Information security subscriber trust authority transfer system with private key history transfer

US 6,192,130 B1
Filed: 06/30/1999
Issued: 02/20/2001
Est. Priority Date: 06/19/1998
Status: Expired due to Term

First Claim

Patent Images

1. An information security subscriber trust authority transfer system comprising:

at least a first trusted authority having a security key history exportation engine operative to generate a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber; and

at least a second trusted authority having a security key history importation engine operative to decrypt the security key history exportation packet and store retrieved security key history data for later access by the subscriber.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first trusted authority, such as an originating certification authority, that stores key history data, such as private decryption keys for one or more subscribers, includes a key history exportation engine operative to generate a security key history exportation packet. The security key history exportation packet contains at least encrypted security key history data uniquely associated with a subscriber. A second trusted authority, such as a destination certification authority, includes a security key history importation engine operative to decrypt the security key history exportation packet. The retrieved security key history data then is stored and made accessible through the second trust authority for later access by the subscriber. The second trusted authority serves as a new trust anchor instead of the first trust authority.

197 Citations

40 Claims

1. An information security subscriber trust authority transfer system comprising:
- at least a first trusted authority having a security key history exportation engine operative to generate a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber; and
  
  at least a second trusted authority having a security key history importation engine operative to decrypt the security key history exportation packet and store retrieved security key history data for later access by the subscriber.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. the system of claim 1 wherein at least the second trusted authority serves as a trusted certification authority for the subscriber instead of the at least first trusted authority and provides old encryption keys from the imported key history data to the subscriber in response to a request from the subscriber.
  - 3. The system of claim 1 wherein the security key exportation engine generates an exportation signing key pair including at least a key history export private signing key and a key history import public verification key.
  - 4. The system of claim 1 wherein the security key exportation engine generates an exportation symmetric encryption key.
  - 5. The system of claim 1 wherein the security key importation engine includes an encryption key pair generator for key history transfer wherein the encryption key pair includes at least an export encryption public key and an import decryption private key and wherein the export encryption public key is used by the key history exportation engine to encrypt key history data and wherein the import decryption private key is used by the key history importation engine to decrypt encrypted key history data.
  - 6. The system of claim 1 wherein the security key exportation packet includes the security key history data that includes a plurality of subscriber private decryption keys that are encrypted using a symmetric exportation encryption key (Ks1) and wherein the key (Ks1) is encrypted using an export encryption public key (Keepk) associated with the second trust authority to form encrypted key history data.
  - 7. The system of claim 6 wherein the security key exportation engine also includes:
8. The system of claim 1 wherein the security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the subscriber.
9. The system of claim 1 wherein the key history exportation engine includes a symmetric key generator operative to generate a key history data encryption key and wherein the key history importation engine includes a symmetric decryption key generator operative to generate a symmetric decryption key to decrypt encrypted key history data.
10. The system of claim 5 wherein the key history importation engine imports private key history data and includes:
- a key history exportation packet verifier operative to receive the key history exportation packet and to verify a digital signature associated with the key history exportation packet, using an exportation public key certificate; and
  
  a key history data decryptor operatively coupled to receive encrypted key history data contained in the key history data packet by retrieving, from a storage medium, an import decryption private key based on export encryption public key identification data contained in the packet and decrypting encrypted key history data using the import decryption private key.
11. The system of claim 1 wherein the subscriber stores data representing that the second trust authority is a new originating trust authority in response to transfer of the security key exportation packet to the second trust authority.

12. An information security subscriber trust authority transfer method comprising:
- at least a first trusted authority having a first security key history exportation engine operative to generate a first security key history exportation packet containing at least encrypted security key history data uniquely associated with a first subscriber and further having a first security key history importation engine operative to decrypt a received first security key history exportation packet and store retrieved security key history data for later access by a second subscriber; and
  
  at least a second trusted authority having a second security key history importation engine operative to decrypt the first security key history exportation packet generated by the first trusted authority and to store retrieved security key history data for later access by the first subscriber, and further having a second security key history exportation engine operative to generate a second security key history exportation packet containing at least encrypted security key history data uniquely associated with the second subscriber.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12 wherein the at least second trusted authority serves as a trusted certification authority for the first subscriber instead of the at least first trusted authority and provides an old encryption key from the imported key history data to the first subscriber in response to a request from the first subscriber.
  - 14. The system of claim 12 wherein each of the first and second security key exportation engines generates an exportation signing key pair including at least a key history export private signing key and a key history import public verification key.
  - 15. The system of claim 12 wherein each of the first and second security key exportation engines generates an exportation symmetric encryption key.
  - 16. The system of claim 12 wherein each of the first and second security key importation engines includes an encryption key pair generator for key history transfer wherein the encryption key pair includes at least an export encryption public key and an import decryption private key and wherein the export encryption public key is used by a respective key history exportation engine to encrypt key history data and wherein the import decryption key is used by a respective key history importation engine to decrypt encrypted key history data.
  - 17. The system of claim 12 wherein the first security key exportation packet includes the security key history data uniquely associated with the first subscriber that includes a plurality of subscriber private decryption keys that are encrypted using a symmetric exportation encryption key (Ks1) and wherein the key (Ks1) is encrypted using an export encryption public key (Keepk) associated with the second trust authority to form encrypted key history data.
  - 18. The system of claim 17 wherein each of the first and second security key exportation engines also includes:
19. The system of claim 12 wherein the first security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the first subscriber.
20. The system of claim 12 wherein each of the first and second key history exportation engine includes a symmetric key generator operative to generate a key history data encryption key and wherein the first key history importation engine includes a symmetric decryption key generator operative to generate a symmetric decryption key to decrypt encrypted first key history data.
21. The system of claim 16 wherein the first key history importation engine imports private key history data associated with the second subscriber and includes:
- a key history exportation packet verifier operative to receive the second key history exportation packet and to verify a digital signature associated with the second key history exportation packet, using an exportation public key certificate; and
  
