Abstract:
An entity controlling access of a plurality of users to at least one disconnected door includes mapping the plurality of users to a group, for each time interval d of a sequence of dates, having an authority produce a digital signature indicating that members of the group can access the door during time interval d, causing at least one of the members of the group to receive the digital signature during time interval d for presentation to the door in order to pass therethrough, having the at least one member of the group present the digital signature to the door D, and having the door open after verifying that (i) the digital signature is a digital signature of the authority indicating that members of the group can access the door at time interval d, and (ii) that the current time is within time interval d. The at least one member of the group may have a user card and the door may have a card reader coupled to an electromechanical lock, and the at least one member of the group may receive the digital signature by storing it into the user card, and may present the digital signature to the door by having the user card read by the card reader.
Abstract:
Determining access includes determining if particular credentials/proofs indicate that access is allowed, determining if there is additional data associated with the credentials/proofs, wherein the additional data is separate from the credentials/proofs, and, if the particular credentials/proofs indicate that access is allowed and if there is additional data associated with the particular credentials/proofs, then deciding whether to deny access according to information provided by the additional data. The credentials/proofs may be in one part or in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate proofs. The first administration entity may also generate proofs or may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.
Abstract:
Providing information about digital certificate validity includes obtaining a plurality of signing key/verification key pairs, where each signing key provides a digital signature and a corresponding one of the verification keys verifies the digital signature and where digitally signing together a plurality of data elements using the signing keys is computationally more efficient than digitally signing each of the data elements individually, ascertaining digital certificate validity status for each certificate in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, and digitally signing together the artificially pre-computed messages using signing keys from the pairs. Ascertaining digital certificate validity status may include obtaining authenticated information about digital certificates. The authenticated information about digital certificates may be generated by an entity that also revokes certificates. The authenticated information about digital certificates may be a CRL. The artificially pre-computed responses may be OCSP format responses.
Abstract:
Providing information about digital certificate validity includes ascertaining digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates of the plurality of digital certificates, where at least one of the messages indicates validity status of more than one digital certificate, and digitally signing the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. Generating and digitally signing may occur prior to any OCSP queries that are answered by any of the OCSP format responses. Ascertaining digital certificate validity status may include obtaining authenticated information about digital certificates.
Abstract:
Logging events associated with accessing an area includes recording an event associated with accessing the area to provide an event recording and authenticating at least the event recording to provide an authenticated recording. Recording an event may include recording a time of the event. Recording an event may include recording a type of event. The event may be an attempt to access the area. Recording an event may include recording credentials/proofs used in connection with the attempt to access the area. Recording an event may include recording a result of the attempt. Recording an event may include recording the existence of data other than the credentials/proofs indicating that access should be denied. Recording an event may include recording additional data related to the area. Authenticating the recording may include digitally signing the recording. Authenticating at least the event recording may include authenticating the event recording and authenticating other event recordings to provide a single authenticated recording.
Abstract:
A cost-effective system that provides for the efficient protection of transmitted non-public attribute information may be used, for example, to control access to a secure area. Encryption of the attribute information may be performed using symmetric encryption techniques, such as XOR and/or stream cipher encryption. A centralized database that stores and transmits the encrypted attribute information may generate the encryption/decryption key based on selected information bytes, for example, as taken from a card inserted into a handheld device used at the secure area. The selected information to generate the encryption key stream may be varied on a periodic basis by the centralized database. Information as to which selected bytes are to be used for a particular access authorization request may be transmitted to the handheld unit or may be input through action of a user of the handheld unit, for example by entry of a PIN code.
Abstract:
Facilitating a transaction between a first party and a second party includes, prior to initiating the transaction, one of the parties obtaining an artificially pre-computed OCSP response about a specific digital certificate, where the artificially pre-computed OCSP response is generated by an entity other than the first party and the second party, one of the parties initiating the transaction, in connection with the transaction, the first party providing the specific digital certificate to the second party, and the second party verifying the specific digital certificate using the artificially pre-computed OCSP response. The second party may obtain the artificially pre-computed OCSP response prior to the transaction being initiated. The second party may cache the artificially pre-computed OCSP response for future transactions. The first party may obtain the artificially pre-computed OCSP response prior to the transaction being initiated. The first party may cache the artificially pre-computed OCSP response for future transactions.
Abstract:
Issuing and disseminating data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user. The credential may be stored in a second card different from the first card, and the first door may rely on information about the authenticated data by retrieving such information from storage. The authenticated data may be first stored in at least one other card different from the first card and the authenticated data may be transferred from the at least one other card to the first card. The authenticated data may be transferred from the at least one other card to the first card by first being transferred to at least one other door different from the first door.