System and method to transparently integrate private key operations from a smart card with host-based encryption services
Abstract
A system and method provide transparent integration of smart card private key operations with an existing set of encryption services and system applications. A key store manager manages user key data and handles requests for key operations from the system applications. A user information file stores user data, including user private keys for users that do not have smart cards, and an indication of those users that have smart cards. A set of system applications interfaces with the key store manager through encryption protocol specific application programming interfaces. Users connect to the system through terminals or remote computers that may be equipped with smart card readers. For users having smart cards, the key store manager forwards requests for private key operations from the system applications, such as encryption or decryption with the user's private key, to the smart cards. In this manner the user's private key cannot be compromised by exposure to the computer system. For users without smart cards, the key store manager forwards the request for a private key operation to an encryption service for handling. The key store manager may handle only requests for private key operations, with the system applications identifying and handling public key operations directly, or the key store manager may handle both private key and public key operations.
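As an added example that is not part of the patent, the routing described in the abstract modelled in Python: a user information file marks who has a smart card and holds host-side private keys only for those who do not, and the key store manager forwards private key operations to the card when the user has one and to the host encryption service otherwise. The class and user names and the tiny textbook RSA parameters are constructed for illustration only.

```python
# Constructed toy RSA key (p=61, q=53): n=3233, e=17, d=2753.
N, E, D = 3233, 17, 2753


def public_op(m: int, n: int = N, e: int = E) -> int:
    """Public-key operation (encrypt/verify), handled by applications directly."""
    return pow(m, e, n)


class SmartCard:
    """Holds the private key non-readably: no accessor, only the key operation."""
    def __init__(self, d: int, n: int) -> None:
        self._d, self._n = d, n  # never exported; key material stays on the card

    def private_op(self, c: int) -> int:
        return pow(c, self._d, self._n)


class EncryptionService:
    """Host-based service for users without a card; reads keys from the user file."""
    def __init__(self, user_file: dict) -> None:
        self.user_file = user_file

    def private_op(self, user: str, c: int) -> int:
        d, n = self.user_file[user]["private_key"]
        return pow(c, d, n)


class KeyStoreManager:
    """Takes key-operation requests from applications and routes them."""
    def __init__(self, user_file: dict, readers: dict, service: EncryptionService) -> None:
        self.user_file, self.readers, self.service = user_file, readers, service
        self.audit: list = []  # (user, route) per request, doubles as an audit log

    def private_key_op(self, user: str, c: int) -> int:
        if self.user_file[user].get("has_smart_card"):
            card = self.readers.get(user)  # the card must be in the user's reader
            if card is None:
                raise LookupError(f"{user}: smart card not present")
            self.audit.append((user, "smart_card"))
            return card.private_op(c)
        self.audit.append((user, "encryption_service"))
        return self.service.private_op(user, c)


# Constructed user information file: alice has a card (no host-side key), bob does not.
USER_FILE = {"alice": {"has_smart_card": True},
             "bob": {"has_smart_card": False, "private_key": (D, N)}}
READERS = {"alice": SmartCard(D, N)}
KSM = KeyStoreManager(USER_FILE, READERS, EncryptionService(USER_FILE))
```

Note that the host-side file never contains alice's private exponent; only bob's key is exposed to the host, which is exactly the exposure the smart card path avoids.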
18 Claims
1. A computer system integrating at least one encryption service that provides at least one key operation with a smart card providing at least one key operation, comprising:

at least one smart card that provides at least one key operation for a private key of a user, and that non-readably stores the private key of the user; and

a computer including:

at least one computer executable application program capable of requesting a key operation; and

a key store manager that communicatively couples to the application program and receives therefrom a request for a key operation for a first user, the key store manager determining whether the first user has a first smart card, and responsive to the first user having a first smart card, the key store manager communicatively coupling to the first smart card and providing thereto the request for a key operation on a first private key of the first user, the first smart card providing a key operation on the first private key; and

responsive to the first user not having the first smart card, the key store manager communicatively coupling to a first encryption service, the first encryption service providing a key operation on the first private key.

Dependent claims: 2, 3, 4, 5, 6.

7. In a computer system having at least one smart card providing at least one key operation for a private key of a user, and non-readably storing the private key of a user, a computer readable storage facility that stores user data for selected users, the user data indicating whether a user has been authenticated to the computer system by a smart card, at least one computer executable encryption service providing at least one key operation, and at least one computer executable application program capable of requesting a key operation, a computer readable medium including a computer executable program controlling the operation of the computer to provide smart card and host-based encryption, and comprising:

a key store manager capable of communicatively coupling to the application program and receiving therefrom a request for a key operation for a first user, the key store manager capable of communicatively coupling to and determining from the storage facility whether the first user has a first smart card, and responsive to the first user having a first smart card, the key store manager capable of communicatively coupling to the first smart card and providing thereto a request for a key operation on a first private key of the first user; and

responsive to the first user not having the first smart card, the key store manager capable of communicatively coupling to a first encryption service, the first encryption service providing a key operation on the first private key.

Dependent claims: 8, 9, 10, 11.

12. In a computer system having at least one encryption service providing at least one key operation, a computer implemented method of providing a user smart card capable of providing at least one private key operation on a user private key stored thereon, comprising the steps of:

receiving a request from an application program for a private key operation on the private key of the user;

determining whether the user has a smart card;

responsive to the user having a smart card, transmitting the request to the smart card, the smart card providing the private key operation; and

responsive to the user not having a smart card, performing the step of transmitting the request to the encryption service, the encryption service providing the private key operation.

Dependent claims: 13, 14, 15, 16, 17, 18.
Specification