Public cryptographic control unit and system therefor

US 6,449,720 B1
Filed: 05/17/1999
Issued: 09/10/2002
Est. Priority Date: 05/17/1999
Status: Active Grant

First Claim

Patent Images

1. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, a software developer computer and a cryptographic operations center, a method comprising:

generating a first security applet at said software developer computer;

transmitting said first security applet from said software developer computer to said cryptographic operations center;

receiving a first cryptographic key from said cryptographic operations center at said software developer computer;

receiving a first serial number from said cryptographic operations center at said software developer computer;

using said first cryptographic key in a process to encrypt said first security applet to form a first encrypted security applet;

appending said first serial number to said first encrypted security applet to form a first secure packet; and

distributing said first secure packet to said user computer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A universally available, public cryptographic control unit (crypto unit) is used in a cryptographic system shared by multiple independent users. The crypto unit, which is installed as a peripheral device to a general-purpose computer, loads and unloads encrypted security applets into an onboard RAM memory of the crypto unit, where each security applet is run. The crypto unit and the system of which it is a part, provides a secure internal environment in which only pre-approved security applets are granted permission to load and run. The computing environment within the crypto unit is secured by a cryptographic operation center (OPC) which communicates with each crypto unit. The software developer submits a proposed security applet to the OPC prior to distributing a given security applet in order to obtain the necessary permission for the given security applet. Only if all necessary permissions are obtained from the OPC will a given security applet be allowed to load and run in the crypto unit. When a first security applet is finished running, the crypto unit unloads (swaps out) the presently loaded first security applet in encrypted form to the PC hard drive, and loads (swaps in) the next security applet. The cryptographic context of each security applet is preserved in the file stored on the PC hard drive. In such manner, a single crypto unit is shared among a plurality of independent users.

Citations

26 Claims

1. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, a software developer computer and a cryptographic operations center, a method comprising:
- generating a first security applet at said software developer computer;
  
  transmitting said first security applet from said software developer computer to said cryptographic operations center;
  
  receiving a first cryptographic key from said cryptographic operations center at said software developer computer;
  
  receiving a first serial number from said cryptographic operations center at said software developer computer;
  
  using said first cryptographic key in a process to encrypt said first security applet to form a first encrypted security applet;
  
  appending said first serial number to said first encrypted security applet to form a first secure packet; and
  
  distributing said first secure packet to said user computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method in accordance with claim 1, wherein said cryptographic control unit includes a program control memory, said method further comprising:
3. A method in accordance with claim 2, wherein said software developer computer further includes a programmer key encrypted under said first cryptographic key to form a first encrypted programmer key in said first encrypted security applet, and said step of using said first cryptographic key in a process to decrypt said first security applet from said first encrypted security applet at said user computer comprises:
- receiving said first secure packet including said first programmer encrypted security applet at said user computer;
  
  decrypting said first encrypted programmer key at said user computer under said first cryptographic key to form a recovered programmer key; and
  
  decrypting said first programmer encrypted security applet under said recovered programmer key to recover said first security applet.
4. A method in accordance with claim 2, wherein said user computer includes a first user identification number, said method further comprising:
- transmitting said first user identification number from said user computer to said cryptographic operations center;
  
  storing a security applet registry table recording the correspondence between a plurality of security applets, cryptographic keys, serial numbers and user identification numbers, said security applet registry table having an entry indicating that said first serial number, said first cryptographic key and said first user identification number correspond to said first security applet.
5. A method in accordance with claim 2, wherein said user computer further includes a user computer hard drive memory, and said system further includes a second software developer computer, a second security applet having a respective second serial number and second cryptographic key corresponding thereto, said method further comprising:
- encrypting the contents of said program control memory in a process using a first user computer key to form a first encrypted security context;
  
  storing said first encrypted security context on said user computer hard drive memory; and
  
  loading said second security applet in said program control memory.
6. A method in accordance with claim 5, further comprising:
- encrypting the contents of said program control memory in a process using a second user computer key to form a second encrypted security context;
  
  storing said second encrypted security context on said user computer hard drive memory;
  
  decrypting said first encrypted security context in a process using said first user computer key to recover said first security context; and
  
