System and Method for Sequential Data Signatures

US 20150295720A1
Filed: 04/11/2015
Published: 10/15/2015
Est. Priority Date: 04/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method for signing a digital message, comprising:

computing a password sequence comprising a plurality of passwords such that each respective password corresponds to an index unit;

receiving the message;

submitting a current request to a signature server, said current request being computed as a first function of the message and a current one of the passwords; and

if the request is approved, receiving from the signature server a current time-stamp for the current request and forming a signature for the message to include at least the current time-stamp.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital message is signed and, if a request is approved, receives a time stamp. The request is computed as a first function of the message and a current one of a sequence of passwords computed such that each password corresponds to an index unit. Each of the passwords may be computed as a function, such as a hash function, pseudo-random function, or encryption function, of the subsequent password, whereby the sequence terminates with an initial password that forms a public key parameter for the password sequence. At least one hash tree uses at least a subset of the passwords as inputs to a hash tree used to verify the passwords.

Citations

44 Claims

1. A method for signing a digital message, comprising:
- computing a password sequence comprising a plurality of passwords such that each respective password corresponds to an index unit;
  
  receiving the message;
  
  submitting a current request to a signature server, said current request being computed as a first function of the message and a current one of the passwords; and
  
  if the request is approved, receiving from the signature server a current time-stamp for the current request and forming a signature for the message to include at least the current time-stamp.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, further comprising computing each of the plurality of passwords as a second function of a respective subsequent password, said sequence terminating with an initial password that forms a public key parameter for the password sequence.
  - 3. The method of claim 2, in which the second function is a cryptographic hash function.
  - 4. The method of claim 1, further comprising computing each of the plurality of passwords as a pseudo-random function including, as at least one input parameter, a respective one of the index units.
  - 5. The method of claim 4, in which the pseudo-random function is a cryptographic hash function.
  - 6. The method of claim 4, in which the pseudo-random function is an encryption function.
  - 7. The method of claim 1, in which the current password is verified only if its position in the password sequence correctly corresponds to the index unit during which the current request is submitted, whereby the signature for the message is valid and verifiable only if the corresponding password used in the computation of the current request is verified.
  - 8. The method of claim 7, further comprising computing for the password sequence a verification hash tree comprising a plurality of leaf nodes and a single root node, such that the lowest-level leaf nodes include at least a subset of the passwords of the sequence in order, each node above the lowest-level nodes being computed as a hash of the values of two immediately lower-level nodes, and the uppermost node being the root node, which has a root hash value that forms a public key parameter for the password sequence.
  - 9. The method of claim 8, in which the current password is valid if, used as input to a lowest level node of the verification hash tree, and given sibling node values in the verification hash tree, re-computes upward through the verification hash tree to the root hash value.
  - 10. The method of claim 8, in which:
    - each of the plurality of passwords is computed as a function of the subsequent password; and
      
      the current password is valid if, as determined by backwards computation of the password sequence, it is in the correct index order relative to one of the subset of passwords in the password sequence that, used as input to a lowest level node of the verification hash tree, and given sibling node values in the verification hash tree, re-computes upward through the verification hash tree to the root hash value.
  - 11. The method of claim 8, further comprising:
    - generating a public key certificate including a client ID, identifying a client entity that submits the request, and a server ID, identifying a signature server authorized to receive requests from the client entity;
      
      along with the request, including the client ID; and
      
      whereby the time stamp is received only if the public key certificate has not been revoked for the client entity identified by the client ID.
  - 12. The method of claim 11, in which the signature further includes at least two of the values chosen from the group consisting of:
    - the client ID, a position indicator indicating the position of the current password in the password sequence, the current password, re-computation parameters enabling re-computation of the root hash value from the current password, and the time-stamp.
  - 13. The method of claim 7, further comprising revealing the current password only after verifying the corresponding signature, whereby the subsequent password in the password sequence is set as the current password for a subsequent request.
  - 14. The method of claim 13, further comprising estimating a response delay from the signature server and adjusting a validity time of the current password as a function of the estimated response delay.
  - 15. The method of claim 1, in which the index units are non-temporal.
  - 16. The method of claim 1, in which the index units are time units.
  - 17. The method of claim 1, in which the current password, after the signature is formed, forms a self-revocation notice to the signature server such that the current password can no longer be used to request another signature.
  - 18. The method of claim 1, further comprising:
    - dividing the password sequence into a plurality of validity time periods;
      
