-
11.发明授权Secure cryptographic operations using control vectors generated inside a cryptographic facility 失效使用在加密设施内生成的控制向量来保护加密操作
公开(公告)号:US5432849A
公开(公告)日:1995-07-11
申请号:US103953
申请日:1993-08-10
CPC分类号: G06F12/1408
摘要: The invention described herein suggests methods of cryptographic key management based on control vectors in which the control vectors are generated or derived internal to a cryptographic facility implementing a set of cryptographic operations. The methods of alternate control vector enforcement described in the present application provide a high-integrity facility to ensure that cryptographic keys are used in a manner consistent with the type and usage attributes assigned to the keys by the originator of those keys. Since the control vectors are generated or derived internal to the cryptographic facility on the basis of data contained in each cryptographic service request to the cryptographic facility, control vectors need not be stored or managed outside the cryptographic facility.
摘要翻译: 本文所述的发明提出了基于控制向量的加密密钥管理方法,其中控制向量在实现一组密码操作的密码设施内部生成或导出。 在本申请中描述的替代控制向量实现的方法提供了高完整性设施,以确保以与这些密钥的发起者分配给密钥的类型和使用属性一致的方式使用加密密钥。 由于根据密码设备的每个密码服务请求中包含的数据,在密码设备的内部生成或导出控制向量,因此控制向量不需要在密码设备之外进行存储或管理。
-
12.发明授权Method to establish and enforce a network cryptographic security policy in a public key cryptosystem 失效在公共密钥密码系统中建立和实施网络加密安全策略的方法
公开(公告)号:US5164988A
公开(公告)日:1992-11-17
申请号:US786227
申请日:1991-10-31
申请人: Stephen M. Matyas , Donald B. Johnson , An V. Le , Rostislaw Prymak , William C. Martin , William S. Rohland , John D. Wilkins
发明人: Stephen M. Matyas , Donald B. Johnson , An V. Le , Rostislaw Prymak , William C. Martin , William S. Rohland , John D. Wilkins
CPC分类号: G06F21/79 , H04L9/083 , H04L9/088 , H04L9/321 , H04L9/3263 , G06F2211/008 , G06F2221/2101 , G06F2221/2107 , G06F2221/2115 , H04L2209/12
摘要: Device A in a public key cryptographic network will be constrained to continue to faithfully practice a security policy dictated by a network certification center, long after device A's public key PUMa has been certified. If device A alters its operations from the limits encoded in its configuration vector, for example by loading a new configuration vector, device A will be denied participation in the network. To accomplish this enforcement of the network security policy dictated by the certification center, it is necessary for the certification center to verify at the time device A requests certification of its public key PUMa, that device A is configured with the currently authorized configuration vector. Device A is required to transmit to the certification center a copy of device A's current configuration vector, in an audit record. the certification center then compares device A's copy of the configuration vector with the authorized configuration vector for device A stored at the certification center. If the comparison is satisfactory, then the certification center will issue the requested certificate and will produce a digital signiture dSigPRC on a representation of device A's public key PUMa, using the certification center's private certification key PRC. Thereafter, if device A attempts to change its configuration vector, device A's privacy key PRMa corresponding to the certified public key PUMa, will automatically become unavailable for use in communicating in the network.
-
13.发明授权
公开(公告)号:US5103478A
公开(公告)日:1992-04-07
申请号:US596637
申请日:1990-10-12
申请人: Stephen M. Matyas , Dennis G. Abraham , Donald B. Johnson , Ramesh K. Karne , An V. Le , Patrick J. McCormack , Rostislaw Prymak , John D. Wilkins
发明人: Stephen M. Matyas , Dennis G. Abraham , Donald B. Johnson , Ramesh K. Karne , An V. Le , Patrick J. McCormack , Rostislaw Prymak , John D. Wilkins
CPC分类号: G07B17/00733 , H04L9/088 , G07B2017/00967 , H04L2209/12
摘要: A requested cryptographic function is validated for performance in conjunction with a cryptographic key, by inputting a first portion of an associated control vector into a first control vector checker, which outputs a first authorization signal if the requested cryptographic function has been authorized by the originator of the key. A second portion of the control vector is input to a second control vector checker, which outputs a second authorization signal if the requested cryptographic function has been authorized by the originator of the key. Both the first and the second authorization signals are applied to a cryptographic processor which initiates the execution of the requested cryptographic function.
