System and methods for using a signature protocol by a nonsigning client

US 7,539,869 B1
Filed: 09/17/2003
Issued: 05/26/2009
Est. Priority Date: 09/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method for transmitting data according to a signature-based protocol comprising:

generating, at a server and in response to a request from a nonsigning client device, a signature corresponding to a signature block having a covered data portion and an information object portion, the signature computed only on data in the covered data portion such that payload data is not included in computing the signature, the server conversant in a predetermined protocol and the signature and signature block conformant with the predetermined protocol;

storing, at the server, the signature in the signature block, the signature covering the covered data portion and the information object portion remaining independent of the signature;

transmitting from the server to the nonsigning client device, the signature block, the nonsigning client device conversant in the predetermined protocol and unable to generate the signature in the signature block, the signature block further operable to store, in the information object portion, payload data in a nondestructive manner so as to preserve the covered data portion and corresponding signature generated by the server without regenerating the signature, the covered data portion remaining unwritten by the nonsigning client device; and

storing, at the nonsigning client device, payload data in the information object portion, the signature block receivable by a recipient destination having capability to authenticate the signature and conversant in the predetermined protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a networked computer environment, a client is unencumbered from signature generating components, yet conversant to transmit signature-based documents in a signature-based metalanguage such as XML. The nonsigning client/user invokes a signature from a signature server to send a payload of data in a signed message format to a recipient also conversant in the metalanguage, according to the metalanguage format. The nonsigning client receives a signature block including a signature value from the server. The client identifies a payload for transmission according to the metalanguage. Employing the metalanguage interpreter in client, the client stores the payload data in the signature block without disrupting the signature and the data it covers in the signature block. The nonsigning client the sends the resulting signature message including the payload data and the signature value, in the metalanguage format, to the recipient destination conversant in the metalanguage. Accordingly, the nonsigning client employs signature-based messages without the encumbrance of cryptographic components.

21 Citations

View as Search Results

28 Claims

1. A method for transmitting data according to a signature-based protocol comprising:
- generating, at a server and in response to a request from a nonsigning client device, a signature corresponding to a signature block having a covered data portion and an information object portion, the signature computed only on data in the covered data portion such that payload data is not included in computing the signature, the server conversant in a predetermined protocol and the signature and signature block conformant with the predetermined protocol;
  
  storing, at the server, the signature in the signature block, the signature covering the covered data portion and the information object portion remaining independent of the signature;
  
  transmitting from the server to the nonsigning client device, the signature block, the nonsigning client device conversant in the predetermined protocol and unable to generate the signature in the signature block, the signature block further operable to store, in the information object portion, payload data in a nondestructive manner so as to preserve the covered data portion and corresponding signature generated by the server without regenerating the signature, the covered data portion remaining unwritten by the nonsigning client device; and
  
  storing, at the nonsigning client device, payload data in the information object portion, the signature block receivable by a recipient destination having capability to authenticate the signature and conversant in the predetermined protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the signature block further includes a signature value portion, the signature value portion operable to store the signature as an authentication indicator according to the predetermined protocol, wherein storing further comprise storing the signature in the signature value portion.
  - 3. The method of claim 1 wherein the signature block further includes a key information portion, further comprising storing an authentication indicator to a validation instrument in the key information portion, the validation instrument operable to authenticate the signature value portion using the signature.
  - 4. The method of claim 3 wherein the validation instrument corresponds to an inverse operation of the generating of the signature.
  - 5. The method of claim 3 wherein the validation instrument is a public key and generating the signature further comprises generating a signature using the private key corresponding to the public key.
  - 6. The method of claim 1 wherein storing the payload data further comprises generating a transmission block conformant with the predetermined protocol and operable to be received as a signature authenticated transmission by a destination node according to the predetermined protocol.
  - 7. The method of claim 1 wherein generating the signature further comprises generating a signature corresponding to the covered data portion of the signature block.
  - 8. The method of claim 1 further comprising computing a digest on the covered data portion, the digest indicative of the data in the covered data portion.
  - 9. The method of claim 1 further comprising:
    - generating, at the server, a set of predetermined signatures operable for insertion in a message conformant to the predetermined protocol;
      
      storing, in a signature repository at the server, a bank of signatures including the set of predetermined signatures; and
      
      transmitting, responsive to a request from the nonsigning client device, a signature from the bank of signatures for insertion in a signature block in conjunction with a payload.

