Cryptography system and method for providing cryptographic services for a computer application
Abstract
A cryptography system architecture provides cryptographic functionality to support an application requiring encryption, decryption, signing, and verification of electronic messages. The cryptography system has a cryptographic application program interface (CAPI) which interfaces with the application to receive requests for cryptographic functions. The cryptographic system further includes at least one cryptography service provider (CSP) that is independent from, but dynamically accessible by, the CAPI. The CSP provides the cryptographic functionality and manages the secret cryptographic keys. In particular, the CSP prevents exposure of the encryption keys in a non-encrypted form to the CAPI or application. The cryptographic system also has a private application program interface (PAPI) to provide direct access between the CSP and the user. The PAPI enables the user to confirm or reject certain requested cryptographic functions, such as digitally signing the messages or exportation of keys.
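The CAPI/CSP/PAPI split described in the abstract, modelled in Python as an added illustration that is not taken from the patent: the class and method names, the `demo` helper, and the use of HMAC-SHA256 in place of a digital-signature primitive are all assumptions. It shows the interface contract (opaque key handles, user confirmation through a channel the application does not control); an in-process Python object does not by itself enforce that boundary.

```python
import hashlib
import hmac
import secrets

class CSP:
    """Holds key material; callers only ever receive opaque handles."""
    def __init__(self, papi_confirm):
        self._keys = {}                    # handle -> raw key bytes, never returned
        self._papi_confirm = papi_confirm  # PAPI: direct CSP-to-user channel

    def gen_key(self):
        handle = secrets.token_hex(8)      # random label, not derived from the key
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def sign(self, handle, message):
        # The user is asked through the PAPI, bypassing the application.
        if not self._papi_confirm(f"sign {len(message)} bytes with key {handle}"):
            raise PermissionError("user rejected signing request")
        # HMAC-SHA256 stands in for the signature primitive (assumption).
        return hmac.new(self._keys[handle], message, hashlib.sha256).digest()

    def verify(self, handle, message, tag):
        expected = hmac.new(self._keys[handle], message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

class CAPI:
    """Application-facing layer: routes requests, stores no key material."""
    def __init__(self, csp):
        self._csp = csp

    def request(self, function, *args):
        if function not in ("gen_key", "sign", "verify"):
            raise ValueError("unsupported cryptographic function")
        return getattr(self._csp, function)(*args)

def demo(user_approves, message=b"constructed sample message"):
    """One sign/verify round trip; user_approves simulates the PAPI answer."""
    prompts = []
    capi = CAPI(CSP(lambda p: prompts.append(p) or user_approves))
    handle = capi.request("gen_key")
    try:
        tag = capi.request("sign", handle, message)
    except PermissionError:
        return {"signed": False, "prompts": prompts}
    return {"signed": True, "prompts": prompts,
            "verified": capi.request("verify", handle, message, tag)}
```

The application side only ever holds the handle string and the returned tag; a rejected PAPI prompt stops the operation inside the CSP before the key is used.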
80 Claims
1. A cryptography system to support an application requiring cryptographic functions, the cryptography system comprising:
a cryptographic application program interface (CAPI) to interface with the application and handle its requests for a cryptographic function;
at least one cryptography service provider (CSP) independent from, but dynamically accessible by, the CAPI;
the CSP providing the cryptographic function requested by the application, the CSP also managing and protecting at least one encryption key used in the cryptographic function to prevent exposure of the encryption key in a non-encrypted form to the CAPI and application; and
a private application program interface (PAPI) to interface the CSP with a user, the PAPI enabling the user to observe, confirm, or reject the requested cryptographic function. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
20. In a computer system having a processing unit and a computer-readable medium, a computer-implemented cryptography service provider stored on the computer-readable medium for execution on the processing unit as part of a cryptography system used to support a computer executable application requiring encryption or decryption of electronic messages to be sent or received by a user, the cryptography service provider comprising:
a key manager to manage encryption keys used to encrypt messages and to prevent the encryption keys from being exported in a non-encrypted form from the cryptography service provider;
an encryption/decryption device to encrypt or decrypt messages using the encryption keys; and
the cryptography service provider being configured as a dynamic linked library, software module which is dynamically accessible as needed by the application to receive a plaintext message and to return an encrypted message, or to receive an encrypted message and to return a plaintext message, without exposing the encryption keys in their non-encrypted form to the application. - View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
28. A method for supporting cryptographic functions requested by an application, the method comprising the following steps:
supplying a request for a cryptographic function to a cryptographic application program interface (CAPI);
selecting a cryptography service provider (CSP) to perform the desired cryptographic function;
establishing communication between the CAPI and the CSP;
verifying an authenticity of the CSP;
performing the cryptographic function at the CSP using at least one cryptographic key; and
preventing exposure of the encryption key in a non-encrypted form to the CAPI or application. - View Dependent Claims (29, 30, 45)
31. A method for encrypting a message comprising the following steps:
supplying a plaintext message to a cryptographic application program interface (CAPI);
selecting a cryptography service provider (CSP) for encrypting the message;
establishing communication between the CAPI and the CSP;
verifying an authenticity of the CSP;
passing the plaintext message from the CAPI to the CSP;
encrypting the message at the CSP using an encryption key maintained by the CSP to produce an encrypted message; and
passing the encrypted message from the CSP back to the CAPI without exposing the encryption key in its non-encrypted form. - View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 46)
encrypting the message with a symmetric encryption key; and
encrypting the symmetric key with a public key from an asymmetric pair of private and public cryptographic keys.
33. A method as recited in claim 32 wherein the encrypting step comprises the step of passing the encrypted symmetric encryption key to the CAPI along with the message.
34. A method as recited in claim 31 wherein the verifying step comprises the following steps:
attaching a digital signature of a certified trusted authority to the CSP; and
validating the digital signature to authenticate the CSP.
35. A method as recited in claim 31 further comprising the step of attaching a digital signature of the cryptography system to the message.
36. A method as recited in claim 31 further comprising the step of storing within the CSP at least one unique encryption key.
37. A method as recited in claim 31 further comprising the step of generating within the CSP the encryption key used to encrypt the message.
38. A method as recited in claim 31 further comprising the step of destroying the encryption key following its use.
39. A method as recited in claim 31 further comprising the following steps:
assigning a handle to the encryption key; and
making the handle available to the CAPI while maintaining the encryption key in confidence within the CSP.
40. A method as recited in claim 31 further comprising the step of hashing within the CSP at least some data contained in the message.
41. A method as recited in claim 31 further comprising the following steps:
passing an explanation of the message to a private application program interface (PAPI) used to interface the CSP with a user; and
presenting the explanation to the user.
42. A method as recited in claim 41 further comprising the step of verifying at the PAPI an authenticity of the user prior to presenting the explanation of the message.
43. A method as recited in claim 41 further comprising the step of enabling data entry from the user through the PAPI.
44. A method as recited in claim 41 further comprising the step of selectively notifying the user via the PAPI when a particular encryption key is to be used.
46. A computer-readable medium having computer-executable instructions for performing the steps in the method recited in claim 31.
47. A computer-readable medium having computer-executable instructions for implementing a cryptography system, comprising:
a cryptographic application program interface (CAPI) configured as a software module to interface with a computer-implemented application and to handle requests from the application for a cryptographic function;
at least one cryptography service provider (CSP) configured as a software module independent from, but dynamically accessible by, the CAPI;
the CSP providing the cryptographic function requested by the software application, the CSP also managing and protecting at least one encryption key used in the cryptographic function to prevent exposure of the encryption key in a non-encrypted form to the CAPI and software application. - View Dependent Claims (48, 49)
the CSP module is digitally signed with a digital signature of a certified trusted authority; and
the CAPI module verifies an authenticity of the CSP when accessing the CSP by validating the digital signature of the certified trusted authority.
50. In a computer system having a processing unit and a computer-readable medium, a computer-implemented cryptography service provider stored on the computer-readable medium for execution on the processing unit as part of a cryptography system used to support a computer executable application requiring encryption or decryption of electronic information, the cryptography service provider comprising:
a key manager to manage encryption keys used to encrypt messages and to prevent the encryption keys from being exported in a non-encrypted form from the cryptography service provider;
51. A computer-readable medium having a computer-implemented cryptography service provider stored thereon for execution on a processing unit as part of a cryptography system used to support a computer executable application requiring encryption or decryption of electronic information the cryptography service provider comprising:
a key manager to manage encryption keys used to encrypt data and to prevent the encryption keys from being exported in a non-encrypted form from the cryptography service provider;
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58)
59. A method for supporting cryptographic functions requested by an application, the method comprising:
supplying a request for a cryptographic function to a cryptographic application program interface (CAPI);
selecting an independent dynamically accessible cryptography service provider (CSP) to perform the desired cryptographic function;
- View Dependent Claims (60, 61, 62)
63. A method for encrypting a message comprising:
supplying a plaintext message to a cryptographic application program interface (CAPI);
selecting a cryptography service provider (CSP) for encrypting the message;
- View Dependent Claims (64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77)
78. A computer-readable medium having computer-executable instructions for implementing a cryptography system, comprising:
a cryptographic application program interface (CAPI) for interfacing with a computer-implemented application and to handle requests from the application for a cryptographic function; and
wherein the cryptographic application program interface is further configured to dynamically access at least one independent cryptography service provider (CSP) software module which provides the cryptographic function requested by the software application. - View Dependent Claims (79)
80. A computer-readable medium having a computer-implemented cryptography service provider architecture stored thereon for use by a processing unit as part of a cryptography system used to support a computer executable application requiring encryption or decryption of data to be sent or received by a user, the cryptography service provider architecture comprising:
a key manager to manage encryption keys used to encrypt data and to prevent the encryption keys from being exported in a non-encrypted form from the cryptography service provider;
Specification