System and method for message encryption and signing in a transaction processing system
First Claim
1. A method for secure communication of data from a sender process to a recipient process in a transaction processing system, comprising the steps of:
storing data from a series of electronic messages containing transaction data in a message buffer;
marking said message buffer for encryption;
marking said message buffer for attachment of a digital signature;
creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature using a signed data content type, wherein a time stamp is attached to the digital signature;
sending said encryption envelope from said sender process to said recipient process;
receiving said encryption envelope from said sender process;
checking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature;
rejecting said message buffer if said message buffer will not be honored based on said policy; and
accepting said message buffer if said message buffer will be honored based on said policy by decrypting said encryption envelope to retrieve said data and verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and
wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.
Abstract
The invention provides a system and a method which utilizes a combination of message-based encryption and message-based digital signing to ensure the security and authenticity of a message or message buffer sent from one party or process to another in a transaction processing system. In one embodiment the invention includes a method comprising the steps of: creating an encryption envelope by encrypting a message buffer, signing the encrypted contents of said message buffer with a digital signature, sending said encryption envelope from the sender process to the recipient process, receiving the encryption envelope at the recipient process, decrypting said encryption envelope to retrieve said message, and verifying the identity of the sender process by retrieving the digital signature from the encryption envelope. The invention allows intermediate recipients to inspect the message, and provides for reliable authentication, confidentiality, integrity, and non-repudiation of communicated messages.
26 Claims
2. A method for secure communication of data from a sender process to a recipient process in a transaction processing system, comprising the steps of:
storing data from a series of electronic messages containing transaction data in a message buffer; exporting the contents of said message buffer to an external representation of said message buffer, said step of exporting includes the substeps of marking said message buffer for encryption, marking said message buffer for attachment of a digital signature identifying said sender process, wherein a time stamp is attached to the digital signature, and, creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature; sending said encryption envelope from said sender process to said recipient process; and importing said encryption envelope by said recipient process, said step of importing includes the substeps of checking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature; if said message buffer will not be honored based on said policy, rejecting said message buffer, otherwise the step of importing includes the substeps of decrypting said encryption envelope to retrieve said data, wherein the data is readable by said recipient process; and verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.
Dependent claims: 3 to 14.

15. A system for secure communication of data from a sender process to a recipient process in a transactions processing system, comprising computer-readable instructions for performing the steps of:
storing data from a continuous stream of transaction data in a message buffer; exporting the contents of said message buffer to an external representation of said message buffer, said step of exporting includes the substeps of marking said message buffer for encryption, marking said message buffer for attachment of a digital signature in said sender process, wherein a time stamp is attached to the digital signature, and, creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature; sending said encryption envelope from said sender process to said recipient process; and importing said encryption envelope by said recipient process, said step of importing includes the substeps of checking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature; if said message buffer will not be honored based on said policy, rejecting said message buffer, otherwise the step of importing includes the substeps of decrypting said encryption envelope to retrieve said data, wherein the data is readable by said recipient process; and verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.
Dependent claims: 16 to 26.
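As an added illustration (not code from the patent or its assignee), a stand-alone Python sketch of the recipient-side policy check that claims 1, 2 and 15 describe: the envelope must be marked encrypted, carry at least one valid signature over the encrypted contents, and the time stamp attached to that signature must fall within an acceptable window. Assumptions: an HMAC-SHA256 tag stands in for the real digital signature, the envelope is a plain dict rather than the signed-data content type the claim names, and the ciphertext is a constructed opaque byte string.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _tag(key: bytes, ciphertext: bytes, ts: int) -> bytes:
    # Stand-in for the digital signature (assumption): HMAC-SHA256 over the
    # encrypted contents plus the attached time stamp, so both are covered.
    return hmac.new(key, ciphertext + ts.to_bytes(8, "big"), hashlib.sha256).digest()


def make_envelope(ciphertext: bytes, signer: str, key: bytes, ts: int, encrypted: bool = True) -> dict:
    """Sender side: the buffer is already encrypted; sign the encrypted contents (encrypt-then-sign)."""
    return {
        "encrypted": encrypted,
        "ciphertext": ciphertext,
        "signatures": [{"signer": signer, "timestamp": ts, "sig": _tag(key, ciphertext, ts)}],
    }


@dataclass
class Policy:
    require_encryption: bool = True
    min_valid_signatures: int = 1
    max_age_s: int = 300     # a signature older than this is outside the acceptable range
    max_future_s: int = 60   # small clock skew ahead of the recipient is tolerated


def check_policy(env: dict, signer_keys: dict, policy: Policy, now: int) -> tuple:
    """Recipient side: decide whether the received buffer will be honored."""
    if policy.require_encryption and not env.get("encrypted", False):
        return False, "rejected: buffer is not encrypted"
    valid = 0
    for sig in env.get("signatures", []):
        key = signer_keys.get(sig["signer"])
        if key is None:
            continue  # unknown signer: signature cannot be verified
        expected = _tag(key, env["ciphertext"], sig["timestamp"])
        if not hmac.compare_digest(sig["sig"], expected):
            continue  # tampered contents or forged signature
        age = now - sig["timestamp"]
        if age > policy.max_age_s or -age > policy.max_future_s:
            return False, "rejected: signature time stamp outside acceptable range"
        valid += 1
    if valid < policy.min_valid_signatures:
        return False, "rejected: no valid digital signature"
    return True, "accepted: decrypt and verify sender identity"
```

Only after `check_policy` accepts does the recipient decrypt and read the buffer, which is why the signature is checked over the ciphertext rather than the plaintext.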