Generalized certificate use in policy-based secure messaging environments

US 9,948,635 B2
Filed: 01/14/2017
Issued: 04/17/2018
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory; and

a processor programmed to execute a secure messaging component to;

determine, at the secure messaging component as part of providing a generalized certificate use service within a secure messaging environment, that a request to send a message has been generated by a message sender, where the generalized certificate use service provides real-time selective use of different secured digital certificates for different messages sent by the message sender, and the different secured digital certificates are digital certificates other than a digital certificate of the message sender;

identify, within the memory, a message protection policy configured to process the message under the generalized certificate use service within the secure messaging environment, where the message protection policy specifies the different secured digital certificates that are each configured with an associated private key to digitally sign the message on behalf of the message sender;

determine, based upon the message protection policy, to digitally sign the message using the private key of a secured digital certificate selected from the different secured digital certificates specified in the message protection policy; and

sign the message on behalf of the message sender using the private key of the selected secured digital certificate;

where the message protection policy further specifies that the different secured digital certificates are configured to digitally sign messages on behalf of a plurality of message senders; and

the processor is further programmed to execute the secure messaging component to sign messages of the plurality of message senders using private keys of secured digital certificates selected in real-time from the different secured digital certificates.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Within a secure messaging environment, a determination is made that a request to send a message has been generated by a message sender. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a digital certificate of the message sender, is configured with an associated private key to digitally sign the message on behalf of the message sender. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the message sender using the private key of the secured digital certificate.

23 Citations

18 Claims

1. A system, comprising:
- a memory; and
  
  a processor programmed to execute a secure messaging component to;
  
  determine, at the secure messaging component as part of providing a generalized certificate use service within a secure messaging environment, that a request to send a message has been generated by a message sender, where the generalized certificate use service provides real-time selective use of different secured digital certificates for different messages sent by the message sender, and the different secured digital certificates are digital certificates other than a digital certificate of the message sender;
  
  identify, within the memory, a message protection policy configured to process the message under the generalized certificate use service within the secure messaging environment, where the message protection policy specifies the different secured digital certificates that are each configured with an associated private key to digitally sign the message on behalf of the message sender;
  
  determine, based upon the message protection policy, to digitally sign the message using the private key of a secured digital certificate selected from the different secured digital certificates specified in the message protection policy; and
  
  sign the message on behalf of the message sender using the private key of the selected secured digital certificate;
  
  where the message protection policy further specifies that the different secured digital certificates are configured to digitally sign messages on behalf of a plurality of message senders; and
  
  the processor is further programmed to execute the secure messaging component to sign messages of the plurality of message senders using private keys of secured digital certificates selected in real-time from the different secured digital certificates.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, where the processor is further programmed to execute the secure messaging component to protect, by the secure messaging environment, the different secured digital certificates against access by the message sender.
  - 3. The system of claim 1, where one of the different secured digital certificates comprises:
    - a digital certificate owned by the secure messaging component within the secure messaging environment.
  - 4. The system of claim 1, where the secure messaging component comprises one of (i) a queue manager that manages a protected message queue within the secure messaging environment and (ii) a data protection module that controls access to the protected message queue within the secure messaging environment and that interfaces with the queue manager.
  - 5. The system of claim 1, where the selected secured digital certificate comprises a digital certificate that is (i) owned by an entity other than the message sender and (ii) managed by the secure messaging component within the secure messaging environment.
  - 6. The system of claim 1, where the generalized certificate use service provided by the secure messaging component further allows selection of different ones of the different secured digital certificates specified in the message protection policy for signing and encrypting the message.
  - 7. The system of claim 1, where the processor is further programmed, as part of the generalized certificate use service, to execute the secure messaging component to:
    - select a second secured digital certificate from the different secured digital certificates for encryption of the message; and
      
      encrypt the message using a public key associated with the selected second secured digital certificate.
  - 8. The system of claim 1, where the processor is further programmed, according to the message protection policy, to execute the secure messaging component to:
    - select the secured digital certificate from the different secured digital certificates to digitally sign the message; and
      
      select an additional one or more of the different secured digital certificates for encrypting the message.
  - 9. The system of claim 1, where the processor is further programmed to execute the secure messaging component to identify the selected secured digital certificate used by the secure messaging component to sign the message within the message.

