Universal secure messaging for cryptographic modules

US 8,306,228 B2
Filed: 09/07/2007
Issued: 11/06/2012
Est. Priority Date: 06/15/2001
Status: Expired due to Term

First Claim

Patent Images

1. A secure messaging method for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:

generating a pair of session keys;

performing a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each provided with one session key of said pair of session keys;

generating a unique session identifier;

associating said unique session identifier with said pair of session keys;

performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module, wherein the exchanged information includes a credential and information of said secure key exchange corresponding to least one of the session keys; and

verifying the credential initially before unlocking a credential protected application, wherein, after initial verification of the credential, the at least one of the session keys is temporarily granted permission to unlock the credential protected application for the duration of a session between the host computer and the cryptographic module, and wherein subsequent access to the credential protected application during the session is allowed by using the at least one of the session keys as a surrogate for the credential.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.

108 Citations

View as Search Results

17 Claims

1. A secure messaging method for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:
- generating a pair of session keys;
  
  performing a secure key exchange between said host computer system and said cryptographic module such that said host computer system and said cryptographic module each provided with one session key of said pair of session keys;
  
  generating a unique session identifier;
  
  associating said unique session identifier with said pair of session keys;
  
  performing counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module, wherein the exchanged information includes a credential and information of said secure key exchange corresponding to least one of the session keys; and
  
  verifying the credential initially before unlocking a credential protected application, wherein, after initial verification of the credential, the at least one of the session keys is temporarily granted permission to unlock the credential protected application for the duration of a session between the host computer and the cryptographic module, and wherein subsequent access to the credential protected application during the session is allowed by using the at least one of the session keys as a surrogate for the credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1 wherein said counterpart cryptographic functions occur within an active session.
  - 3. The method according to claim 2 wherein said unique session identifier is further associated with a specific function performed by said cryptographic module.
  - 4. The method according to claim 1, further comprising:
    - encrypting said credential with a public key before sending said credential to a security token; and
      
      decrypting said credential with a private key before unlocking said credential protected application.
  - 5. The method according to claim 1 wherein said credential includes a critical security parameter (CSP).
  - 6. The method according to claim 5 wherein said session keys are temporarily surrogates for said CSP after successfully performing a prerequisite initial authentication.
  - 7. The method according to claim 1 wherein said session keys incorporate a timestamp or the unique session identifier.
  - 8. The method according to claim 1, wherein the pair of session keys include a pair of identical session keys.

9. A secure messaging system for securely exchanging information between a host computer system and a functionally connected cryptographic module comprising:
- at least one hardware processor;
  
  a host security manager application stored on a first non-transitory computer readable medium and being executable by the at least one hardware processor to;
  
  generate a session key pair,associate at least one session key of said session key pair with a unique session identifier,perform a secure key exchange with said cryptographic module, wherein a session key associated with said unique session identifier is securely provided to said cryptographic module, andperform counterpart cryptographic functions on at least a portion of information exchanged between said host computer system and said cryptographic module, wherein the exchanged information includes a credential and information of said secure key exchange corresponding to least one of the session keys, anda security executive application stored on a second non-transitory computer readable medium and being executable by the at least one hardware processor to;
  
  generate said unique session identifier,associate said unique session identifier with said exchanged key,perform counterpart cryptographic functions on at least a portion of the information exchanged between said host computer system and said cryptographic module, andverify the credential initially before unlocking a credential protected application, wherein, after initial verification of the credential, the at least one of the session keys is temporarily granted permission to unlock the credential protected application for the duration of a session between the host computer and the cryptographic module, and wherein subsequent access to the credential protected application during the session is allowed by using the at least one of the session keys as a surrogate for the credential.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system according to claim 9 wherein said security executive application further shares said unique session identifier with said host security manager application.
  - 11. The system according to claim 9 wherein said cryptographic functions includes encryption, decryption and message authentication.
  - 12. The system according to claim 9 wherein at least a portion of said cryptographic functions are performed using said session key pair.
  - 13. The system according to claim 9 wherein said credential includes a critical security parameter (CSP).
  - 14. The system according to claim 13 wherein said security executive application further allows said session key pair to act as a temporary surrogate of said CSP after successfully performing a prerequisite initial authentication using said CSP.
  - 15. The system according to claim 14 wherein said temporary surrogate remains valid for at least a portion of a session.
  - 16. The system according to claim 15 wherein said session may be reactivated.
  - 17. The system according to the claim 9, wherein the pair of session keys include a pair of identical session keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Activcard Ireland, Limited
Inventors
Wen, Wu, Le Saint, Eric
Primary Examiner(s)
SHAN, APRIL YING

Application Number

US11/852,261
Publication Number

US 20080089521A1
Time in Patent Office

1,887 Days
Field of Search

380/278, 380/259, 380/260, 380/29, 705/67, 713/171, 726/3
US Class Current

380/278
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0421   Anonymous communication, i....

H04L 63/045   wherein the sending and rec...

H04L 63/0853   using an additional device,...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0844   with user authentication or...

Universal secure messaging for cryptographic modules

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Universal secure messaging for cryptographic modules

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links