Role assignments in a cryptographic module for secure processing of value-bearing items

US 7,236,956 B1
Filed: 10/16/2000
Issued: 06/26/2007
Est. Priority Date: 10/18/1999
Status: Expired due to Term

First Claim

Patent Images

1. A security system for securing data in a computer network comprising:

a plurality of user terminals coupled to the computer network;

a plurality of cryptographic devices remote from the plurality of user terminals and coupled to the computer network, wherein each cryptographic device includes a computer executable code for authenticating one or more users and verifying that the authenticated user is authorized to assume a role, and wherein each cryptographic device is capable of performing value management functions for one or more users; and

a plurality of security device transaction data for ensuring authenticity of the one or more users, wherein each security device transaction data is related to a user,wherein each cryptographic device is not dedicated to particular user terminals, andwherein each cryptographic device is programmable to service any of the plurality of user terminals.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An on-line value bearing item (VBI) printing system that includes one or more cryptographic modules and a central database is disclosed. The cryptographic modules are capable of implementing the USPS Information Based Indicia Program Postal Security Device Performance Criteria and other required VBI standards. The modules encipher the information stored in the central database for all of the on-line VBI system customers and are capable of preventing access to the database by unauthorized users. Additionally, the cryptographic module is capable of preventing unauthorized and undetected modification, including the unauthorized modification, substitution, insertion, and deletion of VBI related data and cryptographically critical security parameters.

172 Citations

29 Claims

1. A security system for securing data in a computer network comprising:
- a plurality of user terminals coupled to the computer network;
  
  a plurality of cryptographic devices remote from the plurality of user terminals and coupled to the computer network, wherein each cryptographic device includes a computer executable code for authenticating one or more users and verifying that the authenticated user is authorized to assume a role, and wherein each cryptographic device is capable of performing value management functions for one or more users; and
  
  a plurality of security device transaction data for ensuring authenticity of the one or more users, wherein each security device transaction data is related to a user,wherein each cryptographic device is not dedicated to particular user terminals, andwherein each cryptographic device is programmable to service any of the plurality of user terminals.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The system of claim 1, wherein the security device transaction data related to a user is loaded into one of the plurality of cryptographic devices when the user requests to operate on a value bearing item.
  - 3. The system of claim 1, wherein the assumed role includes one or more corresponding operations to be performed by the authenticated user.
  - 4. The system of claim 1, wherein the assumed role is a security officer role to initiate a key management function.
  - 5. The system of claim 1, wherein the assumed role is a key custodian role to take possession of shares of keys.
  - 6. The system of claim 1, wherein the assumed role is an administrator role to manage a user access control database.
  - 7. The system of claim 1, wherein the assumed role is an auditor role to manage audit logs.
  - 8. The system of claim 1, wherein the assumed role is a provider role to withdraw from a user account.
  - 9. The system of claim 1, wherein the assumed role is a user role to operate on a VBI.
  - 10. The system of claim 1, wherein the assumed role is a certificate authority role to allow a public key certificate to be loaded and verified.
  - 11. The system of claim 1, wherein each cryptographic device includes a state machine for determining a state corresponding to availability of one or more commands in conjunction with the role.
  - 12. The system of claim 1, wherein each cryptographic device is stateless.
  - 13. The system of claim 1, wherein each cryptographic device includes a computer executable code for preventing unauthorized modification of data.
  - 14. The system of claim 1, wherein each cryptographic device includes a computer executable code for ensuring the proper operation of cryptographic security and VBI related meter functions.
  - 15. The system of claim 1, wherein at least one of the user is an enterprise account.
  - 16. The system of claim 1, wherein each cryptographic device includes a computer executable code for supporting multiple concurrent users and maintaining a separation of roles and operations performed by each user.
  - 17. The system of claim 2, wherein the value bearing item is a mail piece.
  - 18. The system of claim 17, wherein the mail piece comprises a digital signature.
  - 19. The system of claim 1, wherein one of the plurality of cryptographic devices encrypts validation information according to a user request for printing a VBI.
  - 20. The system of claim 17, wherein one of the plurality of cryptographic devices generates data sufficient to print a postal indicium in compliance with postal service regulation on the mail piece.
  - 21. The system of claim 2, wherein the value bearing item is a ticket.
  - 22. The system of claim 2, wherein a bar code is printed on the value bearing item.
  - 23. The system of claim 1, wherein each security device transaction data includes an ascending register value, a descending register value, a respective cryptographic device ID, an indicium key certificate serial number, a licensing ZIP code, a key token for an indicium signing key, user secrets, a key for encrypting user secrets, data and time of last transaction, last challenge received from a respective client subsystem, an operational state of the respective device, expiration dates for keys, and a passphrase repetition list.
  - 24. The system of claim 1, wherein each security device transaction data includes a private key, a public key, and a public key certificate, wherein the private key is used to sign device status responses and a VBI which, in conjunction with a public key certificate, demonstrates that the device and the VBI are authentic.
  - 25. The system of claim 1 further comprising at least one more cryptographic device remote from the plurality of user terminals coupled to the computer network, wherein the at least one more cryptographic device includes a computer executable code for authenticating any of the plurality of users.
  - 26. The system of claim 25, wherein one of the plurality of cryptographic devices shares a secret with the at least one more cryptographic device.
  - 27. The system of claim 25, wherein one of the plurality of cryptographic devices is a master device and generates a master key set (MKS).
  - 28. The system of claim 27, wherein the MKS includes a Master Encryption Key (MEK) used to encrypt keys when stored outside the device and a Master Authentication Key (MAK) used to compute a DES MAC for signing keys when stored outside of the device.
  - 29. The system of claim 27, wherein the MKS is exported to other cryptographic devices by any cryptographic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stamps.com, Inc.
Original Assignee
Stamps.com, Inc.
Inventors
Ogg, Craig L., Chow, William W.
Primary Examiner(s)
Backer; Firmin

Application Number

US09/688,452
Time in Patent Office

2,444 Days
Field of Search

705/50, 705/60, 705/62, 705/63, 705/35, 713/183, 713/200, 380/232, 380/228
US Class Current

705/50
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/608   Secure printing

G06F 2221/2105   Dual mode as a secondary as...

G06Q 20/382   insuring higher security of...

G06Q 20/401   Transaction verification

G06Q 50/06   Energy or water supply

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Role assignments in a cryptographic module for secure processing of value-bearing items

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Role assignments in a cryptographic module for secure processing of value-bearing items

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links