Method and system for using a portable computing device as a smart key device

US 20060133615A1
Filed: 12/16/2004
Published: 06/22/2006
Est. Priority Date: 12/16/2004
Status: Active Grant

First Claim

Patent Images

1. A data processing system, comprising:

a first system unit, the first system unit comprising;

a first hardware security unit coupled to the first system unit, the first hardware security unit comprising;

a first private key corresponding to a first asymmetric cryptographic key pair;

a first public key corresponding to a second asymmetric cryptographic key pair;

a second private key corresponding to a third asymmetric cryptographic key pair; and

a second public key corresponding to a fourth asymmetric cryptographic key pair;

a first removable hardware device, comprising;

a third public key corresponding to the first asymmetric cryptographic key pair; and

a third private key corresponding to the second asymmetric cryptographic key pair;

wherein the first hardware security unit includes logic for authenticating the first hardware security unit with respect to the first removable hardware device based upon the first and second cryptographic key pairs while the first removable hardware device is engaged with the first system unit;

a second system unit, the second system unit comprising;

a second hardware security unit coupled to the second system unit, the second hardware security unit comprising;

a fourth private key corresponding to a fifth asymmetric cryptographic key pair;

a fourth public key corresponding to a sixth asymmetric cryptographic key pair;

a fifth public key corresponding to the third asymmetric cryptographic key pair; and

a fifth private key corresponding to the fourth asymmetric cryptographic key pair;

a second removable hardware device, comprising;

a sixth public key corresponding to the fifth asymmetric cryptographic key pair; and

a sixth private key corresponding to the sixth asymmetric cryptographic key pair;

wherein the second hardware security unit includes logic for authenticating the second hardware security unit with respect to the second removable hardware device based upon the fifth and sixth cryptographic key pairs while the second removable hardware device is engaged with the second system unit; and

logic for authenticating the first hardware security unit with respect to the second hardware security unit based upon the third and fourth cryptographic key pairs while the first and second system units are communicatively coupled and after the first hardware security unit has been authenticated with respect to the first removable hardware device and the second hardware security unit has been authenticated with respect to the second removable hardware device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first data processing system, which includes a first cryptographic device, is communicatively coupled with a second data processing system, which includes a second cryptographic device. The cryptographic devices then mutually authenticate themselves. The first cryptographic device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the second data processing system. The second cryptographic device stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the first data processing system. In response to successfully performing the mutual authentication operation between the two cryptographic systems, the first data processing system is enabled to invoke sensitive cryptographic functions on the first cryptographic device while the first data processing system remains communicatively coupled with the second data processing system.

50 Citations

View as Search Results

20 Claims

1. A data processing system, comprising:
- a first system unit, the first system unit comprising;
  
  a first hardware security unit coupled to the first system unit, the first hardware security unit comprising;
  
  a first private key corresponding to a first asymmetric cryptographic key pair;
  
  a first public key corresponding to a second asymmetric cryptographic key pair;
  
  a second private key corresponding to a third asymmetric cryptographic key pair; and
  
  a second public key corresponding to a fourth asymmetric cryptographic key pair;
  
  a first removable hardware device, comprising;
  
  a third public key corresponding to the first asymmetric cryptographic key pair; and
  
  a third private key corresponding to the second asymmetric cryptographic key pair;
  
  wherein the first hardware security unit includes logic for authenticating the first hardware security unit with respect to the first removable hardware device based upon the first and second cryptographic key pairs while the first removable hardware device is engaged with the first system unit;
  
  a second system unit, the second system unit comprising;
  
  a second hardware security unit coupled to the second system unit, the second hardware security unit comprising;
  
  a fourth private key corresponding to a fifth asymmetric cryptographic key pair;
  
  a fourth public key corresponding to a sixth asymmetric cryptographic key pair;
  
  a fifth public key corresponding to the third asymmetric cryptographic key pair; and
  
  a fifth private key corresponding to the fourth asymmetric cryptographic key pair;
  
  a second removable hardware device, comprising;
  
  a sixth public key corresponding to the fifth asymmetric cryptographic key pair; and
  
  a sixth private key corresponding to the sixth asymmetric cryptographic key pair;
  
  wherein the second hardware security unit includes logic for authenticating the second hardware security unit with respect to the second removable hardware device based upon the fifth and sixth cryptographic key pairs while the second removable hardware device is engaged with the second system unit; and
  