10. A computer program product, comprising:
- a computer readable storage medium having computer readable program code embodied therewith, where the computer readable storage medium is not a transitory signal per se and where the computer readable program code when executed on a computer causes the computer to;
  
  determine, at a secure messaging component that provides a generalized certificate use service within a secure messaging environment, that a request to send a message has been generated by a message sender, where the generalized certificate use service provides real-time selective use of different secured digital certificates for different messages sent by the message sender, and the different secured digital certificates are digital certificates other than a digital certificate of the message sender;
  
  identify a message protection policy configured to process the message under the generalized certificate use service within the secure messaging environment, where the message protection policy specifies the different secured digital certificates that are each configured with an associated private key to digitally sign the message on behalf of the message sender;
  
  determine, based upon the message protection policy, to digitally sign the message using the private key of a secured digital certificate selected from the different secured digital certificates specified in the message protection policy; and
  
  sign the message on behalf of the message sender using the private key of the selected secured digital certificate;
  
  where the message protection policy further specifies that the different secured digital certificates are configured to digitally sign messages on behalf of a plurality of message senders; and
  
  the computer readable program code when executed on the computer further causes the computer to sign messages of the plurality of message senders using private keys of secured digital certificates selected in real-time from the different secured digital certificates.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer program product of claim 10, where the computer readable program code when executed on the computer further causes the computer to protect, by the secure messaging environment, the different secured digital certificates against access by the message sender.
  - 12. The computer program product of claim 10, where one of the different secured digital certificates comprises:
    - a digital certificate owned by the secure messaging component within the secure messaging environment.
  - 13. The computer program product of claim 10, where the secure messaging component comprises one of (i) a queue manager that manages a protected message queue within the secure messaging environment and (ii) a data protection module that controls access to the protected message queue within the secure messaging environment and that interfaces with the queue manager.
  - 14. The computer program product of claim 10, where the selected secured digital certificate comprises a digital certificate that is (i) owned by an entity other than the message sender and (ii) managed by the secure messaging component within the secure messaging environment.

15. A computer program product, comprising:
- a non-transitory machine readable data storage medium; and
  
  computer instructions stored in the non-transitory machine readable data storage medium;
  
  where the computer instructions, when executed by a processor(s) set, cause the processor(s) set to perform operations comprising;
  
  creating a message protection policy for application in a secure messaging environment, with the message protection policy specifying that any delivery of a message according to the message protection policy requires a digital signature made using a private key that is managed by a queue manager that manages a secured message queue within the secure messaging environment;
  
  receiving, by the secure messaging environment, a message;
  
  determining, by the secure messaging environment, that the message protection policy is applicable to the message;
  
  responsive to the determination that the message protection policy is applicable to the message, creating, by the secure messaging environment, the digital signature using the private key managed by the queue manager; and
  
  associating, by the secure messaging environment, the message and the digital signature such that the message will be communicated with the digital signature in the secure messaging environment;
  
  where the message protection policy further specifies that different secured digital certificates are configured to digitally sign messages on behalf of a plurality of message senders; and
  
  the computer instructions when executed by the processor(s) set cause the processor(s) set to perform operations comprising signing messages of the plurality of message senders using private keys of secured digital certificates selected in real-time from the different secured digital certificates.
- View Dependent Claims (16, 17, 18)
- - 16. The computer program product of claim 15, where the computer instructions when executed by the processor(s) set further cause the processor(s) set to perform an operation comprising:
    - obtaining the private key from a digital certificate.
  - 17. The computer program product of claim 15, where the private key is owned by the queue manager.
  - 18. The computer program product of claim 15, where the computer program product is in the form of a computer system, with the computer program product further comprising:
    - the processor(s) set structured, programmed, and/or connected to execute the computer instructions stored in the non-transitory machine readable data storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dixon, Bret W.
Primary Examiner(s)
LE, KHOI V

Application Number

US15/406,704
Publication Number

US 20170126666A1
Time in Patent Office

458 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/104   Grouping of entities

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

H04L 9/3263   involving certificates, e.g...

Generalized certificate use in policy-based secure messaging environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Generalized certificate use in policy-based secure messaging environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others