+

WO2002011357A2 - Procede et dispositif de gestion de cle de chiffrement a l'aide d'une interface de programmation url - Google Patents

Procede et dispositif de gestion de cle de chiffrement a l'aide d'une interface de programmation url Download PDF

Info

Publication number
WO2002011357A2
WO2002011357A2 PCT/US2001/021428 US0121428W WO0211357A2 WO 2002011357 A2 WO2002011357 A2 WO 2002011357A2 US 0121428 W US0121428 W US 0121428W WO 0211357 A2 WO0211357 A2 WO 0211357A2
Authority
WO
WIPO (PCT)
Prior art keywords
cryptographic
data
computer
cryptographic data
program product
Prior art date
Application number
PCT/US2001/021428
Other languages
English (en)
Other versions
WO2002011357A3 (fr
Inventor
Stephen Uhler
Rinaldo Digiorgio
Original Assignee
Sun Microsystems, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Microsystems, Inc. filed Critical Sun Microsystems, Inc.
Priority to AU2001280488A priority Critical patent/AU2001280488A1/en
Publication of WO2002011357A2 publication Critical patent/WO2002011357A2/fr
Publication of WO2002011357A3 publication Critical patent/WO2002011357A3/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • This invention relates to the field of computer systems, and, more specifically, managing cryptographic keys using URL (Uniform Resource Locator) programming interface (UPI).
  • URL Uniform Resource Locator
  • Sun, Sun Microsystems, the Sun logo, JavaTM and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARCTM trademarks are used under license and are trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARCTM trademarks are based upon an architecture developed by Sun Microsystems, Inc.
  • Access devices for example, personal computers, hand-held computers, laptop computers, wireless Web devices and networked office systems, will often use different cryptographic schemes to identify a user to the network.
  • a user of digital signatures must maintain one or more sets of digital certificates from a digital certificate authority that authenticates the user's digital signature.
  • Data such as cryptographic keys, trusted certificates and a database of digital certificates stored in one physical location will be referred to herein as cryptographic data, or as a data vault.
  • a data vault resides on one or more portable storage mediums and contains distinct elements of cryptographic data. Each cryptographic element of the data vault is stored separately and is individually addressable.
  • IADs Internet Aware Devices
  • a workable solution must provide strong authentication, offer optional encryption of the established session, and operate without requiring special permission to reconfigure firewalls. Additionally, the solution should not make use of large applets that only work on corporate LANs, as some users may access the system from low-speed modem and wireless connections.
  • Web based applications need easy access to devices that require a secure interface, as discussed above.
  • current technology requires Web applications to utilize Web browsers to provide a secure interface for communication between a user and a Web-based device.
  • PKCS RSA Labs' Public Key Cryptographic Standard
  • CSP Microsoft's Cryptographic Service Provider.
  • Web browsers are responsible for generating and storing keys, using the various security modules available to them. Therefore, to use multiple browsers, for example Netscape and Internet Explorer, users discover they must keep multiple cryptographic keys. When users keep keys at home, at work, and on portable devices key management becomes burdensome and security decreases. Furthermore, keys kept on networked hard disks are subject to various forms of hacker attacks.
  • the present technology faces many disadvantages, including:
  • each cryptographic scheme has a unique interface leading to a lack of portability. Having duplicate policies for certificates in multiple applications complicates the task and decreases the security — thereby providing multiple points of entry that could lead to the private key is that certificates contained.
  • Computers and computer networks are used to exchange information in many fields such as media, commerce, and telecommunications, for example.
  • the exchange of information between computers typically occurs between a "server application” that provides information or services, and a "client application” or device that receives the provided information and services.
  • Multiple server applications are sometimes available on a "system server” such as a single computer server that provides services for multiple clients.
  • system server such as a single computer server that provides services for multiple clients.
  • distributed server systems allow a single client to obtain services from applications residing on multiple servers.
  • client applications are able to communicate with server applications executing on the same computer system or on another computer system accessible via a network, for instance via the Internet.
  • the Internet is a worldwide network of interconnected computers.
  • An Internet client computer accesses a computer on the network via an Internet provider.
  • An Internet provider is an organization that provides a client (computer) with access to the Internet (via analog telephone line or Integrated Services Digital Network line, for example).
  • a client can, for example, read information from, download a file from, or send an electronic mail message to another computer /client using the Internet.
  • a client To retrieve a file or service on the Internet, a client must typically search for the file or service, make a connection to the computer on which the file or service is stored, and download the file or access the service. Each of these steps may involve a separate application and access to multiple, dissimilar computer systems (e.g., computer systems having operating different systems).
  • the World Wide Web (Web) was developed to provide a simpler, more uniform means for accessing information on the Internet.
  • the components of the Web include browser software, network links, servers, and Web protocols.