摘要翻译: 通过将相关联的控制向量的第一部分输入到第一控制向量检验器中,所请求的加密函数被验证用于与加密密钥相关的性能,如果所请求的密码功能已被发起者授权,则输出第一授权信号 钥匙。 控制向量的第二部分被输入到第二控制向量检验器,如果请求的密码函数已被密钥的发起者授权,则输出第二授权信号。 第一和第二授权信号都被应用于启动所请求的密码功能的执行的密码处理器。
-
公开(公告)号:US4941176A
公开(公告)日:1990-07-10
申请号:US231114
申请日:1988-08-11
申请人: Stephen M. Matyas , Dennis G. Abraham , Donald B. Johnson , Ramesh K. Karne , An V. Le , Rostislaw Prymak , Julian Thomas , John D. Wilkins , Phil C. Yeh
发明人: Stephen M. Matyas , Dennis G. Abraham , Donald B. Johnson , Ramesh K. Karne , An V. Le , Rostislaw Prymak , Julian Thomas , John D. Wilkins , Phil C. Yeh
CPC分类号: G06F9/30076 , G06F9/30007 , G06F9/30018 , H04L9/0827 , H04L9/088 , H04L2209/12 , H04L2209/38
摘要: The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorizes the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorization output connected to an input of the cryptographic processing means, for signalling that the key management function is authorized, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.
摘要翻译: 本发明是用于验证由程序所请求的加密密钥的密钥管理功能已被密钥的发起者授权的装置和方法。 本发明包括一个加密设施,其特征在于一个安全边界,通过该边界通过用于接收加密服务请求的输入路径,加密密钥及其相关控制向量,以及用于提供响应的输出路径。 可以在边界内包括耦合到输入路径的加密指令存储器,耦合到指令存储器的控制向量检查单元和密码处理单元,以及耦合到处理装置的主密钥存储器,用于提供用于 响应于所接收的服务请求执行密钥管理功能。 加密指令存储器通过输入路径接收用于对加密密钥执行密钥管理功能的密码服务请求。 控制向量检查单元具有耦合到输入路径的输入,用于接收与密码密钥相关联的控制向量和连接到密码指令存储器的输入,用于接收控制信号以启动检查控制向量授权密钥管理功能, 被加密服务请求请求。 控制向量检查单元具有连接到密码处理装置的输入的授权输出,用于发信号通知密钥管理功能被授权,密码处理单元接收密钥管理功能的密码管理功能的密码 键。 本发明能够灵活地控制密码密钥的生成,分发和使用中的许多加密密钥管理功能,同时保持高安全性的标准。
-
公开(公告)号:US4924515A
公开(公告)日:1990-05-08
申请号:US398299
申请日:1989-08-24
申请人: Stephen M. Matyas , Dennis G. Abraham , William C. Arnold , Donald B. Johnson , Ramesh K. Karne , An V. Le , Rostislaw Prymak , Steve R. White , John D. Wilkins
发明人: Stephen M. Matyas , Dennis G. Abraham , William C. Arnold , Donald B. Johnson , Ramesh K. Karne , An V. Le , Rostislaw Prymak , Steve R. White , John D. Wilkins
IPC分类号: H04L9/08
CPC分类号: H04L9/088 , H04L9/0643 , H04L2209/12
摘要: A method and apparatus are disclosed for use in a data processing system which executes a program which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform. The improved method and apparatus enable the use of control vectors having an arbitrary length. It includes a control vector register having an arbitrary length, for storing a control vector of arbitrary length associated with an N-bit cryptographic key. It further includes a control vector checking means having an input coupled to the control vector register, for checking that the control vector authorizes the cryptographic function which is requested by the cryptographic service request. It further includes a hash function generator having an input coupled to the control vector register and an N-bit output, for mapping the control vector output from the control vector register, into an N-bit hash value. A key register is included for storing the N-bit cryptographic key. It further includes a logic block having a first input coupled to the N-bit output of the hash function generator, and a second input connected to the key register, for forming at the output thereof a product of the N-bit key and the N-bit hash value. Finally, an encryption device is included having a first input for receiving a cleartext data stream and a key input coupled to the output of the logic block, for forming a ciphertext data stream at the output thereof from the cleartext data stream and the product. A decryption device can be substituted for the encryption device to perform decryption operations in a similar manner.
