Computer system and method for generating a digital certificate

US 6,988,196 B2
Filed: 12/22/2000
Issued: 01/17/2006
Est. Priority Date: 12/22/2000
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system for employing a digital certificate, for use only within said computer system, to authenticate operations internal to said computer system, said method comprising:

storing a master key pair and data specifying an authentication code in a protected storage within a security subsystem, wherein said master key pair comprises a first private key and a first public key and said first private key and said authentication code are inaccessible outside of said security subsystem;

receiving a request to generate a digital certificate at said security subsystem;

generating a user prompt for said authentication code in response to a receipt of said request to generate said digital certificate;

receiving a reply from a user in response to a generation of said user prompt; and

processing said request to generate said digital certificate in response to a receipt of said reply, wherein said processing comprisesgenerating said digital certificate utilizing said first private key only if said reply is determined to correctly specify said authentication code, whereinsaid digital certificate comprises data specifying a second public key of a target key pair.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system and method are disclosed for generating a certificate that can be validated against a trusted hardware subsystem within a computer system. A security subsystem is established within the computer system. A master key pair including a master public key and master private key are established. The master private key is stored in protected storage within the security subsystem such that the master private key is inaccessible outside of the security subsystem. Generation of a self-verifying certificate is requested. A user of the computer system is then prompted to enter an authentication code in response to the request for generation of the certificate. A certificate is generated utilizing the master key pair only in response to a correct entry of the authentication code. The certificate is used only internally within the computer system.

47 Citations

View as Search Results

18 Claims

1. A method in a computer system for employing a digital certificate, for use only within said computer system, to authenticate operations internal to said computer system, said method comprising:
- storing a master key pair and data specifying an authentication code in a protected storage within a security subsystem, wherein said master key pair comprises a first private key and a first public key and said first private key and said authentication code are inaccessible outside of said security subsystem;
  
  receiving a request to generate a digital certificate at said security subsystem;
  
  generating a user prompt for said authentication code in response to a receipt of said request to generate said digital certificate;
  
  receiving a reply from a user in response to a generation of said user prompt; and
  
  processing said request to generate said digital certificate in response to a receipt of said reply, wherein said processing comprisesgenerating said digital certificate utilizing said first private key only if said reply is determined to correctly specify said authentication code, whereinsaid digital certificate comprises data specifying a second public key of a target key pair.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said request to generate said digital certificate comprises said data specifying said second public key.
  - 3. The method of claim 1, wherein generating said digital certificate comprises:
    - comparing data of said reply to said authentication code; and
      
      generating said digital certificate in response to a comparison of said data of said reply and said authentication code.
  - 4. The method of claim 1, wherein generating said digital certificate comprises:
    - performing a bashing operation on said data specifying said second public key to produce a hashed value;
      
      performing an encryption operation on said hashed value utilizing said first private key to produce an digital signature; and
      
      appending said digital signature to said second public key to produce said digital certificate.
  - 5. The method of claim 1, wherein generating said digital certificate comprises:
    - appending a certificate identifier to said second public key to produce security data, wherein said certificate identifier uniquely identifies said digital certificate within said computer system;
      
      performing a hashing operation on said security data to produce a hashed value;
      
      performing an encryption operation on said hashed value utilizing said first private key to produce an digital signature; and
      
      appending said digital signature to said security data to produce said digital certificate.
  - 6. The method of claim 4, further comprising:
    - receiving a request to validate said digital certificate;
      
      accessing said first public key within said protected storage;
      
      performing a decryption operation on said digital signature utilizing said first public key to produce a first hashed value;
      
      performing said hashing operation on said second public key to produce a second hashed value; and
      
      comparing said first bashed value and said second hashed value.

7. A computer system for employing a digital certificate for use only within said computer system to authenticate operations internal to said computer system, said computer system comprising:
- means for storing a master key pair and data specifying an authentication code in a protected storage within a security subsystem, wherein said master key pair comprises a first private key and a first public key and said first private key and said authentication code are inaccessible outside of said security subsystem;
  
  means for receiving a request to generate a digital certificate at said security subsystem;
  
  means for generating a user prompt for said authentication code in response to a receipt of said request to generate said digital certificate;
  
  means for receiving a reply from a user in response to a generation of said user prompt; and
  
  means for processing said request to generate said digital certificate in response to a receipt of said reply, wherein said means for processing comprisesmeans for generating said digital certificate utilizing said first private key only if said reply is determined to correctly specify said authentication code, whereinsaid digital certificate comprises data specifying a second public key of a target key pair.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer system of claim 7, wherein said request to generate said digital certificate comprises said data specifying said second public key.
  - 9. The computer system of claim 7, wherein means for generating said digital certificate comprises:
    - means for comparing data of said reply to said authentication code; and
      