  • the browser software, or browser is a tool for displaying a user-friendly interface (i.e., front-end) that simplifies user access to content (information and services) on the Web. Browsers use standard Web protocols to access content on remote computers running Web server processes.
  • a browser allows a user to communicate a request to a Web server without having to use the more obscure addressing scheme of the underlying Internet.
  • a browser typically provides a graphical user interface (GUI) for displaying information and receiving input. Examples of browsers currently available include Netscape Navigator and Communicator, and Microsoft Internet Explorer.
  • GUI graphical user interface
  • the most common modern protocol is the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite.
  • the protocols are based on the OSI (Open Systems Interconnect) seven-layered network communication model. Web messages are primarily encoded using Hypertext Transport Protocol (HTTP).
  • HTTP instantiates the (top) Application layer of the OSI model. Application layer protocols facilitate remote access and resource sharing and are supported by the reliable communications ensured by the lower layers of the communications model. Therefore, HTTP simplifies remote access and resource sharing between clients and servers while providing reliable messaging on the Web.
  • Information servers maintain the information on the Web and are capable of processing client requests.
  • HTTP has communication methods that allow clients to request data from a server and send information to the server.
  • the client browser contacts the HTTP server and transmits the request to the HTTP server.
  • the request contains the communication method requested for the transaction (e.g., GET an object from the server or POST data to an object on the server).
  • the HTTP server responds to the client by sending a status of the request and the requested information. The connection is then terminated between the client and the HTTP server.
  • a client request therefore, consists of establishing a connection between the client and the HTTP server, performing the request, and terminating the connection.
  • the HTTP server typically does not retain any information about the request after the connection has been terminated. That is, a client can make several requests of an HTTP server, but each individual request is treated independent of any other request.
  • the Web employs an addressing scheme is that uniquely identifies Internet resources (e.g., HTTP server, file, or program) to clients and servers.
  • This addressing scheme is called the Uniform Resource Locator (URL).
  • a URL represents the Internet address of a resource on the Web.
  • the URL contains information about the protocol, Internet domain name and addressing port of the site on which the server is running. It also identifies the location of the resource in the file structure of the server.
  • HTTP provides a mechanism of associating a URL address with active text.
  • a browser generally displays active text as underlined and color-coded. When activated (by a mouse click, for example) the active text causes the browser to send a client request for a resource to the server indicated in the text's associated URL address.
  • This mechanism is called a hyperlink.
  • Hyperlinks provides the ability to create links within a document to move directly to other information.
  • a hyperlink can request information stored on the current server or information from a remote server.
  • the HTTP server locates the file and sends it to the client.
  • An HTTP server also has the ability to delegate work to gateway programs.
  • CGI Common Gateway Interface
  • a gateway program is referenced using a URL.
  • the HTTP server activates the program specified in the URL and uses CGI mechanisms to pass program data sent by the client to the gateway program.
  • Data is passed from the server to the gateway program via command-line arguments, standard input, or environment variables.
  • the gateway program processes the data and returns its response to the server using CGI (via standard output, for example).
  • the server forwards the data to the client using the HTTP.
  • HTML Hypertext Markup Language
  • a sever sends a Web page to a client in HTML format.
  • the browser program interprets the HTML and displays the Web page in a format based on the control tag information in the HTML.
  • Current network systems provide a way to transfer and display data.
  • a method and apparatus for managing cryptographic keys using URL (Uniform Resource Locator) programming interface (UPI) is described.
  • URL Uniform Resource Locator
  • a user of public key, symmetric, or other cryptographic scheme must maintain one or more keys, a list of trusted certificate authorities, and a database of certificates. This collection of distinct items is called a data vault. Current methods of storing such information are generally incompatible with each other.
  • Applications, including Web browsers, use different standards, algorithms, and formats to store and manage cryptographic keys.
  • the claimed invention provides a single data vault that is accessible by any HTTP-capable application.
  • the data vault may reside on any form of storage including a disk file, a directory, a Smart Card, a desktop computer, a handheld device, or other similar devices.
  • a data vault may also extend over numerous combinations of storage devices.
  • This architecture uses, in one embodiment of the invention, the JavaTM language to provide a technology that allows users to deploy the data vault interface as a very small protocol (HTTP) stack.
  • HTTP very small protocol
  • the protocol stack has a core of less than 100 KB.
  • the invention encompasses protocol stacks of both larger and smaller size.
  • a minimal stack may be installed on a variety of devices to permit secure Internet access to and from any HTTP-capable device.
  • Digital Certificates are generally issued by a Digital Certificate Authority (DC A). However, there is nothing to prevent the claimed invention from issuing its own digital certificates.
  • DC A Digital Certificate Authority
  • Single source management of cryptographic data makes connecting legacy architectures, home networks, corporate LANs, and Internet-aware devices (IADs) to Internet interface units (IIUs) manageable and secure.
