Secure mapping and aliasing of private keys used in public key cryptography
First Claim
1. A method for assigning a first key pair to an entity, the method comprising:
- generating a first key pair comprising a first private key and a first public key, wherein the first private key and the first public key form a key pair for use in public-key cryptography;
storing the first key pair in a cryptographic signing unit (CSU);
activating the CSU after the first key pair has been stored in the CSU;
receiving a first request for a key pair from the entity; and
responsive to the first request, assigning the first key pair to the entity without revealing the first private key.
12 Assignments
0 Petitions
Accused Products
Abstract
A method (200) for assigning a key pair to an entity, such as a certification authority (CA 102), includes the following steps. A key pair is generated (210). It includes a private key and a public key which form a key pair for use in public-key cryptography. The key pair is stored (220) in a cryptographic signing unit (CSU 140). The CSU (140) is then activated (230). A request for a key pair is received (240) from the entity (102). Responsive to the request, the key pair is assigned (250) to the entity (102). In a preferred embodiment, an identifier (312) is assigned to the key pair and preferably is different from identifiers assigned to other key pairs stored in the CSU (140). The identifier (312) is then included in a digital certificate (300) issued to the entity (102).
124 Citations
22 Claims
-
1. A method for assigning a first key pair to an entity, the method comprising:
-
generating a first key pair comprising a first private key and a first public key, wherein the first private key and the first public key form a key pair for use in public-key cryptography;
storing the first key pair in a cryptographic signing unit (CSU);
activating the CSU after the first key pair has been stored in the CSU;
receiving a first request for a key pair from the entity; and
responsive to the first request, assigning the first key pair to the entity without revealing the first private key. - View Dependent Claims (2, 3, 4, 5, 6, 7)
generating a second key pair comprising a second private key and a second public key, wherein the second private key and the second public key form a key pair for use in public-key cryptography;
s storing the second key pair in the CSU;
activating the CSU after the first and second key pairs have been stored in the CSU;
receiving a second request for a key pair from the entity; and
responsive to the second request, assigning the second key pair to the entity without revealing the second private key.
-
-
3. The method of claim 2 further comprising:
-
assigning first and second identifiers to the first and second key pairs respectively, wherein the first and second identifiers are not identical; and
the step of assigning the first and second key pairs to the entity comprises associating the first and second identifiers with the entity.
-
-
4. The method of claim 1 wherein:
-
the steps of generating the first key pair and of storing the first key pair occur remotely from a communications network on which the entity uses the first key pair; and
the step of activating the CSU comprises coupling the CSU to the communications network.
-
-
5. The method of claim 1 further comprising:
-
assigning a first identifier to the first key pair; and
the step of assigning the first key pair to the entity comprises associating the first identifier with the entity.
-
-
6. The method of claim 5 wherein the step of associating the first identifier with the entity comprises:
including the first identifier in a digital certificate issued by an issuer to the entity, wherein the digital certificate further includes the first public key, the digital certificate represents that the entity is bound to the first public key, and the digital certificate is digitally signed by the issuer.
-
7. The method of claim 6 wherein:
-
the digital certificate complies with the X.509 format; and
the step of including the first identifier in the digital certificate comprises including the first identifier in an X.509 extension.
-
-
8. A computer readable medium for assigning a key pair to an entity, the computer readable medium storing:
-
a digital certificate issued by an issuer to an entity, the digital certificate representing that the entity is bound to a public key corresponding to a private key, wherein the private key has been assigned to the entity without revealing the private key, the public key and the private key form a key pair for use in public-key cryptography, the digital certificate is digitally signed by the issuer, the key pair is stored in a cryptographic signing unit (CSU), an identifier is assigned to the key pair, and the digital certificate includes subscriber information pertaining to the entity, the public key, and the identifier assigned to the key pair. - View Dependent Claims (9, 10)
the digital certificate complies with the X.509 format; and
the identifier is included in an X.509 extension.
-
-
10. The computer readable medium of claim 9 wherein:
the identifier is included in a SubjectAltName extension.
-
11. A method for digitally signing a message with a private key of an entity, the method comprising:
-
receiving a request to digitally sign a message with a private key of an entity, wherein the private key has been assigned to the entity without revealing the private key, the private key and the public key form a key pair for use in public-key cryptography, the key pair is stored in a cryptographic signing unit (CSU), and an identifier is assigned to the key pair;
receiving the identifier; and
digitally signing the message with the private key identified by the identifier. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
identifying the identifier responsive to information included in the request.
-
-
13. The method of claim 12 wherein:
the information included in the request includes information identifying a location from which the request was made.
-
14. The method of claim 11 further comprising:
identifying the identifier responsive to a second public key, wherein the request is digitally signed using a second private key, wherein the second private key and the second public key form a key pair for use in public-key cryptography.
-
15. The method of claim 11 wherein the step of receiving the identifier comprises:
-
receiving a digital certificate issued by an issuer to the entity, wherein the digital certificate represents that the entity is bound to the public key, the digital certificate is digitally signed by the issuer, and the digital certificate includes;
subscriber information pertaining to the entity, the public key, and the identifier assigned to the key pair.
-
-
16. The method of claim 15 further comprising:
verifying the digital signature with the public key included in the digital certificate.
-
17. The method of claim 11 wherein the step of digitally signing the message comprises:
-
transmitting the message to the CSU;
the CSU generating a digital signature of the message with the private key; and
receiving the digital signature from the CSU.
-
-
18. The method of claim 11 wherein:
the message is a digital certificate to be issued by the entity.
-
19. A system for providing digital certificate services, including digitally signing a message with a private key of an entity, the system comprising:
-
a certificate services engine for;
receiving a request to digitally sign a message with a private key of an entity, wherein the private key has been assigned to the entity without revealing the private key, the private key and a corresponding public key form a key pair for use in public-key cryptography, the key pair is stored in a cryptographic signing unit (CSU), and an identifier is assigned to the key pair, receiving the identifier, and digitally signing the message with the private key identified by the identifier; and
a CSU interface, coupled to the certificate services engine, for maintaining a message that the identifier is associated with the entity. - View Dependent Claims (20, 21, 22)
a key-aliasing database coupled to the certificate services engine for maintaining a message that the identifier is associated with the entity.
-
-
21. The system of claim 19 further comprising:
a key pair generator not coupled to the certificate services engine for generating the key pair and storing the key pair in the CSU.
-
22. The system of claim 19 further comprising:
the CSU.
Specification