公开(公告)号：US5265164A

公开(公告)日：1993-11-23

申请号：US786237

申请日：1991-10-31

申请人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  William C. Martin ,  William S. Rohland ,  John D. Wilkins

发明人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  William C. Martin ,  William S. Rohland ,  John D. Wilkins

IPC分类号： G09C1/00 ,  G06F9/30 ,  H04L9/00 ,  H04L9/08 ,  H04K1/00

CPC分类号： G06F9/30003 ,  G06F9/30043 ,  H04L9/088 ,  H04L9/3247 ,  H04L9/3263

摘要： A computer apparatus, program and method function in a data processing system to replicate a cryptographic facility. The system includes a first cryptographic facility containing a portable part which personalizes the first cryptographic facility. The system also includes a second cryptographic facility which is linked to the first cryptographic facility by a public key cryptographic system. The portable part of the first cryptographic facility is encrypted and transferred to the second cryptographic facility, where it is decrypted and used to personalize the second cryptographic facility to enable replication of the first cryptographic facility. In one application, personalization of the second cryptographic facility can be in response to the detection of a failure in the first cryptographic facility. In another application, multiple cryptographic facilities can be brought on-line for parallel operation in the data processing system.

公开(公告)号：US5142578A

公开(公告)日：1992-08-25

申请号：US748407

申请日：1991-08-22

申请人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  John D. Wilkins ,  William C. Martin ,  William S. Rohland

发明人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  John D. Wilkins ,  William C. Martin ,  William S. Rohland

IPC分类号： G06F21/20 ,  G06F9/30 ,  G09C1/00 ,  H04L9/08

CPC分类号： G06F9/30003 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/14

摘要： The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record. Thus the type and usage attributes assigned by the originator of the key-encrypting key in the form of a control vector are cryptographically coupled to the key-encrypting key such that the recipient may only use the received key-encrypting key in a manner defined by the key originator.The patent further describes a method and apparatus to improve the integrity of the key distribution process by applying a digital signature to the key record and by including identifying information (i.e., an originator identifier) in the control information of the key record. The integrity of the distribution process is enhanced by verifying the digital signature and originator identifier at the recipient node.

公开(公告)号：US5164988A

公开(公告)日：1992-11-17

申请号：US786227

申请日：1991-10-31

申请人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  William C. Martin ,  William S. Rohland ,  John D. Wilkins

发明人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  William C. Martin ,  William S. Rohland ,  John D. Wilkins

IPC分类号： G09C1/00 ,  G06F1/00 ,  G06F21/00 ,  H04L9/08 ,  H04L9/32

CPC分类号： G06F21/79 ,  H04L9/083 ,  H04L9/088 ,  H04L9/321 ,  H04L9/3263 ,  G06F2211/008 ,  G06F2221/2101 ,  G06F2221/2107 ,  G06F2221/2115 ,  H04L2209/12

摘要： Device A in a public key cryptographic network will be constrained to continue to faithfully practice a security policy dictated by a network certification center, long after device A's public key PUMa has been certified. If device A alters its operations from the limits encoded in its configuration vector, for example by loading a new configuration vector, device A will be denied participation in the network. To accomplish this enforcement of the network security policy dictated by the certification center, it is necessary for the certification center to verify at the time device A requests certification of its public key PUMa, that device A is configured with the currently authorized configuration vector. Device A is required to transmit to the certification center a copy of device A's current configuration vector, in an audit record. the certification center then compares device A's copy of the configuration vector with the authorized configuration vector for device A stored at the certification center. If the comparison is satisfactory, then the certification center will issue the requested certificate and will produce a digital signiture dSigPRC on a representation of device A's public key PUMa, using the certification center's private certification key PRC. Thereafter, if device A attempts to change its configuration vector, device A's privacy key PRMa corresponding to the certified public key PUMa, will automatically become unavailable for use in communicating in the network.

公开(公告)号：US5048085A

公开(公告)日：1991-09-10

申请号：US418068

申请日：1989-10-06

申请人： Dennis G. Abraham ,  Steven G. Aden ,  Todd W. Arnold ,  Steven W. Neckyfarow ,  William S. Rohland

发明人： Dennis G. Abraham ,  Steven G. Aden ,  Todd W. Arnold ,  Steven W. Neckyfarow ,  William S. Rohland

IPC分类号： G06K19/073 ,  G06F12/12 ,  G06F21/00 ,  G06K17/00 ,  G07F7/10 ,  G11C5/00 ,  H04L9/32 ,  H04L29/06

CPC分类号： H04L63/04 ,  G06F12/121 ,  G06F21/34 ,  G06Q20/341 ,  G06Q20/367 ,  G06Q20/40975 ,  G07F7/1008 ,  H04L63/102 ,  H04L63/105 ,  H04L9/3226 ,  H04L9/3247 ,  H04L2209/56 ,  H04L2209/60

摘要： An improved security system is disclosed which uses an IC card to enchance the security functions involving component authentication, user verification, user authorization and access control, protection of message secrecy and integrity, management of cryptographic keys, and auditablity. Both the security method and the apparatus for embodying these functions across a total system or network using a common cryptographic architecture are disclosed. Authorization to perform there functions in the various security component device nodes in the network can be distributed to the various nodes at which they will be executed in order to personalize the use of the components.