  • IADs Internet-aware devices
  • IIUs Internet interface units
  • Figure 1 is a flow diagram of the overall process in one embodiment of the claimed invention.
  • FIG. 2 is a representation of the functions provided by the claimed invention.
  • Figure 3 represents a smart card reader, in one embodiment of the claimed invention.
  • Figure 4 is a representation of the current technology's approach using multiple key stores to generate digital signatures.
  • Figure 5 shows the method of one embodiment of the claimed invention for generating digital signatures.
  • Figure 6 shows, in one embodiment of the claimed invention, a session that creates a key pair and signs a data item using the claimed invention.
  • Figure 7 is a block diagram of one embodiment of a computer system capable of providing a suitable execution environment for an embodiment of the invention.
  • the invention is a method and apparatus for managing cryptographic keys using Uniform Resource Locator (URL) programming interface (UPI).
  • URL Uniform Resource Locator
  • UPI Uniform Resource Locator
  • the invention may be implemented in any environment that supports object or data access through references, and that provides information about private key URL programming interfaces. Additionally, while one embodiment of the present invention is described using Java CardTM technology, the invention encompasses the use of any device that provides portable storage of programmable data.
  • the URL programming interface effectively provides a set of URLs for a device that is available to any application capable of performing the HTTP (Hyper Text Transfer Protocol.) HTTP has become so universal that in college computer courses students are often given as an assignment the creation of an HTTP stack. This trend is due to the growing interest in connecting devices to the Internet. Sun Microsystems Laboratories has used the JavaTM language to develop a technology that allows users to deploy a very small HTTP stacks. However, the claimed invention can be practiced using any computer programming language and transmission protocol.
  • These small HTTP servers can be run on any embedded device or used as application servers that are similar to traditional Web servers. Such minimal servers provide an integrated presentation and service layer for a device. Because a Web server answers URL requests, universal access to devices from any Internet node is achieved. UPI provides an interface to allow applications, including Web applications, to access any device as if the device is a file resident on a Web server, if the device can perform the HTTP protocol.
  • the UPI architecture at its core, consists of a series of handlers that are similar to servlets, but have fewer features. These handlers are mapped to incoming URL requests. This allows the UPI function on very small devices, such as a TINI board.
  • the UPI supplies handlers for Web services such as file service and CGI script execution.
  • Application developers can develop handlers for Internet aware devices (IADs) simply by coding a few required methods, such as init and respond, along with code that understands the applicable device grammar.
  • IADs Internet aware devices
  • the claimed invention provides a solution for users required to maintain multiple data vaults for various applications and network access devices. All cryptographic data using the claimed invention may be stored on a single
  • PSID Portable Secure Identification Device
  • the PSID may be implemented using a Smart Card.
  • IADs Internet Aware Devices
  • PDA Personal Data Assistant
  • a Smart Card is a credit card-sized plastic card with an integrated circuit (IC) inside.
  • the IC contains a microprocessor and memory, which gives Smart Cards the ability to process, as well as store more information than was previously possible.
  • Java technology-based applications in the form of byte-codes, are loaded into the memory zone of the Smart Card's microprocessor where they are run by the Java Virtual Machine.
  • the executable code is platform independent so that any card incorporating a
  • Java CardTM interpreter can run the same application.
  • JavaTM technology-based applications can reside on a single card, each allocated to their own secure memory areas to ensure their integrity and eliminate program tampering, either by individuals or through program interference.
  • the claimed invention solves this problem by creating an architecture utilizes the latest versions of JavaTM and Java CardTM and that is independent of Microsoft and Netscape.
  • the architecture also supports non-JavaTM Smart Cards.
  • This architecture is built on the concept of UPIs that create small Web servers, which in turn are wrapped around physical or logical devices.
  • Java CardsTM in one embodiment of the invention, allow applications to easily and reliably verify the authority of a user to perform UPI operations.
  • UPI has the potential to make Web servers appeared to be equal in terms of authenticated access and services.
  • the core concept of UPI involves speaking to a Smart Card and card reader combined with an HTTP stack; in other words, the card reader and card answer to URLs to provide responses to queries as illustrated in Figure 1 and described above.
  • responses to a Web server request are Web pages, disk files, or data generated from programs.
  • data returned to the user comes from the data vault on a Smart Card in a Smart Card reader.
  • FIG. 1 illustrates a flow diagram of the overall process of one embodiment of the claimed invention.
  • a user on a Web accessible device invokes a Web browser, or other application capable of generating URL requests.
  • the user starts an application program that requires secure communication. For example, the user may wish to send an email message containing a digital signature by which to identify the sender.
  • This scenario will be used throughout this description as an example of the kind of transaction the claimed invention will facilitate.
  • the claimed invention may be practiced with any application that requires secure communication and /or authentication of the user over a network or other intercommunication fabric.