      means for generating said digital certificate in response to a comparison of said data of said reply and said authentication code.
  - 10. The computer system of claim 7, wherein said means for generating said digital certificate comprises:
    - means for performing a hashing operation on said data specifying said second public key to produce a hashed value;
      
      means for performing an encryption operation on said hashed value utilizing said first private key to produce an digital signature; and
      
      means for appending said digital signature to said second public key to produce said digital certificate.
  - 11. The computer system of claim 7, wherein said means for generating said digital certificate comprises:
    - means for appending a certificate identifier to said second public key to produce security data, wherein said certificate identifier uniquely identifies said digital certificate within said computer system;
      
      means for performing a hashing operation on said security data to produce a hashed value;
      
      means for performing an encryption operation on said hashed value utilizing said first private key to produce an digital signature; and
      
      means for appending said digital signature to said security data to produce said digital certificate.
  - 12. The computer system of claim 10, further comprising:
    - means for receiving a request to validate said digital certificate;
      
      means for accessing said first public key within said protected storage;
      
      means for performing a decryption operation on said digital signature utilizing said first public key to produce a first hashed value;
      
      means for performing said hashing operation on said second public key to produce a second hashed value; and
      
      means for comparing said first hashed value and said second bashed value.

13. A computer-readable medium encoded with a computer program, which when executed by a processor, causes said processor to implement a method in a computer system for employing a digital certificate, for use only within said computer system, to authenticate operations internal to said computer system, said method comprising:
- storing a master key pair and data specifying an authentication code in a protected storage within a security subsystem, wherein said master key pair comprises a first private key and a first public key and said first private key and said authentication code are inaccessible outside of said security subsystem;
  
  receiving a request to generate a digital certificate at said security subsystem;
  
  generating a user prompt for said authentication code in response to a receipt of said request to generate said digital certificate;
  
  receiving a reply from a user in response to a generation of said user prompt; and
  
  processing said request to generate said digital certificate in response to a receipt of said reply, wherein said processing comprisesgenerating said digital certificate utilizing said first private key only if said reply is determined to correctly specify said authentication code, whereinsaid digital certificate comprises data specifying a second public key of a target key pair.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable medium of claim 13, wherein said request to generate said digital certificate comprises said data specifying said second public key.
  - 15. The computer-readable medium of claim 13, wherein generating said digital certificate comprises:
    - comparing data of said reply to said authentication code; and
      
      generating said digital certificate in response to a comparison of said data of said reply and said authentication code.
  - 16. The computer-readable medium of claim 13, wherein generating said digital certificate comprises:
    - performing a hashing operation on said data specifying said second public key to produce a hashed value;
      
      performing an encryption operation on said hashed value utilizing said first private key to produce an digital signature; and
      
      appending said digital signature to said second public key to produce said digital certificate.
  - 17. The computer-readable medium of claim 13, wherein generating said digital certificate comprises:
    - appending a certificate identifier to said second public key to produce security data, wherein said certificate identifier uniquely identifies said digital certificate within said computer system;
      
      performing a bashing operation on said security data to produce a hashed value;
      
      performing an encryption operation on said hashed value utilizing said first private key to produce an digital signature; and
      
      appending said digital signature to said security data to produce said digital certificate.
  - 18. The computer-readable medium of claim 16, said method further comprising:
    - receiving a request to validate said digital certificate;
      
      accessing said first public key within said protected storage;
      
      performing a decryption operation on said digital signature utilizing said first public key to produce a first hashed value;
      
      performing said bashing operation on said second public key to produce a second hashed value; and
      
      comparing said first hashed value and said second hashed value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo PC International Limited (Lenovo Group Ltd.)
Original Assignee
Lenovo Singapore Pte Limited (Lenovo Group Ltd.)
Inventors
Cromer, Daryl Carvis, Locker, Howard Jeffrey, Ward, James Peter, Ellison, Brandon Jon, Trotter, Andy Lloyd
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Ho, Thomas

Application Number

US09/748,654
Publication Number

US 20020080973A1
Time in Patent Office

1,852 Days
Field of Search

713/200, 713/174, 713/156, 713/167, 713/175, 713189-194, 713/155
US Class Current

713/156
CPC Class Codes

G06F 21/31 User authentication

Computer system and method for generating a digital certificate

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system and method for generating a digital certificate

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links