Secure distribution and protection of encryption key information
Abstract
The invention relates to secure distribution of a private key from a distributing unit to a receiving unit, and is based on providing each of the distributing unit and the receiving unit with a protecting circuit holding an original private key unique for that protecting circuit. The protecting circuit of the receiving unit is associated with a certificate holding information on the type of the protecting circuit. The protecting circuit of the distributing unit requests this certificate and verifies its authenticity by using a public key of a certificate authority that is stored in the protecting circuit. Next, the protecting circuit determines, based on the type information of the certificate, whether the protecting circuit of the receiving unit represents a type of circuit that is acceptable for protecting the private key to be distributed. Only if the protecting circuit is found to be acceptable is the private key encrypted and transmitted to it. The received key is decrypted and stored in the protecting circuit of the receiving unit. In this manner, the private key is protected during transfer and may be distributed to and securely protected in one or more receiving units.
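The check-then-encrypt flow described above (CA-verified certificate, type allowlist, and only then encryption to the certified public key, as in claim 2), as an added Go example that is not part of the patent: the certificate layout, the type name "hsm-type-A", the accepted-type list and the choice of RSA-PSS for the CA signature and RSA-OAEP for the key transport are all assumptions, since the patent fixes none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Certificate models the receiving circuit's certificate of claim 1: its public
// key bound to a circuit type, both signed by the certificate authority.
type Certificate struct {
	Type   string        // circuit type, e.g. "hsm-type-A" (constructed value)
	PubKey rsa.PublicKey // the second protecting circuit's public key
	Sig    []byte        // CA signature (RSA-PSS) over the digest of Type|N|E
}

// NewKey generates a 2048-bit RSA pair, used here for the CA and each circuit.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func certDigest(typ string, pub *rsa.PublicKey) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%d", typ, pub.N.Bytes(), pub.E)))
	return h[:]
}

// IssueCert is the CA's step: bind a circuit type to the circuit's public key.
func IssueCert(ca *rsa.PrivateKey, pub *rsa.PublicKey, typ string) (Certificate, error) {
	sig, err := rsa.SignPSS(rand.Reader, ca, crypto.SHA256, certDigest(typ, pub), nil)
	return Certificate{Type: typ, PubKey: *pub, Sig: sig}, err
}

// DistributeKey is the first protecting circuit: verify the certificate with the
// CA public key, check the type against the accepted list, and only then encrypt
// the key information to the certified public key (claim 2) for transmission.
func DistributeKey(caPub *rsa.PublicKey, accepted map[string]bool, cert Certificate, keyInfo []byte) ([]byte, error) {
	pub := &cert.PubKey
	if err := rsa.VerifyPSS(caPub, crypto.SHA256, certDigest(cert.Type, pub), cert.Sig, nil); err != nil {
		return nil, fmt.Errorf("certificate not authentic: %w", err)
	}
	if !accepted[cert.Type] {
		return nil, fmt.Errorf("circuit type %q not acceptable for this key", cert.Type)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyInfo, nil)
}

// ReceiveKey is the second protecting circuit: decrypt with its own private key.
func ReceiveKey(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

Because the type field is covered by the CA signature, editing the type on an otherwise authentic certificate fails the authenticity check before the allowlist is even consulted.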
22 Claims
1. A key distributing system comprising a distributing unit and a receiving unit interconnected by a communication link, said distributing unit having encryption key information to be distributed to said receiving unit, wherein:
said distributing unit includes a first protecting circuit holding a public key of a trusted certificate authority;
said receiving unit includes a second protecting circuit holding an original private key unique for said second protecting circuit, said second protecting circuit being associated with a certificate that includes information on the type of said second protecting circuit;
wherein said first protecting circuit includes:
means for requesting the certificate of said second protecting circuit;
means for determining, by means of the public key of said certificate authority, whether the requested certificate is authentic;
means for determining, based on the type information of said certificate, whether said second protecting circuit represents one of a number of predetermined types of circuits that are acceptable for protecting said encryption key information, provided said certificate is determined to be authentic;
means for encrypting said encryption key information provided said second protecting circuit is determined to be acceptable; and
means for transmitting said encrypted encryption key information to said second protecting circuit via said communication link; and
wherein said second protecting circuit includes:
means for decrypting said encrypted encryption key information; and
means for storing said encryption key information.

2. A key distribution system according to claim 1, wherein:
said encrypting means encrypts said encryption key information by the public key comprised in the requested certificate of said second protecting circuit, and said decrypting means decrypts said encrypted encryption key information by the private key of said second protecting circuit.

3. A key distribution system according to claim 1, wherein:
said first protecting circuit holds an original private key unique for said first protecting circuit, and is associated with a certificate that includes a public key of said first protecting circuit;
said second protecting circuit comprises means for requesting the certificate of said first protecting circuit and further holds a public key of a trusted certificate authority for verifying that the requested certificate is authentic;
said encrypting means two-way encrypts said encryption key information by the public key comprised in the requested certificate of said second protecting circuit and the private key of said first protecting circuit; and
said decrypting means two-way decrypts said encrypted encryption key information by the public key comprised in the requested certificate of said first protecting circuit and the private key of said second protecting circuit.

4. A key distribution system according to claim 3, wherein said second protecting circuit further comprises:
means for storing the certificate of said first protecting circuit provided the certificate is verified as authentic; and
means for deleting the encryption key information stored therein in response to a delete request signed by the private key of the first protecting circuit, said delete request being authenticated by means of the public key comprised in the stored certificate.

5. A key distribution system according to claim 1, wherein:
said encryption key information comprises a private key or a representation thereof.

6. A key distribution system according to claim 5, wherein:
a certificate associated with said private key is transferred from said distributing unit to said receiving unit.

7. A key distribution system according to claim 1, wherein:
each one of said acceptable types of circuits handles said encryption key according to a number of predetermined rules.

8. A key distribution system according to claim 1, wherein:
an acceptable type of circuit holds said encryption key information within the protecting circuit.

9. A key distribution system according to claim 8, wherein:
an acceptable type of circuit further deletes the encryption key information stored therein if it receives a delete request from the unit that distributed the encryption key information.

10. A key distribution system according to claim 1, wherein:
said encryption key information comprises a symmetric key;
said first protecting circuit includes:
means for encrypting a private key by said symmetric key;
means for transmitting said symmetrically encrypted private key to said second protecting circuit; and
said second protecting circuit includes:
means for decrypting said symmetrically encrypted private key by said symmetric key; and
means for storing said private key.

11. A key distribution system according to claim 1, wherein:
said first protecting circuit has an engine for asymmetric cryptography and a persistent memory for storing the encryption key information to be distributed, the public key of said trusted certificate authority, as well as an original private key unique for said first protecting circuit.

12. A key distribution system according to claim 1, wherein:
said second protecting circuit has an engine for asymmetric cryptography and a persistent memory for storing the private key of said second protecting circuit, the received encryption key information, as well as a public key of a trusted certificate authority.

13. A key distribution system according to claim 1, wherein:
the requested certificate of said second protecting circuit is stored in said key distributing unit.

14. A key distribution system according to claim 1, wherein:
the certificate of said second protecting circuit has information on the identity of the second protecting circuit, and said key distributing unit stores the identity of said second protecting circuit.

15. A method for protected distribution of encryption key information from a key distributing unit to a key receiving unit via a communication link, comprising the steps of:
providing said distributing unit with a first protecting circuit holding a public key of a trusted certificate authority;
providing said receiving unit with a second protecting circuit holding an original private key unique for said second protecting circuit;
associating said second protecting circuit of said receiving unit with a certificate having information on the type of said second protecting circuit;
said first protecting circuit requesting the certificate of said second protecting circuit, and determining, by using the public key of said certificate authority, whether the requested certificate is authentic, and determining, based on the type information of said certificate, whether said second protecting circuit represents a type of circuit that is acceptable for protecting said encryption key information; and
provided said requested certificate is determined to be authentic and said second protecting circuit is determined to be acceptable, then:
encrypting said encryption key information in said first protecting circuit;
transmitting said encrypted encryption key information from said first protecting circuit to said second protecting circuit via said communication link;
decrypting said encrypted encryption key information in said second protecting circuit; and
storing said encryption key information in said second protecting circuit.

16. A method according to claim 15, wherein:
said encryption key information is encrypted by the public key comprised in the requested certificate of said second protecting circuit, and said encrypted encryption key information is decrypted by the private key of said second protecting circuit.

17. A method according to claim 15, wherein:
said first protecting circuit holds an original private key unique for said first protecting circuit, and is associated with a certificate that includes a public key of said first protecting circuit;
said second protecting circuit requests the certificate of said first protecting circuit, and further holds a public key of a trusted certificate authority for verifying that the requested certificate is authentic;
said encryption key information is two-way encrypted by the public key comprised in the certificate of said second protecting circuit and the private key of said first protecting circuit; and
said encrypted encryption key information is two-way decrypted by the public key comprised in the certificate of said first protecting circuit and the private key of said second protecting circuit.

18. A method according to claim 17, wherein:
said second protecting circuit stores the certificate of said first protecting circuit provided the certificate is verified as authentic, and deletes the encryption key information stored therein in response to a delete request signed by the private key of said first protecting circuit, said delete request being authenticated by means of the public key comprised in the stored certificate.

19. A method according to claim 15, wherein:
said encryption key information comprises a private key or a representation thereof.

20. A method according to claim 15, wherein:
an acceptable type of circuit handles said encryption key according to a number of predetermined rules.

21. A method according to claim 15, wherein:
an acceptable type of circuit holds said encryption key information within the protecting circuit.

22. A method according to claim 15, wherein:
said encryption key information comprises a symmetric encryption key, which is subsequently used for securely distributing a private asymmetric encryption key from said first protecting circuit to said second protecting circuit.

Specification