公开(公告)号：US5200999A

公开(公告)日：1993-04-06

申请号：US766260

申请日：1991-09-27

申请人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  William C. Martin ,  William S. Rohland ,  John D. Wilkins

发明人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  Rostislaw Prymak ,  William C. Martin ,  William S. Rohland ,  John D. Wilkins

IPC分类号： G09C1/00 ,  G06F9/30 ,  H04L9/08

CPC分类号： H04L9/0844 ,  G06F9/30007 ,  G06F9/30018 ,  H04L9/088 ,  H04L2209/12 ,  H04L2209/38

摘要： A data processing system, method and program are disclosed, for managing a public key cryptographic system. The method includes the steps of generating a first public key and a first private key as a first pair in the data processing system, for use with a first public key algorithm and further generating a second public key and a second private key as a second pair in the data processing system, for use with a second public key algorithm. The method then continues by assigning a private control vector for the first private key and the second private key in the data processing system, for defining permitted uses for the first and second private keys. Then the method continues by forming a private key record which includes the first private key and the second private key in the data processing system, and encrypting the private key record under a first master key expression which is a function of the private control vector. The method then forms a private key token which includes the private control vector and the private key record, and stores the private key token in the data processing system.At a later time, the method receives a first key use request in the data processing system, requiring the first public key algorithm. In response to this, the method continues by accessing the private key token in the data processing system and checking the private control vector to determine if the private key record contains a key having permitted uses which will satisfy the first request. The method then decrypts the private key record under the first master key expression in the data processing system and extracts the first private key from the private key record. The method selects the first public key algorithm in the data processing system for the first key use request and executes the first public key algorithm in the data processing system using the first private key to perform a cryptographic operation to satisfy the first key use request.

公开(公告)号：US5148481A

公开(公告)日：1992-09-15

申请号：US723875

申请日：1991-07-01

申请人： Dennis G. Abraham ,  Steven G. Aden ,  Todd W. Arnold ,  Steven W. Neckyfarow ,  William S. Rohland

发明人： Dennis G. Abraham ,  Steven G. Aden ,  Todd W. Arnold ,  Steven W. Neckyfarow ,  William S. Rohland

IPC分类号： G06F1/00 ,  G06F12/12 ,  G06F12/14 ,  G06F21/00 ,  G07F7/10 ,  H04L9/32 ,  H04L29/06

CPC分类号： H04L63/102 ,  G06F12/121 ,  G06F12/1408 ,  G06F21/34 ,  G06Q20/341 ,  G06Q20/40975 ,  G07F7/1008 ,  H04L63/0853 ,  H04L9/3271 ,  H04L2209/56

摘要： An improved security system is disclosed which uses an IC card to enhance the security functions involving component authentication, user verification, user authorization and access control, protection of message secrecy and integrity, management of cryptographic keys, and auditability. Both the security method and the apparatus for embodying these functions across a total system or network using a common cryptographic architecture are disclosed. Authorization to perform these functions in the various security component device nodes in the network can be distributed to the various nodes at which they will be executed in order to personalize the use of the components.

摘要翻译： 公开了一种改进的安全系统，其使用IC卡来增强涉及组件认证，用户验证，用户授权和访问控制，保护消息保密性和完整性，加密密钥管理和可审计性的安全功能。 公开了通过使用公共密码体系结构的整个系统或网络中实现这些功能的安全方法和装置。 在网络中的各种安全组件设备节点中执行这些功能的授权可以被分发到将要执行它们的各个节点，以个性化组件的使用。

公开(公告)号：US5073934A

公开(公告)日：1991-12-17

申请号：US602989

申请日：1990-10-24

申请人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  William C. Martin ,  Rostislaw Prymak ,  William S. Rohland ,  John D. Wilkins

发明人： Stephen M. Matyas ,  Donald B. Johnson ,  An V. Le ,  William C. Martin ,  Rostislaw Prymak ,  William S. Rohland ,  John D. Wilkins

IPC分类号： G09C1/00 ,  H04L9/08 ,  H04L9/10 ,  H04L9/30

CPC分类号： H04L9/088 ,  H04L2209/26 ,  H04L2209/38

摘要： A method and apparatus in a public crypto system, control the use of a public key, based on the level of import integrity for the public key. The method and apparatus generate a control vector associated with the public key, having a history field. The public key and the control vector are transmitted from the location of generation over a communications link to a receiving location, using the selected one of a plurality of levels of import integrity for the transmission. At the receiving location, the public key and the control vector are tested to determine the actual level of import integrity for the transmission. Then, a value is written into the history field of the control vector which characterizes the actual level of import integrity. Thereafter, cryptographic applications for the public key are limited by control vector checking, to only those applications which have a required level of integrity which is not greater than the actual level of import integrity characterized by the history field in the control vector.