  • the user invokes a secure transaction, for example commanding the email message be sent "signed" with a digital signature.
  • the application program calls the interface in step 130 by issuing a URL to the invention's UPI to initiate a session with the key store that contains the user's cryptographic data.
  • the user's key store may be on any IAD that is accessible via UPI at the time the user makes the request for the data.
  • the application or the user selects the correct token (IAD and key store) and at step 150, a digital signature is produced.
  • the IAD is a Smart Card in a Smart Card reader equipped with the present invention's UPI.
  • the signed data is returned to the application for further processing.
  • Figure 2 represents the functions provided by one embodiment of the claimed invention.
  • Functions 200 and 205 provide the ability to login or logout a user with an established communication session, using the user's PIN (Personal Identification Number). A PIN is required in addition to access to the user's Smart Card to ensure that the user is authorized to access the card.
  • Functions 210 and 215 are session management functions. A session establishes communication with a particular token, in this example a Smart Card.
  • Functions 220 and 225 provide an application with a list of available tokens and their attributes. A token may be available or not available; for example, a Smart Card removed from a reader may be an unavailable token.
  • the claimed invention provides the application the ability to manage objects using functions 230, 235, and 240. Objects allow an application to access and manage information retrieved from or stored to a token.
  • Functions 245 and 250 control an object's attributes. Attributes are label value pairs of information retrieved from or stored to a token. Finally, functions 255 and 260 provide decrypt and sign functions for using digital signatures. A more detailed explanation of each of these functions in one embodiment of the invention follows.
  • PKCS#11 system used by Netscape are defined as follows.
  • the invention may be practiced with or without the following functions, which are provided herein only as an example of the claimed invention.
  • the invention may be practiced using PKCS, any version of PKCS, CSP, or any other cryptographic scheme.
  • getTokenList this function retrieves a list of tokenlds for all available tokens. A tokenld is assigned so that each token available to a given application at a given time has a unique tokenld. When a token is no longer available, perhaps a card removed from a reader, then the tokenld is removed from the Token List.
  • getTokenlnf o - this function returns a list of attribute-value pairs describing the token associated with tokenld.
  • login - this function connects the user to the session associated with sessionld, using a PIN. All active sessions associated between this application and this token will automatically be logged in (assuming the PIN is correct.)
  • logout - this function ends the user login with the session identified by sessionld.
  • createObject this function creates an object on the token identified, with the attributes specified. It returns an objectld associated with the new object.
  • deleteObject - this function deletes an object created with createObject above.
  • getAttributes - this function gets the value of the attribute whose identifiers are listed in the attribute from the object associated with objectld from the token.
  • setAttributes - this function sets the attributes listed in attrs for the object associated with objectld on the token.
  • decrypt - this function decrypts the encrypted text passed to it using the mechanism identified by mechanismld and the private key stored in the object associated with the keyld. Plain text is returned.
  • Smart Card Reader Example An example of a UPI for a Smart Card reader is Provided.
  • the client software is called PersonalCard Services
  • the server side products are called PersonalCard Service Providers.
  • Service Providers provide server implementations of code but complete client requests and /or transactions that require server services.
  • PersonalCard Server is a minimal HTTP 1.1 server that can respond to URLs of the form: http: / /somehos someport/SecureTokenServices/Getld. This is an example of a UPI URL that queries a handler for the operation of the getid method. The last element in this path is not treated as a file or CGI script, but rather as an identifier that allows the handler secured token services to dispatch appropriate processing.
  • the getid path component returns the ID of Smart Card in the reader.
  • This approach allows non-Java programmers to develop Smart Card applications using JavaTM script. This approach minimizes the IT deployment costs because it allows Smart Card readers and Smart Cards to be treated as Web servers.
  • the servers can be maintained over the Web using HTML and JavaScript macros, or using Java programs and applications.
  • Figure 3 represents a Smart Card reader, in one embodiment of the invention.
  • the claimed invention provides a small HTTP stack that may be run on any IAD that can support a Web browser.
  • This stack along with the UPI interface, provides the device the ability to respond to URLs.
  • Figure 3 shows Smart Card reader 300, in one embodiment of the invention.
  • URL 310 enters the system via a network interface, where it is processed by local Web server 320 -- a miniature HTTP stack program. This interface communicates with traditional Smart Card reader interface 340 to store and read data from Smart Card 350 and its Integrated Circuit chip 360.
  • Certificate management functions include: Issuance of Certificates, Certificate and LDAP Directory management, Key Management, Renewing and Revoking Certificates, and Registration authorities.
  • the claimed invention provides access to these certificate operations and certificate management functions through a series of URLs that allow application programs and/or applets to securely interact with certificates stored in the invention's data vault.
  • the data vault can be protected with various levels of security.
  • the data vault may reside in any location, including a local or remote data file, or on an IAD such as a Personal Digital Assistant (PDA) or a Smart Card.