      for each time period, generating a respective secondary password sequence; and
      
      signing a public key parameter of each secondary password sequence using a respective one of the passwords in the password sequence.
  - 19. The method of claim 18, further comprising generating the respective secondary password in the sequence by applying a hash function recursively backwards from a respective final secondary password value until reaching an initial secondary password value.
  - 20. The method of claim 1, further comprising:
    - computing for the password sequence a verification hash tree comprising a plurality of leaf nodes and a single root node, such that the lowest-level leaf nodes include at least a subset of the passwords of the password sequence in order, each node above the lowest-level nodes being computed as a hash of the values of two immediately lower-level nodes, and the uppermost node being the root node, which has a root hash value;
      
      for each of a plurality of the passwords in the password sequence, computing a secondary password sequence such that each secondary password in the sequence is computed as a hash of a subsequent secondary password, each secondary password sequence terminating with an initial secondary password; and
      
      signing each initial secondary password with a respective one of the passwords in the password sequence.
  - 21. The method of claim 1, further comprising forming the signature by:
    - creating a digital input record including the message and current password;
      
      submitting the digital record as part of a request for digital signature to a hash tree-based, keyless signature infrastructure; and
      
      receiving from the signature infrastructure a digital signature for the digital record;
      
      in which the digital signature encodes a signature time; and
      
      in which a purported copy of the digital record is identical to the digital record only if iterative, pairwise hashing of the purported copy with sibling hash values within the digital signature leads to recomputation of a calendar value for a calendar period in which the digital signature was created, said calendar value being an uppermost current hash value of the hash tree-based, keyless signature infrastructure.
  - 22. The method of claim 1, further comprising:
    - submitting the message from a client server to a signature device (600) along with a corresponding index unit value; and
      
      receiving the request back to the client server from the signature device;
      
      said passwords being computed within the signature device, whereby the passwords remain unknown to the client server.

23. The method of claim 23, further comprising receiving from the signature device a hash chain corresponding to a hash tree computation path from at least a subset of the passwords to a verifying root value, said subset of passwords including previously used passwords and a current password, but only within a predetermined period relative to the submitted index unit value.

24. A system for signing a digital message, comprising:
- a processor;
  
  a memory;
  
  a password module comprising computer-executable code including instructions which, upon execution by the processor, cause the processorto compute a password sequence comprising a plurality of passwords such that each respective password corresponds to an index unit; and
  
  to compute a current request as a first function of a message (m) and a current one of the passwords;
  
