Method and apparatus for providing field confidentiality in digital certificates

US 6,802,002 B1
Filed: 01/14/2000
Issued: 10/05/2004
Est. Priority Date: 01/14/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of providing confidentiality of authorization information in a digital certificate shared by multiple recipients, the method comprising the steps of:

providing cryptographic folders in the digital certificate, wherein at least one first type cryptographic folder contains at least one first type field of authorization information relevant to a first recipient and at least one second type cryptographic folder contains at least one second type field of authorization information relevant to a second recipient;

issuing the digital certificate at a certificate authority by signing the digital certificate and sending the signed digital certificate to a subject, wherein the issued digital certificate is in an unprotected form wherein the at least one first type and the at least one second type fields of authorization information are readable;

converting the digital certificate from the unprotected form to a protected form wherein the at least one first type field of authorization information is readable and the at least one second type field of authorization information is not readable;

delivering the converted signed digital certificate to the first recipient; and

verifying the authenticity of the signed digital certificate by the first recipient.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A structured digital certificate is adapted to be certified by a digital signature of a certificate authority in an unprotected form, a first protected form, and a second protected form of the digital certificate. The digital certificate includes a first type field of authorization information relevant to a first recipient and being readable in the unprotected form and the first protected form of the digital certificate, and a first cryptographic folder containing a second type field of authorization information relevant to a second recipient and being readable in the unprotected form and the second protected form of the digital certificate, but not readable in the first protected form of the digital certificate. The digital certificate is configured to permit the subject to convert the structured digital certificate from the unprotected form to at least one of the first protected form and the second protected form. The digital certificate is convertible into the first protected form to permit the first recipient to authorize the subject of the structured digital certificate, into the second protected form to permit the second recipient to authorize the subject of the structured digital certificate.

Citations

27 Claims

1. A method of providing confidentiality of authorization information in a digital certificate shared by multiple recipients, the method comprising the steps of:
- providing cryptographic folders in the digital certificate, wherein at least one first type cryptographic folder contains at least one first type field of authorization information relevant to a first recipient and at least one second type cryptographic folder contains at least one second type field of authorization information relevant to a second recipient;
  
  issuing the digital certificate at a certificate authority by signing the digital certificate and sending the signed digital certificate to a subject, wherein the issued digital certificate is in an unprotected form wherein the at least one first type and the at least one second type fields of authorization information are readable;
  
  converting the digital certificate from the unprotected form to a protected form wherein the at least one first type field of authorization information is readable and the at least one second type field of authorization information is not readable;
  
  delivering the converted signed digital certificate to the first recipient; and
  
  verifying the authenticity of the signed digital certificate by the first recipient.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the step of signing the digital certificate at a certificate authority comprises the steps of:
3. The method of claim 1 wherein the step of converting the signed digital certificate from the unprotected form to the protected form includes:
- closing any cryptographic folders in a copy of the issued unprotected digital certificate that do not have at least one first type field of authorization information.
4. The method of claim 1 wherein the step of verifying the authenticity of the digital certificate by the first recipient includes:
- obtaining a public key from the certificate authority;
  
  closing any cryptographic folders left open in the unsigned digital certificate;
  
  computing a cryptographic hash of the unsigned digital certificate with all folders closed; and
  
  verifying the signature of the digital certificate with the public key and the computed cryptographic hash of the unsigned digital certificate.

5. A method of signing a digital certificate at a certificate authority, the method comprising the steps of:
- providing cryptographic folders in the digital certificate having authorization information;
  
  closing all of the cryptographic folders in the digital certificate;
  
  computing a cryptographic hash of the digital certificate; and
  
  computing a digital certificate signature with the computed cryptographic hash of the digital certificate and a private key of the certificate authority.
- View Dependent Claims (6)
- - 6. The method of claim 5 wherein the step of closing all of the cryptographic folders in the digital certificate includes closing a cryptographic folder X according to the following steps:

7. A method of delivering a digital certificate from a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
- providing cryptographic folders in the digital certificate having authorization information;
  
  transmitting a digital certificate signature from a certificate authority to the subject of the certificate;
  
  transmitting an unsigned copy of the digital certificate from the certificate authority to the subject of the certificate;
  
  closing any folders in the unsigned copy of the digital certificate that do not have authorization information relevant to the recipient; and
  
  transmitting the unsigned copy of the digital certificate and the digital certificate signature from the subject of the digital certificate to the recipient.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7 wherein the step of transmitting the unsigned copy of the digital certificate from the certificate authority to the subject of the certificate is performed over a secure delivery channel.
  - 9. The method of claim 8 wherein the secure delivery channel is protected via Internet Protocol Security (IPSEC).
  - 10. The method of claim 8 wherein the secure delivery channel is protected by Secure Sockets Layer (SSL).

11. A method of verifying a signature for a digital certificate sent by a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
- providing cryptographic folders in the digital certificate having authorization information;
  
  obtaining a public key of the certificate authority corresponding to a private key used by the certificate authority to sign the digital certificate;
  
  closing any of the cryptographic folders left open in the digital certificate by the subject of the digital certificate;
  
  computing a cryptographic hash of the digital certificate with all cryptographic folders closed; and
  
  verifying the signature for the digital certificate with the public key and the computed cryptographic hash of the digital certificate.

12. A computer readable medium containing instructions for controlling a computer system to perform a method of signing a digital certificate at a certificate authority, the method comprising the steps of:
- providing cryptographic folders in the digital certificate having authorization information;
  
  closing all of the cryptographic folders in the digital certificate;
  
  computing a cryptographic hash of the digital certificate; and
  
  computing a digital certificate signature with the computed cryptographic hash of the digital certificate and a private key of the certificate authority.

