Method and apparatus for providing field confidentiality in digital certificates
First Claim
1. A method of providing confidentiality of authorization information in a digital certificate shared by multiple recipients, the method comprising the steps of:
- providing cryptographic folders in the digital certificate, wherein at least one first type cryptographic folder contains at least one first type field of authorization information relevant to a first recipient and at least one second type cryptographic folder contains at least one second type field of authorization information relevant to a second recipient;
issuing the digital certificate at a certificate authority by signing the digital certificate and sending the signed digital certificate to a subject, wherein the issued digital certificate is in an unprotected form wherein the at least one first type and the at least one second type fields of authorization information are readable;
converting the digital certificate from the unprotected form to a protected form wherein the at least one first type field of authorization information is readable and the at least one second type field of authorization information is not readable;
delivering the converted signed digital certificate to the first recipient; and
verifying the authenticity of the signed digital certificate by the first recipient.
3 Assignments
0 Petitions
Accused Products
Abstract
A structured digital certificate is adapted to be certified by a digital signature of a certificate authority in an unprotected form, a first protected form, and a second protected form of the digital certificate. The digital certificate includes a first type field of authorization information relevant to a first recipient and being readable in the unprotected form and the first protected form of the digital certificate, and a first cryptographic folder containing a second type field of authorization information relevant to a second recipient and being readable in the unprotected form and the second protected form of the digital certificate, but not readable in the first protected form of the digital certificate. The digital certificate is configured to permit the subject to convert the structured digital certificate from the unprotected form to at least one of the first protected form and the second protected form. The digital certificate is convertible into the first protected form to permit the first recipient to authorize the subject of the structured digital certificate, into the second protected form to permit the second recipient to authorize the subject of the structured digital certificate.
-
Citations
27 Claims
-
1. A method of providing confidentiality of authorization information in a digital certificate shared by multiple recipients, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate, wherein at least one first type cryptographic folder contains at least one first type field of authorization information relevant to a first recipient and at least one second type cryptographic folder contains at least one second type field of authorization information relevant to a second recipient;
issuing the digital certificate at a certificate authority by signing the digital certificate and sending the signed digital certificate to a subject, wherein the issued digital certificate is in an unprotected form wherein the at least one first type and the at least one second type fields of authorization information are readable;
converting the digital certificate from the unprotected form to a protected form wherein the at least one first type field of authorization information is readable and the at least one second type field of authorization information is not readable;
delivering the converted signed digital certificate to the first recipient; and
verifying the authenticity of the signed digital certificate by the first recipient. - View Dependent Claims (2, 3, 4)
closing all of the cryptographic folders in the digital certificate;
computing a cryptographic hash of the digital certificate; and
computing a digital certificate signature with computed cryptographic hash of the digital certificate and a private key of the certificate authority.
-
-
3. The method of claim 1 wherein the step of converting the signed digital certificate from the unprotected form to the protected form includes:
closing any cryptographic folders in a copy of the issued unprotected digital certificate that do not have at least one first type field of authorization information.
-
4. The method of claim 1 wherein the step of verifying the authenticity of the digital certificate by the first recipient includes:
-
obtaining a public key from the certificate authority;
closing any cryptographic folders left open in the unsigned digital certificate;
computing a cryptographic hash of the unsigned digital certificate with all folders closed; and
verifying the signature of the digital certificate with the public key and the computed cryptographic hash of the unsigned digital certificate.
-
-
5. A method of signing a digital certificate at a certificate authority, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate having authorization information;
closing all of the cryptographic folders in the digital certificate;
computing a cryptographic hash of the digital certificate; and
computing a digital certificate signature with the computed cryptographic hash of the digital certificate and a private key of the certificate authority. - View Dependent Claims (6)
recursively closing all nested folders in folder X;
computing the cryptographic hash of the contents of folder X;
replacing the contents of folder X with the computed cryptographic hash of the contents of folder X; and
setting a flag in a header of folder X to indicate that folder X is closed.
-
-
7. A method of delivering a digital certificate from a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate having authorization information;
transmitting a digital certificate signature from a certificate authority to the subject of the certificate;
transmitting an unsigned copy of the digital certificate from the certificate authority to the subject of the certificate;
closing any folders in the unsigned copy of the digital certificate that do not have authorization information relevant to the recipient; and
transmitting the unsigned copy of the digital certificate and the digital certificate signature from the subject of the digital certificate to the recipient. - View Dependent Claims (8, 9, 10)
-
-
11. A method of verifying a signature for a digital certificate sent by a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate having authorization information;
obtaining a public key of the certificate authority corresponding to a private key used by the certificate authority to sign the digital certificate;
closing any of the cryptographic folders left open in the digital certificate by the subject of the digital certificate;
computing a cryptographic hash of the digital certificate with all cryptographic folders closed; and
verifying the signature for the digital certificate with the public key and the computed cryptographic hash of the digital certificate.
-
-
12. A computer readable medium containing instructions for controlling a computer system to perform a method of signing a digital certificate at a certificate authority, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate having authorization information;
closing all of the cryptographic folders in the digital certificate;
computing a cryptographic hash of the digital certificate; and
computing a digital certificate signature with the computed cryptographic hash of the digital certificate and a private key of the certificate authority.
