Data cryptography operations using control vectors
Abstract
Data cryptography is achieved in an improved manner by associating with the data cryptography key a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, and translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.
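The following is an added illustration, not code from the patent: a small model of a cryptographic facility that checks a key's control vector before performing authentication code generation or verification, so a receiver holding a verify-only key cannot generate codes. The bit layout (MAC_GEN, MAC_VER), the class and function names, and the HMAC-based binding of the vector to the wrapped key are assumptions made for the example; the page does not specify how the association is enforced.

```python
import hashlib
import hmac
import os

MAC_GEN, MAC_VER = 0x01, 0x02  # constructed bit layout, not the patent's


class NotAuthorized(Exception):
    pass


class CryptoFacility:
    """Secure boundary: the master key never leaves this object."""

    def __init__(self):
        self._master = os.urandom(32)

    def _prf(self, label, cv, extra=b""):
        return hmac.new(self._master, label + bytes([cv]) + extra, hashlib.sha256).digest()

    def wrap_key(self, key, cv):
        # The originator fixes the permitted functions when the key is wrapped.
        # Assumed binding: both the pad and the tag depend on the control vector.
        wrapped = bytes(a ^ b for a, b in zip(key, self._prf(b"pad", cv)))
        return cv, wrapped, self._prf(b"tag", cv, wrapped)

    def request(self, function, token, data, mac=b""):
        cv, wrapped, tag = token
        if not hmac.compare_digest(tag, self._prf(b"tag", cv, wrapped)):
            raise NotAuthorized("control vector was not issued with this key")
        # Control vector check: runs before the key is recovered or used.
        if function not in (MAC_GEN, MAC_VER) or not cv & function:
            raise NotAuthorized("function not permitted by control vector")
        key = bytes(a ^ b for a, b in zip(wrapped, self._prf(b"pad", cv)))
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return expected if function == MAC_GEN else hmac.compare_digest(expected, mac)


def demo():
    cf, key, msg = CryptoFacility(), os.urandom(32), b"constructed sample message"
    sender = cf.wrap_key(key, MAC_GEN | MAC_VER)
    receiver = cf.wrap_key(key, MAC_VER)  # may verify, cannot generate
    mac = cf.request(MAC_GEN, sender, msg)
    results = {"verify": cf.request(MAC_VER, receiver, msg, mac)}
    forged = (MAC_GEN | MAC_VER,) + receiver[1:]  # swapped-in permissive vector
    for name, token in (("receiver_generate", receiver), ("tampered_vector", forged)):
        try:
            cf.request(MAC_GEN, token, msg)
            results[name] = "allowed"
        except NotAuthorized as exc:
            results[name] = str(exc)
    return results
```

Calling demo() shows the receiver's token verifying the sender's code while both generation attempts are refused, one by the control vector check and one because the substituted vector no longer matches the wrapped key.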
43 Claims
1. In a data processing system which processes cryptographic service requests for performing data cryptography functions on data using cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an apparatus for validating that the data cryptography functions requested for a cryptographic key have been authorized by the originator of the key, comprising:
- a cryptographic facility characterized by a secure boundary through which passes an input path for receiving said cryptographic service requests, data, cryptographic keys and their associated control vectors, and an output path for providing responses thereto, there being included within said boundary a cryptographic control means coupled to said input path, a control vector checking means and a cryptographic processing means coupled to said control means, and a master key storage coupled to said processing means, for providing a secure location for executing data cryptography functions in response to said received service requests;
- said cryptographic control means receiving over said input path a cryptographic service request for performing a data cryptography function with a cryptographic key;
- said control vector checking means having an input coupled to said input path for receiving a control vector associated with said cryptographic key and an input coupled to said cryptographic control means, for receiving control signals to initiate checking that said control vector authorizes the data cryptographic function which is requested by said cryptographic service request;
- said control vector checking means having an authorization output coupled to an input of said cryptographic processing means, for signalling that said data cryptography function is authorized, the receipt of which by said cryptographic processing means initiates the performance of the requested data cryptography function with said cryptographic key.
Dependent claims: 2-23, 36-42.
24. In a data processing system which processes cryptographic service requests for the performance of data cryptography functions on data using cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, a method for validating that data cryptography functions requested for a cryptographic key have been authorized by the originator of the key, comprising the steps of:
- receiving a cryptographic service request for performing a data cryptography function on data using a cryptographic key in a cryptographic facility characterized by a source boundary through which passes an input path and an output path;
- receiving a control vector associated with said cryptographic key and checking that said control vector authorizes the data cryptography function which is requested by said cryptographic service request;
- signalling that said data cryptography function is authorized and initiating the performance of the requested data cryptography function with said cryptographic key.
Dependent claims: 25-35, 43.
Specification