Method and system for certificate delivery and management

US 7,484,089 B1
Filed: 11/10/2004
Issued: 01/27/2009
Est. Priority Date: 09/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for utilizing a certificate as an access method to a host system from one of a plurality of access points, comprising:

creating and distributing a certificate for certificate-based authentication to each of a plurality of storage methods consisting of a microcomputer of a smart card and at least one of a computer disk of a computing device disposed in a secure environment and a Hardware Security Module (HSM) associated with a computing device;

managing the certificate over a life span of the certificate at least in part via a Lightweight Directory Assistance protocol (LDAP) directory shared by a Certificate Authority (CA) and the host system; and

allowing access to the host system using the certificate for public key-based authentication to the host system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for combining multiple access points and utilizing certificates as an access method to a system from multiple access points enables use of a certificate that is stored within a smart card to access a host system through a browser, such that when the user accesses the application on the server, the application requires that the card and certificate be present for authentication of the individual user, and concurrently allows an external system to access applications on a host server using a certificate stored on the external system for authenticating itself to the host server. A certificate for certificate-based authentication is created and distributed to a choice of storage methods, such as a microcomputer of an integrated chip card, a computer disk of a computing device disposed in a secure environment, or a Hardware Security Module (HSM) associated with the computing device. The certificate is managed over its life span at least partly via a Lightweight Directory Assistance protocol (LDAP) directory shared by a certificate authority (CA) and the host system. Access to the host system is allowed using the certificate for public key-based authentication to the host system.

Citations

41 Claims

1. A method for utilizing a certificate as an access method to a host system from one of a plurality of access points, comprising:
- creating and distributing a certificate for certificate-based authentication to each of a plurality of storage methods consisting of a microcomputer of a smart card and at least one of a computer disk of a computing device disposed in a secure environment and a Hardware Security Module (HSM) associated with a computing device;
  
  managing the certificate over a life span of the certificate at least in part via a Lightweight Directory Assistance protocol (LDAP) directory shared by a Certificate Authority (CA) and the host system; and
  