摘要翻译: 公开了一种在数据处理系统中使用的方法和装置,该数据处理系统执行一个程序,该程序输出密码服务请求,该密码服务请求与密码密钥相关联,该控制向量定义每个密钥由其发起者允许执行的功能。 改进的方法和装置使得能够使用具有任意长度的控制向量。 它包括具有任意长度的控制向量寄存器,用于存储与N位加密密钥相关联的任意长度的控制向量。 它还包括控制向量检查装置,其具有耦合到控制向量寄存器的输入,用于检查控制向量授权由密码服务请求请求的加密功能。 它还包括具有耦合到控制向量寄存器的输入和用于将从控制向量寄存器输出的控制矢量映射到N位散列值的N位输出的散列函数发生器。 包含密钥寄存器用于存储N位加密密钥。 它还包括具有耦合到散列函数发生器的N位输出的第一输入和连接到键寄存器的第二输入的逻辑块,用于在其输出处形成N位键和N的乘积 位散列值。 最后,包括具有用于接收明文数据流的第一输入和耦合到逻辑块的输出的键输入的加密装置,用于在明文数据流和产品的输出处形成密文数据流。 解密装置可以代替加密装置以类似的方式执行解密操作。
-
公开(公告)号:US4924514A
公开(公告)日:1990-05-08
申请号:US398300
申请日:1989-08-24
申请人: Stephen M. Matyas , Dennis G. Abraham , Donald B. Johnson , Ramesh K. Karne , An V. Le , Rostislaw Prymak , Julian Thomas , John D. Wilkins , Phil C. Yeh , Ronald M. Smith
发明人: Stephen M. Matyas , Dennis G. Abraham , Donald B. Johnson , Ramesh K. Karne , An V. Le , Rostislaw Prymak , Julian Thomas , John D. Wilkins , Phil C. Yeh , Ronald M. Smith
CPC分类号: G06F9/30018 , G06F9/30007 , G06Q20/3829 , G06Q20/4012 , G07F7/1016 , H04L9/0822 , H04L9/088 , H04L9/0894 , H04L9/3226 , H04L9/3271 , H04L2209/56
摘要: Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys.Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification). The control vector may contain information identifying and, possibly restricting, PIN processing to a particular PIN format or particular processing algorithm.The control vector implementation provides a flexible method for coupling format, usage, and processing authorization to keys. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Furthermore, a method is provided for the security administrator to restrict certain PIN format translations.
