Method and apparatus for public key management
First Claim
1. A method for public key management, the method comprises the steps of:
- a) from time to time, providing, in a trustworthy manner by an associated authority, a list of at least a plurality of trusted public keys of a plurality of different trusted certification authorities to at least one client, wherein at least one of the plurality of trusted certification authorities is not associated with a locale that the at least one client is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list; and
providing trusted public keys via an on-line communication path or a stored and forward communication path;
b) by maintaining, by the at least one client, the trusted public keys of the trusted certification authorities in a storage medium associated with a client cryptographic engine;
c) evoking the client cryptographic engine by a client application to perform a security related operation;
d) determining, by the client cryptographic engine, whether a public key certificate associated with the security related operation is verified as authentic based on the trusted public keys of the trusted certification authorities;
e) when the public key certificate associated with the security related operation was verified as authentic, performing the security related operation using a subject public key of the public key certificate associated with the security related operation;
f) providing, by the client cryptographic engine to the client application, an indication that the security operation was performed successfully; and
g) when the public key certificate associated with the security related operation was not verified as authentic, providing, by the client cryptographic engine to the client application, an indication that the security operation was not performed successfully.
5 Assignments
0 Petitions
Accused Products
Abstract
A method and apparatus for public key management is accomplished when an associated authority provides, from time to time, a public key of at least one of a plurality of certificate authorities to a client. The associated authority provides the public key in a trustworthy manner over an on-line communication path and/or a store and forward communication path, which may be done using a self-signed signature public key certificate. Upon receiving the public key, the client maintains it in a storage medium associated with a client cryptographic engine. When a client application needs a security-related operation to be performed, it evokes the client cryptographic engine via an application program interface. Upon being evoked the client cryptographic engine determines whether a public key certificate associated with the security-related operation is verified as authentic based on the public key of at least one of the plurality of certification authorities. This is done by verifying the signature of the certification authority that signed the public key certificate associated with the security related operation. Once the signature is verified, the contents of the public key certificate can be authenticated. When the public key certificate is authenticated, the client cryptographic engine performs the security-related operation using a subject public key of the public key certificate associated with the security-related operation. Having done so, the client cryptographic engine provides an indication to the client application that it has successfully performed the security-related operation. If, however, the public key certificate was not authenticated, the client cryptographic engine provides the client application an indication that the security-related operation was not successfully performed.
-
Citations
37 Claims
-
1. A method for public key management, the method comprises the steps of:
-
a) from time to time, providing, in a trustworthy manner by an associated authority, a list of at least a plurality of trusted public keys of a plurality of different trusted certification authorities to at least one client, wherein at least one of the plurality of trusted certification authorities is not associated with a locale that the at least one client is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list; and
providing trusted public keys via an on-line communication path or a stored and forward communication path;
b) by maintaining, by the at least one client, the trusted public keys of the trusted certification authorities in a storage medium associated with a client cryptographic engine;
c) evoking the client cryptographic engine by a client application to perform a security related operation;
d) determining, by the client cryptographic engine, whether a public key certificate associated with the security related operation is verified as authentic based on the trusted public keys of the trusted certification authorities;
e) when the public key certificate associated with the security related operation was verified as authentic, performing the security related operation using a subject public key of the public key certificate associated with the security related operation;
f) providing, by the client cryptographic engine to the client application, an indication that the security operation was performed successfully; and
g) when the public key certificate associated with the security related operation was not verified as authentic, providing, by the client cryptographic engine to the client application, an indication that the security operation was not performed successfully. - View Dependent Claims (2, 3, 4)
-
-
5. A method for an associated authority to facilitate public key management, the method comprises the steps of:
-
a) obtaining a set of public keys of different trusted associated authorities for at least one client, wherein each public key of the set of public keys is based on a separate trusted path between the at least one client and one of the different trusted associated authorities, wherein at least one of the different trusted associated authorities is not associated with a locale that the at least one client is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list;
b) providing the set of public keys to the at least one client in a trustworthy manner;
c) from time to time, updating the set of public keys to produce an updated set of public keys; and
d) providing the updated set of public keys to the at least one client. - View Dependent Claims (6, 7, 8, 9, 10)
-
-
11. An associated authority comprises:
-
a processing unit; and
memory that is operably coupled to the processing unit, wherein the memory stores programming instructions that, when read by the processing unit, causes the processing unit to (a) obtain a set of public keys of trusted associated authorities for at least one client, wherein each public key of the set of public keys is based on a separate trusted path between the at least one client and one of a set of different certification authorities;
wherein at least one of the different trusted associated authorities is not associated with a locale that the at least one client is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list;
(b) provide the set of public keys to the at least one client in a trustworthy manner;
(c) from time to time, update the set of public keys to produce an updated set of public keys; and
(d) provide the updated set of public keys to the at least one client.- View Dependent Claims (12, 13, 14)
