Method and system for restricting access to the private key of a user in a public key infrastructure
First Claim
1. An encryption/decryption authentication system for encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient, the encryption/decryption/authentication system comprising:
- (a) at least one key storage medium for storing a plurality of keys, each key being useable by an associated user in a public key infrastructure to encrypt and decrypt data; and
(b) a computer accessible to the associated, linked to the at least one key storage medium, and further linked to an encryption/decryption/authentication facility within a browser, wherein the encryption/decryption/authentication facility is adapted within browser to;
(i) authenticate user identification data of the associated user thereby enabling access to a private in the plurality of keys usable by the associated user, obtained from the at least one key storage medium; and
(ii) encrypt/decrypt data, authenticate data, and/or authenticate sender, decrypt and/or verify the data or the sender for a recipient by accessing the associated private key or public key in the plurality of keys.
3 Assignments
0 Petitions
Accused Products
Abstract
An encryption/decryption system for providing restricted use of each key in a plurality of keys to preserve confidentiality of the plurality of keys. Each key is usable by an associated user in a public key infrastructure to encrypt and decrypt data. The encryption/decryption system comprises a key storage means for storing a plurality of keys, user authentication means for determining whether a prospective user of a key in the plurality of keys is the associated user of the key, and an encryption/decryption means for encrypting and decrypting data using the plurality of keys when the user authentication means authenticates the prospective user. The encryption/decryption means is operable in a browser on a client computer.
-
Citations
31 Claims
-
1. An encryption/decryption authentication system for encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient, the encryption/decryption/authentication system comprising:
-
(a) at least one key storage medium for storing a plurality of keys, each key being useable by an associated user in a public key infrastructure to encrypt and decrypt data; and
(b) a computer accessible to the associated, linked to the at least one key storage medium, and further linked to an encryption/decryption/authentication facility within a browser, wherein the encryption/decryption/authentication facility is adapted within browser to;
(i) authenticate user identification data of the associated user thereby enabling access to a private in the plurality of keys usable by the associated user, obtained from the at least one key storage medium; and
(ii) encrypt/decrypt data, authenticate data, and/or authenticate sender, decrypt and/or verify the data or the sender for a recipient by accessing the associated private key or public key in the plurality of keys. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
(a) measuring the selected feature of the associated user;
(b) determining if the selected feature as measured sufficiently corresponds to the biometric standard;
(c) granting use of the key to the associated user if the selected feature as measured sufficiently corresponds to the biometric standard; and
(d) denying use of the key to the associated user if the selected feature as measured insufficiently corresponds to the biometric standard wherein the encryption/decryption/authentication facility encrypts and/or decrypts data using the associated private key or public key if the selected feature as measured sufficiently corresponds to the biometric standard.
-
-
3. The system as defined in claim 2, further comprising means for impeding viewing and copying of the associated private key and/or public key such that use of the key for encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient, is grantable to the associated user without the associated user learning the key.
-
4. The system as defined in claim 1, wherein the encryption/decryption/authentication facility includes a key control facility for requiring the selected feature of the associated user to be measured and determined within the browser to sufficiently correspond to the biometric standard each time use of the key is granted to the associated user.
-
5. The system as defined in claim 4, wherein the encryption/decryption/authentication system includes a biometric device for measuring the selected feature of the associated user;
- and the encryption/decryption/authentication facility within the browser obtains the biometric standard and determines if the selected feature as measured by the biometric device sufficiently corresponds to the biometric standard.
-
6. The system as defined in claim 5, further comprising a plurality of biometric devices for measuring the selected feature of the associated user;
- and a plurality of remote computers, each remote computer in the plurality of remote computers being electronically linked to an associated biometric device and to the at least one key storage medium.
-
7. The system as defined in claim 6, wherein the at least one key storage medium includes at least one key storage server for storing a plurality of public and private keys and biometric standards, the at least one key storage server being electronically linked to the plurality of remote computers, wherein the plurality of public and private keys includes a plurality of private keys each having an associated public key, each of the plurality of keys being useable to decrypt data encrypted using the associated public or private key.
-
8. The system as defined in claim 7, wherein the plurality of private keys are stored to a private key storage server, the plurality of public keys are stored to a public key storage server, and the plurality of biometric standards are stored to a biometric standard storage server.
-
9. The system as defined in claim 1 wherein the encryption/decryption/authentication facility is adapted in the browser to selectively encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient.
-
10. The system as defined in claim 9, wherein the encryption/decryption/authentication facility is adapted to selectively process tagged data so as to within the browser encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient.
-
11. The system as defined in claim 2, wherein the encryption/decryption/authentication facility is adapted in the browser to selectively at the field level encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient.
-
12. The system as defined in claim 11, wherein the encryption/decryption/authentication facility is adapted in the browser to selectively encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient, at the form field level, database field level and/or file field level.
-
13. The system as defined in claim 1, wherein the encryption/decryption/authentication facility is adapted in the browser to sign and/or verify a digital signature associated with a web page.
