Method and system for user generated keys and certificates

US 7,366,905 B2
Filed: 02/28/2002
Issued: 04/29/2008
Est. Priority Date: 02/28/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

having an identity authenticated in a first system;

a second system causing a key to be generated for use in the second system;

the second system generating a certificate for the key; and

establishing the identity of a user in the second system by signing the certificate for the key using the authenticated identity of the user in the first system,wherein the certificate for the key for use in the second system contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed,wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification; and

wherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system to allow user generation of a private-public key pair and an associated user generated certificate to establish the identity of a user based upon signing the user generated certificate with a private key of a private-public key pair associated with a certificate issued by a Certification Authority (CA). The user generated certificate thereby allows the user that generated the certificate to establish a secure session with a third party without multiple use of the certificate issued by the CA, typically for use on another network infrastructure. The method and system are particularly useful for establishing a secure session, such as a Secure Socket Layer session using a personal computer, where the CA certificate is associated with a wireless identity module of a wireless device.

39 Citations

View as Search Results

57 Claims

1. A method comprising:
- having an identity authenticated in a first system;
  
  a second system causing a key to be generated for use in the second system;
  
  the second system generating a certificate for the key; and
  
  establishing the identity of a user in the second system by signing the certificate for the key using the authenticated identity of the user in the first system,wherein the certificate for the key for use in the second system contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed,wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification; and
  
  wherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. A method as defined in claim 1, wherein the key is generated by the second system.
  - 3. A method as defined in claim 1, wherein the key is generated by the first system.
  - 4. A method as defined in claim 1, further comprising the step of:
    - a third party communicating with the user of the second system and verifying the user of the second system by the authenticated identity of the user of the first system.
  - 5. A method as defined in claim 4, wherein the third party is a server.
  - 6. A method as defined in claim 4, wherein the key comprises a private-public key pair and where the certificate includes the public key of the key pair.
  - 7. A method as defined in claim 6, wherein the certificate further includes an identity which is the same as the authenticated identity of the user of the first system.
  - 8. A method as defined in claim 7, where the authenticated identity of the user in the first system comprises a private-public key pair and a certificate issued by a certification authority, and where the signing of the second system generated certificate is by hashing at least some data in the certificate to obtain a hash value, encrypting this hash value using the private key of the first system private-public key pair, and adding the encrypted hash value to the certificate.
  - 9. A method as defined in claim 8, wherein the private key of first system private-public key pair is stored in a wireless identity module.
  - 10. A method as defined in claim 9, wherein the private key of the first system is accessed by entry of a password.
  - 11. A method as defined in claim 6, where the identity of the user in the first system comprises a private-public key pair and an associated certificate issued by a certification authority.
  - 12. A method as defined in claim 11, wherein the private key of first system private-public key pair is stored in a wireless identity module.
  - 13. A method as defined in claim 12, wherein the private key of the first system is accessed by entry of a password.
  - 14. A method as defined in claim 1, wherein the authenticated identity of the user of the first system forming at least part of the signing of the certificate for the key for use in the second system includes encryption of data with the private key of the user of the first system, wherein the identity of the user of the first system is certified by a certification authority through a corresponding public key for the user of the first system.
  - 15. A method as defined in claim 14, wherein prior to signing the certificate for the key for use in the second system, the user of the first system obtains access to its private key by entry of a password.
  - 16. A method as defined in claim 15, wherein the password is a personal identification number.
  - 17. A method as defined in claim 1, wherein the certificate for the key includes the full certification tree for the key, said full certification tree including a certificate of the first system for the user of the first system.
  - 18. A method as defined in claim 17, wherein the second system uses a security protocol for establishing a secure session.
  - 19. A method as defined in claim 18, wherein the security protocol is selected from the group consisting of transport layer security, internet protocol security protocol and secure socket layer.
  - 20. A method as defined in claim 18, wherein the wireless communication system uses a wireless identity module in an associated wireless device of the user of the first system for establishing the identity of the user of the first system.
  - 21. A method as defined in claim 20, wherein the wireless identity module contains a private key of the user of the first system and wherein a corresponding public key of the user of the first system is certified by a certification authority.
  - 22. A method as defined in claim 1, wherein one usage limitation is that a third party of the second system should accept the key for use in the second system only for certain types of operations.
  - 23. A method as defined in claim 22, wherein an accepted operation is the use of the key for use in the second system for encryption of data but not for signature verification.
  - 24. A method as defined in claim 1, where the certificate does not contain the identity of the user associated with the user generated key, and where the signing of the certificate using the authenticated identity of the user of the first system includes appending the full certification tree of the first user to the user generated key.
  - 25. A method as defined in claim 1, where the first and second users are the same entity.