-
-
15. A digital storage medium that stores programming instructions that, when read by a processing unit, causes the processing unit to function as a client cryptographic engine, the digital storage medium comprises:
-
first means for storing programming instructions that, when read by the processing unit, causes the processing unit to obtain a set of public keys of trusted associated authorities for at least one client, wherein each public key of the set of public keys is based on a separate trusted path between the at least one client and one of a set of different certification authorities, wherein at least one of the different trusted associated authorities is not associated with a locale that the at least one client is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list;
second means for storing programming instructions that, when read by the processing unit, causes the processing unit to provide the set of public keys to the at least one client in a trustworthy manner;
third means for storing programming instructions that, when read by the processing unit, causes the processing unit to, from time to time, update the set of public keys to produce an updated set of public keys; and
fourth means for storing programming instructions that, when read by the processing unit, causes the processing unit to provide the updated set of public keys to the at least one client. - View Dependent Claims (16, 17, 18)
-
-
19. A method for a client cryptographic engine to facilitate public keys management, the method comprises the steps of:
-
a) from time to time receiving, via a trustworthy manner, a list of trusted public keys of trusted certification authorities of a plurality of different certification authorities, wherein at least one of the different trusted certification authorities is not associated with a locale that the client cryptographic engine is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list;
b) maintaining the trusted public keys of the trusted certification authorities in a local storage medium;
c) initiating execution of a security related operation when requested by a client application, wherein the client application interfaces with the client cryptographic engine via an application program interface;
d) as part of the initiating execution, determining whether a public key certificate associated with the security related operation is verified as authentic based on the trusted keys of the trusted certification authorities;
e) when the public key certificate associated with the security related operation was verified as authentic, performing the security related operation using a subject public key of the public key certificate associated with the security related operation;
f) providing an indication that the security operation was performed successfully to the client application; and
g) when the public key certificate associated with the security related operation was not verified as authentic, providing an indication that the security operation was not performed successfully to the client application. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
-
-
27. A client cryptographic engine comprising:
-
first memory means for storing programming instructions that, when read by a processor, causes the processor to interface with at least one application;
second memory means for storing trusted public keys of trusted certification authorities of a plurality of certification authorities, wherein the at least one public key of the trusted public keys is a signature verification public key of one of a plurality of different certification authorities, wherein at least one of the trusted certification authorities is not associated with a locale that the client cryptographic engine is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list;
a processing unit; and
third memory means for storing programming instructions that, when read by the processing unit, causes the processing unit to (I) initiate execution of a security related operation when requested by the at least one application;
(ii) as part of the initiating execution, determine whether a public key certificate associated with the security related operation is verified as authentic based on the trusted public keys of the trusted certification authorities;
(iii) perform the security related operation when the public key certificate associated with the security related operation was verified as authentic;
(iv) provide, to the at least one application, an indication that the security related operation was performed successfully and (v) provide, to the at least one application, an indication that the security related operation was not performed successfully when the public key certificate associated with the security related operation was not verified as authentic.- View Dependent Claims (28, 29, 30, 31, 32)
-
-
33. A digital storage medium that stores programming instructions that, when read by a processing unit, causes the processing unit to function as a client cryptographic engine, the digital storage medium comprises:
-
first means for storing programming instructions that, when read by the processing unit, causes the processing unit to, from time to time, receive, via a trustworthy manner, a list of trusted public keys of trusted certification authorities of a plurality of different certification authorities, wherein at least one of the different trusted certification authorities is not associated with a locale that the at least one client is associated with and wherein a certificate chain is not necessary to trust the plurality of trusted public keys on the list;
second means for storing programming instructions that, when read by the processing unit, causes the processing unit to maintain the trusted public keys in a local storage medium;
third means for storing programming instructions that, when read by the processing unit, causes the processing unit to initiate execution of a security related operation when requested by a client application, wherein the client application includes an application program interface to the client cryptographic engine;
fourth means for storing programming instructions that, when read by the processing unit, causes the processing unit to, as part of the initiating execution, determine whether a public key certificate associated with the security related operation is verified as authentic based on the trusted public keys;
fifth means for storing programming instructions that, when read by the processing unit, causes the processing unit to perform the security related operation using a subject public key of the public key certificate associated with the security related operation when the public key certificate associated with the security related operation was verified as authentic;
sixth means for storing programming instructions that, when read by the processing unit, causes the processing unit to provide an indication that the security operation was performed successfully to the client application; and
seventh means for storing programming instructions that, when read by the processing unit, causes the processing unit to provide an indication that the security operation was not performed successfully to the client application when the public key certificate associated with the security related operation was not verified as authentic. - View Dependent Claims (34, 35, 36, 37)
-
Specification