  • PDA Personal Digital Assistant
  • Some examples of URLs that provide access to a secure portable data vault are:
  • each device manufacturer has a different interface, leading to a lack of software portability.
  • the UPI-based approach provides centralized storage and management with stronger security. Having duplicate policies for certificates in multiple applications and multiple locations is undesirable because it complicates the task of managing certificates and decreases security by duplication; thereby providing multiple points of entry that could lead to discovery of the private keys the certificates contain.
  • the claimed invention solves this problem by providing a mechanism to run a personal certificate server that can support different levels of security and is under control of the owner of the certificates rather than control of the Web browser.
  • the certificates can be made available to many browsers as well as applications and remote operations over the network. Applications may perform many operations with the many different types of certificates a user may own.
  • Figure 4 illustrates of the current technology's approach to maintaining cryptographic keys using multiple key stores.
  • a user begins with home system 400.
  • the user uses the PKCS#11 cryptographic method to create and manage cryptographic data.
  • Web browser 410 uses the PKCS#11 cryptographic method to create and manage cryptographic data.
  • Email application 420 makes signature request 450 of Web browser 410 to sign email message 470.
  • the message is signed using PKCS#11 interface 430 and cryptographic data stored in key store 440.
  • the signed email message is returned to email program 420, which then sends the message over dialup network connection 480 to Web server 490 for further processing.
  • Office system 405 is configured to run email application 425 - a different program than the one on home system 400.
  • Email application 425 makes signature request 455 of CSP interface 435, and received back signed message 475 that was encrypted with cryptographic data stored in key store 445.
  • the data in key store 445 and the data in key store 440 are different for two reasons.
  • the cryptographic schemes used by interfaces 430 and 435 are different, and therefore require different key stores.
  • web browser 410 and web browser 415 each control the email program interface to the cryptographic system. Meanwhile, the user's cryptographic data is vulnerable to attack in two different locations.
  • Figure 5 shows a method of one embodiment of the claimed invention that eliminates the problems of the traditional approach to cryptographic key management illustrated in Figure 4.
  • the user's cryptographic data is stored on Internet Aware Device (IAD) 550.
  • IAD 550 is a Smart Card; for example a Java CardTM.
  • the user may use either home system 500 or office system 505 to initiate a secure email message.
  • Email application 510 or 515 which use different cryptographic schemes as illustrated above, initiates a request for a digital signature in the form of URL request 520. Even though both applications use different cryptographic schemes they make the same URL call, passing different parameters to indicate the cryptographic mechanism to use to encode the data.
  • Web server 530 receives each of the requests, and uses UPI interface 560 to perform the requested encryption, using data stored in data vault 570. Signed message 580 is returned as a response to the request by email applications 510 and 515. Next, email applications 510 and 515 each send signed message 690 back to Web server 530 for delivery.
  • the user has only one location for cryptographic data, data vault 570. Data vault 570 is accessible from any network because it can respond to a URL via the UPI of the claimed invention.
  • Figure 6 shows, in one embodiment of the invention, the steps to create a cryptographic key pair and sign a data item using the claimed invention. At step 600, the application calls to retrieve a list of available tokens.
  • a data vault currently accessible on a network is called a token.
  • the application or user must select another token.
  • the application gets information about the selected token, such as its object attributes.
  • the application must create a session, which establishes its connection to the token. This is done at step 630.
  • Step 640 requires the application to provide the user's PIN or other identification required to login to the session for a particular user. In this scenario the user wishes to first create a key pair, then use that key pair to sign a message. The key pair will be stored on the token for future use.
  • the application provides the required information at step 650 and the key pair is generated.
  • the application specifies the cryptographic mechanism, key id and data to be signed.
  • the signed data is returned.
  • the user's private key is stored in the token's memory for future use.
  • Embodiment of Computer Execution Environment is a computer system composed of both hardware and software.
  • the following detailed description of a general computer hardware environment is an example of a system that may be implement the claimed invention. This example is illustrative and does not limit the types of computers or computer systems that may be used to implement the claimed invention.
  • An embodiment of the invention can be implemented as computer software in the form of computer readable code executed on a general-purpose computer such as computer 700 illustrated in Figure 7.
  • a keyboard 710 and mouse 711 are coupled to a bi-directional system bus 718.
  • the keyboard and mouse are for introducing user input to the computer system and communicating that user input to processor 713.
  • Other suitable input devices may be used in addition to, or in place of, the mouse 711 and keyboard 710.
  • I/O (input/ output) unit 719 coupled to bi-directional system bus 718 represents such I/O elements as a printer, A/ V (audio/video) I/O, etc.
  • Computer 700 includes a video memory 714, main memory 715 and mass storage 712, all coupled to bi-directional system bus 718 along with keyboard 710, mouse 711 and processor 713.