26. A method comprising:
- generating a key for use in a network environment by a user having an authenticated identity not associated with said network environment;
  
  generating a certificate for the key; and
  
  establishing the identity of the user in said network environment by signing the certificate for the key using the user'"'"'s authenticated identity,wherein the certificate for the key for use in the network environment contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed, wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification; and
  
  wherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.

27. A system comprising:
- a device forming part of a second system, the device having means for causing a key to be generated for use in the second system by a user having an authenticated identity in a first system,said device of the second system having means for generating a certificate for the key; and
  
  a second device forming part of the first system, the second device having means for storing information regarding the authenticated identity of the user in the first system,said second device further having means for communicating said information; and
  
  wherein the device of the second system has means for receipt of said information from the second device, and further has means for establishing the identity of the user in the second system by signing the certificate for the key using the authenticated identity of the user in the first system,wherein the certificate for the key for use in the second system contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed,wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification; and
  
  wherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 28. A system as defined in claim 27, wherein the device of the second system further comprises means for generating said key.
  - 29. A system as defined in claim 27, wherein the second device forming part of the first system further comprises means for generating said key.
  - 30. A system as defined in claim 27, wherein a third party communicates with the user of the second system, said third party communicating via a third device, said third device having means for verifying the user of the second system by the authenticated identity of the user of the first system.
  - 31. A system as defined in claim 30, wherein the third device is a server.
  - 32. A system as defined in claim 27, wherein the key comprises a private-public key pair and where the certificate includes the public key of the key pair.
  - 33. A system as defined in claim 32, wherein the certificate further includes an identity which is the same as the authenticated identity of the user of the first system.
  - 34. A system as defined in claim 33, where the authenticated identity of the user in the first system comprises a private-public key pair and a certificate issued by a certification authority, and where the means for signing the second system generated certificate is by encrypting this second system generated certificate using the private key of the first system private-public key pair.
  - 35. A system as defined in claim 34, wherein the private key of the first system private-public key pair is stored in a wireless identity module forming part of the second device.
  - 36. A system as defined in claim 35, wherein the second device includes means for user entry of information, wherein the private key of the first system is accessed by entry of a password via said user entry means.
  - 37. A system as defined in claim 32, where the identity of the user in the first system comprises a private-public key pair and an associated certificate issued by a certification authority.
  - 38. A system as defined in claim 37, wherein the private key of the first system private-public key pair is stored in a wireless identity module forming part of the second device.
  - 39. A system as defined in claim 38, wherein the private key of the first system is accessed by entry of a password.
  - 40. A system as defined in claim 27, where the user of the first system authenticated identity includes a private-public key pair, where the identity of the user of the first system is certified by a certification authority through a corresponding public key for the user of the first system, and wherein the means for signing the certificate includes signing the certificate for the key for use in the second system by encryption of data with the private key of the user of the first system.
  - 41. A system as defined in claim 40, wherein the second device includes means for user entry of information, and wherein the user of the first system obtains access to its private key by entry of a password via said user entry means.
  - 42. A system as defined in claim 41, wherein the password is a personal identification number.
  - 43. A system as defined in claim 41, wherein the second system uses a security protocol for establishing a secure session.
  - 44. A system as defined in claim 43, wherein the security protocol is selected from the group consisting of transport layer security, internet protocol security protocol and secure socket layer.
  - 45. A system as defined in claim 43, wherein the second device forming part of the wireless communication system includes a wireless identity module for storing information used to establish the identity of the user of the first system.
  - 46. A system as defined in claim 45, wherein the wireless identity module contains a private key of the user of the first system and wherein a corresponding public key of the user of the first system is certified by a certification authority.
  - 47. A system as defined in claim 27, wherein the certificate for the key includes the full certification tree for the key, said full certification tree including a certificate of the first system for the user of the first system.
  - 48. A system as defined in claim 27, wherein one usage limitation is that a third party of the second system should accept the key for use in the second system only for certain types of operations.
  - 49. A system as defined in claim 48, wherein an accepted operation is the use of the key for use in the second system for encryption of data but not for signature verification.
  - 50. A system as defined in claim 27, where the certificate does not contain the identity of the user associated with the user generated key, and where the means for signing of the certificate using the authenticated identity of the user of the first system including appending the full certification tree of the first user to the user generated key.
  - 51. A system as defined in claim 27, where the first and second users are the same entity.