  logic for authenticating the first hardware security unit with respect to the second hardware security unit based upon the third and fourth cryptographic key pairs while the first and second system units are communicatively coupled and after the first hardware security unit has been authenticated with respect to the first removable hardware device and the second hardware security unit has been authenticated with respect to the second removable hardware device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The data processing system of claim 1, the first hardware security unit comprising logic for enabling the first system unit to invoke cryptographic functions on the first hardware security unit while the first and second system units are communicatively coupled after the first hardware security unit has been authenticated with respect to the second hardware security unit.
  - 3. The data processing system of claim 1 wherein one cryptographic function of the cryptographic functions is authentication of a software security unit of an application loaded on the first system unit.
  - 4. The data processing system of claim 3, further comprising logic for exchanging a session key between the software security unit and the first hardware security unit during the authentication of the software security unit.
  - 5. The data processing system of claim 4, further comprising logic for employing the session key by the software security unit to encrypt subsequent requests to the first hardware security unit in order to prove the software security unit'"'"'s identity.
  - 6. The data processing system of claim 1, wherein the first system unit and the second system unit are communicatively coupled via a network.
  - 7. The data processing system of claim 1, further comprising logic for performing a cryptographic function by the first hardware security unit for a software security unit in response to a request from the software security unit after successfully performing a mutual authentication operation between the software security unit and the hardware security unit without requiring the first system unit to be communicatively coupled to the second system unit.

8. A method for performing cryptographic functions, the method comprising:
- engaging a first removable hardware device with a first system unit;
  
  engaging a second removable hardware device with a second system unit;
  
  communicatively coupling the first system unit and the second system unit while the first removable hardware device is engaged with the first system unit and the second removable hardware device is engaged with the second system unit;
  
  wherein the first system unit includes a first hardware security unit and the second system unit includes a second hardware security unit, wherein the first hardware security unit includes a first private key corresponding to a first asymmetric cryptographic key pair, a first public key corresponding to a second asymmetric cryptographic key pair, a second private key corresponding to a third asymmetric cryptographic key pair; and
  
  a second public key corresponding to a fourth asymmetric cryptographic key pair; and
  
  wherein the second hardware security unit contains a third private key corresponding to the second asymmetric cryptographic key pair, a third public key corresponding to the first asymmetric cryptographic key pair, a fourth private key corresponding to the fourth asymmetric cryptographic key pair, and a fourth public key corresponding to the third asymmetric cryptographic key pair;
  
  executing a mutual authentication operation between the first hardware security unit and the first removable hardware device based upon the first and second asymmetric cryptographic key pairs, which the first system unit and the second system unit are communicatively coupled;
  
  executing a mutual authentication operation between the second hardware security unit and the second removable hardware device based upon the fifth and sixth asymmetric cryptographic key pairs first system unit and the second system unit are communicatively coupled;
  
  executing a mutual authentication operation between the first hardware security unit and the second hardware security based upon the third and fourth asymmetric cryptographic key pairs while the first system unit and the second system unit are communicatively coupled; and
  
  in response to successfully performing the mutual authentication operation between the first and second hardware security units, enabling the first system unit to invoke cryptographic functions on the first hardware security unit while the first and second system units remain communicatively coupled.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - executing a software security unit on the first system unit, wherein the software security unit contains a seventh private key corresponding to a seventh asymmetric cryptographic key pair and a seventh public key corresponding to a eighth asymmetric cryptographic key pair, and wherein the first hardware security unit contains an eighth private key corresponding to the eighth asymmetric cryptographic key pair and an eighth public key corresponding to the seventh asymmetric cryptographic key pair;
      
      performing a mutual authentication operation between the software security unit and the first hardware security unit based upon the seventh and eighth asymmetric cryptographic key pairs; and
      
      in response to successfully performing the mutual authentication operation between the software security unit and the first hardware security unit, enabling the software security unit to invoke functions on the first hardware security unit while the first and second system units remain communicatively coupled.
  - 10. The method of claim 9, further comprising performing a cryptographic function by the first hardware security unit for the software security unit in response to a request from the software security unit after successfully performing a mutual authentication operation between the first and second the hardware security units without requiring the first and second system units to remain communicatively coupled.
  - 11. The method of claim 10, further comprising exchanging a session key between the software security unit and the first hardware security unit during the mutual authentication operation between the software security unit and the first hardware security unit.
  - 12. The method of claim 11, further comprising employing the session key by the software security unit to encrypt subsequent requests to the first hardware security unit in order to prove the software security unit'"'"'s identity.
  - 13. The method of claim 9, further comprising, in response to a request from the software security unit, generating a digital certificate for the software security unit by the first hardware security unit while the first and second system units remain communicatively coupled.
  - 14. The method of claim 9, further comprising, in response to a request from the software security unit, digitally signing a data item from the software security unit by the first hardware security unit while the first and second system units remain communicatively coupled.