  • the mass storage 712 may include both fixed and removable media, such as magnetic, optical or magnetic optical storage systems or any other available mass storage technology.
  • Bus 718 may contain, for example, address lines for addressing video memory 714 or main memory 715.
  • the system bus 718 also includes, for example, a data bus for transferring data between and among the components, such as processor 713, main memory 715, video memory 714 and mass storage 712. Alternatively, multiplex data/address lines may be used instead of separate data and address lines.
  • the processor 713 is a microprocessor manufactured by Motorola, such as the 680X0 processor or a microprocessor manufactured by Intel, such as the 80X86, or Pentium processor, or a SPARCTM microprocessor from Sun Microsystems, Inc.
  • Main memory 715 is comprised of dynamic random access memory (DRAM).
  • Video memory 714 is a dual-ported video random access memory. One port of the video memory 714 is coupled to video amplifier 716.
  • the video amplifier 716 is used to drive the cathode ray tube (CRT) raster monitor 717.
  • Video amplifier 716 is well known in the art and may be implemented by any suitable apparatus.
  • This circuitry converts pixel data stored in video memory 714 to a raster signal suitable for use by monitor 717.
  • Monitor 717 is a type of monitor suitable for displaying graphic images.
  • the video memory could be used to drive a flat panel or liquid crystal display (LCD), or any other suitable data presentation device.
  • Computer 700 may also include a communication interface 720 coupled to bus 718.
  • Communication interface 720 provides a two-way data communication coupling via a network link 721 to a local network 722.
  • ISDN integrated services digital network
  • communication interface 720 provides a data communication connection to the corresponding type of telephone line, which comprises part of network link 721.
  • LAN local area network
  • communication interface 720 provides a data communication connection via network link 721 to a compatible LAN.
  • Communication interface 720 could also be a cable modem or wireless interface. In any such implementation, communication interface 720 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • Network link 721 typically provides data communication through one or more networks to other data devices.
  • network link 721 may provide a connection through local network 722 to local server computer 723 or to data equipment operated by an Internet Service Provider (ISP) 724.
  • ISP 724 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the "Internet" 725.
  • Internet 725 uses electrical, electromagnetic or optical signals that carry digital data streams.
  • the signals through the various networks and the signals on network link 721 and through communication interface 720, which carry the digital data to and from computer 700, are exemplary forms of carrier waves transporting the information.
  • Computer 700 can send messages and receive data, including program code, through the network(s), network link 721, and communication interface 720.
  • remote server computer 726 might transmit a requested code for an application program through Internet 725, ISP 724, local network 722 and communication interface 720.
  • the received code may be executed by processor 713 as it is received, and/or stored in mass storage 712, or other non-volatile storage for later execution.
  • computer 700 may obtain application code in the form of a carrier wave.
  • an example of such a downloaded application is the apparatus for debugging a virtual machine described herein.
  • Application code may be embodied in any form of computer program product.
  • a computer program product comprises a medium configured to store or transport computer readable code or data, or in which computer readable code or data may be embedded.
  • Some examples of computer program products are CD-ROM disks, ROM cards, floppy disks, magnetic tapes, computer hard drives, servers on a network, and carrier waves.
  • An embodiment of the invention may be implemented in any type of computer system or programming or processing environment, including embedded devices (e.g., Web phones, etc.), wireless devices, and "thin" client processing environments (e.g., network computers) that support a virtual machine.
  • embedded devices e.g., Web phones, etc.
  • wireless devices e.g., Bluetooth, etc.
  • client processing environments e.g., network computers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un procédé et un dispositif permettant de gérer des clés de chiffrement à l'aide d'une interface de programmation URL (UPI). Un utilisateur utilisant une clé publique, un schéma symétrique ou un autre schéma de chiffrement, doit conserver une ou plusieurs clés, une liste d'autorités de certification de confiance, et une base de données de certificats. Cet ensemble d'objets est appelé dépôt de données. Les applications, y compris les navigateurs web, utilisent différentes normes, différents algorithmes et différents formats pour stocker et gérer des clés de chiffrement. La présente invention concerne un dépôt de données unique qui est accessible par n'importe quelle application HTTP. Le dépôt de données peut être contenu sur n'importe quel type de stockage, y compris un fichier sur disque, un répertoire, une carte à puce, un ordinateur portable, un dispositif portable, ou d'autres dispositifs similaires. Un dépôt de données peut également s'étendre sur plusieurs combinaisons de dispositifs de stockage. Selon un mode de réalisation décrit dans l'invention, cette architecture permet d'obtenir un dépôt de données présentant la forme d'une pile HTTP très petite. Cette pile minimale peut être installée sur divers dispositifs de manière à permettre l'accès sécurisé à Internet vers et depuis n'importe quel dispositif HTTP.
PCT/US2001/021428 2000-07-28 2001-07-06 Procede et dispositif de gestion de cle de chiffrement a l'aide d'une interface de programmation url WO2002011357A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001280488A AU2001280488A1 (en) 2000-07-28 2001-07-06 Method and apparatus for cryptographic key management using url programming interface