-
14. The system as defined in claim 1 wherein the encryption/decryption/authentication facility is adapted to encrypt/decrypt one or more images.
-
15. A computer program product for use on a computer system for encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient, the computer program product comprising:
-
(e) a computer usable medium; and
(f) computer readable program code recorded on the computer useable medium, including;
(i) program code that stores a plurality of keys to at least one key storage medium linked to the computer system, each key being useable by an associated user in a public key infrastructure to encrypt and decrypt data; and
(ii) program code that within a browser linked to the computer system;
(1) authenticates user identification data of the associated user thereby enabling access to a private key in the plurality of keys useable by the associated user, obtained from the at least one key storage medium; and
(2) encrypts/decrypts data, authenticates data, and/or authenticates a sender, decrypts and/or verifies the data or the sender for a recipient, by accessing the associated private key or public key in the plurality of keys. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
(a) measure the selected feature of the associated user;
(b) determine if the selected feature as measured sufficiently corresponds to the biometric standard;
(c) grant use of the key to the associated user if the selected feature as measured sufficiently corresponds to the biometric standard; and
(d) deny use of the key to the associated user if the selected feature as measured insufficiently corresponds to the biometric standard wherein the computer program code instructs the computer system to encrypts and/or decrypt data using the key if the selected feature as measured sufficiently corresponds to the biometric standard.
-
-
18. The computer program product as defined in claim 16, further including computer program code for instructing the computer system to impede viewing and copying of the associated public key and/or private key such that use of the associated public key and/or private key for encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient, is grantable to the associated user without the associated user learning the key.
-
19. The computer program product as defined in claim 18, further including program code defining a key control facility for instructing the computer system to require the selected feature of the associated user to be measured and determined within the browser to sufficiently correspond to the biometric standard each time use of the key is granted to the associated user.
-
20. The computer program product as defined in claim 19, wherein the computer program code provides instructions to the computer system to:
-
(a) receive the selected feature of the associated user measured by at least one biometric device; and
(b) within the browser obtain the biometric standard and determine if the selected feature as measured by the at least one biometric device sufficiently corresponds to the biometric standard.
-
-
21. The computer program product as defined in claim 20, wherein the plurality of public and private keys includes a plurality of private keys each having an associated public key, each of the plurality of keys being useable to decrypt data encrypted using the associated public or private key.
-
22. The computer program product as defined in claim 21, wherein the plurality of private keys are stored to a private key storage server, the plurality of public keys are stored to a public key storage server, and the plurality of biometric standards are stored to a biometric standard storage server;
- and wherein the computer program product includes computer program code for linking the computer system to the private key storage server, the public key storage server, and the biometric standard storage server.
-
23. The computer program product as defined in claim 15, including computer program code for instructing the computer system in the browser to selectively encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient.
-
24. The computer program product as defined in claim 23, including computer program code for instructing the computer system in the browser to selectively process tagged data so as to within the browser encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient.
-
25. The computer program product as defined in claim 15, including computer program code for instructing the computer system in the browser to selectively at the field level encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient.
-
26. The computer program product as defined in claim 23, including computer program code for instructing the computer system in the browser to selectively encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify data or the sender for a recipient, at the form field level, database field level and/or file field level.
-
27. The computer program product as defined in claim 15, including computer program code for instructing the computer system in the browser to sign and/or verify a digital signature associated with a web page.
-
28. The computer program product as defined in claim 15, including computer program code for instructing the computer system in the browser to encrypt/decrypt one or more images.
-
29. An encryption/decryption/authentication system for encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient, the encryption/decryption/authentication system comprising:
-
(a) a key storage server for storing a plurality of keys, each key being useable by an associated user in a public key infrastructure to encrypt and decrypt data; and
(b) a client computer accessible to the associated user, linked to the key storage server, and further linked to an encryption/decryption/authentication facility within a browser, wherein the encryption/decryption/authentication facility is adapted within the browser to;
(i) authenticate user identification data of the associated user thereby enabling access to a private key in the plurality of keys useable by the associated user, obtained from the at least one key storage medium; and
(ii) encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify the data or the sender for a recipient, by accessing the associated private key or public key in the plurality of keys. - View Dependent Claims (30)
-
-
31. A method of encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient in a browser, comprising the steps of:
-
(a) requesting at least one of encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data at a computer accessible to an associated user, the computer including an encryption/decryption/authentication facility adapted within a browser to;
(i) authenticate user identification data of the associated user thereby enabling access to a private key useable by the associated user, obtained from at least one key storage medium linked to the computer; and
(ii) encrypt/decrypt data, authenticate data, and/or authenticate a sender, decrypt and/or verify the data or the sender for a recipient, by accessing the associated private key or public key of the associated user from the at least one key storage medium (b) making a request for user identification data and the private key of the associated user from the at least key storage medium;
(c) authenticating the user identification data by means of the encryption/decryption/authentication facility; and
(d) encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data or the sender for a recipient in the browser by accessing the associated private key or public key of the associated user.
-
Specification