System and method for message encryption and signing in a transaction processing system

US 7,363,495 B2
Filed: 02/21/2002
Issued: 04/22/2008
Est. Priority Date: 02/22/2001
Status: Active Grant

First Claim

Patent Images

1. A method for secure communication of data from a sender process to a recipient process in a transaction processing system, comprising the steps of:

storing data from a series of electronic messages containing transaction data in a message buffer;

marking said message buffer for encryption;

marking said message buffer for attachment of a digital signature;

creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature using a signed data content type, wherein a time stamp is attached to the digital signature;

sending said encryption envelope from said sender process to said recipient process;

receiving said encryption envelope from said sender process;

checking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature;

rejecting said message buffer if said message buffer will not be honored based on said policy; and

accepting said message buffer if said message buffer will be honored based on said policy by decrypting said encryption envelope to retrieve said data and verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and

wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a system and a method which utilizes a combination of message-based encryption and message-based digital signing to ensure the security and authenticity of a message or message buffer sent from one party or process to another in a transaction processing system. In one embodiment the invention includes a method comprising the steps of: creating an encryption envelope by encrypting a message buffer, signing the encrypted contents of said message buffer with a digital signature, sending said encryption envelope from the sender process to the recipient process, receiving the encryption envelope at the recipient process, decrypting said encryption envelope to retrieve said message, and verifying the identity of the sender process by retrieving the digital signature from the encryption envelope. The invention allows intermediate recipients to inspect the message, and provides for reliable authentication, confidentiality, integrity, and non-repudiation, of communicated messages.

119 Citations

View as Search Results

26 Claims

1. A method for secure communication of data from a sender process to a recipient process in a transaction processing system, comprising the steps of:
- storing data from a series of electronic messages containing transaction data in a message buffer;
  
  marking said message buffer for encryption;
  
  marking said message buffer for attachment of a digital signature;
  
  creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature using a signed data content type, wherein a time stamp is attached to the digital signature;
  
  sending said encryption envelope from said sender process to said recipient process;
  
  receiving said encryption envelope from said sender process;
  
  checking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature;
  
  rejecting said message buffer if said message buffer will not be honored based on said policy; and
  
  accepting said message buffer if said message buffer will be honored based on said policy by decrypting said encryption envelope to retrieve said data and verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and
  
  wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.

2. A method for secure communication of data from a sender process to a recipient process in a transaction processing system, comprising the steps of:
- storing data from a series of electronic messages containing transaction data in a message buffer;
  
  exporting the contents of said message buffer to an external representation of said message buffer, said step of exporting includes the substeps ofmarking said message buffer for encryption,marking said message buffer for attachment of a digital signature identifying said sender process, wherein a time stamp is attached to the digital signature, and,creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature;
  
  sending said encryption envelope from said sender process to said recipient process; and
  
  importing said encryption envelope by said recipient process, said step of importing includes the substeps ofchecking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature;
  
  if said message buffer will not be honored based on said policy, rejecting said message buffer, otherwise the step of importing includes the substeps ofdecrypting said encryption envelope to retrieve said data, wherein the data is readable by said recipient process; and
  
  ,verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and
  
  wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 3. The method of claim 2 wherein said step of creating an encryption envelope includes the substeps of:
    - generating at said sender process a message key;
      
      combining said message key with the contents of said message buffer to create an encrypted message buffer;
      
      generating a decryption key from a public key associated with said recipient process; and
      
      ,placing said encrypted message buffer and said decryption key in said encryption envelope.
  - 4. The method of claim 2 wherein said step of signing includes the steps of:
    - generating a message digest from said message buffer;
      
      retrieving a private key associated with said sender process; and
      
      ,combining said message digest with said private key to create a digital signature; and
      
      ,placing said digital signature in said encryption envelope.
  - 5. The method of claim 3 wherein said step of decrypting includes the steps of:
    - receiving said encryption envelope;
      
      combining said encryption envelope with a private key associated with said recipient process;
      
      retrieving said decryption key;
      
      using said decryption key to retrieve said encrypted message buffer; and
      
      ,decrypting said encrypted message buffer to retrieve said data.
  - 6. The method of claim 4 wherein said step of verifying includes the steps of:
    - receiving data including said digital signature;
      
      generating a first message digest from said digital signature;
      
      generating a second message digest, said step of generating a second message digest including the steps ofretrieving a public key associated with said sender process, and,combining said senders public key with said digital signature to generate a second message digest; and
      