-
-
13. A computer readable medium containing instructions for controlling a computer system to perform a method of delivering a digital certificate from a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate having authorization information;
transmitting a digital certificate signature from a certificate authority to the subject of the certificate;
transmitting an unsigned copy of the digital certificate from the certificate authority to the subject of the certificate;
closing any folders in the unsigned copy of the digital certificate that do not have authorization information relevant to the recipient; and
transmitting the unsigned copy of the digital certificate and the digital certificate signature from the subject of the digital certificate to the recipient.
-
-
14. A computer readable medium containing instructions for controlling a computer system to perform a method of verifying a signature for a digital certificate sent by a subject of the digital certificate to a recipient of the digital certificate, the method comprising the steps of:
-
providing cryptographic folders in the digital certificate having authorization information;
obtaining a public key of the certificate authority corresponding to a private key used by the certificate authority to sign the digital certificate;
closing any of the cryptographic folders left open in the digital certificate by the subject of the digital certificate;
computing a cryptographic hash of the digital certificate with all cryptographic folders closed; and
verifying the signature for the digital certificate with the public key and the computed cryptographic hash of the digital certificate.
-
-
15. A structured digital certificate adapted to be certified by a digital signature of a certificate authority in an unprotected form, a first protected form, and a second protected form of the digital certificate, the digital certificate comprising:
-
a first type field of authorization information relevant to a first recipient and being readable in the unprotected form and the first protected form of the digital certificate; and
a first cryptographic folder containing a second type field of authorization information relevant to a second recipient and being readable in the unprotected form and the second protected form of the digital certificate, but not readable in the first protected form of the digital certificate;
wherein the digital certificate is configured to permit the subject to convert the structured digital certificate from the unprotected form to at least one of the first protected form and the second protected form;
wherein the digital certificate is convertible into the first protected form to permit the first recipient to authorize the subject of the structured digital certificate; and
wherein the digital certificate is convertible into the second protected form to permit the second recipient to authorize the subject of the structured digital certificate. - View Dependent Claims (16, 17, 18, 19, 20, 21)
a second cryptographic folder containing a plurality of nested fields and/or folders.
-
-
17. The structured digital certificate of claim 15, wherein the digital certificate further comprises:
a subject name.
-
18. The structured digital certificate of claim 15, wherein the digital certificate further comprises:
a public key associated with the subject.
-
19. The structured digital certificate of claim 15, wherein the first type field of authorization information is contained outside of any cryptographic folder.
-
20. The structured digital certificate of claim 15, comprising:
a second cryptographic folder containing the first type field of authorization information.
-
21. The structured digital certificate of claim 15, wherein the digital certificate configured in the unprotected form includes the first cryptographic folder, wherein the first cryptographic folder contains an encrypted hash value based at least partially on the second type field of authorization information.
-
22. A method of providing confidentiality of authorization information in a digital certificate, the method comprising:
-
providing, in an unprotected form of the digital certificate, at least one first type field of authorization information relevant to a first recipient and at least one second type field of authorization information relevant to a second recipient;
providing at least one cryptographic folder in the digital certificate, wherein the at least one cryptographic folder includes a first cryptographic folder containing at least one second type field of authorization information relevant to a second recipient;
issuing the digital certificate at a certificate authority by protecting from read access the at least one first type and the at least one second type fields with a one-way protection algorithm, generating a digital signature based on the protected fields and sending the digital signature and the unprotected form of the digital certificate to a subject;
preventing read access to the at least one second type field of the digital certificate using the one-way protection algorithm;
delivering to the first recipient the digital signature and the digital certificate having the at least one second type field prevented from read access, wherein the at least one first type field of authorization information is readable by the first recipient, and the at least one second type field of authorization information is not readable by the first recipient; and
verifying the authenticity of the digital certificate by the first recipient. - View Dependent Claims (23, 24, 25, 26)
preventing read access to the at least one first type field of the digital certificate using the one way protection algorithm;
delivering the digital signature and the digital certificate having the at least one first type field prevented from read access, wherein the at least one second type field of authorization information is readable by the second recipient, and the at least one first type field of authorization information is not readable by the second recipient; and
verifying the authenticity of the digital certificate by the second recipient.
-
-
25. The method of claim 22, wherein the generating of the signature for the digital certificate at the certificate authority further comprises:
-
closing all of the cryptographic folders in the digital certificate;
computing a cryptographic hash of the digital certificate; and
computing a digital signature with the computed cryptographic hash of the digital certificate.
-
-
26. The method of claim 22, wherein the preventing read access to a field includes closing any cryptographic folders that do not have at least one type field of authorization information that is not to be prevented from read access.
-
27. A system for enabling certified authorization of a subject by multiple relying parties, the system comprising:
-
a subject;
a first relying party and a second relying party;
a trusted certificate authority; and
a structured digital certificate including;
a first type field of authorization information relevant to the first relying party and being readable in an unprotected form and a first protected form of the digital certificate;
a first cryptographic folder containing a second type field of authorization information relevant to the second relying party and being readable in the unprotected form and a second protected form of the digital certificate, but not readable in the first protected form of the digital certificate; and
a certification by the certificate authority that certifies the digital certificate in the unprotected form and in the first and second protected forms;
wherein the digital certificate is convertible, after issuance, from the unprotected form to at least one of the first protected form and the second protected form, wherein in the first protected form, the digital certificate permits the first relying party to authorize the subject and in the second protected form, the digital certificate permits the second relying party to authorize the subject.
-
Specification