15. A computer programming product on a computer readable medium for use in a data processing system for performing cryptographic functions, the computer programming product comprising:
- logic, stored on the computer readable medium, for communicatively coupling a first removable hardware device with a first system unit;
  
  logic, stored on the computer readable medium, for communicatively coupling a second removable hardware device with a second system unit;
  
  logic, stored on the computer readable medium, for communicatively coupling the first system unit and the second system unit while the first removable hardware device is engaged with the first system unit and the second removable hardware device is engaged with the second system unit;
  
  wherein the first system unit includes a first hardware security unit and the second system unit includes a second hardware security unit, wherein the first hardware security unit includes a first private key corresponding to a first asymmetric cryptographic key pair, a first public key corresponding to a second asymmetric cryptographic key pair, a second private key corresponding to a third asymmetric cryptographic key pair; and
  
  a second public key corresponding to a fourth asymmetric cryptographic key pair; and
  
  wherein the second hardware security unit contains a third private key corresponding to the second asymmetric cryptographic key pair, a third public key corresponding to the first asymmetric cryptographic key pair, a fourth private key corresponding to the fourth asymmetric cryptographic key pair, and a fourth public key corresponding to the third asymmetric cryptographic key pair;
  
  logic, stored on the computer readable medium, for executing a mutual authentication operation between the first hardware security unit and the first removable hardware device based upon the first and second asymmetric cryptographic key pairs, which the first system unit and the second system unit are communicatively coupled;
  
  logic, stored on the computer readable medium, for executing a mutual authentication operation between the second hardware security unit and the second removable hardware device based upon the fifth and sixth asymmetric cryptographic key pairs first system unit and the second system unit are communicatively coupled;
  
  logic, stored on the computer readable medium, for executing a mutual authentication operation between the first hardware security unit and the second hardware security based upon the third and fourth asymmetric cryptographic key pairs while the first system unit and the second system unit are communicatively coupled; and
  
  in response to successfully performing the mutual authentication operation between the first and second hardware security units, logic, stored on the computer readable medium, for enabling the first system unit to invoke cryptographic functions on the first hardware security unit while the first and second system units remain communicatively coupled.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer programming product of claim 15, further comprising:
    - logic, stored on the computer readable medium, for executing a software security unit on the first system unit, wherein the software security unit contains a seventh private key corresponding to a seventh asymmetric cryptographic key pair and a seventh public key corresponding to a eighth asymmetric cryptographic key pair, and wherein the first hardware security unit contains an eighth private key corresponding to the eighth asymmetric cryptographic key pair and an eighth public key corresponding to the seventh asymmetric cryptographic key pair;
      
      logic, stored on the computer readable medium, for performing a mutual authentication operation between the software security unit and the first hardware security unit based upon the seventh and eighth asymmetric cryptographic key pairs; and
      
      in response to successfully performing the mutual authentication operation between the software security unit and the first hardware security unit, logic, stored on the computer readable medium, for enabling the software security unit to invoke functions on the first hardware security unit while the first and second system units remain communicatively coupled.
  - 17. The computer programming product of claim 16, further comprising logic, stored on the computer readable medium, for performing a cryptographic function by the first hardware security unit for the software security unit in response to a request from the software security unit after successfully performing a mutual authentication operation between the first and second the hardware security units without requiring the first and second system units to remain communicatively coupled.
  - 18. The computer programming product of claim 17, further comprising logic, stored on the computer readable medium, for exchanging a session key between the software security unit and the first hardware security unit during the mutual authentication operation between the software security unit and the first hardware security unit.
  - 19. The computer programming product of claim 18, further comprising logic, stored on the computer readable medium, for employing the session key by the software security unit to encrypt subsequent requests to the first hardware security unit in order to prove the software security unit'"'"'s identity.
  - 20. The method of claim 16, further comprising logic, stored on the computer readable medium, for generating a digital certificate for the software security unit by the first hardware security unit while the first and second system units remain communicatively coupled.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Bade, Steven A., Chao, Ching-Yun

Granted Patent

US 7,475,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06F 21/33   using certificates

G06F 21/34   involving the use of extern...

G06F 21/445   by mutual authentication, e...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/3265   using certificate chains, t...

H04L 9/3273   for mutual authentication n...

Method and system for using a portable computing device as a smart key device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for using a portable computing device as a smart key device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links