摘要翻译: 通过将控制向量与PIN生成(验证)密钥和PIN加密密钥相关联来实现密码PIN处理,该密码提供对使用密钥发起者所期望的密钥的授权。 发起者可以是本地加密设施(CF)和在安全管理员的控制下的实用程序,或者发起者可以是使用上述参考的未决专利申请中描述的密钥管理方法的另一个网络节点来分发所述密钥 。 由控制向量指定的用途之一是对使用相关密钥与某些PIN处理指令(例如PIN生成,验证,翻译和PIN块创建)的权限的限制。 此外,控制向量可以限制某些指令的权限来处理明确的PIN输入(例如在PIN验证中)。 控制向量可以包含识别并且可能限制对特定PIN格式或特定处理算法的PIN处理的信息。 控制向量实现提供了一种用于将格式,使用和处理权限耦合到密钥的灵活方法。 系统管理员可以通过根据本发明选择适当的控制向量来灵活地改变其安全策略的实现。 此外,提供了一种用于安全管理员限制某些PIN格式转换的方法。
-
公开(公告)号:US5323464A
公开(公告)日:1994-06-21
申请号:US962951
申请日:1992-10-16
申请人: Robert C. Elander , Christopher J. Holloway , Donald B. Johnson , Michael J. Kelly , An V. Le , Paul G. Lubold , Stephen M. Matyas , James D. Randall
发明人: Robert C. Elander , Christopher J. Holloway , Donald B. Johnson , Michael J. Kelly , An V. Le , Paul G. Lubold , Stephen M. Matyas , James D. Randall
CPC分类号: H04L9/0625 , H04L9/088 , H04L2209/04 , H04L2209/56
摘要: A method and system are disclosed for the implementation of a weakened privacy channel. This is achieved through use of a weakened symmetric cryptographic algorithm called commercial data masking. The masked text is created from clear text at one system and may to transported electronically to another system where the masked text may be unmasked to produce the clear text. The reason to use the commercial data masking algorithm for data privacy is that it is exportable to organizations to which products which contain the Data Encryption Algorithm when used for data privacy are not exportable. In addition, a method and system is disclosed by which the key when used for commercial data masking may be transformed into a key that may be used with the Data Encryption Algorithm.
摘要翻译: 公开了一种用于实现弱化的隐私信道的方法和系统。 这通过使用称为商业数据掩蔽的弱化对称密码算法来实现。 掩蔽的文本是在一个系统中以明文形式创建的,并且可以以电子方式传输到另一个系统,其中屏蔽的文本可能被隐藏以产生明文。 使用商业数据隐藏算法进行数据隐私的原因是可以导出到组织,当用于数据隐私时,包含数据加密算法的产品不可导出。 此外,公开了一种方法和系统,通过该方法和系统,当用于商业数据屏蔽时,密钥可以被转换成可以与数据加密算法一起使用的密钥。
-
公开(公告)号:US5301231A
公开(公告)日:1994-04-05
申请号:US834634
申请日:1992-02-12
申请人: Dennis G. Abraham , Daniela Henningsmeyer , John M. Hudson , Donald B. Johnson , An V. Le , Stephen M. Matyas , James V. Stevens
发明人: Dennis G. Abraham , Daniela Henningsmeyer , John M. Hudson , Donald B. Johnson , An V. Le , Stephen M. Matyas , James V. Stevens
CPC分类号: G06F9/30003 , G06F21/72 , G06F2207/7219
摘要: In a cryptographic module, a User Defined Function (UDF) facility is provided which provides users with the capability of defining and creating custom functions to meet their cryptographic processing needs. The cryptographic module is contained within a physically and logically secure environment and comprises a processing unit and memory connected to the processing unit. The memory includes code for translating User Defined Functions (UDFs) into a machine-readable form and at least one command for operating on the UDFs. The UDFs are loaded into and executed in the secure area of the cryptographic module without compromising the total security of the transaction security system.
摘要翻译: 在加密模块中,提供了一种用户定义功能(UDF)功能,可为用户提供定义和创建自定义功能以满足其加密处理需求的功能。 加密模块包含在物理和逻辑上安全的环境中,并且包括连接到处理单元的处理单元和存储器。 内存包括用于将用户定义函数(UDF)转换为机器可读形式的代码和至少一个用于在UDF上运行的命令。 UDF被加载到密码模块的安全区域并在其中执行,而不会影响交易安全系统的总体安全性。
-
-
-
-
-
-
-
搜索结果
18 条记录 (耗时 0.048 秒)
