Universal secure messaging for cryptographic modules
First Claim
1. A secure messaging method for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:
- generating a pair of session keys;
performing a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each provided with one session key of said pair of session keys;
generating a unique session identifier;
associating said unique session identifier with said pair of session keys;
performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module, wherein the exchanged information includes a credential and information of said secure key exchange corresponding to least one of the session keys; and
verifying the credential initially before unlocking a credential protected application, wherein, after initial verification of the credential, the at least one of the session keys is temporarily granted permission to unlock the credential protected application for the duration of a session between the host computer and the cryptographic module, and wherein subsequent access to the credential protected application during the session is allowed by using the at least one of the session keys as a surrogate for the credential.
4 Assignments
0 Petitions
Accused Products
Abstract
An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.
-
Citations
17 Claims
-
1. A secure messaging method for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:
-
generating a pair of session keys; performing a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each provided with one session key of said pair of session keys; generating a unique session identifier; associating said unique session identifier with said pair of session keys; performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module, wherein the exchanged information includes a credential and information of said secure key exchange corresponding to least one of the session keys; and verifying the credential initially before unlocking a credential protected application, wherein, after initial verification of the credential, the at least one of the session keys is temporarily granted permission to unlock the credential protected application for the duration of a session between the host computer and the cryptographic module, and wherein subsequent access to the credential protected application during the session is allowed by using the at least one of the session keys as a surrogate for the credential. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A secure messaging system for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:
-
at least one hardware processor; a host security manager application stored on a first non-transitory computer readable medium and being executable by the at least one hardware processor to; generate a session key pair, associate at least one session key of said session key pair with a unique session identifier, perform a secure key exchange with said cryptographic module, wherein a session key associated with said unique session identifier is securely provided to said cryptographic module, and perform counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module, wherein the exchanged information includes a credential and information of said secure key exchange corresponding to least one of the session keys, and a security executive application stored on a second non-transitory computer readable medium and being executable by the at least one hardware processor to; generate said unique session identifier, associate said unique session identifier with said exchanged key, perform counterpart cryptographic functions on at least a portion of the information exchanged between said host computer system and said cryptographic module, and verify the credential initially before unlocking a credential protected application, wherein, after initial verification of the credential, the at least one of the session keys is temporarily granted permission to unlock the credential protected application for the duration of a session between the host computer and the cryptographic module, and wherein subsequent access to the credential protected application during the session is allowed by using the at least one of the session keys as a surrogate for the credential. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
-
Specification