Method and system for establishing a trust framework based on smart key devices
First Claim
1. A data processing system comprising:
- a system unit including;
a processor for executing instructions in software modules; and
a first hardware security unit including;
means for storing a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair;
means for authenticating a software module; and
means for acting as a certificate authority to issue digital certificates to the software modules; and
a first software module executable on the system unit including;
means for storing a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and
means for authenticating the hardware security unit;
means for receiving a digital certificate corresponding to a private key possessed by a second hardware security unit that is not included in the system unit; and
means for storing the received digital certificate.
3 Assignments
0 Petitions
Accused Products
Abstract
A mechanism is provided for securing cryptographic functionality within a host system such that it may only be used when a system administrator physically allows it via a hardware security token. In addition, a hardware security unit is integrated into a data processing system, and the hardware security unit acts as a hardware certificate authority. The hardware security unit may be viewed as supporting a trust hierarchy or trust framework within a distributed data processing system. The hardware security unit can sign software that is installed on the machine that contains the hardware security unit. Server processes that use the signed software that is run on the machine can establish mutual trust relationships with the hardware security unit and amongst the other server processes based on their common trust of the hardware security unit.
76 Citations
43 Claims
-
1. A data processing system comprising:
-
a system unit including; a processor for executing instructions in software modules; and a first hardware security unit including; means for storing a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for authenticating a software module; and means for acting as a certificate authority to issue digital certificates to the software modules; and a first software module executable on the system unit including; means for storing a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and means for authenticating the hardware security unit; means for receiving a digital certificate corresponding to a private key possessed by a second hardware security unit that is not included in the system unit; and means for storing the received digital certificate. - View Dependent Claims (2, 3, 4)
-
-
5. A data processing system comprising:
-
a system unit including; a processor for executing instructions in software modules; and a first hardware security unit including; means for storing a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for authenticating a software module; and means for acting as a certificate authority to issue digital certificates to the software modules; a first software module executable on the system unit including; means for storing a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and means for authenticating the hardware security unit; and a software smart key module that is signed by the first hardware security unit, wherein the first hardware security unit includes means for acting as a certificate authority. - View Dependent Claims (6, 7, 8, 9, 10)
-
-
11. A data processing system comprising:
-
a system unit including; a processor for executing instructions in software modules; and a first hardware security unit including; means for storing a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for authenticating a software module; and means for acting as a certificate authority to issue digital certificates to the software modules; a first software module executable on the system unit including; means for storing a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and means for authenticating the hardware security unit; and means for requiring all interacting software applications that are installed on the system unit to be able to mutually authenticate to one another. - View Dependent Claims (12)
-
-
13. A data processing system comprising:
-
a system unit including; a processor for executing instructions in software modules; and a first hardware security unit including; means for storing a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for authenticating a software module; and means for acting as a certificate authority to issue digital certificates to the software modules; a first software module executable on the system unit including; means for storing a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; and means for authenticating the hardware security unit; and means for asserting a digital certificate of a hardware security unit on a different system unit into a list of trusted certificate authorities in the first hardware security unit.
-
-
14. A method for performing cryptographic functions in a data processing system, the method comprising:
-
executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; issuing digital certificates by the hardware security unit to software modules; receiving at the hardware security unit a digital certificate corresponding to a private key possessed by a second hardware security unit that is not included in the system unit; and storing the received digital certificate. - View Dependent Claims (15, 16, 17, 18, 19)
-
-
20. A method for performing cryptographic functions in a data processing system, the method comprising:
-
executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; issuing digital certificates by the hardware security unit to software modules; and signing a software smart key module by the hardware security unit, wherein the hardware security unit includes means for acting as a certificate authority. - View Dependent Claims (21, 22, 23, 24, 25)
-
-
26. A method for performing cryptographic functions in a data processing system, the method comprising:
-
executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; issuing digital certificates by the hardware security unit to software modules; and requiring all interacting software applications that are installed on the system unit to be able to mutually authenticate to one another. - View Dependent Claims (27)
-
-
28. A method for performing cryptographic functions in a data processing system, the method comprising:
-
executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; issuing digital certificates by the hardware security unit to software modules; and asserting a digital certificate of a software certificate authority trusted on a different data processing system into a list of trusted certificate authorities in the hardware security unit.
-
-
29. A computer program product stored on a storage computer readable medium for use in a data processing system for performing cryptographic functions, the computer program product comprising:
-
means for executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; means for issuing digital certificates by the hardware security unit to software modules; means for receiving at the hardware security unit a digital certificate corresponding to a private key possessed by a second hardware security unit that is not included in the system unit; and means for storing the received digital certificate. - View Dependent Claims (30, 31, 32, 33, 34, 35)
-
-
36. A computer program product stored on a storage computer readable medium for use in a data processing system for performing cryptographic functions, the computer program product comprising:
-
means for executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; means for issuing digital certificates by the hardware security unit to software modules; and means for signing a software smart key module by the hardware security unit, wherein the hardware security unit includes means for acting as a certificate authority. - View Dependent Claims (37, 38, 39, 40)
-
-
41. A computer program product stored on a storage computer readable medium for use in a data processing system for performing cryptographic functions, the computer program product comprising:
-
means for executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; means for issuing digital certificates by the hardware security unit to software modules; and means for requiring all interacting software applications that are installed on the system unit to be able to mutually authenticate to one another. - View Dependent Claims (42)
-
-
43. A computer program product stored on a storage computer readable medium for use in a data processing system for performing cryptographic functions, the computer program product comprising:
-
means for executing a software module on a system unit including a hardware security unit, wherein the hardware security unit contains a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair; means for performing a mutual authentication operation between the hardware security unit and the software module, wherein the software module contains a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair; means for issuing digital certificates by the hardware security unit to software modules; and means for asserting a digital certificate of a hardware security unit on a different system unit into a list of trusted certificate authorities in the hardware security unit.
-
Specification