Client controlled data recovery management

US 7,050,589 B2
Filed: 08/17/2001
Issued: 05/23/2006
Est. Priority Date: 08/17/2001
Status: Active Grant

First Claim

Patent Images

1. A method in a data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:

receiving, at a registration manager, a request from a user for a digital certificate, the request including an encryption key associated with the user;

encrypting the user'"'"'s encryption key with a first archival key;

providing, by the registration manager, the user'"'"'s encryption key that is encrypted with the first archival key;

storing, by a recovery manager, the encrypted user'"'"'s encryption key in a database;

providing, by the recovery manager to the registration manager, an indication of proof of storing the encrypted user'"'"'s encryption key, wherein the indication of proof is signed with a second archival key;

verifying, by the registration manager, the signed indication of proof based on the first archival key; and

providing, by the registration manager, the request to the certificate authority based on the verification of the signed indication of proof.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems in accordance with the present invention allow users'"'"' private keys corresponding to their digital certificates to be stored and archived outside of the control of a Certificate Authority (“CA”). A CA may have a policy that a user'"'"'s private key must be archived in order to receive a digital certificate upon a registration request from the user. Typically, the CA knows that the user'"'"'s private key is archived because it implements the archival of the key, for example, on a data recovery manager and associated internal database that the CA controls. Methods and systems in accordance with the present invention allow for the enforcement of such a policy while allowing the archival of the private keys to be outside of the control of the CA by having a data recovery manager supply a digitally signed proof of archival token with a digital certificate request to a CA. The CA is assured that the key has been archived. Methods and systems allow for the data recovery manager and a database of archived keys to be controlled by other entities, including the user or client, for example.

72 Citations

View as Search Results

10 Claims

1. A method in a data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:
- receiving, at a registration manager, a request from a user for a digital certificate, the request including an encryption key associated with the user;
  
  encrypting the user'"'"'s encryption key with a first archival key;
  
  providing, by the registration manager, the user'"'"'s encryption key that is encrypted with the first archival key;
  
  storing, by a recovery manager, the encrypted user'"'"'s encryption key in a database;
  
  providing, by the recovery manager to the registration manager, an indication of proof of storing the encrypted user'"'"'s encryption key, wherein the indication of proof is signed with a second archival key;
  
  verifying, by the registration manager, the signed indication of proof based on the first archival key; and
  
  providing, by the registration manager, the request to the certificate authority based on the verification of the signed indication of proof.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising the step of sending a digital certificate from the certificate authority to the user in response to the certificate authority receiving a second request from the registration manager.
  - 3. The method of claim 1, further comprising:
    - encrypting, by a client associated with the user, the request with a transport key; and
      
      sending the transport encrypted request to the registration manager.
  - 4. The method of claim 3, further comprising:
    - decrypting, by the recovery manager, the transport encrypted request.
  - 5. The method of claim 1, wherein the second archival key is a data recovery manager private key.
  - 6. The method of claim 1, wherein the user'"'"'s encryption key is archived under control of the user.

7. A method in a data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:
- receiving a request for a digital certificate from a user to a registration manager, the request including an encryption key associated with the user;
  
  providing, by the registration manager to a recovery manager, the user'"'"'s encryption key that is encrypted with a first archival key;
  
  digitally signing, at a recovery manager, an indication of proof of archival of the encryption key for the user in a database;
  
  verifying, by the registration manager, the digitally signed indication of proof based on a first archival key;
  
  sending, by the registration manager to the certificate authority, a request for a digital certificate based on the verifying; and
  
  receiving, from the certificate authority, a digital certificate in response to the request.

8. A data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key under control of an entity other than the certificate authority, comprising:
- a registration manager configured to receive a digital certificate request including a user'"'"'s encryption key, send the user'"'"'s encryption key, and in response receive an indication of proof of archival of the user'"'"'s encryption key;
  
  a data recovery manager configured to receive the user'"'"'s encryption key, send the user'"'"'s encryption key to a database controlled by an entity other than the certificate authority for archiving, create the indication of proof of archival, and send the indication of proof of archival to the registration manager; and
  
  a certificate authority configured to receive, from the registration manager, a request for a digital certificate for the user, the request including the indication of proof of archival, and issue a digital certificate when it is determined that the indication proof of archival was received.

9. A computer-readable medium containing instructions for controlling a data processing system to perform a method for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, the method comprising the steps of:
- receiving, at a recovery manager, a user encryption key from a registration manager that manages certificates for the user, the encryption key being signed by a first archival key;
  
  digitally signing, by the recovery manager, an indication of proof of archival of the user'"'"'s encryption key in a database under the control of an entity separate from the certificate authority, wherein the indication of proof is signed with a second archival key;
  
  providing, by the recovery manager, the signed indication of proof to the registration manager;
  
  verifying, by the registration manager, the digitally signed indication of proof based on the first archival key;
  
  sending, by the registration manager, a request for a digital certificate based on the verified digitally signed indication of proof; and
  
  receiving, by the registration manager, a digital certificate in response to the request.

10. A data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:
- a registration manager including;
  
  means for receiving a request from a user for a digital certificate, the request including an encryption key associated with the user that is encrypted using a first archival key;
  
  a recovery manager including;
  
  means for storing the encrypted user'"'"'s encryption key in a database;
  
  means for providing an indication of proof of storing the encrypted user'"'"'s encryption key, wherein the indication of proof is signed with a second archival key;
  
  wherein the registration manager further includes means for verifying the signed indication of proof based on the first archival key, and means for providing the request to the certificate authority based on the verification of the signed indication of proof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Kwan, Nang Kon
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Chai, Longbit

Application Number

US09/931,004
Publication Number

US 20030035548A1
Time in Patent Office

1,740 Days
Field of Search

713200-202, 713155-158, 713/178, 713168-172, 713175-176, 380277-286, 726/10
US Class Current

380/286
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0823   using certificates cryptogr...

H04L 63/18   using different networks or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3263   involving certificates, e.g...

Client controlled data recovery management

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Client controlled data recovery management

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links