Method and apparatus for managing keys for cryptographic operations

US 6,839,437 B1
Filed: 01/31/2000
Issued: 01/04/2005
Est. Priority Date: 01/31/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method in data processing system for performing an operation using a key comprising;

receiving a call from an application to perform the operation using the key;

in response to receiving the call, automatically identifying a routine to perform the operation;

in response to receiving the call, automatically identifying a keystore containing the key;

creating a data structure used by the routine to execute the operation, wherein the data structure includes parameters of the call received from the application;

sending the data structure to the routine, wherein the routine and the keystore are identified using the data structure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic system for use in a data processing system. The system includes a security layer and a plurality of cryptographic routines, wherein the plurality of cryptographic routines are accessed through the security layer. Also included is a keystore and a keystore application program interface layer coupled to the security layer. The keystore application program interface layer receives a call from an application to perform a cryptographic operation, identifies a routine, calls the routine to perform the cryptographic operation, receives a result from the routine, and returns the result to the application.

61 Citations

View as Search Results

24 Claims

1. A method in data processing system for performing an operation using a key comprising;
- receiving a call from an application to perform the operation using the key;
  
  in response to receiving the call, automatically identifying a routine to perform the operation;
  
  in response to receiving the call, automatically identifying a keystore containing the key;
  
  creating a data structure used by the routine to execute the operation, wherein the data structure includes parameters of the call received from the application;
  
  sending the data structure to the routine, wherein the routine and the keystore are identified using the data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - determining whether the key is located in the keystore; and
      
      responsive to the key being absent from the keystore, inhibiting the sending step.
  - 3. The method of claim 1, wherein the data structure is a configuration associated with an application originating the call.
  - 4. The method of claim 1, wherein the keystore is one of a virtual keystore, a keystore, an adapter, and a keystore in a smart card.
  - 5. The method of claim 1, wherein the routine is a Common Data Security Architecture plug-in.
  - 6. The method of claim 1 further comprising initializing the routine prior to sending the data structure to the routine.
  - 7. The method of claim 1, wherein the call is received from an application and further comprising:
    - receiving a result from the operation; and
      
      returning the result to the application.
  - 8. The method of claim 7 further comprising:
    - responsive to receiving the result, performing any necessary updates to objects in the keystore.

9. A cryptographic system for use in a data processing system comprising:
- a security layer;
  
  a plurality of cryptographic routines, wherein the plurality of cryptographic routines are access through the security layer;
  
  a keystore; and
  
  a keystore application program interface layer coupled to the security layer, wherein the keystore application program interface layer receives a call from an application to perform a cryptographic operation, in response to receiving the call automatically identifies a routine, calls the routine to perform the cryptographic operation, receives a result from the routine, and returns the result to the application, wherein the routine uses a data structure that includes parameters of the call received from the application to execute the operation, and wherein the routine and the keystore are identified using the data structure.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The cryptographic system of claim 9, wherein the security layer is a Common Data Security Architecture layer.
  - 11. The cryptographic system claim 9, wherein the plurality of cryptographic routines are a plurality of plug-ins.
  - 12. The cryptographic system of claim 9, wherein the keystore is one of a plurality of keystores and wherein the keystore application program interface layer identifies the keystore from the plurality of keystores.
  - 13. The cryptographic system of claim 9, wherein the routine and the keystore are identified in the data processing system accessed by the keystore application program interface layer.
  - 14. The cryptographic system of claim 9, wherein the keystore application program interface layer performs updates to the keystore in response to receiving the result from the routine.
  - 15. The cryptographic system claim 9, wherein the keystore application program interface layer initializes the routine used to perform the cryptographic operation.

16. A data processing system for performing an operation using a key comprising;
- receiving means for receiving a call from an application to perform the operation using the key;
  
  in response to receiving the call, first identifying means for automatically identifying a routine to perform the operation;
  
  in response to receiving the call, second identifying means for automatically identifying a keystore containing the key;
  
  creating means for creating a data structure used by the routine to execute the operation, wherein the data structure includes parameter of the call received from the application;
  
  sending means for sending the data structure to the routine, wherein the routine and the keystore are identified using the data structure.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The data processing system of claim 16 further comprising:
    - determining means for determining whether the key is located in the keystore; and
      
      responsive to the key being absent from the keystore, for inhibiting the sending step.
  - 18. The data processing system of claim 16, wherein the data structure is a configuration associated with an application originating the call.
  - 19. The data processing system of claim 16, wherein the keystore is one of a virtual keystore, a keystore, an adapter, and a keystore in a smart card.
  - 20. The data processing system of claim 16, wherein the routine is a Common Data Security Architecture plug-in.
  - 21. The data processing system of claim 16 further comprising initializing the routine prior to sending the data structure to the routine.
  - 22. The data processing system of claim 16, wherein the call is received from an application, and wherein the receiving means is a first receiving means, further comprising:
    - second receiving means for receiving a result from the operation; and
      
      returning means for returning the result to the application.
  - 23. The data processing system of claim 22 further comprising:
    - performing means responsive to receiving the result, for performing any necessary updates to objects in the keystore.

24. A computer program product in a computer readable medium for performing an operation using a key, the computer program product comprising;
- first instructions for receiving a call from an application to perform the operation using the key;
  
  in response to receiving the call, second instructions for automatically identifying a routine to perform the operation;
  
  in response to receiving the call, third instructions for automatically identifying a keystore containing the key;
  
  fourth instructions for creating a data structure used by the routine to execute the operation, wherein the data structure includes parameters of the call received from the application;
  
  fifth instructions for sending the data structure to the routine, wherein the routine and the keystore are identified using the data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Crane, Michael A., Malik, Sohail H., Wray, John Clay Richard
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Simitoski, Michael J.

Application Number

US09/494,876
Time in Patent Office

1,800 Days
Field of Search

380/286, 380/282, 380/277, 380/45, 713/175, 713/187, 713/159, 713/167, 713/171, 713/172, 713/163
US Class Current

380/286
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 2221/2153   Using hardware token as a s...

G06Q 20/02   involving a neutral party, ...

G06Q 20/3829   involving key management

G07F 7/1016   Devices or methods for secu...

H04L 2209/56   Financial cryptography, e.g...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for managing keys for cryptographic operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing keys for cryptographic operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links