Management of certificates for public key infrastructure
Abstract
Management of ciphertext devaluation in a public key infrastructure is addressed by providing a system and method that use a certificate whose validity depends on the amount of ciphertext associated with the certificate, i.e. a ciphertext limited certificate (CLC). When the amount of ciphertext reaches or exceeds a predetermined value, the certificate is invalid. The certificate ciphertext entitlement (CCE) may be expressed as a non-critical extension to an X.509 certificate, so that it interoperates with conventional validity conditions based on validity period or revocation. Ciphertext limited certificates may be implemented in a standard X.509 environment by assigning and determining a CCE, calculating a generated ciphertext index (GCI) and performing a CCE threshold detection; when the GCI reaches or exceeds the CCE, a key update, e.g. a rollover of the certificate, is caused. Assurance levels may be set by assigning different CCE default values.
23 Claims
1. A certificate for Public Key Infrastructure (PKI), the certificate validity being determined by the amount of ciphertext associated with the certificate, wherein when the amount of ciphertext generated is below a predetermined value, the certificate is valid, and when the amount of ciphertext generated reaches a predetermined value, the certificate is invalid, comprising:
an extension including a Certificate Ciphertext Entitlement (CCE) value defining the amount of data that it is permissible for a certificate to encrypt before it must be rendered invalid;
an object identifier defining the units for ciphertext entitlement; and
an associated Ciphertext Generated Index (GCI) defining the count of how much ciphertext has been encrypted by the key, the certificate validity also being dependent on the elapsed time and revocation status, wherein the certificate validity is defined by wherein k is a constant value representing the assurance level of the keys in use.
Dependent claims: 2, 3, 4, 5, 6.
7. A method of managing ciphertext devaluation in a PKI, comprising:
determining a certificate ciphertext entitlement (CCE);
calculating a generated ciphertext index (GCI), wherein calculating the generated ciphertext index (GCI) comprises decrypting and verifying the decryption log;
performing a certificate ciphertext entitlement threshold detection; and
when the GCI reaches or exceeds the CCE, causing a key update.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19.
20. A method of managing ciphertext devaluation in a PKI, comprising:
determining a certificate ciphertext entitlement (CCE);
calculating a generated ciphertext index (GCI);
performing a certificate ciphertext entitlement threshold detection and, when the GCI reaches or exceeds the CCE, causing a key update, wherein the step of performing a certificate ciphertext entitlement threshold detection comprises decrypting the GCI, verifying the digital signature, converting the GCI to the units stipulated in the CCE extension, comparing the GCI to the CCE and, if the GCI is greater than or equal to the CCE, requesting a key update in accordance with policy requirements.
Dependent claims: 21.
22. A system for managing ciphertext devaluation in a PKI, comprising:
means for determining a certificate ciphertext entitlement (CCE);
means for calculating a generated ciphertext index (GCI);
means for performing a certificate ciphertext entitlement threshold detection, comprising means for decrypting the GCI, verifying the digital signature, converting the GCI to the units stipulated in the CCE extension, and comparing the GCI to the CCE; and
means for causing a key update when the GCI reaches or exceeds the CCE.
23. A computer readable medium for implementing a method of managing ciphertext devaluation in a PKI, comprising:
determining a certificate ciphertext entitlement (CCE);
calculating a generated ciphertext index (GCI); and
performing a certificate ciphertext entitlement threshold detection, comprising decrypting the GCI, verifying the digital signature, converting the GCI to the units stipulated in the CCE extension, and comparing the GCI to the CCE and, when the GCI reaches or exceeds the CCE, causing a key update.
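As an added worked example (not code from the patent or from any product implementing it), the following Python sketches the mechanics that the abstract and claims 7, 20, 22 and 23 describe: a CCE extension whose payload carries the entitlement and the object identifier of its units, a GCI record whose integrity is checked before it is trusted, conversion of the GCI into the extension's units, and the threshold comparison that triggers a key rollover. Everything beyond that structure is an assumption made here: the private-arc OID values, the DER layout SEQUENCE { INTEGER entitlement, OBJECT IDENTIFIER unit }, and HMAC-SHA256 standing in for the digital signature; encryption of the GCI at rest is omitted.

```python
"""Ciphertext-limited certificate (CLC) bookkeeping, standard library only.
Assumptions made for this example (the patent fixes none of them): the OID
values, the DER layout SEQUENCE { INTEGER entitlement, OBJECT IDENTIFIER unit }
for the extension payload, and HMAC-SHA256 in place of a digital signature."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical private-enterprise arc OIDs (assumption, not from the patent).
OID_CCE_EXT = "1.3.6.1.4.1.99999.1"
OID_UNIT_BYTES = "1.3.6.1.4.1.99999.2.1"
OID_UNIT_KIB = "1.3.6.1.4.1.99999.2.2"
OID_UNIT_AES_BLOCKS = "1.3.6.1.4.1.99999.2.3"  # 16-byte cipher blocks
# Size in bytes of one unit, keyed by unit OID.
UNIT_BYTES = {OID_UNIT_BYTES: 1, OID_UNIT_KIB: 1024, OID_UNIT_AES_BLOCKS: 16}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; the extra bit of headroom in the
    byte count inserts the leading 0x00 that keeps the encoding positive."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


@dataclass(frozen=True)
class CCEExtension:
    """Certificate ciphertext entitlement carried as an X.509 extension."""
    entitlement: int        # data the key may encrypt before rollover
    unit_oid: str           # units the entitlement is expressed in
    critical: bool = False  # non-critical: legacy validators ignore it

    def der_value(self) -> bytes:
        """extnValue payload: SEQUENCE { INTEGER, OBJECT IDENTIFIER }."""
        inner = der_integer(self.entitlement) + der_oid(self.unit_oid)
        return b"\x30" + _der_len(len(inner)) + inner


@dataclass(frozen=True)
class GCIRecord:
    """Generated ciphertext index kept alongside the encryption key."""
    key_id: str
    count: int
    unit_oid: str

    def canonical(self) -> bytes:
        fields = {"key_id": self.key_id, "count": self.count, "unit": self.unit_oid}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_gci(record: GCIRecord, key: bytes) -> bytes:
    """Integrity tag over the record (HMAC stands in for the signature)."""
    return hmac.new(key, record.canonical(), hashlib.sha256).digest()


def verify_gci(record: GCIRecord, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_gci(record, key), tag)


def convert_units(count: int, from_oid: str, to_oid: str) -> int:
    """Convert a count between unit OIDs, rounding up so that a coarser
    target unit never under-counts the ciphertext already produced."""
    in_bytes = count * UNIT_BYTES[from_oid]
    return -(-in_bytes // UNIT_BYTES[to_oid])


def threshold_check(ext: CCEExtension, record: GCIRecord, tag: bytes,
                    key: bytes) -> str:
    """CCE threshold detection in the order of claim 20: verify the GCI
    record, convert it to the extension's units, compare with the CCE.
    Returns 'valid' or 'rollover'; a bad tag is an error, not a zero count."""
    if not verify_gci(record, tag, key):
        raise ValueError("GCI record failed integrity check")
    gci = convert_units(record.count, record.unit_oid, ext.unit_oid)
    return "rollover" if gci >= ext.entitlement else "valid"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the demo, not a real key
    ext = CCEExtension(entitlement=1024, unit_oid=OID_UNIT_KIB)  # 1 MiB cap
    print(OID_CCE_EXT, "critical=%s" % ext.critical, ext.der_value().hex())
    for n in (1_000_000, 1_048_576):
        rec = GCIRecord("ee-key-01", n, OID_UNIT_BYTES)
        print(n, "bytes ->", threshold_check(ext, rec, sign_gci(rec, key), key))
```

Two design points worth noting. Unit conversion rounds up, so a counter kept in bytes can never report fewer whole blocks or kibibytes than were actually encrypted, which keeps the threshold conservative. The integrity check fails closed: a GCI record whose tag does not verify raises instead of being read as zero, because an attacker who can reset the counter could otherwise keep a worn-out key in service indefinitely.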
Specification