Method for the cryptographic protection of an application

US 9,215,070 B2
Filed: 06/22/2011
Issued: 12/15/2015
Est. Priority Date: 07/19/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method for the cryptographic protection of an application that is associated with an application owner and which is executed in a data processing center administered by an external service provider not belonging to the application owner,wherein the application owner is an entity that developed or otherwise owns the application,wherein the external service provider is an entity distinct from the application owner and provides non-owners of the application, which comprise entities distinct from the application owner and the external service provider, access to use the application,wherein the data processing center provides a security module of the application owner that stores private cryptographic material of the application owner, andwherein the method comprises:

generating a cryptographic secret by a generation application of the application owner or by the security module;

transmitting the cryptographic secret between a computer of the application owner and the security module via an encrypted transmission via a first secure channel between the application and the computer of the application owner, the encrypted transmission being decryptable by the application and the computer of the application owner, but not by the external service provider or the non-owners of the application, as a result of which encrypted transmission the cryptographic secret is made accessible to the computer of the application owner and the security module but not to the external service provider or the non-owners of the application;

transmitting the cryptographic secret from the computer of the application owner to the application via a second secure channel between the application and the computer of the application owner, as a result of which the cryptographic secret is made accessible to the application, but remains inaccessible to the external service provider and the non-owners of the application; and

performing an authentication of the application to the security module based on the cryptographic secret that is accessible to the application and the security module, wherein following successful authentication the cryptographic material of the application owner is transmittable from the security module to the application via a channel protected by the cryptographic secret.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for cryptographic protection of an application associated with an application owner and executed in an external data processing center having a security module that stores private cryptographic material of the application owner. A first secure channel between the security module and application owner and a second secure channel between the application owner and the application are used for transmitting a cryptographic key. The cryptographic key is automatically made available to the secure module and the application via the secure channels, without the data processing center service operator being able to access said key. The application can authenticate itself using the key so that the cryptographic material can be transmitted to the application via a channel protected by the cryptographic key. The application data can be encrypted using the cryptographic material such that the application data cannot be accessed by the data processing center service operator.

24 Citations

14 Claims

1. A method for the cryptographic protection of an application that is associated with an application owner and which is executed in a data processing center administered by an external service provider not belonging to the application owner,wherein the application owner is an entity that developed or otherwise owns the application,wherein the external service provider is an entity distinct from the application owner and provides non-owners of the application, which comprise entities distinct from the application owner and the external service provider, access to use the application,wherein the data processing center provides a security module of the application owner that stores private cryptographic material of the application owner, andwherein the method comprises:
- generating a cryptographic secret by a generation application of the application owner or by the security module;
  
  transmitting the cryptographic secret between a computer of the application owner and the security module via an encrypted transmission via a first secure channel between the application and the computer of the application owner, the encrypted transmission being decryptable by the application and the computer of the application owner, but not by the external service provider or the non-owners of the application, as a result of which encrypted transmission the cryptographic secret is made accessible to the computer of the application owner and the security module but not to the external service provider or the non-owners of the application;
  
  transmitting the cryptographic secret from the computer of the application owner to the application via a second secure channel between the application and the computer of the application owner, as a result of which the cryptographic secret is made accessible to the application, but remains inaccessible to the external service provider and the non-owners of the application; and
  