  a certificate software module comprising computer-executable code including instructions which, upon execution by the processor, cause the processor to submit the current request to a signature server and, if the request is approved, to receive from the signature server a current time-stamp for the current request and forming a signature for the message to include at least the current time-stamp.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 25. The system of claim 24, in which the password module includes instructions causing the processor to compute each of the plurality of passwords as a second function of a respective subsequent password, said sequence terminating with an initial password that forms a public key parameter for the password sequence.
  - 26. The system of claim 25, in which the second function is a cryptographic hash function.
  - 27. The system of claim 24, in which the password module includes instructions causing the processor to compute each of the plurality of passwords as a pseudo-random function including, as at least one input parameter, a respective one of the index units.
  - 28. The system of claim 27, in which the pseudo-random function is a cryptographic hash function.
  - 29. The system of claim 27, in which the pseudo-random function is an encryption function.
  - 30. The system of claim 24, further comprising a verification module comprising computer-executable code including instructions which, upon execution by the processor, cause the processor to indicate that the current password is verified only if its position in the password sequence correctly corresponds to the index unit during which the current request is submitted, whereby the signature for the message is valid and verifiable only if the corresponding password used in the computation of the current request is verified.
  - 31. The system of claim 30, further comprising a hash tree module comprising computer-executable code including instructions which, upon execution by the processor, cause the processor to compute for the password sequence a verification hash tree comprising a plurality of leaf nodes and a single root node, such that the lowest-level leaf nodes include at least a subset of the passwords of the sequence in order, each node above the lowest-level nodes being computed as a hash of the values of two immediately lower-level nodes, and the uppermost node being the root node, which has a root hash value that forms a public key parameter for the password sequence.
  - 32. The system of claim 31, in which the current password is valid if, used as input to a lowest level node of the verification hash tree, and given sibling node values in the verification hash tree, re-computes upward through the verification hash tree to the root hash value.
  - 33. The system of claim 31, in whicheach of the plurality of passwords is computed as a function of the subsequent password;
    - andthe current password is valid if, as determined by backwards computation of the password sequence, it is in the correct index order relative to one of the subset of passwords in the password sequence that, used as input to a lowest level node of the verification hash tree, and given sibling node values in the verification hash tree, re-computes upward through the verification hash tree to the root hash value.
  - 34. The system of claim 31, in which the password module is further configured to generate a public key certificate including a client ID, identifying a client entity that submits the request, and a server ID, identifying a signature server authorized to receive requests from the client entity;
    - andto include the client ID along with the request; and
      
      whereby the time stamp is received only if the public key certificate has not been revoked for a client entity identified by the client ID.
  - 35. The system of claim 34, in which the signature module is provided to include, in the signature, at least two of the values chosen from the group consisting of:
    - the client ID, a position indicator indicating the position of the current password in the password sequence, the current password, re-computation parameters enabling re-computation of the root hash value from the current password, and the time-stamp.
  - 36. The system of claim 30, in which the current password is revealed only after verifying the corresponding signature, whereby the subsequent password in the password sequence is set as the current password for a subsequent request.
  - 37. The system of claim 36, further comprising estimating a response delay from the signature server and adjusting a validity time of the current password as a function of the estimated response delay.
  - 38. The system of claim 24, in which the index units are non-temporal.
  - 39. The system of claim 24, in which the index units are time units.
  - 40. The system of claim 24, in which the current password, after the signature is formed, forms a self-revocation notice to the signature server such that the current password can no longer be used to request another signature.
  - 41. The system of claim 24, in which:
    - the password sequence is divided into a plurality of validity time periods;
      
      for each time period, a respective secondary password sequence is generated; and
      
      a public key parameter of each secondary password sequence is signed using a respective one of the passwords in the password sequence.
  - 42. The system of claim 41, in which the respective secondary password in the sequence is generated by applying a hash function recursively backwards from a respective final secondary password value until reaching an initial secondary password value.

43. A password generation system comprising:
- a client server that includes a processor and a non-volatile memory, said client server communicating with a signature device and a signature server;
  
  said client server being configuredto receive a message,to submit the message along with an index value to the signature device;
  
  to receive the request back from the signature device, said request being computed as a cryptographic function of the message and a password corresponding to the index value; and
  
  to submit the request to the signature server and, if the request is approved, to receive from the signature server a current time-stamp for the current request and to a signature for the message to include at least the current time-stamp.
- View Dependent Claims (44)
- - 44. The system of claim 43, in which the client server is synchronized with the signature device to within a predetermined margin, said client server receiving from the signature device a hash chain corresponding to a hash tree computation path from at least a subset of the passwords to a verifying root value, said subset of passwords including previously used passwords and a current password, but only within a predetermined period relative to the submitted index unit value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardtime SA
Original Assignee
Guardtime IP Holdings Limited
Inventors
BULDAS, Ahto, LAANOJA, Risto, TRUU, Ahto

Granted Patent

US 9,614,682 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/64   Self-signed certificates

H04L 2209/72   Signcrypting, i.e. digital ...

H04L 9/321   involving a third party or ...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3297   involving time stamps, e.g....

H04L 9/50   using hash chains, e.g. blo...

System and Method for Sequential Data Signatures

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Sequential Data Signatures

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links