-
公开(公告)号:US06782103B1
公开(公告)日:2004-08-24
申请号:US09696158
申请日:2000-10-25
IPC分类号: G06F1700
CPC分类号: H04L9/088 , H04L9/0891
摘要: Business data flows from one computer system (1) to another (2) and its integrity can be protected by cryptographic means, such as digital signatures. In particular, a source system (1) may use a private key (DSPR) to sign outgoing data, and a destination system (2) may use a public key (DSPU) to verify incoming data. For security purposes all keys should be changed at scheduled times calculated using factors including key lifetime (from which is calculated the key expiry time) and key delivery time. If a key is compromised it needs to be changed at other than the scheduled time, and in general this will result in calculation of a new scheduled key change time. If a DSPR key is delivered to the source system (1) encrypted by a key encryption key (KEK), then change to the KEK key will in general also be needed upon compromise of the DSPR key. A new key changetime calculation can be avoided if another public key/private key pair is pre-generated and the public key part pre-supplied to the destination system (2), where it is stored as a spare. When the existing private key (DSPR) is compromised, the new private key corresponding to the spare is supplied to the source system (1) and can be put into use immediately. In this case the expiry time of the spare public key will be substantially the same as that of the original public key, as it will deemed to have been in use as of delivery, and recalculation of the key changetime will not be required. Preferably a public key in use at the destination system (2) is not revoked immediately upon compromise of the corresponding private key, in order to enable messages signed by that private key to be verified at the destination system, using the corresponding public key, during a predetermined time interval (message latency) after signing. A maximum value for the message latency may be set and used as another factor in the scheduled key change time calculation.
-
2.发明授权公开(公告)号:US06832313B1
公开(公告)日:2004-12-14
申请号:US09585665
申请日:2000-06-01
IPC分类号: H04L912
CPC分类号: H04L63/0272
摘要: A system involving a central computer (2) and a remote computer (3), which can communicate over a link (1), is migrated from in-clear working to encrypted working automatically as the computers receive and install long term keys necessary for encrypted communication. When migration is required, the settings at both ends of the link need to be changed to “encrypt” simultaneously and, particularly, if there are numerous remote computers and the possibility of connection of a remote computer to different central computers, as is possible in virtual private network (VPN) scenarios, severe problems can ensue. Hence, as well as the normal two modes of working “in-clear” and “encrypt”, a third mode in which “initiate encryption” is set at one end of the link and “accept encryption” is set at the other end of the link is proposed. This third mode ensures that working in-clear can continue over a particular link, such as between a particular VPN server and a particular gateway PC, until a long term key required for encrypted working is installed at both ends of the link, but that once key installation is complete, only encrypted working is possible over that link.
摘要翻译: 包括中央计算机(2)和可通过链路(1)进行通信的远程计算机(3)的系统随着计算机接收和安装加密所需的长期密钥而从清除工作迁移到加密工作 通讯。 当需要迁移时,链路两端的设置需要同时更改为“加密”,特别是如果有许多远程计算机以及将远程计算机连接到不同的中央计算机的可能性,可能在 虚拟专网(VPN)场景下,可能会出现严重的问题。 因此,除了正常的两种工作模式的“清除”和“加密”之外,在链路的一端设置“启动加密”的第三模式,并且在另一端设置“接受加密” 提出了链接。 这种第三种模式可确保在特定的链路(例如特定的VPN服务器和特定的网关PC之间)之间继续工作,直到加密工作所需的长期密钥安装在链路的两端,但是一旦 密钥安装完成后,只能通过该链接进行加密工作。
-
搜索结果
2 条记录 (耗时 0.017 秒)