  a key history data decryptor operatively coupled to receive encrypted key history data contained in the second key history exportation packet by retrieving, from a storage medium, an import decryption private key based on export encryption public key identification data contained in the second key history exportation packet and decrypting encrypted key history data using the import decryption private key.
22. The system of claim 12 wherein the subscriber stores data representing that the second trust authority is a new originating trust authority in response to transfer of the security key exportation packet to the second trust authority.

23. An information security subscriber trust authority transfer method comprising:
- generating, by a first certification authority, a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber; and
  
  decrypting, by a second certification authority, the security key history exportation packet; and
  
  storing retrieved security key history data for later access by the subscriber.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The method of claim 23 wherein the second certification authority serves as a subsequent trusted certification authority for the subscriber instead of the at least first trusted authority and provides an old encryption key from the imported key history data to the subscriber in response to a request from the subscriber.
  - 25. The method of claim 23 including generating, by the first certification authority, an exportation signing key pair including at least a key history export private signing key and a key history import public verification key.
  - 26. The method of claim 23 including, generating, by the first certification authority, an exportation symmetric encryption key.
  - 27. The method of claim 23 including generating, by the second certification authority, an encryption key pair for key history transfer wherein the encryption key pair includes at least an export encryption public key and an import decryption private key and wherein the export encryption public key is used by the second certification authority to encrypt key history data and wherein the import decryption key is used by the second certification authority to decrypt encrypted key history data.
  - 28. The method of claim 23 wherein the security key exportation packet includes the security key history data that includes a plurality of subscriber private decryption keys that are encrypted using a symmetric exportation encryption key (Ks1) and wherein the key (Ks1) is encrypted using an export encryption public key (Keepk) associated with the second certification authority to form encrypted key history data.
  - 29. The method of claim 28 including:
30. The method of claim 23 wherein the security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the subscriber.
31. The method of claim 23 including generating a key history data encryption key and generating, using a symmetric decryption key generator, a symmetric decryption key to decrypt encrypted key history data.
32. The method of claim 27 including:
- receiving the key history exportation packet;
  
  verifying a digital signature associated with the key history exportation packet, using an exportation public key certificate; and
  
  decrypting encrypted key history data contained in the key history data packet by retrieving, from a storage medium, an import decryption private key based on export encryption public key identification data contained in the packet and decrypting encrypted key history data using the import decryption private key.
33. The method of claim 23 including storing, by the subscriber, data representing that the second trust authority is a new originating trust authority in response to transfer of the security key exportation packet to the second trust authority.

34. A storage medium comprising:
- memory containing executable program instructions that when read by one or more processing units, causes one or more processing units to;
  
  generate a security key history exportation packet containing at least encrypted security key history data uniquely associated with a subscriber;
  
  decrypt the security key history exportation packet; and
  
  store retrieved security key history data for later access by a security information system subscriber.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The storage medium of claim 34 including memory containing executable program instructions that when read by one or more processing units, causes one or more processing units to serve as a subsequent trusted certification authority for the subscriber instead of an at least first trusted authority and provides an old encryption key from the imported key history data to the subscriber in response to a request from the subscriber.
  - 36. The storage medium of claim 34 including memory containing executable program instructions that when read by one or more processing units, causes one or more processing units to generate an exportation signing key pair including at least a key history export private signing key and a key history import public verification key.
  - 37. The storage medium of claim 34 including memory containing executable program instructions that when read by one or more processing units, causes one or more processing units to generate an encryption key pair for key history transfer wherein the encryption key pair includes at least an export encryption public key and an import decryption private key and wherein the export encryption public key is used by another processing unit to encrypt key history data and wherein the import decryption key is used by the second certification authority to decrypt encrypted key history data.
  - 38. The storage medium of claim 37 wherein the security key exportation packet includes the security key history data that includes a plurality of subscriber private decryption keys that are encrypted using a symmetric exportation encryption key (Ks1) and wherein the key (Ks1) is encrypted using an export encryption public key (Keepk) associated with the second certification authority to form encrypted key history data.
  - 39. The storage medium of claim 38 including memory containing executable program instructions that when read by one or more processing units, causes one or more processing units to:
40. The storage medium of claim 34 wherein the security key history data includes a plurality of private decryption keys associated with prior used public/private encryption key pairs for the subscriber.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Incorporated (Entrust Corp.), Entrust Technologies Limited
Original Assignee
Entrust Technologies Limited
Inventors
Otway, Josanne
Primary Examiner(s)
Swann, Tod
Assistant Examiner(s)
Sulpizio, Jr., Ronald F.

Application Number

US09/345,234
Time in Patent Office

601 Days
Field of Search

380/1, 380/286, 380/277, 380/280, 705/76, 705/66, 705/77, 713/157, 713/158, 713/178
US Class Current

380/277
CPC Class Codes

G06Q 20/3672   initialising or reloading t...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

Information security subscriber trust authority transfer system with private key history transfer

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

197 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Information security subscriber trust authority transfer system with private key history transfer

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links