System and method to support varying maximum cryptographic strength for common data security architecture (CDSA) applications
Abstract
An Improved CDSA system (CDSA-I) includes a standard CDSA framework coupled via an Application Program Interface to an application requiring cryptographic support. During manufacture, a cryptographic control privilege is incorporated into the application as part of an exemption mechanism, which exemption may or may not be enforced by the CDSA framework. For maximum cryptographic strength, an application must be signed by a private key controlled by the CDSA framework vendor. Inside the CDSA framework, the corresponding public key is used to verify at runtime those applications that were appropriately signed. The CDSA framework is coupled via a Service Provider Interface (SPI) to a plurality of pluggable modules for performing cryptographic operations, storing signed digital certificates for applications, and trust policies relating to cryptographic strengths. The framework is initialized to provide the cryptographic support for the application. At runtime the application requests from the CDSA framework a crypto context representing the algorithm ID, key and key length, to be used in subsequent API calls to the CDSA framework. The application requests a privilege status and the CDSA framework uses its internal public key at runtime to determine if the application is privileged to perform strong crypto for the current thread using the current crypto context; this is determined by verifying that the application and its credentials were signed by the private key controlled by the CDSA framework vendor. A flag is set in the application if the application will be entitled to strong crypto when the application actually calls the APIs to encrypt data. Otherwise, the flag is not set and the application is stopped from using strong crypto when it calls the APIs to encrypt data.
10 Claims
1. An improved cryptographic system for varying maximum cryptographic strength in common data security architecture applications, comprising:
(a) a common data security architecture framework;
(b) an application requiring cryptographic support and containing an exemption mechanism;
(c) an application program interface coupling the framework to the application;
(d) a plurality of pluggable modules defining cryptographic operations, digital certificates, and certificate revocation lists, and implementing crypto security policies defined by authorities and institutions;
(e) a service provider interface for coupling the pluggable modules to the common data security architecture framework;
(f) means for selectively digitally signing an application with an exempt privilege; and
(g) means for allowing digitally signed applications to use strong crypto while unsigned digital applications are allowed to use weak crypto.

2. The improved cryptographic system of claim 1 further comprising:
(h) means for signing the application with a private key.

3. The improved cryptographic system of claim 1 further comprising:
(i) means for creating a crypto context in the application.

4. The improved cryptographic system of claim 1 further comprising:
(j) means for initializing the common data security architecture framework and reading the application for cryptographic strength information.

5. The improved cryptographic system of claim 1 further comprising:
(k) a data structure in the framework for processing exemption requests provided by the application.

6. In an improved cryptographic system supporting common data security architecture applications and including a common data security architecture framework coupled to an application requiring cryptographic support through an application interface and further coupled to a plurality of pluggable modules through a service provider interface, a method for varying cryptographic strength for the common data security architecture applications, comprising the steps of:
(a) initializing the common data security architecture framework including reading and checking configuration files for crypto strength and signature;
(b) creating a crypto context in the application with an algorithm ID and key length provided by the common data security architecture framework;
(c) returning a crypto context handle to the application;
(d) requesting an exempt all privilege for the current thread;
(e) checking the application credentials for signatures;
(f) extracting a privilege set from signed credentials;
(g) determining if the privilege set includes an exempt all privilege;
(h) setting a strong crypto allowed flag to true for a privileged application;
(i) determining if the crypto strength is greater than the default crypto strength of the application;
(j) determining if the strong crypto allowed flag is set to true; and
(k) encrypting the application with strong crypto strength when the strong crypto allowed flag is set to true or returning an error code when the flag is not true.

7. The method of claim 6 further comprising the step of:
(l) providing an exemption mechanism for the common data security architecture application.

8. The method of claim 7 further comprising the step of:
(m) digitally signing the application.

9. The method of claim 8 further comprising the step of:
(n) providing a private key for use in signing the application.

10. The method of claim 9 further comprising the step of:
(o) checking a digitally signed application with an exemption attribute for cryptographic support of the application.
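The following Go program is an added illustration of the mechanism in the abstract and the method steps of claim 6; it is not part of the patent and does not reproduce any CDSA or CSSM implementation. A vendor-held Ed25519 key signs a credential that binds the hash of an application image to its privilege set (steps (e) and (f)); the framework embeds the matching public key, verifies the credential when the application asks for the exempt-all privilege, sets the per-context strong-crypto-allowed flag only if the verified set contains that privilege (steps (g) and (h)), and the encrypt call honours a key length above the default strength only when the flag is set (steps (i) to (k)). The names `ExemptAll`, `Credential`, `Framework`, `CryptoContext`, the 128-bit default and 256-bit strong strengths, and AES-GCM standing in for the pluggable cryptographic service provider are assumptions of this example, not terms of the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"io"
	"strings"
)

// ExemptAll names the patent's "exempt all privilege"; the label is assumed.
const ExemptAll = "EXEMPT_ALL"

// Credential is the signed privilege manifest shipped with an application.
type Credential struct {
	AppHash    [32]byte // SHA-256 of the application image
	Privileges []string // privilege set granted at manufacture
	Signature  []byte   // vendor's Ed25519 signature over hash and privileges
}

// credentialMessage is the signed byte string: hash || length || privileges.
func credentialMessage(appHash [32]byte, privs []string) []byte {
	joined := strings.Join(privs, ",")
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(joined)))
	return append(append(appHash[:], n[:]...), joined...)
}

// NewVendorKeys generates the key pair the framework vendor controls.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// VendorSign is the manufacture-time step: the vendor signs hash plus privileges.
func VendorSign(priv ed25519.PrivateKey, app []byte, privs []string) *Credential {
	h := sha256.Sum256(app)
	sig := ed25519.Sign(priv, credentialMessage(h, privs))
	return &Credential{AppHash: h, Privileges: privs, Signature: sig}
}

// Framework stands for the CDSA framework with its embedded vendor public key.
type Framework struct {
	VendorPub      ed25519.PublicKey
	DefaultKeyBits int // weak strength that any application may use
}

// CryptoContext is the handle of steps (b) and (c); the flag starts cleared.
type CryptoContext struct {
	AlgorithmID         string
	KeyBits             int
	StrongCryptoAllowed bool
}

// RequestExemptAll covers steps (d) to (h): the credential must belong to the
// running image and verify under the vendor key; the flag is set only when the
// extracted privilege set contains ExemptAll.
func (f *Framework) RequestExemptAll(ctx *CryptoContext, app []byte, cred *Credential) bool {
	ctx.StrongCryptoAllowed = false
	if cred == nil || sha256.Sum256(app) != cred.AppHash {
		return false // unsigned, or credential issued for a different image
	}
	if !ed25519.Verify(f.VendorPub, credentialMessage(cred.AppHash, cred.Privileges), cred.Signature) {
		return false // privilege set or signature altered after signing
	}
	for _, p := range cred.Privileges {
		if p == ExemptAll {
			ctx.StrongCryptoAllowed = true
		}
	}
	return ctx.StrongCryptoAllowed
}

// ErrStrongCryptoDenied is the error code returned in step (k).
var ErrStrongCryptoDenied = errors.New("key length exceeds default strength; application not privileged")

// Encrypt covers steps (i) to (k): a key length above the default is honoured
// only when the flag is set. AES-GCM under a fresh random key stands in for the
// pluggable CSP; it returns the key and nonce||ciphertext.
func (f *Framework) Encrypt(ctx *CryptoContext, plaintext []byte) (key, out []byte, err error) {
	if ctx.KeyBits > f.DefaultKeyBits && !ctx.StrongCryptoAllowed {
		return nil, nil, ErrStrongCryptoDenied
	}
	buf := make([]byte, ctx.KeyBits/8+12) // key followed by a 12-byte GCM nonce
	if _, err = io.ReadFull(rand.Reader, buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:ctx.KeyBits/8], buf[ctx.KeyBits/8:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return key, gcm.Seal(nonce, nonce, plaintext, nil), nil
}
```

A caller creates a `CryptoContext` with the requested key length, calls `RequestExemptAll` with the application image and its credential, then calls `Encrypt`. Three outcomes follow from the design: a credential signed with `EXEMPT_ALL` for the running image enables 256-bit encryption; an unsigned application, a credential whose privilege list was edited after signing, or a credential issued for a different image all leave the flag clear, so a 256-bit request returns `ErrStrongCryptoDenied` while a 128-bit request still succeeds. Binding the hash of the image into the signed message is what stops a credential from being carried over to another program, a check the abstract describes as verifying that "the application and its credentials" were signed.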