Password exposure elimination for digital signature coupling with a host identity

US 7,143,285 B2
Filed: 05/22/2001
Issued: 11/28/2006
Est. Priority Date: 05/22/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of creating a proof of possession confirmation for inclusion by a certification authority into a digital certificate, the digital certificate for use by an end user, the method comprising:

receiving, from the certification authority in response to a certificate request by the end user, a plurality of data fields corresponding to a target host system, the identity of the end user, and a proof of identity possession by the end user, said plurality of data fields Further comprising a host name, a subject identification, a subject public key information, and a scaled proof of possession;

analyzing the content of said plurality of data fields by decrypting a proof of possession structure from said scaled proof of possession, extracting a password from said sealed proof of possession structure, extracting a key identifier from said proof of possession stricture and calculating a correct key identifier from said subject public key information;

verifying the accuracy of said plurality of data fields; and

if said plurality of data fields is verified as accurate, sending a signed object to the certification authority, said signed object comprising the proof of possession confirmation, wherein said proof of possession confirmation is constructed in a manner so as to prevent replay attacks by an impostor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for creating a proof of possession confirmation for inclusion by a certification authority into a digital certificate, the digital certificate for use by an end user, is disclosed. In an exemplary embodiment of the invention, the method includes receiving from the certification authority, in response to a certificate request by the end user, a plurality of data fields corresponding to a target host system, the end user, and a form of proof of identity possession by the end user. The content of the plurality of data fields is analyzed and the accuracy thereof is verified. If the plurality of data fields is verified as accurate, then a signed object is sent to the certification authority, the signed object comprising the proof of possession confirmation.

30 Citations

View as Search Results

12 Claims

1. A method of creating a proof of possession confirmation for inclusion by a certification authority into a digital certificate, the digital certificate for use by an end user, the method comprising:
- receiving, from the certification authority in response to a certificate request by the end user, a plurality of data fields corresponding to a target host system, the identity of the end user, and a proof of identity possession by the end user, said plurality of data fields Further comprising a host name, a subject identification, a subject public key information, and a scaled proof of possession;
  
  analyzing the content of said plurality of data fields by decrypting a proof of possession structure from said scaled proof of possession, extracting a password from said sealed proof of possession structure, extracting a key identifier from said proof of possession stricture and calculating a correct key identifier from said subject public key information;
  
  verifying the accuracy of said plurality of data fields; and
  
  if said plurality of data fields is verified as accurate, sending a signed object to the certification authority, said signed object comprising the proof of possession confirmation, wherein said proof of possession confirmation is constructed in a manner so as to prevent replay attacks by an impostor.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the accuracy of said plurality of data fields is verified if:
    - said host name is matched with an identity of said target host system;
      
      said extracted password is validated as a valid password for the end user; and
      
      said extracted key identifier is matched with said correct key identifier calculated from said subject public key information.
  - 3. The method of claim 1, wherein said extracted password and said extracted key identifier are initially symmetrically encrypted.
  - 4. The method of claim 1, wherein said extracted password and said extracted key identifier are initially asymmetrically encrypted.
  - 5. The method of claim 1, wherein:
    - said plurality of data fields includes a password; and
      
      said signed object does not include said password.
  - 6. The method of claim 1, wherein said sealed proof of possession is verifiable for compatibility with at least one other of said plurality of data fields of said certificate request.

7. A computer-readable storage medium comprising:
- a computer readable program code for creating, a proof of possession confirmation for inclusion by a certification authority into a digital certificate, the digital certificate for use by an end user; and
  
  instructions for causing a computer to implement a method, the method further comprising;
  
  receiving, from the certification authority in response to a certificate request by the end user, a plurality of data fields corresponding to a target host system, the identity of the end user, and a proof of identity possession by the end user, said plurality of data fields further comprising a host name, a subject identification, a subject public key information, and a sealed proof of possession;
  
  analyzing the content of said plurality of data fields by decrypting a proof of possession structure from said sealed proof of possession, extracting a password from said sealed proof of possession structure extracting a key identifier from said proof of possession structure and calculating a correct key identifier from said subject public key information;
  
  verifying the accuracy of said plurality of data fields; and
  
  if said plurality of data fields is verified as accurate, sending a signed object to the certification authority, said signed object comprising the proof of possession confirmation, wherein said proof of possession confirmation is constructed in a manner so as to prevent replay attacks by an impostor.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The storage medium of claim 7, wherein the accuracy of said plurality of data fields is verified if:
    - said host name is matched with an identity of said target host system;
      
      said extracted password is validated as a valid password for the end user; and
      
      said extracted key identifier is matched with said correct key identifier calculated from said subject public key information.
  - 9. The storage medium of claim 7, wherein said extracted password and said extracted key identifier are initially symmetrically encrypted.
  - 10. The storage medium of claim 7, wherein said extracted password and said extracted key identifier are initially asymmetrically encrypted.
  - 11. The storage medium of claim 7, wherein:
    - said plurality of data fields includes a password; and
      
      said signed object does not include said password.
  - 12. The storage medium of claim 7, wherein said sealed proof of possession is verifiable for compatibility with at least one other of said plurality of data fields of said certificate request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dayka, John C., Benantar, Messaoud, Sweeny, James W., Gindin, Thomas L.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Son, Linh LD

Application Number

US09/862,797
Publication Number

US 20030009662A1
Time in Patent Office

2,016 Days
Field of Search

713/156, 713/175
US Class Current

713/156
CPC Class Codes

G06F 21/33 using certificates

Password exposure elimination for digital signature coupling with a host identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Password exposure elimination for digital signature coupling with a host identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links