Public key cryptosystem key management based on control vectors
First Claim
1. In a data processing system, a method for managing a public key cryptographic system, comprising the steps of:
- generating a first public key and a first private key as a first pair in said data processing system, for use with a first public key algorithm;
generating a second public key and a second private key as a second pair in said data processing system, for use with a second public key algorithm;
assigning a private control vector for said first private key and said second private key in said data processing system, for defining permitted uses for said first and second private keys;
forming a private key record which includes said first private key and said second private key in said data processing system, and encrypting said private key record under a first master key expression which is a function of said private control vector;
forming a private key token which includes said private control vector and said private key record, and storing said private key token in said data processing system;
receiving a first key use request in said data processing system, reguiring said first public key algorithm;
accessing said private key token in said data processing system and checking said private control vector to determine if said private key record contains a key having permitted uses which will satisfy said first request;
decrypting said private key record under said first master key expression in said data processing system and extracting said first private key from said private key record;
selecting said first public key algorithm in said data processing system for said first key use request;
selecting said first public key algorithm in said data processing system using said first private key to perform a cryptographic operation to satisfy said first key use request.
1 Assignment
0 Petitions
Accused Products
Abstract
A data processing system, method and program are disclosed, for managing a public key cryptographic system. The method includes the steps of generating a first public key and a first private key as a first pair in the data processing system, for use with a first public key algorithm and further generating a second public key and a second private key as a second pair in the data processing system, for use with a second public key algorithm. The method then continues by assigning a private control vector for the first private key and the second private key in the data processing system, for defining permitted uses for the first and second private keys. Then the method continues by forming a private key record which includes the first private key and the second private key in the data processing system, and encrypting the private key record under a first master key expression which is a function of the private control vector. The method then forms a private key token which includes the private control vector and the private key record, and stores the private key token in the data processing system.
At a later time, the method receives a first key use request in the data processing system, requiring the first public key algorithm. In response to this, the method continues by accessing the private key token in the data processing system and checking the private control vector to determine if the private key record contains a key having permitted uses which will satisfy the first request. The method then decrypts the private key record under the first master key expression in the data processing system and extracts the first private key from the private key record. The method selects the first public key algorithm in the data processing system for the first key use request and executes the first public key algorithm in the data processing system using the first private key to perform a cryptographic operation to satisfy the first key use request.
290 Citations
33 Claims
-
1. In a data processing system, a method for managing a public key cryptographic system, comprising the steps of:
-
generating a first public key and a first private key as a first pair in said data processing system, for use with a first public key algorithm; generating a second public key and a second private key as a second pair in said data processing system, for use with a second public key algorithm; assigning a private control vector for said first private key and said second private key in said data processing system, for defining permitted uses for said first and second private keys; forming a private key record which includes said first private key and said second private key in said data processing system, and encrypting said private key record under a first master key expression which is a function of said private control vector; forming a private key token which includes said private control vector and said private key record, and storing said private key token in said data processing system; receiving a first key use request in said data processing system, reguiring said first public key algorithm; accessing said private key token in said data processing system and checking said private control vector to determine if said private key record contains a key having permitted uses which will satisfy said first request; decrypting said private key record under said first master key expression in said data processing system and extracting said first private key from said private key record; selecting said first public key algorithm in said data processing system for said first key use request; selecting said first public key algorithm in said data processing system using said first private key to perform a cryptographic operation to satisfy said first key use request. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. In a data processing system, a method for managing a public key cryptographic system, comprising the steps of:
-
generating a public key and a private key as a pair in said data processing system, for use with a public key algorithm; assigning a private control vector for said private key in said data processing system, for defining permitted uses for said private key; forming a private key record which includes said private key in said data processing system, and encrypting said private key record under a first master key expression which is a function of said private control vector; forming a private key token which includes said private control vector and said encrypted private key record and storing said private key token in said data processing system; receiving a first key use request in said data processing system, requiring execution of said public key algorithm with a private key; accessing said private key token in said data processing system and checking said private control vector to determine if said private key record contains a key having permitted uses which will satisfy said first request; decrypting said private key record under said first master key expression in said data processing system and extracting said private key from said private key record; executing said public key algorithm in said data processing system using said private key to perform a cryptographic operation to satisfy said first key use request. - View Dependent Claims (12, 13, 14, 15, 16)
-
-
17. In a data processing system, a method for managing a public key cryptographic system, comprising the steps of:
-