13. A computer readable medium containing instructions for controlling a computer system to perform a method of delivering a digital certificate from a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
- providing cryptographic folders in the digital certificate having authorization information;
  
  transmitting a digital certificate signature from a certificate authority to the subject of the certificate;
  
  transmitting an unsigned copy of the digital certificate from the certificate authority to the subject of the certificate;
  
  closing any folders in the unsigned copy of the digital certificate that do not have authorization information relevant to the recipient; and
  
  transmitting the unsigned copy of the digital certificate and the digital certificate signature from the subject of the digital certificate to the recipient.

14. A computer readable medium containing instructions for controlling a computer system to perform a method of verifying a signature for a digital certificate sent by a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
- providing cryptographic folders in the digital certificate having authorization information;
  
  obtaining a public key of the certificate authority corresponding to a private key used by the certificate authority to sign the digital certificate;
  
  closing any of the cryptographic folders left open in the digital certificate by the subject of the digital certificate;
  
  computing a cryptographic hash of the digital certificate with all cryptographic folders closed; and
  
  verifying the signature for the digital certificate with the public key and the computed cryptographic hash of the digital certificate.

15. A structured digital certificate adapted to be certified by a digital signature of a certificate authority in an unprotected form, a first protected form, and a second protected form of the digital certificate, the digital certificate comprising:
- a first type field of authorization information relevant to a first recipient and being readable in the unprotected form and the first protected form of the digital certificate; and
  
  a first cryptographic folder containing a second type field of authorization information relevant to a second recipient and being readable in the unprotected form and the second protected form of the digital certificate, but not readable in the first protected form of the digital certificate;
  
  wherein the digital certificate is configured to permit the subject to convert the structured digital certificate from the unprotected form to at least one of the first protected form and the second protected form;
  
  wherein the digital certificate is convertible into the first protected form to permit the first recipient to authorize the subject of the structured digital certificate; and
  
  wherein the digital certificate is convertible into the second protected form to permit the second recipient to authorize the subject of the structured digital certificate.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The structured digital certificate of claim 15, further comprising:
17. The structured digital certificate of claim 15, wherein the digital certificate further comprises:
- a subject name.
18. The structured digital certificate of claim 15, wherein the digital certificate further comprises:
- a public key associated with the subject.
19. The structured digital certificate of claim 15, wherein the first type field of authorization information is contained outside of any cryptographic folder.
20. The structured digital certificate of claim 15, comprising:
- a second cryptographic folder containing the first type field of authorization information.
21. The structured digital certificate of claim 15, wherein the digital certificate configured in the unprotected form includes the first cryptographic folder, wherein the first cryptographic folder contains an encrypted hash value based at least partially on the second type field of authorization information.

22. A method of providing confidentiality of authorization information in a digital certificate, the method comprising:
- providing, in an unprotected form of the digital certificate, at least one first type field of authorization information relevant to a first recipient and at least one second type field of authorization information relevant to a second recipient;
  
  providing at least one cryptographic folder in the digital certificate, wherein the at least one cryptographic folder includes a first cryptographic folder containing at least one second type field of authorization information relevant to a second recipient;
  
  issuing the digital certificate at a certificate authority by protecting from read access the at least one first type and the at least one second type fields with a one-way protection algorithm, generating a digital signature based on the protected fields and sending the digital signature and the unprotected form of the digital certificate to a subject;
  
  preventing read access to the at least one second type field of the digital certificate using the one-way protection algorithm;
  
  delivering to the first recipient the digital signature and the digital certificate having the at least one second type field prevented from read access, wherein the at least one first type field of authorization information is readable by the first recipient, and the at least one second type field of authorization information is not readable by the first recipient; and
  
  verifying the authenticity of the digital certificate by the first recipient.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22, wherein the preventing read access is performed at the subject, and wherein the delivering to the first recipient is from the subject.
  - 24. The method of claim 22, and further comprising:
25. The method of claim 22, wherein the generating of the signature for the digital certificate at the certificate authority further comprises:
- closing all of the cryptographic folders in the digital certificate;
  
  computing a cryptographic hash of the digital certificate; and
  
  computing a digital signature with the computed cryptographic hash of the digital certificate.
26. The method of claim 22, wherein the preventing read access to a field includes closing any cryptographic folders that do not have at least one type field of authorization information that is not to be prevented from read access.

27. A system for enabling certified authorization of a subject by multiple relying parties, the system comprising:
- a subject;
  
  a first relying party and a second relying party;
  
  a trusted certificate authority; and
  
  a structured digital certificate including;
  
  a first type field of authorization information relevant to the first relying party and being readable in an unprotected form and a first protected form of the digital certificate;
  
  a first cryptographic folder containing a second type field of authorization information relevant to the second relying party and being readable in the unprotected form and a second protected form of the digital certificate, but not readable in the first protected form of the digital certificate; and
  
  a certification by the certificate authority that certifies the digital certificate in the unprotected form and in the first and second protected forms;
  
  wherein the digital certificate is convertible, after issuance, from the unprotected form to at least one of the first protected form and the second protected form, wherein in the first protected form, the digital certificate permits the first relying party to authorize the subject and in the second protected form, the digital certificate permits the second relying party to authorize the subject.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Corella, Francisco
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
MOISE, EMMANUEL LIONEL

Application Number

US09/483,189
Time in Patent Office

1,726 Days
Field of Search

713/155, 713/156, 713/157, 713/158, 713/159, 713/175, 705/76
US Class Current

713/175
CPC Class Codes

G06F 21/33   using certificates

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for providing field confidentiality in digital certificates

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing field confidentiality in digital certificates

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links