  performing an authentication of the application to the security module based on the cryptographic secret that is accessible to the application and the security module, wherein following successful authentication the cryptographic material of the application owner is transmittable from the security module to the application via a channel protected by the cryptographic secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the authentication of the application is performed such that information is encrypted by the application using the cryptographic secret that is accessible to the application and is transmitted to the security module, wherein the authentication requires that the security module can decrypt the information using the cryptographic secret that is accessible to the security module.
  - 3. The method of claim 2, wherein the session identity is the information which is encrypted by the application during its authentication and transmitted to the security module.
  - 4. The method of claim 1, wherein a session identity is generated which is transmitted in addition at the time of the transmission of the cryptographic secret via at least one of the first and second secure channels or as part of the authentication of the application, and wherein it is verified whether the session identity remains unchanged.
  - 5. The method of claim 1, wherein the cryptographic secret is generated by the security module and transmitted to the computer of the application owner via the first secure channel, the first secure channel being formed in that a first message is encrypted by a first encryption to which the service provider has no access and is then transmitted to the computer of the application owner, the first message containing the cryptographic secret.
  - 6. The method of claim 5, wherein the encrypted first message is signed with a signature of the security module.
  - 7. The method of claim 5, wherein the first encryption is carried out using a public key of the application owner or using a private key which is known only to the application owner and to the security module.
  - 8. The method of claim 5, wherein the encrypted first message transmitted to the computer of the application owner is decrypted and subsequently transmitted to the application via the second secure channel, the second secure channel being formed in that the decrypted first message is encrypted by a second encryption to which the service provider has no access and is then sent to the application.
  - 9. The method of claim 1, wherein the cryptographic secret is generated by the generation application of the application owner and transmitted to the security module via the first secure channel, the first secure channel being formed in that a second message is encrypted by a second encryption to which the service provider has no access and is then sent to the security module, the second message containing the cryptographic secret.
  - 10. The method of claim 9, wherein the encrypted second message is signed with a signature of the application owner.
  - 11. The method of claim 9, wherein the second encryption of the second message is carried out using a public key of the security module or using a private key which is known only to the application owner and to the security module.
  - 12. The method of claim 1, wherein the first secure channel is tunneled by way of the application.
  - 13. The method of claim 1,wherein the cryptographic secret is generated by the generation application of the application owner and transmitted to the security module via the first secure channel, the first secure channel being formed in that a second message is encrypted by a second encryption to which the service provider has no access and is then sent to the security module, the second message containing the cryptographic secret;
    - wherein the first secure channel is tunneled by way of the application; and
      
      wherein the first secure channel is formed in that the encrypted second message is transmitted to the application initially via the second secure channel together with at least the cryptographic secret, the application thereupon transmitting the received encrypted second message to the security module.

14. A system for the cryptographic protection of an application that is associated with an application owner and which is executable in a data processing center administered by an external service provider not belonging to the application owner,wherein the application owner is an entity that developed or otherwise owns the application,wherein the external service provider is an entity distinct from the application owner and provides non-owners of the application, which comprise entities distinct from the application owner and the external service provider, access to use the application,the system comprising:
- a security module of the application owner provided in the data processing center and which stores private cryptographic material of the application owner, anda computer of the application owner,wherein the system is configured to perform the following steps upon execution of the application at the data processing center;
  
  generating a cryptographic secret by the application owner;
  
  transmitting the cryptographic secret between the computer of the application owner and the security module via an encrypted transmission via a first secure channel between the application and the computer of the application owner, the encrypted transmission being decryptable by the application and the computer of the application owner, but not by the external service provider or the non-owners of the application, as a result of which encrypted transmission the cryptographic secret is made accessible to the computer of the application owner and the security module but not to the external service provider or the non-owners of the application;
  
  transmitting the cryptographic secret from the computer of the application owner to the application via a second secure channel between the application and the computer of the application owner, as a result of which the cryptographic secret is made accessible to the application, but remains inaccessible to the external service provider and the non-owners of the application; and
  
  performing an authentication of the application to the security module based on the cryptographic secret which is accessible to the application and the security module, wherein following successful authentication the cryptographic material of the application owner is transmittable from the security module to the application via a channel protected by the cryptographic secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Maidl, Monika, Seltzsam, Stefan
Primary Examiner(s)
Su, Sarah

Application Number

US13/811,417
Publication Number

US 20130124860A1
Time in Patent Office

1,637 Days
Field of Search

713/164, 713/168, 713/171, 726/4, 380/259, 380/178, 380/183
US Class Current

1/1
CPC Class Codes

G06F 21/6263   during internet communicati...

G06F 2221/2153   Using hardware token as a s...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 9/0827   involving distinctive inter...

H04L 9/0877   using additional device, e....

H04L 9/32   including means for verifyi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Method for the cryptographic protection of an application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the cryptographic protection of an application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links