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US62762300A 2000-07-28 2000-07-28
US09/627,623 2000-07-28

Publications (2)

Publication Number Publication Date
WO2002011357A2 true WO2002011357A2 (fr) 2002-02-07
WO2002011357A3 WO2002011357A3 (fr) 2002-08-22

Family

ID=24515403

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/021428 WO2002011357A2 (fr) 2000-07-28 2001-07-06 Procede et dispositif de gestion de cle de chiffrement a l'aide d'une interface de programmation url

Country Status (2)

Country Link
AU (1) AU2001280488A1 (fr)
WO (1) WO2002011357A2 (fr)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004038995A1 (fr) * 2002-10-28 2004-05-06 Nokia Corporation Cles de dispositifs
WO2004040845A1 (fr) * 2002-11-01 2004-05-13 Huawei Technologies Co., Ltd Procede de gestion de la securite pour un dispositif d'acces integre du reseau
WO2004091165A1 (fr) * 2003-04-11 2004-10-21 Nokia Corporation Module d’identification d’abonne permettant l’acces a de multiples reseaux de transmission
KR100749868B1 (ko) * 2005-04-27 2007-08-16 노키아 코포레이션 장치 키
CN100421376C (zh) * 2004-08-31 2008-09-24 国际商业机器公司 用于服务资源定位符的请求的方法
US20120322410A1 (en) * 2011-06-17 2012-12-20 Sony Europe Limited Mobile communications
CN103391281A (zh) * 2013-06-25 2013-11-13 福建星网锐捷通讯股份有限公司 基于综合接入设备iad实现协议三合一的融合方法
CN114692173A (zh) * 2020-12-29 2022-07-01 深圳Tcl新技术有限公司 智能设备的加密方法、智能设备及计算机可读存储介质