      ,comparing said first and second message digest to determine the validity of the digital signature sent with the data.
  - 7. The method of claim 2, wherein an encrypted message buffer is signed using a signed data content type.
  - 8. The method of claim 2, wherein more than one digital encryption envelope can be associated with an encrypted message buffer.
  - 9. The method of claim 8, wherein multiple processes with different private keys can receive and decrypt an encrypted message buffer.
  - 10. The method of claim 2 wherein said step of sending includes sending said message via an intermediate process, said step of sending said message via an intermediate process includes the substeps ofplacing at said send process said encryption envelope in a second encryption envelope;
    - receiving at said intermediate process said encryption envelope;
      
      verifying the identity of the sender process by retrieving said digital signature from said encryption envelope; and
      
      ,if said identity is valid, forwarding said encryption envelope to said recipient process.
  - 11. The method of claim 2, wherein digital signatures are generated and verified when crossing process boundaries.
  - 12. The method of claim 2, wherein an intermediate process can route a message based on partial application content data, while maintaining confidentiality of the remaining data.
  - 13. The method of claim 2, wherein encryption is performed when crossing process boundaries.
  - 14. The method of claim 2, wherein an intermediate process can decrypt an entire message in order to route a message based on complete application data.

15. A system for secure communication of data from a sender process to a recipient process in a transactions processing system, comprising computer-readable instructions for performing the steps of:
- storing data from a continuous stream of transaction data in a message buffer;
  
  exporting the contents of said message buffer to an external representation of said message buffer, said step of exporting includes the substeps ofmarking said message buffer for encryption,marking said message buffer for attachment of a digital signature in said sender process, wherein a time stamp is attached to the digital signature, and,creating an encryption envelope by encrypting said message buffer, and signing the encrypted contents of said message buffer with a digital signature;
  
  sending said encryption envelope from said sender process to said recipient process; and
  
  importing said encryption envelope by said recipient process, said step of importing includes the substeps ofchecking a policy to determine if said message buffer as received will be honored, wherein the policy comprises requiring at least one valid digital signature on the message buffer, requiring that the message buffer is encrypted, and limits on the acceptable range of timestamps associated with the digital signature;
  
  if said message buffer will not be honored based on said policy, rejecting said message buffer, otherwise the step of importing includes the substeps ofdecrypting said encryption envelope to retrieve said data, wherein the data is readable by said recipient process; and
  
  ,verifying the identity of said sender process by retrieving said digital signature from said encryption envelope; and
  
  wherein the recipient process can be a client, a particular service, a server group, a gateway group, a particular server machine, or an entire domain of servers.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The system of claim 15 wherein said instructions for creating an encryption envelope includes the substeps of:
    - generating at said sender process a message key;
      
      combining said message key with the contents of said message buffer to create an encrypted message buffer;
      
      generating a decryption key from a public key associated with said recipient process; and
      
      ,placing said encrypted message buffer and said decryption key in said encryption envelope.
  - 17. The system of claim 15 wherein said instructions for signing includes the steps of:
    - generating a message digest from said message buffer;
      
      retrieving a private key associated with said sender process; and
      
      ,combining said message digest with said private key to create a digital signature; and
      
      ,placing said digital signature in said encryption envelope.
  - 18. The system of claim 16 wherein said instructions for decrypting includes the steps of:
    - receiving said encryption envelope;
      
      combining said encryption envelope with a private key associated with said recipient process;
      
      retrieving said decryption key;
      
      using said decryption key to retrieve said encrypted message buffer; and
      
      ,decrypting said encrypted message buffer to retrieve said data.
  - 19. The system of claim 17 wherein said instructions for verifying includes the steps of:
    - receiving data including said digital signature;
      
      generating a first message digest from said digital signature;
      
      generating a second message digest, said step of generating a second message digest including the steps ofretrieving a public key associated with said sender process, and,combining said senders public key with said digital signature to generate a second message digest; and
      
      ,comparing said first and second message digest to determine the validity of the digital signature sent with data.
  - 20. The system of claim 15, wherein the external representation of the message buffer is signed using a SignedData content type.
  - 21. The system of claim 15, wherein more than one digital encryption envelope can be associated with an encrypted message buffer.
  - 22. The system of claim 21, wherein multiple processes with different private keys can receive and decrypt an encrypted message buffer.
  - 23. The system of claim 15, wherein digital signatures are generated and verified when crossing process boundaries.
  - 24. The system of claim 15, wherein an intermediate process can route a message based on partial application content data, while maintaining confidentiality of the remaining data.
  - 25. The system of claim 15, wherein encryption is performed when crossing process boundaries.
  - 26. The system of claim 15, wherein an intermediate process can decrypt an entire message in order to route a message based on complete application data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Wells, John R.
Primary Examiner(s)
Tran; Ellen

Application Number

US10/080,358
Publication Number

US 20020138735A1
Time in Patent Office

2,252 Days
Field of Search

713/170,185,150,176,181
US Class Current

713/170
CPC Class Codes

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 63/0428   wherein the data content is...

H04L 63/126   the source of the received ...

H04L 9/3247   involving digital signatures

System and method for message encryption and signing in a transaction processing system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for message encryption and signing in a transaction processing system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links