generating a public key and a private key in said cryptographic system; assigning a public key control vector to said public key in accordance with intended uses for said public key; assigning a private key control vector to said private key in accordance with intended uses for said private key; storing said public key in a public key record and storing said private key in a private key record; encrypting said public key record under a master key and encrypting said private key under said master key; forming a modification detection code on a concatenated expression of said public key control vector and said public key record as a public key authentication record; forming a modification detection code on a concatenated expression of said private key control vector and said private key record to produce a private key authentication record; encrypting said public key authentication record under said master key and encrypting said private key authentication record under said master key; forming a public key token which includes said public key control vector in a first field, said encrypted public key record in a second field, and said encrypted public key authentication record in a third field; forming a private key token including said private key control vector in a first field, said encrypted private key record in a second field, and said encrypted private key authentication record in a third field. - View Dependent Claims (18, 19)
-
-
20. In a data processing system, a computer program for managing a public key cryptographic system, which when executed on said data processing system, performs a method comprising the steps of:
-
generating a first public key and a first private key as a first pair in said data processing system, for use with a first public key algorithm; generating a second public key and a second private key as a second pair in said data processing system, for use with a second public key algorithm; assigning a private control vector for said first private key and said second private key in said data processing system, for defining permitted uses for said first and second private keys; forming a private key record which includes said first private key and said second private key in said data processing system, and encrypting said private key record under a first master key expression which is a function of said private control vector; forming a private key token which includes said private control vector and said private key record, and storing said private key token in said data processing system; receiving a first key use request in said data processing system, regulating said first public key algorithm; accessing said private key token in said data processing system and checking said private control vector to determine if said private key record contains a key having permitted uses which will satisfy said first request; decrypting said private key record under said first master key expression in said data processing system and extracting said first private key from said private key record; selecting said first public key algorithm in said data processing system for said first key use request; selecting said first public key algorithm in said data processing system using said first private key to perform a cryptographic operation to satisfy said first key use request. - View Dependent Claims (21, 22, 23, 24)
-
-
25. In a data processing system, a computer program for managing a public key cryptographic system, which when executed on said data processing system, performs a method comprising the steps of:
-
generating a public key and a private key as a pair in said data processing system, for use with a public key algorithm; assigning a private control vector for said private key in said data processing system, for defining permitted uses for said private key; forming a private key record which includes said private key in said data processing system, and encrypting said private key record under a first master key expression which is a function of said private control vector; forming a private key token which includes said private control vector and said encrypted private key record and storing said private key token in said data processing system; receiving a first key use request in said data processing system, requiring execution of said public key algorithm with a private key; accessing said private key token in said data processing system and checking said private control vector to determine if said private key record contains a key having permitted uses which will satisfy said first request; decrypting said private key record under said first master key expression in said data processing system and extracting said private key from said private key record; executing said public key algorithm in said data processing system using said private key to perform a cryptographic operation to satisfy said first key use request. - View Dependent Claims (26, 27, 28, 29, 30)
-
-
31. A data processing system for managing a public key cryptographic system, comprising:
-
first generating means for generating a first public key and a first private key as a first pair in said data processing system, for use with a first public key algorithm; second generating means for generating a second public key and a second private key as a second pair in said data processing system, for use with a second public key algorithm; assigning means for assigning a private control vector for said first private key in said second private key in said data processing system, for defining permitted uses for said first and second private keys; key record forming means coupled to said first and second generating means, for forming a private key record which includes said first private key and said second private key in said data processing system, encrypting means coupled to said key record forming means and said assigning means, for encrypting said private key record under a first master key expression which is a function of said private control vector; key token forming means coupled to said assigning means and to said key record forming means, for forming a private key token which includes said private control vector and said private key record; storing means coupled to said key token forming means, for storing said private key token in said data processing system; receiving means coupled to a user input, for receiving a first key use request in said data processing system, requiring said first public key algorithm; accessing means coupled to said receiving means and to said storing means, for accessing said private key token in said data processing system and checking said private control vector to determine if said private key record contains a key having permitted uses which will satisfy said first request; decrypting means coupled to said accessing means, for decrypting said private key record under said first master key expression in said data processing system and extracting said first private key from said private key record; selecting means coupled to said receiving means, for selecting said first public key algorithm in said data processing system for said first key use request; executing means coupled to said selecting means and to said decrypting means, for executing said first public key algorithm in said data processing system using said first private key to perform a cryptographic operation to satisfy said first key use request. - View Dependent Claims (32, 33)
-
Specification