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1025551A2 (fr) * 1997-10-22 2000-08-09 Interx Technologies Inc. Procede et appareil de gestion de certificat en appui a la non-repudiation

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004038995A1 (fr) * 2002-10-28 2004-05-06 Nokia Corporation Cles de dispositifs
US7920706B2 (en) 2002-10-28 2011-04-05 Nokia Corporation Method and system for managing cryptographic keys
WO2004040845A1 (fr) * 2002-11-01 2004-05-13 Huawei Technologies Co., Ltd Procede de gestion de la securite pour un dispositif d'acces integre du reseau
WO2004091165A1 (fr) * 2003-04-11 2004-10-21 Nokia Corporation Module d’identification d’abonne permettant l’acces a de multiples reseaux de transmission
US7443839B2 (en) 2003-04-11 2008-10-28 Nokia Corporation User identification module for access to multiple communication networks
CN100421376C (zh) * 2004-08-31 2008-09-24 国际商业机器公司 用于服务资源定位符的请求的方法
KR100749868B1 (ko) * 2005-04-27 2007-08-16 노키아 코포레이션 장치 키
US20120322410A1 (en) * 2011-06-17 2012-12-20 Sony Europe Limited Mobile communications
US9185551B2 (en) * 2011-06-17 2015-11-10 Sony Corporation Mobile communications
CN103391281A (zh) * 2013-06-25 2013-11-13 福建星网锐捷通讯股份有限公司 基于综合接入设备iad实现协议三合一的融合方法
CN114692173A (zh) * 2020-12-29 2022-07-01 深圳Tcl新技术有限公司 智能设备的加密方法、智能设备及计算机可读存储介质

Also Published As

Publication number Publication date
WO2002011357A3 (fr) 2002-08-22
AU2001280488A1 (en) 2002-02-13

Similar Documents

Publication Publication Date Title
US6226752B1 (en) Method and apparatus for authenticating users
US6438600B1 (en) Securely sharing log-in credentials among trusted browser-based applications
US20010039587A1 (en) Method and apparatus for accessing devices on a network
US6311269B2 (en) Trusted services broker for web page fine-grained security labeling
US6006332A (en) Rights management system for digital media
US6789204B2 (en) Resource sharing on the internet via the HTTP
US6928469B1 (en) Apparatus and method for determining a program neighborhood for a client node in a client-server network using markup language techniques
US7281139B2 (en) Authenticating legacy service via web technology
EP1934827B1 (fr) Système et procédé se rapportant à une architecture sure axée sur le service
US6351810B2 (en) Self-contained and secured access to remote servers
US7269635B2 (en) File transfer system for secure remote file accesses
DE60221113T3 (de) Verfahren und system für die fernaktivierung und -verwaltung von personal security devices
US20020111814A1 (en) Network dynamic service availability
WO2003049000A1 (fr) Identite pour reseau reparti
AU3565001A (en) Method for registering a user on an internet-type network directory server and/or for locating a user on said network, and smart card therefor
US6877094B1 (en) Method and apparatus for authentication and payment for devices participating in Jini communities
US7013388B2 (en) Vault controller context manager and methods of operation for securely maintaining state information between successive browser connections in an electronic business system
US7461400B2 (en) Methods, systems, and computer program products for providing authentication in a computer environment
WO2002011357A2 (fr) Procede et dispositif de gestion de cle de chiffrement a l'aide d'une interface de programmation url
US7266838B2 (en) Secure resource
US20040141616A1 (en) Security object with encrypted, spread spectrum data communications
Dragoi et al. Discovering services is not enough
Biget The vault, an architecture for smartcards to gain infinite memory
Ba-Rukab Survivable itinerant object
KR20100066727A (ko) 아이덴터티 제공자 서버를 이용한 사용자 인증 시스템 및 그 방법

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载