Information security subscriber trust authority transfer system with private key history transfer
First Claim
1. An information security subscriber trust authority transfer system comprising:
- at least a first trusted authority having a security key history exportation engine operative to generate a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber; and
at least a second trusted authority having a security key history importation engine operative to decrypt the security key history exportation packet and store retrieved security key history data for later access by the subscriber.
6 Assignments
0 Petitions
Accused Products
Abstract
A first trusted authority, such as an originating certification authority, that stores key history data, such as private decryption keys for one or more subscribers, includes a key history exportation engine operative to generate a security key history exportation packet. The security key history exportation packet contains at least encrypted security key history data uniquely associated with a subscriber. A second trusted authority, such as a destination certification authority, includes a security key history importation engine operative to decrypt the security key history exportation packet. The retrieved security key history data then is stored and made accessible through the second trust authority for later access by the subscriber. The second trusted authority serves as a new trust anchor instead of the first trust authority.
-
Citations
40 Claims
-
1. An information security subscriber trust authority transfer system comprising:
-
at least a first trusted authority having a security key history exportation engine operative to generate a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber; and
at least a second trusted authority having a security key history importation engine operative to decrypt the security key history exportation packet and store retrieved security key history data for later access by the subscriber. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
a key history data signing key pair generator that generates an export signing public key (ESPK) and a key history export signing private key (KHSPK); and
a key history data signor operative to digitally sign the encrypted key history data using at least the export private signing key generated.
-
-
8. The system of claim 1 wherein the security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the subscriber.
-
9. The system of claim 1 wherein the key history exportation engine includes a symmetric key generator operative to generate a key history data encryption key and wherein the key history importation engine includes a symmetric decryption key generator operative to generate a symmetric decryption key to decrypt encrypted key history data.
-
10. The system of claim 5 wherein the key history importation engine imports private key history data and includes:
-
a key history exportation packet verifier operative to receive the key history exportation packet and to verify a digital signature associated with the key history exportation packet, using an exportation public key certificate; and
a key history data decryptor operatively coupled to receive encrypted key history data contained in the key history data packet by retrieving, from a storage medium, an import decryption private key based on export encryption public key identification data contained in the packet and decrypting encrypted key history data using the import decryption private key.
-
-
11. The system of claim 1 wherein the subscriber stores data representing that the second trust authority is a new originating trust authority in response to transfer of the security key exportation packet to the second trust authority.
-
12. An information security subscriber trust authority transfer method comprising:
-
at least a first trusted authority having a first security key history exportation engine operative to generate a first security key history exportation packet containing at least encrypted security key history data uniquely associated with a first subscriber and further having a first security key history importation engine operative to decrypt a received first security key history exportation packet and store retrieved security key history data for later access by a second subscriber; and
at least a second trusted authority having a second security key history importation engine operative to decrypt the first security key history exportation packet generated by the first trusted authority and to store retrieved security key history data for later access by the first subscriber, and further having a second security key history exportation engine operative to generate a second security key history exportation packet containing at least encrypted security key history data uniquely associated with the second subscriber. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
a key history data signing key pair generator that generates an export signing public key (ESPK) and a key history export signing private key (KHSPK); and
a key history data signor operative to digitally sign at least the encrypted key history data using the export private signing key generated.
-
-
19. The system of claim 12 wherein the first security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the first subscriber.
-
20. The system of claim 12 wherein each of the first and second key history exportation engine includes a symmetric key generator operative to generate a key history data encryption key and wherein the first key history importation engine includes a symmetric decryption key generator operative to generate a symmetric decryption key to decrypt encrypted first key history data.
-
21. The system of claim 16 wherein the first key history importation engine imports private key history data associated with the second subscriber and includes:
-
a key history exportation packet verifier operative to receive the second key history exportation packet and to verify a digital signature associated with the second key history exportation packet, using an exportation public key certificate; and
a key history data decryptor operatively coupled to receive encrypted key history data contained in the second key history exportation packet by retrieving, from a storage medium, an import decryption private key based on export encryption public key identification data contained in the second key history exportation packet and decrypting encrypted key history data using the import decryption private key.
-
-
22. The system of claim 12 wherein the subscriber stores data representing that the second trust authority is a new originating trust authority in response to transfer of the security key exportation packet to the second trust authority.
-
23. An information security subscriber trust authority transfer method comprising:
-
generating, by a first certification authority, a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber; and
decrypting, by a second certification authority, the security key history exportation packet; and
storing retrieved security key history data for later access by the subscriber. - View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
generating an export signing public key (ESPK) and a key history export signing private key (KHSPK); and
digitally signing at least the encrypted key history data using the export private signing key generated.
-
-
30. The method of claim 23 wherein the security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the subscriber.
-
31. The method of claim 23 including generating a key history data encryption key and generating, using a symmetric decryption key generator, a symmetric decryption key to decrypt encrypted key history data.
-
32. The method of claim 27 including:
-
receiving the key history exportation packet;
verifying a digital signature associated with the key history exportation packet, using an exportation public key certificate; and
decrypting encrypted key history data contained in the key history data packet by retrieving, from a storage medium, an import decryption private key based on export encryption public key identification data contained in the packet and decrypting encrypted key history data using the import decryption private key.
-
-
33. The method of claim 23 including storing, by the subscriber, data representing that the second trust authority is a new originating trust authority in response to transfer of the security key exportation packet to the second trust authority.
-
34. A storage medium comprising:
-
memory containing executable program instructions that when read by one or more processing units, causes one or more processing units to;
generate a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber;
decrypt the security key history exportation packet; and
store retrieved security key history data for later access by a security information system subscriber. - View Dependent Claims (35, 36, 37, 38, 39, 40)
generate an export signing public key (ESPK) and a key history export signing private key (KHSPK); and
digitally sign at least the encrypted key history data using the export private signing key generated.
-
-
40. The storage medium of claim 34 wherein the security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the subscriber.
Specification