Cryptography system and method for providing cryptographic services for a computer application
First Claim
1. A cryptography system to support an application requiring cryptographic functions, the cryptography system comprising:
- a cryptographic application program interface (CAPI) to interface with the application and handle its requests for a cryptographic function;
at least one cryptography service provider (CSP) independent from, but dynamically accessible by, the CAPI;
the CSP providing the cryptographic function requested by the application, the CSP also managing and protecting at least one encryption key used in the cryptographic function to prevent exposure of the encryption key in a non-encrypted form to the CAPI and application; and
a private application program interface (PAPI) to interface the CSP with a user, the PAPI enabling the user to observe, confirm, or reject the requested cryptographic function.
2 Assignments
0 Petitions
Accused Products
Abstract
A cryptography system architecture provides cryptographic functionality to support an application requiring encryption, decryption, signing, and verification of electronic messages. The cryptography system has a cryptographic application program interface (CAPI) which interfaces with the application to receive requests for cryptographic functions. The cryptographic system further includes at least one cryptography service provider (CSP) that is independent from, but dynamically accessible by, the CAPI. The CSP provides the cryptographic functionality and manages the secret cryptographic keys. In particular, the CSP prevents exposure of the encryption keys in a non-encrypted form to the CAPI or application. The cryptographic system also has a private application program interface (PAPI) to provide direct access between the CSP and the user. The PAPI enables the user to confirm or reject certain requested cryptographic functions, such as digitally signing the messages or exportation of keys.
347 Citations
49 Claims
-
1. A cryptography system to support an application requiring cryptographic functions, the cryptography system comprising:
-
a cryptographic application program interface (CAPI) to interface with the application and handle its requests for a cryptographic function; at least one cryptography service provider (CSP) independent from, but dynamically accessible by, the CAPI; the CSP providing the cryptographic function requested by the application, the CSP also managing and protecting at least one encryption key used in the cryptographic function to prevent exposure of the encryption key in a non-encrypted form to the CAPI and application; and a private application program interface (PAPI) to interface the CSP with a user, the PAPI enabling the user to observe, confirm, or reject the requested cryptographic function. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. In a computer system having a processing unit and a computer-readable medium, a computer-implemented cryptography service provider stored on the computer-readable medium for execution on the processing unit as part of a cryptography system used to support a computer executable application requiring encryption or decryption of electronic messages to be sent or received by a user, the cryptography service provider comprising:
-
a key manager to manage encryption keys used to encrypt messages and to prevent the encryption keys from being exported in a non-encrypted form from the cryptography service provider; an encryption/decryption device to encrypt or decrypt messages using the encryption keys; and the cryptography service provider being configured as a dynamic linked library, software module which is dynamically accessible as needed by the application to receive a plaintext message and to return an encrypted message, or to receive an encrypted message and to return a plaintext message, without exposing the encryption keys in their non-encrypted form to the application. - View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
-
-
28. A method for supporting cryptographic functions requested by an application, the method comprising the following steps:
-
supplying a request for a cryptographic function to a cryptographic application program interface (CAPI); selecting a cryptography service provider (CSP) to perform the desired cryptographic function; establishing communication between the CAPI and the CSP; verifying an authenticity of the CSP; performing the cryptographic function at the CSP using at least one cryptographic key; and preventing exposure of the encryption key in a non-encrypted form to the CAPI or application. - View Dependent Claims (29, 30, 45)
-
-
31. A method for encrypting a message comprising the following steps:
-
supplying a plaintext message to a cryptographic application program interface (CAPI); selecting a cryptography service provider (CSP) for encrypting the message; establishing communication between the CAPI and the CSP; verifying an authenticity of the CSP; passing the plaintext message from the CAPI to the CSP; encrypting the message at the CSP using an encryption key maintained by the CSP to produce an encrypted message; and passing the encrypted message from the CSP back to the CAPI without exposing the encryption key in its non-encrypted form. - View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 46)
-
-
47. A computer-readable medium having a computer-executable instructions for implementing a cryptography system, comprising:
-
a cryptographic application program interface (CAPI) configured as a software module to interface with a computer-implemented application and to handle requests from the application for a cryptographic function; at least one cryptography service provider (CSP) configured as a software module independent from, but dynamically accessible by, the CAPI; the CSP providing the cryptographic function requested by the software application, the CSP also managing and protecting at least one encryption key used in the cryptographic function to prevent exposure of the encryption key in a non-encrypted form to the CAPI and software application. - View Dependent Claims (48, 49)
-
Specification