at least one data value, andwherein the at least one data value is specified by the second computer system.
  - 8. The method as claimed in claim 6, wherein the at least one data value is formed asa document number of an electronic document,an order number of the electronic document,an identifier of the operator of the second computer system, which sends the signature request,an identifier of the second computer system, which sends the signature request, or asa value, which is derived from the document number of the electronic document, the order number of the electronic document, the identifier of the operator of the second computer system, the identifier of the second computer system, or the content of the electronic document.
  - 9. The method as claimed in claim 6, wherein the at least one data value specifies the period of time during which the certificate is valid.
  - 10. The method as claimed in claim 1, wherein at least the public key is transmitted to the first computer system via a protected connection with end-to-end encryption between the ID token and the first computer system.
  - 11. The method as claimed in claim 10, further comprising the following steps:
    - authenticating the user to the ID token,authenticating the first computer system to the ID token,wherein, once the user and the first computer system have been successfully authenticated, the protected connection between the ID token and the first computer system is set up.
  - 12. The method as claimed in claim 1, wherein at least one attribute is stored in the ID token, further comprising the following step:
    - read access of the first computer system to the at least one attribute stored in the ID token to transmit the at least one attribute to the second computer system.
  - 20. A computer program product, particularly a computer-readable, non-volatile storage medium with executable program instructions for carrying out a method according to invention as claimed in claim 1.

13. An ID token, comprising:
- a key generation component capable of generating an asymmetric key pair consisting of a private key and a public key,a protected memory area for storing at least the generated private key,a user authentication component capable of authenticating a user to the ID token,a computer authentication component capable of authenticating a first computer system to the ID token, andgenerating a protected connection to the first computer system, wherein a command can be transmitted via the protected connection from the first computer system to generate an asymmetric key pair to the ID token, and wherein the public key can be transmitted via the protected connection from the ID token to the first computer system, wherein a necessary prerequisite for the generation of the asymmetric key pair and the transmission of the public key is the successful authentication of the user and of the first computer system to the ID token.
- View Dependent Claims (14, 15)
- - 14. The ID token as claimed in claim 13, further comprising an encrypting component capable of end-to-end encryption to generate the protected connection for a protected transmission at least of the public key to the first computer system.
  - 15. The ID token as claimed in claim 13, wherein the ID token is selected from the group including but not limited to an electronic appliance, a USB stick, a document, a value document, and a security document.

16. A computer system comprising:
- an authentication component capable of authenticating to an ID token,a key reading component capable of reading a public key via a network from the ID token, wherein a public key and a private key form an asymmetric key pair, and wherein the asymmetric key pair is associated with a user,a first receiver component capable of receiving a data value from a second computer system, anda generation component capable of generating a certificate for the public key, wherein the validity of the certificate is determined by the received data value, and wherein the certificate is associated with the user.
- View Dependent Claims (17, 18, 19)
- - 17. The computer system as claimed in claim 16, further comprising:
    - a reader component capable of reading at least one attribute stored in the ID token to transmit the at least one attribute to the second computer system.
  - 18. The computer system as claimed in claim 16, further comprising:
    - a second receiver component capable of receiving a request by the second computer system to block the certificate, anda blocking component capable of blocking the certificate once it has been checked that the request originates from an authority that is associated with the certificate as the owner thereof.
  - 19. The computer system as claimed in claim 16, further comprising:
    - a second receiver component capable of receiving a request from the second computer system to check the validity of the certificate, wherein the request contains at least the public key,a validity check component capable of checking the validity of the certificate, anda send component capable of sending the result of the check to the second computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bundesdruckerei GmbH (Government of Germany)
Original Assignee
Bundesdruckerei GmbH (Government of Germany)
Inventors
Entschew, Enrico, Wirth, Klaus-Dieter

Granted Patent

US 9,596,089 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/175
CPC Class Codes

G06F 21/645   using a third party

G06F 2221/2103   Challenge-response

G06F 2221/2153   Using hardware token as a s...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

METHOD FOR GENERATING A CERTIFICATE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR GENERATING A CERTIFICATE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links