Reducing a size of a security-related data object stored on a token

US 8,813,243 B2
Filed: 02/02/2007
Issued: 08/19/2014
Est. Priority Date: 02/02/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing a security-related object in a storage structure in a token, wherein the security-related object comprises;

an identity reference that identifies a certificate assigned to an owner of the token, wherein the identity reference comprises an issuer name and a serial number associated with the certificate, anda private key identifier, separate from the certificate, that identifies a private key associated with the certificate and assigned to the owner of the token, andwherein the storage structure is indexed according to the identity reference;

receiving a request to access an encrypted data object, the request containing the identity reference that identifies the certificate; and

accessing, by a processor device, the private key identifier in the storage structure in the token using only the identity reference as an index,wherein the private key identifier is used to decrypt the encrypted data object and wherein accessing the private key identifier comprises constructing an application program interface (API) command to retrieve the corresponding private key identifier using only the identity reference.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide a method and system, including a client and security token, for reducing a size of a security-related object stored in the token. The object is stored in a storage structure that is indexed according to an identity reference to a certificate associated with the object and a private key identifier identifying a private key assigned to an owner of the token. A request to access an encrypted data object results in accessing the private key identifier in the storage structure using only the identity reference as an index.

226 Citations

13 Claims

1. A method comprising:
- storing a security-related object in a storage structure in a token, wherein the security-related object comprises;
  
  an identity reference that identifies a certificate assigned to an owner of the token, wherein the identity reference comprises an issuer name and a serial number associated with the certificate, anda private key identifier, separate from the certificate, that identifies a private key associated with the certificate and assigned to the owner of the token, andwherein the storage structure is indexed according to the identity reference;
  
  receiving a request to access an encrypted data object, the request containing the identity reference that identifies the certificate; and
  
  accessing, by a processor device, the private key identifier in the storage structure in the token using only the identity reference as an index,wherein the private key identifier is used to decrypt the encrypted data object and wherein accessing the private key identifier comprises constructing an application program interface (API) command to retrieve the corresponding private key identifier using only the identity reference.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the encrypted data object comprises an email message.
  - 3. The method of claim 1, wherein the identity reference comprises a key identifier associated with the certificate.
  - 4. The method of claim 1, wherein the token is one of a smartcard and a universal serial bus (USB) token.

5. A non-transitory computer readable medium comprising computer executable instructions to cause a processor device to perform operations comprising:
- storing a security-related object in a storage structure in a token,wherein the security-related object comprises;
  
  an identity reference that identifies a certificate assigned to an owner of the token, wherein the identity reference comprises an issuer name and a serial number associated with the certificate, anda private key identifier, separate from the certificate, that identifies a private key associated with the certificate and assigned to the owner of the token, andwherein the storage structure is indexed according to the identity reference;
  
  receiving a request to access an encrypted data object, the request containing the identity reference that identifies the certificate; and
  
  accessing, by the processor device, the private key identifier in the storage structure in the token using only the identity reference as an index,wherein the private key identifier is used to decrypt the encrypted data object and wherein accessing the private key identifier comprises constructing an application program interface (API) command to retrieve the corresponding private key identifier using only the identity reference.

6. A method comprising:
- receiving a public key infrastructure (PKI) certificate assigned to an owner of a token;
  
  extracting an identity portion from the PKI certificate, wherein the identity portion comprises an issuer name and a serial number associated with the certificate;
  
  creating a private key identifier for a private key associated with the PKI certificate and separate from the PKI certificate, wherein the private key is assigned to the owner of the token;
  
  storing, in a security-related object in a storage structure on the token, data comprising the identity portion from the PKI certificate and the private key identifier; and
  
  indexing, by a processor device, the storage structure such that the private key identifier is indexed in association with the identity portion from the PKI certificate,wherein additional portions of the PKI certificate are not stored in the storage structure and wherein the identity portion is accessible by a computer system to construct an application program interface (API) command to retrieve the corresponding private key identifier using only the identity portion.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, further comprising:
    - retrieving the private key identifier by searching the storage structure using only the identity portion in response to a request to decrypt a data object; and
      
      decrypting the data object using the retrieved private key identifier.
  - 8. The method of claim 7, wherein the data object comprises an email message.

