公开(公告)号：US09230375B2

公开(公告)日：2016-01-05

申请号：US13399480

申请日：2012-02-17

Applicant: Silvio Micali ,  David Engberg ,  Phil Libin ,  Leo Reyzin ,  Alex Sinelnikov

Inventor： Silvio Micali ,  David Engberg ,  Phil Libin ,  Leo Reyzin ,  Alex Sinelnikov

IPC: G05B19/00 ,  G07C9/00

CPC classification number: G07C9/00031 ,  G07C9/00134

Abstract: A system and method are disclosed for controlling physical access through a digital certificate validation process that works with standard certificate formats and that enables a certifying authority (CA) to prove the validity status of each certificate C at any time interval (e.g., every day, hour, or minute) starting with C's issue date, D1. C's time granularity may be specified within the certificate itself, unless it is the same for all certificates. For example, all certificates may have a one-day granularity with each certificate expires 365 days after issuance. Given certain initial inputs provided by the CA, a one-way hash function is utilized to compute values of a specified byte size that are included on the digital certificate and to compute other values that are kept secret and used in the validation process.

Abstract translation: 公开了一种用于通过数字证书验证过程来控制物理访问的系统和方法，所述数字证书验证过程使用标准证书格式，并且使得认证机构（CA）可以在任何时间间隔（例如，每天， 小时或分钟），从C的发行日期开始，D1。 C的时间粒度可以在证书本身内指定，除非对所有证书是相同的。 例如，所有证书可能具有一天的粒度，每个证书在发布后365天到期。 给定由CA提供的某些初始输入，单向散列函数用于计算数字证书中包含的指定字节大小的值，并计算保密并在验证过程中使用的其他值。

公开(公告)号：US08707030B2

公开(公告)日：2014-04-22

申请号：US10993131

申请日：2004-11-19

Applicant: David Engberg

Inventor： David Engberg

IPC: H04L29/06

CPC classification number: H04L9/3268 ,  H04L9/3265

Abstract: Providing path validation information for a system includes determining paths between a subset of certificate of the system and at least one trust root, storing each of the paths in a table prior to a request for path validation information, and fetching the validation information stored in the table in response to a request for path validation information. Providing path validation information may also include digitally signing the validation information. Providing path validation information may also include applying constraints to the validation information and only providing validation information that is consistent with the constraints. Determining paths may include constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.

Abstract translation: 为系统提供路径验证信息包括确定系统的证书的子集与至少一个信任根之间的路径，在路径验证信息的请求之前将每个路径存储在表中，并且获取存储在路由验证信息中的验证信息 响应于路径验证信息的请求。 提供路径验证信息还可以包括对验证信息进行数字签名。 提供路径验证信息还可以包括对验证信息应用约束并且仅提供与约束一致的验证信息。 确定路径可以包括构建可信根的有向图和证书的子集，并执行图的深度优先非循环搜索。

公开(公告)号：US07353396B2

公开(公告)日：2008-04-01

申请号：US10409638

申请日：2003-04-08

Applicant: Silvio Micali ,  David Engberg ,  Phil Libin ,  Leo Reyzin ,  Alex Sinelnikov

Inventor： Silvio Micali ,  David Engberg ,  Phil Libin ,  Leo Reyzin ,  Alex Sinelnikov

IPC: H04L9/00

CPC classification number: G06Q20/02 ,  G06Q20/38215 ,  G06Q20/3827 ,  G06Q20/3829 ,  G07C9/00039 ,  G07C9/00087 ,  G07F7/1016 ,  H04L9/3218 ,  H04L9/3247 ,  H04L9/3268 ,  H04L2209/30 ,  H04L2209/38 ,  H04L2209/56 ,  H04L2209/80

Abstract: A system and method are disclosed for controlling physical access through a digital certificate validation process that works with standard certificate formats and that enables a certifying authority (CA) to prove the validity status of each certificate C at any time interval (e.g., every day, hour, or minute) starting with C's issue date, D1. C's time granularity may be specified within the certificate itself, unless it is the same for all certificates. For example, all certificates may have a one-day granularity with each certificate expires 365 days after issuance. Given certain initial inputs provided by the CA, a one-way hash function is utilized to compute values of a specified byte size that are included on the digital certificate and to compute other values that are kept secret and used in the validation process.

