Data management system and method for a limited capacity cryptographic storage unit

US 6,393,565 B1
Filed: 08/03/1998
Issued: 05/21/2002
Est. Priority Date: 08/03/1998
Status: Expired due to Term

First Claim

Patent Images

1. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:

a cryptographic data manager adapted to the portable limited capacity cryptographic storage unit; and

a data overflow storage device, operatively coupled to the cryptographic data manager, wherein the cryptographic data manager stores cryptographic data from the limited capacity storage unit in the data overflow storage device based on a limited capacity storage unit update condition.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data management system and method for a limited cryptographic storage unit, such as a smartcard or other hardware token, includes a cryptographic data manager that interfaces with the limited capacity cryptographic storage unit and a data overflow memory coupled to the cryptographic data manager. The cryptographic data manager stores cryptographic data, such as decryption private keys or other secret cryptographic data, in the overflow memory from the limited capacity cryptographic storage unit based on a limited capacity storage unit data update condition. The cryptographic data manager may serve as a secondary cryptographic data manager that receives the cryptographic data from an original cryptographic data storage device, or primary storage device such as a server that generates the cryptographic data, that stores a history of the cryptographic data.

105 Citations

49 Claims

1. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
- a cryptographic data manager adapted to the portable limited capacity cryptographic storage unit; and
  
  a data overflow storage device, operatively coupled to the cryptographic data manager, wherein the cryptographic data manager stores cryptographic data from the limited capacity storage unit in the data overflow storage device based on a limited capacity storage unit update condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The data management system of claim 1 wherein the cryptographic data manager determines the limited capacity storage unit data update condition and bases the decision on a determination of a data overflow condition for the limited capacity storage unit.
  - 3. The data management system of claim 1 wherein the limited capacity storage unit data update condition is a condition where new data is to be stored in the limited capacity cryptographic storage unit.
  - 4. The data management system of claim 1 wherein the cryptographic data manager manages decryption private key storage between the portable limited capacity storage unit and the data overflow storage device.
  - 5. The data management system of claim 1 wherein the cryptographic data manager stores decryption private key history data in the data overflow storage device in response to generation of a new decryption private key.
  - 6. The data management system of claim 1 including an encryption key pair generator, operatively coupled to the cryptographic data manager.
  - 7. The data management system of claim 1 wherein the limited capacity cryptographic storage unit stores redundant cryptographic data.
  - 8. The data management system of claim 1 wherein the data overflow storage device stores cryptographic data from the limited capacity cryptographic storage unit and wherein the limited capacity cryptographic storage unit stores non-redundant cryptographic data.
  - 9. The data management system of claim 1 wherein the data over flow storage device stores decryption private key history data obtained from the limited capacity cryptographic storage unit and wherein the limited capacity cryptographic storage unit also stores decryption private key history data.
  - 10. The data management system of claim 9 wherein the data overflow storage device and the limited capacity cryptographic storage unit store redundant decryption private key history data.
  - 11. The data management system of claim 9 wherein the data overflow storage device and the limited capacity cryptographic storage unit store non-redundant decryption private key history data.
  - 12. The data management system of claim 1 wherein the cryptographic data manager includes:
13. The data management system of claim 1 wherein the limited capacity cryptographic storage unit stores first cryptographic key identification data and wherein the overflow storage unit stores second cryptographic key identification data.
14. The data management system of claim 13 including a selector, operatively responsive to the first and second cryptographic key identification data, that selects stored cryptographic data from either the limited capacity cryptographic storage unit or from the overflow storage unit, based on the identification data.
15. The data management system of claim 14 including a data decryptor, operatively coupled to the selector, wherein the data decryptor decrypts received encrypted data using the selected stored cryptographic data.
16. The data management system of claim 15 wherein cryptographic data includes decryption private key data and wherein the limited capacity cryptographic data storage unit and overflow unit includes decryption private key history data to facilitate decryption of received data encrypted using a non-current public encryption key.
17. The data management system of claim 12 wherein the encryptor encrypts key data from the data router using a symmetric key stored in the limited capacity cryptographic data storage unit.
18. The data management system of claim 17 wherein the key data includes decryption private key data removed from the limited capacity cryptographic storage unit.
19. The data management system of claim 12 wherein the encryptor encrypts key data from the data router using a symmetric key.
20. The data management system of claim 1 wherein the cryptographic data manager temporarily stores new data to be stored in the limited capacity cryptographic data storage unit until sufficient space is available in the limited capacity cryptographic data storage unit.
21. The data management system of claim 1 wherein the cryptographic data is latest previous decryption key history data.
22. The data management system of claim 1 wherein the cryptographic data is Nth previous cryptographic data from a stored history of cryptographic data, where N is a number of cryptographic keys stored by the limited capacity cryptographic storage unit.
23. The data management system of claim 1 wherein the limited capacity cryptographic storage unit stores cryptographic data in a first in first out (FIFO) manner.
24. The data management system of claim 23 wherein the cryptographic data manager provides memory size data of the limited capacity cryptographic storage unit for a primary key history data manager.
25. The data management system of claim 24 wherein the primary key history data manager obtains at least one of a plurality of non-current decryption private keys based on the memory data.

26. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
- a receiver other than the portable limited capacity cryptographic storage unit that receives new data for storage in the portable limited capacity cryptographic storage unit; and
  
  a data router operatively coupled to the receiver wherein the data router routes cryptographic data to a data overflow storage device based on a portable limited capacity storage unit data update condition.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 27. The data management system of claim 26 including the data overflow storage device, operatively coupled to the data router.
  - 28. The data management system of claim 26 wherein the limited capacity storage unit data update condition is a condition where new data is to be stored in the limited capacity cryptographic storage unit.
  - 29. The data management system of claim 26 wherein the cryptographic data manager manages decryption private key storage among the limited capacity storage unit and the data overflow storage device.
  - 30. The data management system of claim 26 wherein the cryptographic data manager stores decryption private key history data in the data overflow storage device in response to generation of a new decryption private key.
  - 31. The data management system of claim 26 including an encryption key pair generator, operatively coupled to the cryptographic data manager.
  - 32. The data management system of claim 27 wherein the data overflow unit stores decryption private key history data obtained from the limited capacity cryptographic storage unit and wherein the limited capacity cryptographic storage unit also stores decryption private key history data.
  - 33. The data management system of claim 26 wherein the cryptographic data manager includes:
34. The data management system of claim 26 wherein the limited capacity cryptographic storage unit stores first decryption private key identification data and wherein the overflow storage unit stores second decryption private key identification data.
35. The data management system of claim 34 including a selector, operatively responsive to the first and second decryption private key identification data, that selects stored cryptographic data from either the limited capacity cryptographic storage unit or from the overflow storage unit, based on the identification data.
36. The data management system of claim 35 including a data decryptor, operatively coupled to the selector, wherein the data decryptor decrypts received encrypted data using the selected stored cryptographic data.
37. The data management system of claim 36 wherein cryptographic data includes decryption private key data and wherein the limited capacity cryptographic data storage unit and overflow unit includes decryption private key history data to facilitate decryption of received data encrypted using a non-current public encryption key.
38. The data management system of claim 33 wherein the encryptor encrypts key data from the data router using a symmetric key stored in the limited capacity cryptographic data storage unit.

39. Data management system for interfacing to a portable limited capacity cryptographic storage unit comprising:
- a receiver other than the portable limited capacity cryptographic storage unit that receives new data for storage in the portable limited capacity cryptographic storage unit;
  
  a data router operatively coupled to the receiver wherein the data router routes cryptographic data to a data overflow storage device based on a portable limited capacity storage unit data update condition; and
  
  a primary key history data manager, operatively coupled to the receiver, that provides new cryptographic key data to the receiver for storage on the limited capacity cryptographic storage unit and maintains a decryption key history associated with a given portable limited capacity cryptographic storage unit.
- View Dependent Claims (40)
- - 40. The data management system of claim 39 wherein the data router provides memory size data of the limited capacity cryptographic storage unit for the primary key history data manager and wherein the primary key history data manager sends at least one non-current decryption key to the receiver in response thereto.

41. Data management method for interfacing to a portable limited capacity cryptographic storage unit comprising the steps of:
- determining a portable limited capacity storage unit data update condition; and
  
  storing cryptographic data in the data overflow storage device received from the portable limited capacity cryptographic storage unit based on the portable limited capacity storage unit data update condition.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. The data management method of claim 41 wherein determining the limited capacity storage unit data update condition includes determining a data overflow condition for the limited capacity storage unit.
  - 43. The data management method of claim 41 including managing decryption private key storage among the limited capacity storage unit and the data overflow storage device.
  - 44. The data management method of claim 41 including storing decryption private key history data in the data overflow storage device in response to generation of a new decryption private key.
  - 45. The data management method of claim 41 including storing cryptographic data from the limited capacity cryptographic storage unit and wherein the limited capacity cryptographic storage unit stores non-redundant cryptographic data.
  - 46. The data management method of claim 41 including the steps of:
47. The data management method of claim 41 including selecting stored cryptographic data from either the limited capacity cryptographic storage unit or from the overflow storage unit, based on key identification data.

48. Data management method for a limited capacity cryptographic storage unit comprising:
- receiving new data for storage in the limited capacity cryptographic storage unit;
  
  routing cryptographic data to a data overflow storage device based on a limited capacity storage unit data update condition;
  
  providing new cryptographic key data to the receiver for storage on the limited capacity cryptographic storage unit; and
  
  maintaining a decryption key history associated with a given limited capacity cryptographic storage unit.
- View Dependent Claims (49)
- - 49. The data management method of claim 48 including providing memory size data of the limited capacity cryptographic storage unit for a primary key history data manager and wherein the primary key history data manager sends at least one non-current decryption key to the receiver in response thereto.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Technologies Limited
Inventors
Wiener, Michael J., Lockhart, Roland T.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/128,321
Time in Patent Office

1,387 Days
Field of Search

713/172, 713/185, 380/277, 380/278
US Class Current

713/172
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3576   Multiple memory zones on card

G07F 7/1008   Active credit-cards provide...

G07F 7/1016   Devices or methods for secu...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Data management system and method for a limited capacity cryptographic storage unit

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Data management system and method for a limited capacity cryptographic storage unit

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links