System and method to transparently integrate private key operations from a smart card with host-based encryption services

US 5,778,072 A
Filed: 07/07/1995
Issued: 07/07/1998
Est. Priority Date: 07/07/1995
Status: Expired due to Term

First Claim

Patent Images

1. A computer system integrating at least one encryption service that provides at least one key operation with a smart card providing at least one key operation, comprising:

at least one smart card that provides at least one key operation for a private key of a user, and that non-readably stores the private key of the user; and

,a computer including;

at least one computer executable application program capable of requesting a key operation; and

,a key store manager that communicatively couples to the application program and receives therefrom a request for a key operation for a first user, the key store manager determining whether the first user has a first smart card, and responsive to the first user having first smart card, the key store manager communicatively coupling to the first smart card and providing thereto the request for a key operation on a first private key of the first user, the first smart card providing a key operation on the first private key; and

responsive to the first user not having the first smart card, the key store manager communicatively coupling to a first encryption service, the first encryption service providing a key operation on the first private key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method provide transparent integration of a smart card private key operations with an existing set of encryption services and system applications. A key store manager manages user key data, and handles requests for key operations from the system applications. A user information file stores user data, including user private keys for users that do not have smart cards, and an indication of those users that have smart cards. A set of system applications interfaces with the key store manager through encryption protocol specific application programming interfaces. Users connect to the system through terminals or remote computers that may be equipped with smart card readers. For users having smart cards, the key store manager forwards to the smart cards requests for private key operations, such as encryption or decryption with the user'"'"'s private key, from the system applications. In this manner the user'"'"'s private key cannot be compromised by exposure to the computer system. For users without smart cards the key store manager forwards the request for private key operation to an encryption service for handling. The key store manager may handle only requests for private key operations, with the system applications identifying and handling directly public key operations, or the key store manager may handle both private key and public key operations.

303 Citations

18 Claims

1. A computer system integrating at least one encryption service that provides at least one key operation with a smart card providing at least one key operation, comprising:
- at least one smart card that provides at least one key operation for a private key of a user, and that non-readably stores the private key of the user; and
  
  ,a computer including;
  
  at least one computer executable application program capable of requesting a key operation; and
  
  ,a key store manager that communicatively couples to the application program and receives therefrom a request for a key operation for a first user, the key store manager determining whether the first user has a first smart card, and responsive to the first user having first smart card, the key store manager communicatively coupling to the first smart card and providing thereto the request for a key operation on a first private key of the first user, the first smart card providing a key operation on the first private key; and
  
  responsive to the first user not having the first smart card, the key store manager communicatively coupling to a first encryption service, the first encryption service providing a key operation on the first private key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer system of claim 1, further comprising:
    - a computer readable storage facility that stores user data for selected users, the user data identifying the user and whether the user has a smart card;
      
      wherein the key store manager communicatively couples to and determines from the storage facility whether the first user has a first smart card.
  - 3. The computer system of claim 1, wherein each application program determines whether a key operation is a private key operation or a public key operation, and provides to the key store manager only private key operations.
  - 4. The computer system of claim 1, wherein each application program requests the key store manager both private key operations and public key operations.
  - 5. The computer system of claim 1, wherein responsive to the first user not having the first smart card, the key store manager obtains the first private key and provides it to the first encryption service.
  - 6. The computer system of claim 1, wherein responsive to the first user not having the first smart card, the first encryption service obtains the first private key.

7. In a computer system having at least one smart card providing at least one key operation for a private key of a user, and non-readably storing the private key of a user, a computer readable storage facility that stores user data for selected users, the user data indicating whether a user has been authenticated to the computer system by a smart card, at least one computer executable encryption service providing at least one key operation, and at least one computer executable application program capable of requesting a key operation, a computer readable medium including a computer executable program controlling the operation of the computer to provide smart card and host-based encryption, and comprising:
- a key store manager capable of communicatively coupling to the application program and receiving therefrom a request for a key operation for a first user, the key store manager capable of communicatively coupling to and determining from the storage facility whether the first user has a first smart card, and responsive to the first user having a first smart card, the key store manager capable of communicatively coupling to the first smart card and providing thereto a request for a key operation on a first private key of the first user; and
  
  responsive to the first user not having the first smart card, the key store manager capable of communicatively coupling to a first encryption service, the first encryption service providing a key operation on the first private key.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer readable medium of claim 7, further comprising:
    - a computer readable storage facility that stores user data for selected users, the user data identifying the user and whether the user has a smart card; and
      
      ,wherein the key store manager is capable of communicatively couples to and determining from the storage facility whether the first user has a first smart card.
  - 9. The computer system of claim 7, wherein each application program determines whether a key operation is a private key operation or a public key operation, and provides to the key store manager only private key operations.
  - 10. The computer system of claim 7, wherein each application program provides to the key store manager both private key operations and public key operations.
  - 11. The computer system of claim 7, wherein responsive to the first user not having the first smart card, the first encryption service obtains the first private key.

12. In a computer system having at least one encryption service providing at least one key operation, a computer implemented method of providing a user smart card capable of providing at least one private key operation on a user private key stored thereon, comprising the steps of:
- receiving a request from an application program for a private key operation on the private key of the user;
  
  determining whether the user has a smart card;
  
  responsive to the user having a smart card, transmitting the request to the smart card, the smart card providing the private key operation; and
  
  ,responsive to the user not having a smart card, performing the step of;
  
  transmitting the request to the encryption service, the encryption service providing the private key operation.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, further comprising the step of:
    - storing in a computer readable medium user data identifying the user and indicating whether a user has a smart card; and
      
      ,wherein the step of determining whether the user has a smart card further comprises reading from the computer readable medium the user data.
  - 14. The method of claim 12, further comprising the steps of:
    - connecting the user to the computer system;
      
      determining whether the user has a smart card;
      
      responsive to the user having a smart card, performing the steps of;
      
      coupling the smart card to the computer system; and
      
      ,storing in the computer readable medium data indicating that the user has a smart card.
  - 15. The method of claim 14, further comprising the steps of:
    - responsive to the user not having a smart card, performing the step of;
      
      storing in a computer readable medium facility data identifying the user and a private key of the user.
  - 16. The method of claim 14, further comprising the steps of:
    - determining whether the smart card is uncoupled from the computer system; and
      
      responsive to the smart card being uncoupled from the computer system, disconnecting the user from the computer system.
  - 17. The method of claim 15, further comprising the step of:
    - obtaining a private key of the user from a storage facility.
  - 18. The method of claim 12, further comprising the step of:
    - returning to the application program a result of the private key operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Samar, Vipin
Primary Examiner(s)
Cain, David C.

Application Number

US08/499,485
Time in Patent Office

1,096 Days
Field of Search

380/21, 380/23, 380/24, 380/25, 380/49, 380/30, 380/28, 380/29, 380/3, 380/4
US Class Current

380/30
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2103   Challenge-response

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

System and method to transparently integrate private key operations from a smart card with host-based encryption services

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

303 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

System and method to transparently integrate private key operations from a smart card with host-based encryption services

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others