Abstract translation: 公开了一种用于通过数字证书验证过程来控制物理访问的系统和方法，所述数字证书验证过程使用标准证书格式，并且使得认证机构（CA）可以在任何时间间隔（例如，每天， 小时或分钟），从C的发行日期D <1> 开始。 C的时间粒度可以在证书本身内指定，除非对所有证书是相同的。 例如，所有证书可能具有一天的粒度，每个证书在发布后365天到期。 给定由CA提供的某些初始输入，单向散列函数用于计算数字证书中包含的指定字节大小的值，并计算保密并在验证过程中使用的其他值。

公开(公告)号：US20080016370A1

公开(公告)日：2008-01-17

申请号：US11804798

申请日：2007-05-21

Applicant: Phil Libin ,  David Engberg

Inventor： Phil Libin ,  David Engberg

IPC: H04L9/32 ,  H04L9/28

CPC classification number: H04L9/3234 ,  G06Q20/367 ,  G06Q20/3672 ,  G06Q20/3674 ,  G06Q20/382 ,  H04L9/0866 ,  H04L9/3226 ,  H04L2209/80 ,  H04W12/08

Abstract: A cost-effective system that provides for the efficient protection of transmitted non-public attribute information may be used, for example, to control access to a secure area. Encryption of the attribute information may be performed using symmetric encryption techniques, such as XOR and/or stream cipher encryption. A centralized database that stores and transmits the encrypted attribute information may generate the encryption/decryption key based on selected information bytes, for example, as taken from a card inserted into a handheld device used at the secure area. The selected information to generate the encryption key stream may be varied on a periodic basis by the centralized database. Information as to which selected bytes are to be used for a particular access authorization request may be transmitted to the handheld unit or may be input through action of a user of the handheld unit, for example by entry of a PIN code.

Abstract translation: 可以使用提供有效保护所传送的非公开属性信息的具有成本效益的系统，例如来控制对安全区域的访问。 可以使用诸如XOR和/或流密码加密之类的对称加密技术来执行属性信息的加密。 存储和发送加密的属性信息的集中式数据库可以基于所选择的信息字节生成加密/解密密钥，例如从插入到安全区域使用的手持设备的卡中取出。 用于生成加密密钥流的所选择的信息可以由集中式数据库周期性地改变。 用于特定访问授权请求的哪些选定字节的信息可以被发送到手持式单元，或者可以通过手持式单元的用户的动作来输入，例如通过输入PIN码。

公开(公告)号：US20050154918A1

公开(公告)日：2005-07-14

申请号：US10993131

申请日：2004-11-19

Applicant: David Engberg

Inventor： David Engberg

IPC: G06F20060101 ,  G06F11/30 ,  H04L9/32

CPC classification number: H04L9/3268 ,  H04L9/3265

Abstract: Providing path validation information for a system includes determining paths between a subset of certificate of the system and at least one trust root, storing each of the paths in a table prior to a request for path validation information, and fetching the validation information stored in the table in response to a request for path validation information. Providing path validation information may also include digitally signing the validation information. Providing path validation information may also include applying constraints to the validation information and only providing validation information that is consistent with the constraints. Determining paths may include constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.

Abstract translation: 为系统提供路径验证信息包括确定系统的证书的子集与至少一个信任根之间的路径，在路径验证信息的请求之前将每个路径存储在表中，并且获取存储在路由验证信息中的验证信息 响应路径验证信息的请求。 提供路径验证信息还可以包括对验证信息进行数字签名。 提供路径验证信息还可以包括对验证信息应用约束并且仅提供与约束一致的验证信息。 确定路径可以包括构建可信根的有向图和证书的子集，并执行图的深度优先非循环搜索。

公开(公告)号：US20050154878A1

公开(公告)日：2005-07-14

申请号：US11036220

申请日：2005-01-10

Applicant: David Engberg ,  Phil Libin ,  Silvio Micali

Inventor： David Engberg ,  Phil Libin ,  Silvio Micali

IPC: H04L9/00 ,  H04L9/32

CPC classification number: H04L9/3268 ,  H04L63/0823 ,  H04L2209/56

Abstract: Providing information about digital certificate validity includes ascertaining digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificate of the plurality of digital certificates, where at least one of the messages indicates validity status of more than one digital certificate and digitally signing the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. Generating and digitally signing may occur prior to any OCSP queries that are answered by any of the OCSP format responses. Ascertaining digital certificate validity status may include obtaining authenticated information about digital certificates.