  allowing access to the host system using the certificate for public key-based authentication to the host system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 2. The method of claim 1, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises preparing a key pair for the card and placing a unique Personal Identification Number (PIN) on the card by an initialization workstation.
  - 3. The method of claim 2, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises creating and signing the certificate by the CA in response to a request for the certificate received via a Registration Authority (RA).
  - 4. The method of claim 2, wherein the certificate is downloaded to the card after utilizing a securely distributed one-time-use Personal Identification Number (PIN) which, with information from the card, is used to positively identify a user and card as a valid owner of the certificate.
  - 5. The method of claim 3, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises posting a copy of the certificate to the LDAP directory shared by the CA and the host system in a location in which log-in rights and access rights for a holder of the card are identified to the host system.
  - 6. The method of claim 5, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises distributing the card and PIN to the cardholder through separate channels for security.
  - 7. The method of claim 1, wherein creating and distributing the certificate to at least one of the computer disk of the computing device disposed in a secure environment and the HSM associated with the computing device further comprises creating and distributing the certificate for storage on the computer disk of the computing device.
  - 8. The method of claim 7, wherein creating and distributing the certificate for storage on the computer disk of the computing device further comprises creating the certificate via a badging station that interacts with the host system and stores an encrypted private key for the certificate on the computer disk at the badging station.
  - 9. The method of claim 8, wherein creating and distributing the certificate for storage on the computer disk of the computing device further comprises allowing a user on an external system to request the certificate via the badging station and sending the user'"'"'s request to the CA via the RA for creation of the certificate.
  - 10. The method of claim 9, wherein creating and distributing the certificate for storage on the computer disk of the computing device further comprises creating the certificate by the CA and posting the certificate to the LDAP directory shared by the CA and the host system.
  - 11. The method of claim 10, wherein creating and distributing the certificate for storage on the computer disk of the computing device further comprises sending an email notice of the certificate to the external system user and allowing downloading and storage of the certificate in response to a request by the system user.
  - 12. The method of claim 1, wherein creating and distributing the certificate to at least one of the computer disk of the computing device disposed in a secure environment and the HSM associated with the computing device further comprises creating and distributing the certificate for storage on the HSM associated with the computing device.
  - 13. The method of claim 12, wherein creating and distributing the certificate for storage on the HSM associated with the computing device further comprises creating a key pair by the HSM in response to a request for an external system user, storing a private key of the key pair on the HSM, and delivering only a public key of the key pair external to the HSM.
  - 14. The method of claim 13, wherein creating and distributing the certificate for storage on the HSM associated with the computing device further comprises creating an entry in the LDAP directory for the external system user and sending the request to the CA by the RA.
  - 15. The method of claim 14, wherein creating and distributing the certificate for storage on the HSM associated with the computing device further comprises receiving the request by the CAY verifying that the request is complete, creating the certificate, and sending an email to the system user confirming creation of the certificate.
  - 16. The method of claim 15, wherein creating and distributing the certificate for storage on the HSM associated with the computing device further comprises allowing download and storage of the certificate, including only the public key, on a computer disk for the external system user.
  - 17. The method of claim 1, wherein consistent tools and utilities are used to manage certificate creation, distribution, use and reissuance across all disparate user categories.
  - 18. The method of claim 1, wherein managing the certificate over the life span of the certificate further comprises at least one of re-issuing the certificate in response to a request received upon notification of an approaching expiry for the certificate, sending notification of the approaching expiry for the certificate, issuing a new certificate in response to a request upon expiry of the certificate, revoking the certificate according to pre-defined parameters and simultaneously removing information regarding the revoked certificate from a user access definition within the LDAP directory shared by the CA and the host system.
  - 19. The method of claim 1, wherein allowing access to the host system using the certificate for public key-based authentication further comprises allowing a cardholder to utilize the certificate stored within the microcomputer of the smart card to access an application on a host system server, such that when the user accesses the application on the server, the application requires that the card and certificate are present for authentication of the cardholder.
  - 20. The method of claim 1, wherein allowing access to the host system using the certificate for public key-based authentication further comprises allowing an external system user to access an application on a host system server utilizing the certificate and associated keys stored on a disk of the computer of the external system for authentication of the system user to the host server.
  - 21. The method of claim 1, wherein allowing access to the host system using the certificate for public key-based authentication further comprises allowing an external system user to access an application on a host system server utilizing the certificate and associated keys stored on the HSM which stores encryption keys and encrypts information passed into the HSM and passes the encrypted information out of the HSM and that is associated with the computing device of the external system user for authentication of the external system user to the host server.
  - 22. The method of claim 1, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises initializing the card and creating a card data list.
  - 23. The method of claim 22, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises setting an initial PIN on the card, preparing the card to receive a PKI certificate using authentication and digital signature smart card client software, and capturing pre-selected card initialization data for the initialized card by a card data list utility.
  - 24. The method of claim 23, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises receiving an account request file related to an access request for a new card user account.
  - 25. The method of claim 24, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises converting the account request file to an LDAP file, importing the LDAP file into an LDAP system to create an account for a pre-authorized card user, and creating a certificate account list.
  - 26. The method of claim 25, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises producing a one-time use PIN for authorization to a RA certificate website for downloading the certificate for the pre-authorized card user.
  - 27. The method of claim 26, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises accessing the RA certificate website from a browser of an issuing workstation, downloading the PKI certificate that enables the approved user to login to the host system to the initialized card using the browser and client software.
  - 28. The method of claim 27, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises verifying a User Identification (UID), password, and PIN information with information stored in the LDAP system by the RA, and if the UID, password, and PIN information match the UID, password, and PIN information stored in the LDAP database, automatically approving the request, and sending the certificate to the CA by the RA for signing.
  - 29. The method of claim 28, wherein creating and distributing the certificate for storage on the microcomputer of the smart card further comprises sending the signed certificate to the issuing workstation by the CA via the RA.
  - 30. The method of claim 1, wherein creating and distributing the certificate for storage on at least one of the computer disk of the computing device and the HSM associated with the computing device further comprises receiving an account request file related to an access request for a new external system user.
  - 31. The method of claim 30, wherein creating and distributing the certificate for storage on at least one of the computer disk of the computing device and the HSM associated with the computing device further comprises converting the account request file to a LDAP file, importing the LDAP file into an LDAP system to create an account for the new external system user, and creating a system account list.
  - 32. The method of claim 31, wherein creating and distributing the certificate for storage on at least one of the computer disk of the computing device and the HSM associated with the computing device further comprises receiving a server certificate request for the new external system user, verifying the certificate request against the system account list, and publishing the certificate to the LDAP directory.
  - 33. The method of claim 32, wherein creating and distributing the certificate for storage on at least one of the computer disk of the computing device and the HSM associated with the computing device further comprises allowing the new external system user to log into an RA website to import the certificate signed by the CA into a file-based certificate database.
  - 34. The method of claim 33, wherein creating and distributing the certificate for storage on at least one of the computer disk of the computing device and the HSM associated with the computing device further comprises generating a private key and importing a signed public key and CA certificate into the file-based certificate database.
  - 35. The method of claim 34, wherein creating and distributing the certificate for storage on at least one of the computer disk of the computing device and the HSM associated with the computing device further comprises storing the signed public key and CA certificate on said one of the computer disk of the computing device and the HSM associated with the computing device for the external system user.
  - 36. The method of claim 1, wherein allowing access to the host system further comprises sending a host system certificate to a client terminal via which access is sought with a request for the client certificate by the host system.
  - 37. The method of claim 36, wherein allowing access to the host further comprises confirming that the host system certificate presented was issued by a trusted CA, and if so, sending the client certificate to the host system by the client terminal.
  - 38. The method of claim 37, wherein allowing access to the host system further comprises confirming that the client certificate was issued by a trusted CA, and if so, extracting a UID from the client certificate and sending a request for the stored client certificate to the host system LDAP.
  - 39. The method of claim 38, wherein allowing access to the host system further comprises confirming that the client certificate is not revoked, and if not revoked, fetching a copy of the client certificate and returning the copy to the host system by the host system LDAP.
  - 40. The method of claim 39, wherein allowing access to the host system further comprises comparing the client certificate with the copy of the client certificate, and if a match is found, permitting access via the client terminal to the host system.

41. A system for utilizing a certificate as an access method to a host system from one of a plurality of access points, comprising:
- means for creating and distributing a certificate for certificate-based authentication to each of a plurality of storage methods consisting of a microcomputer of an smart card and at least one of a computer disk of a computing device disposed in a secure environment and a Hardware Security Module (HSM) associated with a computing device;
  
  means for managing the certificate over a life span of the certificate at least in part via a Lightweight Directory Assistance Protocol (LDAP) directory shared by a Certificate Authority (CA) and the host system; and
  
  means for allowing access to the host system by the user at a client terminal using the certificate for public key-based authentication to an application on a host server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citicorp Credit Services Incorporated (Citigroup Incorporated)
Original Assignee
Citicorp Del-Lease Incorporated (Citigroup Incorporated)
Inventors
Kogen, Mark, Lin, Elton, Garcia, Herve, Pinn, Fred, Tan, Warren
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Lemma; Samson B

Application Number

US10/985,414
Time in Patent Office

1,539 Days
Field of Search

713/156, 713157-158, 713/168, 713/175, 726/10
US Class Current

713/156
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

Method and system for certificate delivery and management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for certificate delivery and management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links