  loading said first security context in said program control memory.
7. A method in accordance with claim 1, wherein said step of using said first cryptographic key in a process to encrypt said first security applet to form a first encrypted security applet further comprises:
- encrypting said first security applet at said software developer computer under a programmer key to form a first programmer encrypted security applet;
  
  encrypting said programmer key at said software developer computer under said first cryptographic key to form a first encrypted programmer key;
  
  appending said first encrypted programmer key and said first programmer encrypted security applet to form said first encrypted security applet.
8. A method in accordance with claim 1, further comprising:
- storing a security applet registry table recording the correspondence between a plurality of security applets, cryptographic keys and serial numbers, said security applet registry table having an entry indicating that said first serial number and said first cryptographic key correspond to said first security applet.

9. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, a software developer computer and a cryptographic operations center, an apparatus comprising:
- means for generating a first security applet at said software developer computer;
  
  means for transmitting said first security applet from said software developer computer to said cryptographic operations center;
  
  means for receiving a first cryptographic key from said cryptographic operations center at said software developer computer;
  
  means for receiving a first serial number from said cryptographic operations center at said software developer computer;
  
  means for using said first cryptographic key in a process to encrypt said first security applet to form a first encrypted security applet;
  
  means for appending said first serial number to said first encrypted security applet to form a first secure packet; and
  
  means for distributing said first secure packet to said user computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. An apparatus in accordance with claim 9, wherein said cryptographic control unit includes a program control memory, said apparatus further comprising:
11. An apparatus in accordance with claim 10, wherein said software developer computer further includes a programmer key encrypted under said first cryptographic key to form a first encrypted programmer key in said first encrypted security applet, and said means for using said first cryptographic key in a process to decrypt said first security applet from said first programmer encrypted security applet at said user computer comprises:
- means for receiving said first secure packet including said first programmer encrypted security applet at said user computer;
  
  means for decrypting said first encrypted programmer key at said user computer under said first cryptographic key to form a recovered programmer key; and
  
  means for decrypting said first programmer encrypted security applet under said recovered programmer key to recover said first security applet.
12. An apparatus in accordance with claim 10, wherein said user computer includes a first user identification number, said apparatus further comprising:
- means for transmitting said first user identification number from said user computer to said cryptographic operations center;
  
  means for storing a security applet registry table recording the correspondence between a plurality of security applets, cryptographic keys, serial numbers and user identification numbers, said security applet registry table having an entry indicating that said first serial number, said first cryptographic key and said first user identification number correspond to said first security applet.
13. An apparatus in accordance with claim 10, wherein said user computer further includes a user computer hard drive memory, and said system further includes a second software developer computer, a second security applet having a respective second serial number and second cryptographic key corresponding thereto, said apparatus further comprising:
- means for encrypting the contents of said program control memory in a process using a first user computer key to form a first encrypted security context;
  
  means for storing said first encrypted security context on said user computer hard drive memory; and
  
  means for loading said second security applet in said program control memory.
14. An apparatus in accordance with claim 13, further comprising:
- means for encrypting the contents of said program control memory in a process using a second user computer key to form a second encrypted security context;
  
  means for storing said second encrypted security context on said user computer hard drive memory;
  
  means for decrypting said first encrypted security context in a process using said first user computer key to recover said first security context; and
  
  means for loading said first security context in said program control memory.
15. An apparatus in accordance with claim 9, wherein said means for using said first cryptographic key in a process to encrypt said first security applet to form a first encrypted security applet further comprises:
- means for encrypting said first security applet at said software developer computer under a programmer key to form a first programmer encrypted security applet;
  
  means for encrypting said programmer key at said software developer computer under said first cryptographic key to form a first encrypted programmer key;
  
  means for appending said first encrypted programmer key and said first programmer encrypted security applet to form said first encrypted security applet.
16. An apparatus in accordance with claim 9, further comprising:
- means for storing a security applet registry table recording the correspondence between a plurality of security applets, cryptographic keys and serial numbers, said security applet registry table having an entry indicating that said first serial number and said first cryptographic key correspond to said first security applet.

17. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, a software developer computer and a cryptographic operations center, said software developer computer generating a first security applet and encrypting said first security applet in a process using a first cryptographic key to form a first encrypted security applet and distributing said first encrypted security applet to said user computer, a cryptographic key distribution method at said cryptographic operations center comprising:
- receiving said first security applet from said software developer computer at said cryptographic operations center;
  
  transmitting a first serial number from said cryptographic operations center to said software developer computer;
  
  transmitting a first cryptographic key from said cryptographic operations center at said software developer computer;
  
  receiving said first serial number from said cryptographic control unit at said cryptographic operations center;
  
  transmitting said first cryptographic key from said cryptographic operations center to said cryptographic control unit.
- View Dependent Claims (18)
- - 18. A method in accordance with claim 17, wherein said cryptographic control unit includes a program control memory, said method further comprising:

19. In a cryptographic key distribution system, having a software developer computer and a cryptographic operations center, said software developer computer generating a first security applet identified by a first serial number, and encrypting said first security applet in a process using a first cryptographic key to form a first encrypted security applet, said system further including a user computer having a cryptographic control unit with a program control memory, a method comprising:
- receiving said first security applet including said first serial number at said cryptographic control unit;
  
  transmitting said first serial number to said cryptographic operations center;
  
  receiving said first cryptographic key from said cryptographic operations center at said cryptographic control unit;
  
  using said first cryptographic key in a process to decrypt said first security applet from said first encrypted security applet; and
  
  loading said first security applet in said program control memory.

20. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, a software developer computer and a cryptographic operations center, said software developer computer generating a first security applet and encrypting said first security applet in a process using a first cryptographic key to form a first encrypted security applet and distributing said first encrypted security applet to said user computer, a cryptographic key distribution apparatus at said cryptographic operations center comprising:
- means for receiving said first security applet from said software developer computer at said cryptographic operations center;
  
  means for transmitting a first serial number from said cryptographic operations center to said software developer computer;
  
  means for transmitting a first cryptographic key from said cryptographic operations center at said software developer computer;
  
  means for receiving said first serial number from said cryptographic control unit at said cryptographic operations center;
  
  means for transmitting said first cryptographic key from said cryptographic operations center to said cryptographic control unit.
- View Dependent Claims (21)
- - 21. An apparatus in accordance with claim 20, wherein said cryptographic control unit includes a program control memory, said apparatus further comprising:

22. In a cryptographic key distribution system, having a software developer computer and a cryptographic operations center, said software developer computer generating a first security applet identified by a first serial number, and encrypting said first security applet in a process using a first cryptographic key to form a first encrypted security applet, said system further including a user computer having a cryptographic control unit with a program control memory, an apparatus comprising:
- means for receiving said first security applet including said first serial number at said cryptographic control unit;
  
  means for transmitting said first serial number to said cryptographic operations center;
  
  means for receiving said first cryptographic key from said cryptographic operations center at said cryptographic control unit;
  
  means for using said first cryptographic key in a process to decrypt said first security applet from said first encrypted security applet; and
  
  loading said first security applet in said program control memory.

23. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, said cryptographic control unit including a program control memory, a method comprising:
- loading a first security applet in the program control memory;
  
  encrypting the content of the program control memory in a process using a first user computer key to form a first encrypted security context;
  
  storing the first encrypted security context on a memory external to the cryptographic control unit; and
  
  loading a second security applet in the program control memory.
- View Dependent Claims (24)
- - 24. A method in accordance with claim 23, further comprising:

25. In a cryptographic key distribution system, including a user computer having a cryptographic control unit, said cryptographic control unit including a program control memory, a system comprising:
- a first security applet loadable in the program control memory;
  
  a first user computer key for encrypting the content of the program control memory to form a first encrypted security context;
  
  a memory external to the cryptographic control unit for storing the first encrypted security context; and
  
  a second security applet loadable in the program control memory.
- View Dependent Claims (26)
- - 26. A system in accordance with claim 25, further comprising;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ESW Holdings, Inc. (ESW Capital, LLC)
Original Assignee
Wave Systems Corporation
Inventors
Kazmierczak, Gregory J, Sprague, Steven K
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/313,295
Time in Patent Office

1,212 Days
Field of Search

713/160, 713/168, 713/171, 713/200, 713/201, 380/255, 380/277, 380/283, 380/28
US Class Current

713/171
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

G06F 2211/007 Encryption, En-/decode, En-...

Public cryptographic control unit and system therefor

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Public cryptographic control unit and system therefor

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links