10. A method for transmitting data from a nonsigning client device according to a signature-based protocol comprising:
- receiving, at a nonsigning client device, a signature block and a signature corresponding to the signature block generated by a server in response to a request from the nonsigning client device, the signature block having an information object portion and a covered data portion corresponding to the signature, the signature computed only on data in the covered data portion such that payload data is not included in computing the signature, the nonsigning client device unable to compute the signature and conversant in a predetermined protocol, the signature and signature block being conformant with the predetermined protocol;
  
  storing, at the nonsigning client device and in the information object portion of the signature block, payload data in a nondestructive manner so as to preserve the covered data portion and the corresponding signature generated by the server without regenerating the signature, the signature covering the covered data portion and the information object portion remaining independent of the signature, the covered data portion remaining unwritten by the nonsigning client device; and
  
  transmitting, from the nonsigning client device to a recipient destination conversant in the predetermined protocol, the signature block according the predetermined protocol, the information object portion included in the signature block according to the predetermined protocol, the signature block including the public key corresponding to a private key employed in generating the signature, the included public key thus providing a self-authentication message for delivery to the recipient destination.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein the signature block further includes a signature value portion, the signature value portion operable to store the signature as an authentication indicator deterministic of the signature according to the predetermined protocol.
  - 12. The method of claim 10 wherein the signature block further includes a key information portion operable to store an authentication indicator to a validation instrument, the validation instrument operable to authenticate the signature value portion using the signature.
  - 13. The method of claim 10 wherein receiving the signature further comprises indexing a remote signature repository, and the nonsigning client device is further operable to store the received signature in the signature block according to the predetermined protocol.
  - 14. The method of claim 10 further comprisingreceiving an authentication instrument corresponding to the signature, andstoring the received authentication instrument in the signature block with the signed information portion and the signature.
  - 15. The method of claim 14 wherein the received authentication instrument is a public key corresponding to the private key for generating the signature, and storing further comprising forming a self-signed message by storing the public key in the key information portion.
  - 16. The method of claim 10 further comprising:
    - receiving, at the nonsigning client device, a plurality of signatures and corresponding covered data portions;
      
      selecting a first signature for inclusion in a first signature message for transmission to a destination recipient; and
      
      selecting a second signature different than the first signature for inclusion in a second signature message for transmission to the same destination recipient.
  - 17. The method of claim 16 wherein selecting the first and second signatures is performed based on signature selection logic, the signature selection logic for analyzing the covered data portion and the information object portion of the signature message to select an expected signature result at the destination recipient.
  - 18. The method of claim 17 wherein the signature selection logic is operable for analyzing the covered data portion based on at least one of content type, size, creation date, and sparsity of the data.

19. A data communications device for transmitting data according to a signature-based protocol comprising:
- a cryptographic engine operable to generate, by a server in response to a request from a nonsigning client device, a signature corresponding to a signature block, the signature block having a covered data portion and an information object portion, the signature computed only on data in the covered data portion such that payload data is not included in computing the signature, the server conversant in a predetermined protocol and the signature and signature block being conformant with the predetermined protocol;
  
  a metalanguage processor conversant in the predetermined protocol and operable to store the signature in the signature block, the signature block further including a signature value portion, the metalanguage processor further operable to store, in the signature value portion, authentication indicators according to the predetermined protocol, wherein storing further comprise storing the signature in the signature value portion; and
  
  an interface in the data communications device operable to transmit, according to the predetermined protocol, the signature block to the nonsigning client device conversant in the predetermined protocol and unencumbered by signature generation operability, the metalanguage processor being further operable to generate the signature block having the information object portion, the information object portion further operable for storing the payload data at the nonsigning client device, the signature block further operable to receive and store, in the information object portion, payload data in a nondestructive manner so as to preserve the covered data portion and corresponding signature generated by the server without regenerating the signature, the signature block being a script having fields defined by a predetermined metalanguage syntax, the metalanguage syntax defining the position of the covered data portion and corresponding signature, the signature block receivable by a recipient device conversant in the predetermined metalanguage syntax for decoding the message.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The data communications device of claim 19 wherein the signature block further includes a key information portion, the cryptographic engine further operable to store a validation instrument in the key information portion, the validation instrument operable to authenticate the signature.
  - 21. The data communications device of claim 20 wherein the validation instrument corresponds to an inverse operation of the generating of the signature.
  - 22. The data communications device of claim 19 wherein the signature block is adapted for storing the payload data by the nonsigning client device to generate a signature message transmission block of data conformant with the predetermined protocol and operable to be received as a signature authenticated transmission by a destination node according to the predetermined protocol.
  - 23. The data communications device of claim 20 wherein the cryptographic engine is further operable to generate the signature corresponding to the covered data portion of the signature block.
  - 24. The data communications device of claim 19 wherein the cryptographic engine is further operable to compute a digest on the covered data portion, the digest indicative of the data in the covered data portion.
  - 25. The data communications device of claim 19 wherein the validation instrument is a public key and generating the signature further comprises generating a signature using the private key corresponding to the public key.