52. A wireless device comprising:
- means for storing information regarding an authenticated identity of a user in a first system associated with the wireless device;
  
  means for receipt of a certificate from a second device that is part of a second system, the certificate being for a key that is for use in the second system; and
  
  means for establishing the identity of the user in the second system by signing the certificate using the authenticated identity of the user in the first system and transferring the signed certificate to the device of the second system wherein the certificate for the key for use in the second system contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed,wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification;
  
  wherein the second device includes means for generating the key to be used in said second system; and
  
  wherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.
- View Dependent Claims (53, 54, 55)
- - 53. A wireless device as defined in claim 52, wherein the wireless device further comprises means for generating the key to be used in the second system.
  - 54. A wireless device as defined in claim 52, where the authenticated identity of the user in the first system comprises a private-public key pair and a certificate issued by a certification authority, and where the means for signing the second system generated certificate is by encrypting this second system generated certificate using the private key of the first system private-public key pair, wherein the wireless device includes a wireless identity module for storing said private key of the first system private-public key pair.
  - 55. A wireless device as defined in claim 54, wherein the wireless device includes means for user entry of information, wherein the private key of the first system is accessed by entry of a password via said user entry means.

56. A program stored on a computer readable medium for execution by a processor, the program having code for:
- generating a key for use in a network environment by a user having an authenticated identity not associated with said network environment;
  
  generating a certificate for the key; and
  
  establishing the identity of the user in said network environment by signing the certificate for the key using the user'"'"'s authenticated identity,wherein the certificate for the key for use in the network environment contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed,wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification; and
  
  wherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.

57. A wireless device comprising:
- storage module configured to store information regarding an authenticated identity of a user in a first system associated with the wireless device;
  
  receiving module, configured to receive a certificate from a second device that is part of a second system, the certificate being for a key that is for use in the second system; and
  
  signing module configured to establish the identity of the user in the second system by signing the certificate using the authenticated identity of the user in the first system and transferring the signed certificate to the device of the second system,wherein the certificate for the key for use in the second system contains usage limitations, including a temporal limit on usage,wherein the temporal limit requires that once a secure socket layer session on the second system is completed, the certificate or a corresponding key is destroyed,wherein said usage limitations also include a limit on use of said key for encryption only, which excludes use of said key for signature verification; and
  
  wherein the second device includes a generating module configured to generate the key to be used in said second system, andwherein the first system is a wireless communication system and wherein the second system is a computer connected to an Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WSOU Investments, LLC (WSOU Holdings, LLC)
Original Assignee
Nokia Corporation
Inventors
Paatero, Lauri
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
Shiferaw, Eleni A

Application Number

US10/090,422
Publication Number

US 20030163700A1
Time in Patent Office

2,252 Days
Field of Search

380/280, 380/277, 380/380, 713/175, 713/176, 713/156
US Class Current

713/175
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04W 12/069   using certificates or pre-s...

Method and system for user generated keys and certificates

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for user generated keys and certificates

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links