Relying party trust anchor based public key technology framework

US 7,844,816 B2
Filed: 06/08/2005
Issued: 11/30/2010
Est. Priority Date: 06/08/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A public key (PK) framework having a relying party user authentication system for allowing a relying party to authenticate a user, wherein the PK framework places user credentials under the control of the relying party, and wherein the relying party user authentication system includes:

a storage system for storing certificates received via a secure channel from users in a user credentials data repository that acts as a trust anchor, wherein the certificates are issued by a plurality of different certificate authorities, and wherein the certificates in the user credential data repository are publically available;

a management system for managing records in the user credentials data repository associated with users; and

a validation system that retrieves certificates from the user credentials data repository in order to authenticate users, wherein the validation system utilizes a public key obtained from a stored certificate to decrypt a digital signature of a user that was encrypted by the user with an associated private key, and wherein authentication is performed without obtaining a certificate from the user at a time of authentication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A public key (PK) framework for allowing a relying party to act as a trust anchor to authenticate a subscriber. The framework provides a directory system under the control of the relying party, wherein the directory system includes: a storage system for storing certificates received from subscribers in a database, wherein the certificates are issued by a plurality of different certificate authorities; a management system for managing records in the database associated with subscribers; and a validation system that allows the relying party to retrieve certificates from the database in order to authenticate subscribers.

23 Citations

View as Search Results

15 Claims

1. A public key (PK) framework having a relying party user authentication system for allowing a relying party to authenticate a user, wherein the PK framework places user credentials under the control of the relying party, and wherein the relying party user authentication system includes:
- a storage system for storing certificates received via a secure channel from users in a user credentials data repository that acts as a trust anchor, wherein the certificates are issued by a plurality of different certificate authorities, and wherein the certificates in the user credential data repository are publically available;
  
  a management system for managing records in the user credentials data repository associated with users; and
  
  a validation system that retrieves certificates from the user credentials data repository in order to authenticate users, wherein the validation system utilizes a public key obtained from a stored certificate to decrypt a digital signature of a user that was encrypted by the user with an associated private key, and wherein authentication is performed without obtaining a certificate from the user at a time of authentication.
- View Dependent Claims (2, 3, 4)
- - 2. The PK framework of claim 1, wherein the certificates stored in the user credentials data repository include self-signed certificates.
  - 3. The PK framework of claim 1, wherein the secure channel comprises SSL with a one-way server authentication.
  - 4. The PK framework of claim 1, wherein the users subscribe to a service provided by the relying party.

5. A method for allowing a relying party to authenticate a user within a public key (PK) framework in which the user credentials are under the control of the relying party, comprising:
- providing a user credentials data repository that is under the control of a relying party;
  
  storing certificates received from users via a secure channel in the user credentials data repository that acts as a trust anchor, wherein the certificates are issued by a plurality of different certificate authorities;
  
  allowing the certificates in the user credentials data repository to be publically available;
  
  receiving a request at the relying party to authenticate a user;
  
  retrieving a certificate from the user credentials data repository in order to authenticate the user;
  
  obtaining a digital signature from the user that was encrypted with a private key of the user;
  
  decrypting the digital signature with a computing device using a public key associated with the certificate retrieved from the user credentials data repository; and
  
  authenticating the user without receiving a certificate from the user at a time of authentication.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5, comprising the further step of allowing the relying party to manage records in the user credentials data repository associated with users.
  - 7. The method of claim 5, wherein the certificates stored in the user credentials data repository include self-signed certificates.
  - 8. The method of claim 5, wherein the secure channel comprises SSL with one-way server authentication.
  - 9. The method of claim 5, wherein the users subscribe to a service provided by the relying party.

10. A method for authenticating users using public key infrastructure (PKI) credentials, comprising the steps of:
- receiving a certificate via a secure channel from a subscriber at a relying party authentication server;
  
  selecting at least one trust anchor from a plurality of trust anchors to authenticate the subscriber based on the certificate, wherein the plurality of trust anchors for authenticating the subscriber include;
  
  a key store containing trusted certificate authority certificates;
  
  a directory of registered certificates; and
  
  a custom web services user credentials verification application that sends a received certificate to a remote application using web services to verify the received certificate;
  
  storing the certificate in a user credentials data repository, wherein the certificate in the user credentials data repository is publically available;
  
  receiving a request at the relying party to authenticate the user during a subsequent session;
  
  retrieving the certificate from the user credentials data repository;
  
  obtaining a digital signature from the user encrypted with a private key of the user;
  
  decrypting the digital signature with a computing device using a public key associated with the certificate retrieved from the user credentials data repository; and
  
  authenticating the user during the subsequent session without receiving a certificate from the user.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the directory of registered certificates comprises an LDAP Directory.
  - 12. The method of claim 10, wherein the directory of registered certificates comprises a database using an access protocol selected from the group consisting of:
    - JDBC (Java DataBase Connectivity), ODBC (Open DataBase Connectivity), and SQL (Structured Query Language).
  - 13. The method of claim 12, wherein the users subscribe to a service provided by the relying party.
  - 14. The method of claim 10, wherein the relying party user authentication application is further operable to:
    - receive a request to authenticate a user; and
      
      select at least one trust anchor from a plurality of trust anchors to authenticate the user, wherein the plurality of trust anchors for authenticating the user includes;
      
      a key store containing trusted certificate authority certificates;
      
      a directory of registered certificates; and
      
      a custom web services user credentials verification application.

15. A method for deploying a relying party user authentication application in which user credentials are under the control of a relying party, comprising:
- providing a computer infrastructure being configured to;
  
  store certificates received from users via a secure channel in a user credentials data repository that is under the control of the relying party, wherein the certificates are issued by a plurality of different certificate authorities, wherein the certificates in the user credentials data repository are publically available;
  
  manage records in the user credentials data repository associated with the relying party;
  
  allow the relying party to retrieve certificates from the user credentials data repository in order to authenticate users;
  
  obtain a digital signature from the user that was encrypted with a private key of the user;
  
  decrypt the digital signature with a computing device using a public key associated with the certificate retrieved from the user credentials data repository; and
  
  authenticate the user without receiving a certificate from the user at a time of authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Karchov, David
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Abyaneh; Ali S

Application Number

US11/148,772
Publication Number

US 20060282670A1
Time in Patent Office

2,001 Days
Field of Search

713/156, 713/175, 726/10, 380/277
US Class Current

713/156
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/006   involving public key infras...

H04L 9/3268   using certificate validatio...

Relying party trust anchor based public key technology framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Relying party trust anchor based public key technology framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links