26. A computer program product having an encoded set of processor based instructions defined as computer program code on a computer readable storage medium operable to store computer program logic embodied in computer program code encoded thereon for transmitting data from a nonsigning client device according to a signature-based protocol comprising:
- computer program code for receiving, at the nonsigning client device, a signature block and a signature corresponding to the signature block generated by a server in response to a request from the nonsigning client device, the signature block having an information object portion and a covered data portion corresponding to the signature, the signature computed only on data in the covered data portion such that payload data is not included in computing the signature, the receiving nonsigning client device conversant in a predetermined protocol and the signature and signature block being conformant with the predetermined protocol;
  
  computer program code for storing, in the information object portion of the signature block, payload data in a nondestructive manner so as to preserve the covered data portion and the corresponding signature generated by the server without regenerating the signature, the covered data portion remaining unwritten by the nonsigning client device, wherein storing in the information object portion further comprises storing the payload data in the information object portion at the nonsigning client device, the nonsigning client device being unencumbered by signature generation operability; and
  
  computer program code for transmitting, according to the predetermined protocol, the signature block to a recipient destination conversant in the predetermined protocol, the information object portion included in the signature block according to the predetermined protocol, wherein the signature block further includes a signature value portion, the signature value portion operable to store the signature as an authentication indicator according to the predetermined protocol, wherein storing further comprises storing the signature in the signature value portion, the signature covering the covered data portion and the information object portion remaining independent of the signature, the signature block being a script having fields defined by a predetermined metalanguage syntax, the metalanguage syntax defining the position of the covered data portion and corresponding signature, the signature block receivable by a recipient device conversant in the predetermined metalanguage syntax for decoding the message.

27. A method for transmitting data in conformance with a signature-based protocol comprising:
- transmitting, from a nonsigning client device to a server, a request for a signature block operable to store signature based data corresponding to a predetermined protocol;
  
  generating, at the server, a signature block having a covered data portion corresponding to a signature and an information object portion for storing payload data independent of the signature;
  
  computing, at the server, a signature based only on the covered data portion such that payload data is not included in computing the signature;
  
  storing, at the server, the computed signature in the signature block;
  
  transmitting, from the server to the nonsigning client device, the signature block, the nonsigning client device conversant in the predetermined protocol and unable to compute and authenticate the signature;
  
  populating, at the nonsigning client device, the information object portion of the signature block with payload data without destroying and regenerating the signature, the information object portion independent of the signature generated by the server, the populating preserving the covered data portion and the corresponding computed signature according to the predetermined protocol such that the populating is not included in computing the signature, the covered data portion remaining unwritten by the nonsigning client device; and
  
  transmitting, from the nonsigning client device to a destination, the signature block, the destination operable to (i) receive and authenticate the signature and corresponding covered data portion and (ii) receive the payload data in the information object portion.
- View Dependent Claims (28)
- - 28. The method of claim 27 wherein the predetermined protocol is XML and the signatures are conformant to XML signatures, such that storing into the information object portion includes writing in to payload fields in an XML message, the signature being an XML signature and remaining unchanged with respect to the values written in the payload fields.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Srinivas, Raghavan N., Mullan, Sean J.
Primary Examiner(s)
Chai; Longbit

Application Number

US10/664,613
Time in Patent Office

2,078 Days
Field of Search

713/176
US Class Current

713/176
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 2209/68   Special signature format, e...

H04L 9/3247   involving digital signatures

System and methods for using a signature protocol by a nonsigning client

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for using a signature protocol by a nonsigning client

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links