Abstract translation: 提供关于数字证书有效性的信息包括确定一组数字证书中的多个数字证书中的每一个的数字证书有效性状态，生成关于数字集合的至少一个子集的有效状态的多个人为预先计算的消息 多个数字证书的证书，其中至少一个消息指示多于一个数字证书的有效性状态，并对人为预先计算的消息进行数字签名，以提供响应于集合中的特定数字证书的OCSP查询的OCSP格式响应 数字证书，其中至少一个数字签名与多于一个数字证书的OCSP格式响应结合使用。 生成和数字签名可能发生在任何OCSP格式响应应答的任何OCSP查询之前。 确定数字证书的有效性状态可能包括获取关于数字证书的认证信息。

公开(公告)号：US20050055567A1

公开(公告)日：2005-03-10

申请号：US10893126

申请日：2004-07-16

Applicant: Phil Libin ,  Silvio Micali ,  David Engberg

Inventor： Phil Libin ,  Silvio Micali ,  David Engberg

IPC: H04L9/32

CPC classification number: G07C9/00103 ,  G07C9/00007

Abstract: Controlling access includes providing a barrier to access that includes a controller that selectively allows access, at least one administration entity generating credentials/proofs, wherein no valid proofs are determinable given only the credentials and values for expired proofs, the controller receiving the credentials/proofs, the controller determining if access is presently authorized, and, if access is presently authorized, the controller allowing access. The credentials/proofs may be in one part or may be in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate proofs. The first administration entity may also generate proofs or the first administration entity may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.

Abstract translation: 控制访问包括提供访问障碍，其包括选择性地允许访问的控制器，至少一个生成凭证/证明的管理实体，其中没有有效证明是可被确定的，只给出期限证明的凭证和值，控制器接收证书/证明 ，控制器确定当前是否授权访问，并且如果当前授权访问，则控制器允许访问。 凭证/证明可以在一个部分或可以在不同的部分。 可能有一个第一个管理实体生成凭证和生成证明的其他管理实体。 第一管理实体也可以生成证明，或者第一管理实体可能不生成证明。 证书可以对应于数字证书，其包括作为将单向函数应用于第一个证明的结果的最终值。

公开(公告)号：US20050044402A1

公开(公告)日：2005-02-24

申请号：US10893174

申请日：2004-07-16

Applicant: Phil Libin ,  Silvio Micali ,  David Engberg

Inventor： Phil Libin ,  Silvio Micali ,  David Engberg

IPC: H04L9/00

CPC classification number: G05B1/00 ,  G07C9/00039 ,  G07C9/00103 ,  G07C9/00158 ,  H04L63/08 ,  H04L63/102 ,  H04L63/1416 ,  H04W4/021

Abstract: Logging events associated with accessing an area includes recording an event associated with accessing the area to provide an event recording and authenticating at least the event recording to provide an authenticated recording. Recording an event may include recording a time of the event. Recording an event may include recording a type of event. The event may be an attempt to access the area. Recording an event may include recording credentials/proofs used in connection with the attempt to access the area. Recording an event may include recording a result of the attempt. Recording an event may include recording the existence of data other than the credentials/proofs indicating that access should be denied. Recording an event may include recording additional data related to the area. Authenticating the recording may include digitally signing the recording. Authenticating at least the event recording may include authenticating the event recording and authenticating other event recordings to provide a single authenticated recording.

Abstract translation: 与访问区域相关联的记录事件包括记录与访问该区域相关联的事件以提供事件记录和至少认证事件记录以提供经认证的记录。 记录事件可能包括记录事件的时间。 记录事件可能包括记录一种事件。 该事件可能是访问该地区的尝试。 记录事件可能包括与访问该区域的尝试相关联的记录凭证/证明。 记录事件可能包括记录尝试的结果。 记录事件可以包括记录除了表示应该拒绝访问的凭据/证明之外的数据的存在。 记录事件可能包括记录与该区域相关的附加数据。 记录录制可能包括对录音进行数字签名。 至少验证事件记录可以包括认证事件记录和认证其他事件记录以提供单一的认证记录。