9. A security token comprising:
- an interface to connect to a computer system;
  
  a memory comprising an indexable storage structure to store security-related objects; and
  
  a hardware processor coupled to the interface and the memory, the hardware processor to;
  
  receive a private key identifier that identifies a private key for a public key infrastructure (PKI) certificate assigned to an owner of the security token and an identity portion of the PKI certificate issued in connection with a security operation associated with the owner of the security token, the identity portion comprising an issuer name and a serial number associated with the PKI certificate, wherein the identity portion positively identifies the PKI certificate and wherein the private key identifier is separate from the PKI certificate, andstore a security related object comprising the identity portion of the PKI certificate in the indexable storage structure in association with the private key identifier, such that the storage structure can be accessed using the identity portion that positively identifies the PKI certificate as an index to the private key identifier, wherein the identity portion is accessible by the computer system to construct an application program interface (API) command to retrieve the corresponding private key identifier using only the identity portion.

10. A security token comprising:
- an interface to connect the security token and a computer system;
  
  a memory to store an indexable storage structure to store security-related objects, a security-related object comprising a private key identifier that identifies a private key for a public key infrastructure (PKI) certificate issued to an owner of the security token stored in association with an identity portion of the PKI certificate issued to the owner of the security token, the identity portion comprising an issuer name and a serial number associated with the PKI certificate, wherein the identity portion is accessible by the computer system to construct an application program interface (API) command to retrieve the corresponding private key identifier using only the identity portion and wherein the identity portion positively identifies the PKI certificate and wherein the private key identifier is separate from the PKI certificate; and
  
  a hardware processor coupled to the interface and the memory, the hardware processor to;
  
  receive a request for the private key identifier in connection with a decrypting operation, andretrieve the private key identifier by indexing into the storage structure using only the identity portion of the PKI certificate.

11. A system comprising:
- a hardware token interface to connect to a token, wherein the token comprises a memory comprising an indexable storage structure to store a security object comprising;
  
  an identity portion from a public-key infrastructure (PKI) certificate issued to an owner of the token, wherein the identity portion identifies the PKI certificate and wherein the identity portion comprises an issuer name and a serial number associated with the PKI certificate and wherein the identity portion is accessible by a computer system to construct an application program interface (API) command to retrieve the corresponding private key identifier using only the identity portion; and
  
  a private key identifier, separate from the PKI certificate, that identifies a private key associated with the PKI certificate issued to the owner of the token; and
  
  a processor coupled to the token interface, the processor to;
  
  receive a request to decrypt an encrypted message using the private key identifier, the request comprising the identity portion;
  
  retrieve the private key identifier by indexing the storage structure in the token using the identity portion that identifies the PKI certificate, wherein the storage structure is indexed such that the private key identifier is accessible using only the identity portion.

12. A system comprising:
- a token interface to connect to a token, wherein the token comprises a memory comprising an indexable storage structure to store security-related objects; and
  
  a hardware processor coupled to the token interface, the hardware processor to;
  
  receive a public-key infrastructure (PKI) certificate comprising an identity portion that identifies the PKI certificate, wherein the identity portion comprises an issuer name and a serial number associated with the PKI certificate and wherein the PKI certificate is issued to an owner of the token;
  
  obtain a private key identifier, separate from the PM certificate, that identifies a private key associated with the PKI certificate issued to the owner of the token;
  
  transfer a security-related object comprising the identity portion and the private key identifier to the token via the token interface such that the identity portion and the private key identifier are stored in the storage structure,wherein, the storage structure is indexed such that the private key identifier is accessible using only the identity portion that identifies the PKI certificate; and
  
  retrieve the private key identifier by indexing the storage structure using the identity portion, wherein retrieve retrieving the private key identifier comprises constructing an application program interface (API) command to retrieve the corresponding private key identifier using only the identity portion.
- View Dependent Claims (13)
- - 13. The system of claim 12, wherein the hardware processor is further to:
    - receive a request to decrypt an encrypted message using the private key identifier, the request comprising the identity portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Parkinson, Steven William
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US11/670,661
Publication Number

US 20080189543A1
Time in Patent Office

2,755 Days
Field of Search

726/27, 713/155, 713/156, 713/162, 713/171, 713/175, 713/193, 727/2, 727/3, 727/5, 727/27, 380/1, 380/30, 380/277, 705/76
US Class Current

726/27
CPC Class Codes

G06F 21/33   using certificates

G06F 21/34   involving the use of extern...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

Reducing a size of a security-related data object stored on a token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

226 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Reducing a size of a security-related data object stored on a token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

226 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links