GB2390701A - Digital certificate Management with smart card storage - Google Patents

Digital certificate Management with smart card storage

Info

Publication number
GB2390701A
GB2390701A GB0208771A GB0208771A GB2390701A GB 2390701 A GB2390701 A GB 2390701A GB 0208771 A GB0208771 A GB 0208771A GB 0208771 A GB0208771 A GB 0208771A GB 2390701 A GB2390701 A GB 2390701A
Authority
GB
United Kingdom
Prior art keywords
secure
certificate
ocsp
digital certificates
management system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0208771A
Other versions
GB0208771D0 (en)
Inventor
Walter Paterson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/355 Personalisation of cards for use
    • G06Q20/3552 Downloading or loading of personalisation data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821 Electronic credentials
    • G06Q20/38215 Use of certificates or encrypted proofs of transaction rights
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016 Devices or methods for securing the PIN and other transaction-data, e.g. by encryption

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

A digital certificate management system contained within a single system unit, comprising the necessary hardware and software to enable the end-to-end generation, storage and deployment of digital signature, encryption and digital certificate technology, which can be deployed within a Public Key Infrastructure (PKI) or security application framework. The unit stores the certificates onto secure tokens e.g. smart cards.

Description

Field of Invention
The Invention is in the field of Public Key Infrastructure (PKI), related Digital Certificate technology and secure access applications.
Background
Historically, deployments of PKI systems have involved the integration of a number of disparate technology components, with limited integration and interoperability between them. Consequently installation, commissioning and technical support has involved considerable expense and resource. Where integration with secure access applications or secure transactional systems was desired then large-scale development work and integration costs resulted. PKI systems have traditionally been the domain of banking and financial sector and the Defence Ministry, as the development and implementation costs are beyond most organizations. The use of secure tokens (media for storing a Digital Certificate) is also an add-on to PKI systems with attendant problems of integration for client and server environments.
A Digital Certificate is used to enable trust between third parties for verification of identity in electronic transactions and provides a high degree of assurance (based on a legal framework established within Europe by EU Directive and around the world by UN UNCITRAL law) for relying third parties that the user of the digital certificate/document signatory is who they say they are, that the communication has not been altered or tampered with since it was sent, and also a basis for non-repudiation.
The validity of a digital certificate can be checked from publicly accessible online resources, using standard Internet browsers or specific applications.
Digital Certificates are used for encryption, online identity verification, signatory of emails, signatory of documents and timestamp verification for various applications.
Digital signatures are heavily used in the financial sector for ensuring trust in financial transactions.
Technical Capabilities
The Invention can operate in stand-alone mode where it comprises all the services of a self-contained system serving all PKI, certificate, secure transaction and secure validation applications.
The Invention can also operate in clustered mode where it integrates with or operates in conjunction with a number of different technologies, which together perform one or more tasks. In clustered mode one unit may operate as the PKI certificate manager, while another unit operates as the OCSP service, and another operates as the Secure Transaction unit. Units can also perform the same function in the same operating environment to provide redundancy and a scalable system.
Clustered setup is a necessity for large-scale implementation or to build a large PKI transactional-based system. To extend the usability of the Invention, the unit can be integrated as part of a wider PKI set-up. This is illustrated in the attached schematic, as step (4). PKI integration (4) allows the Invention to act as part of other PKI systems or internal systems such as Microsoft's PKI certification management services.
The Invention incorporates PKI Certification Manager (3), which deals with the certification issue and management of Digital Certificates. The PKI certificate manager issues Digital Certificates to Secure Tokens such as smart card or USB tokens using the Secure Token Circuitry (8) or places the digital certificate in the Digital Certificate Storage (5). Secure Token Circuitry (8) allows Secure Tokens such as smart cards, USB tokens or 1-wire tokens to be used for the creation and storage of Digital Certificates on the secure token.
Digital Certificate Storage (5) allows the central storage of Digital Certificates rather than placing the certificates onto a Secure Token device. Storing Digital Certificates in a central repository allows their use where the use of secure tokens would not be feasible, such as "dirty environments" (such as on an offshore installation).
The Invention uses certificate verification Online Certificate Service Protocol OCSP (6). OCSP (6) can operate in stand-alone mode serving OCSP requests for its own issued Digital Certificates or in upload mode where it uploads certificate status to a central OCSP resource. OCSP is an industrial standard verification method that is compatible with most applications and Internet browsers.
The Management System (14) provides a single user interface, either GUI or web based through the http module (13). The device also allows the complete setup of all sub-systems incorporated in the Invention. The Management System (14) allows the Invention to be configured in clustered mode to use multiple units of the Invention.
The Management System is protected from interference or tamper by only allowing access with an appropriate Secure Token inserted into the Secure Token Circuitry (8) or a remote validated certificate through the http module (13) and Secure Verification (7).
The Management System (14) allows the set-up of all PKI description fields relating to the Digital Certificates issued by the Invention.
The Invention uses Data Storage (11) to store operational parameters and configuration details as required by the Management System (14). The OCSP uses the Data Storage (11) to store certification validation status of Digital Certificates that require OCSP verification.
The Invention also has Secure Data Storage (11) for very secure storage of Digital Certificates and other data. The Secure Data Storage (11) encrypts and restricts the use of the secure storage to only the internal system preventing network access. The Secure Data Storage (11) is encrypted to prevent third parties gaining access even if the secure storage media is removed.
The Invention includes Secure Transactions (15) module that allows secure transactions to be completed on the Invention with high security and protection by providing access through encrypted network connections and Digital Certificates.
The Secure Transactions module can utilise Secure Validation (7) to ensure that restricted access is enforced on the transaction.
The Invention includes a Secure Validation (7) component that restricts network access to the Invention or allows the Invention to be used as a gateway access device in a secure network environment. The Invention will check the incoming network connection, perform digital certificate verification on the incoming network request, check this against an access list, and perform a check against an OCSP to ensure that the Digital Certificate has not been revoked. Only if an incoming network request is on the access list and the OCSP check passed will the connection be allowed.
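The Secure Validation (7) decision described above, written out as an added example that is not part of the patent or of any product built from it. The OCSP answer is a simplified in-memory model rather than a parsed response, every name here is hypothetical, and denying an answer with no next-update time is an assumed policy.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Status(Enum):          # the three certificate states an OCSP responder reports
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class OcspAnswer:            # simplified model of one OCSP answer (hypothetical type)
    serial: int
    status: Status
    this_update: datetime
    next_update: Optional[datetime]


MAX_SKEW = timedelta(minutes=5)  # assumed clock tolerance


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def secure_validation(cert_der, serial, access_list, ocsp_lookup, now):
    """Return (allow, reason). Every path that is not a fresh 'good' denies.

    Assumes the certificate chain and the responder's signature were already
    verified elsewhere; this models only the access-list and OCSP gates.
    """
    if fingerprint(cert_der) not in access_list:
        return False, "not on access list"
    try:
        answer = ocsp_lookup(serial)
    except OSError:                      # responder down: fail closed
        return False, "ocsp responder unreachable"
    if answer is None or answer.serial != serial:
        return False, "no ocsp answer for this certificate"
    if answer.this_update > now + MAX_SKEW:
        return False, "ocsp answer dated in the future"
    if answer.next_update is None or answer.next_update + MAX_SKEW < now:
        return False, "ocsp answer stale"
    if answer.status is not Status.GOOD:
        return False, "ocsp status " + answer.status.value
    return True, "on access list and ocsp good"


def demo():
    """Run five constructed certificates through the gate."""
    now = datetime(2002, 4, 17, 12, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    certs = {n: ("constructed-cert-%d" % n).encode() for n in range(1, 6)}
    access_list = {fingerprint(certs[n]) for n in (1, 2, 4, 5)}  # 3 is absent
    answers = {
        1: OcspAnswer(1, Status.GOOD, now - hour, now + hour),
        2: OcspAnswer(2, Status.REVOKED, now - hour, now + hour),
        3: OcspAnswer(3, Status.GOOD, now - hour, now + hour),
        4: OcspAnswer(4, Status.GOOD, now - 48 * hour, now - 24 * hour),
    }

    def lookup(serial):
        if serial == 5:
            raise ConnectionError("constructed outage")
        return answers.get(serial)

    return {n: secure_validation(certs[n], n, access_list, lookup, now)
            for n in certs}


if __name__ == "__main__":
    for serial, (allow, reason) in demo().items():
        print(serial, "ALLOW" if allow else "DENY", reason)
```

Only the first certificate is admitted; the revoked, unlisted, stale-answer and responder-outage cases are all refused, which is the fail-closed behaviour a gateway of this kind needs.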

Claims (7)

CLAIMS
Invention consisting of Network Communication Circuit (1), which allows external communication to the internal services, Expansion Connection (2) for additional hardware to be added, PKI Certification manager (3), PKI Integration (4), Digital Certificate Storage (5), Online Certificate Service Protocol; OCSP (6), Secure Validation (7), Secure Token Circuitry (8), Processor (9), Memory (10), Data Storage (11), Secure Data Storage (12), Http Module (13), Management System (14), Secure Transactions (15).
PKI Certification Manager (3) provides digital certification services and the configuration of the service is controlled by the Management System (14), it will issue Digital Certificates and store corresponding certificate data either on the Data Storage (11) or on the Secure Data Storage (12) as directed by the setup entered on the Management System (14). When a certificate has been issued the certificate is made available to OCSP checking (6).
Digital Certificates can be placed onto secure tokens using the Secure Token Circuitry (8) or placed in the Secure Certificate Storage (5). The Secure Certificate Storage (12) allows Digital Certificates to be used from a central network location.
The Management System (14) can be configured through the http module (13) for remote configuration. The Management System (14) utilises the Processor (9), Memory (10) and Data Storage (11) as the core control system.
Certification validation is handled by the OCSP (6). The OCSP (6) is configured by the Management System (14) and will act as a local certificate validation service or OCSP validation service for multiple units.
Secure Validation (7) decides if a network connection can take place based on an access certificate list and OCSP check.
Secure Data Storage (12) stores data or certificate details in a tamperproof encrypted storage media to prevent authorised access from third parties.
Secure Transactions (15) allows electronic transactions to be completed within a secure environment with encrypted network access to the transaction code or forms.
Amendments to the claims have been filed as follows
CLAIMS
1. A single physical unit including hardware and software components to create and manage the generation of Digital Certificates that are secured on to a secure storage medium. The unit can be situated at a customer site to enable in-house certificate generation to take place.
2. The unit as in claim 1 will contain components for a PC running Windows 2000 Server and hardware to allow access in and out to the World Wide Web.
3. The unit as in Claim 1 and 2 will comprise software capable of generating Digital Certificates to the standard of X509v3 that will be written on to a secure electronic token or smartcard, compliant with the PKCS#11 Standard.
4. The unit as claimed in Claim 3 including communication circuitry to enable connection to the World Wide Web to enable the verification of digital certificates back to the originating generation server with the use of OCSP (Online Certificate Status Protocol).
5. A unit as claimed in any preceding claim that enables digital certificates to be validated by cross-reference to a CRL (Certificate Revocation List) accessed through the World Wide Web from the originating generation server to the requesting client. The downloaded CRL is cross-referenced with the requesting Client certificate to see if the User Certificate is still valid.
6. A unit as claimed in any preceding claim, which is made of aluminium or suitable plastic.
7. A physical unit substantially as herein described above and illustrated in the accompanying drawing.
GB0208771A 2002-04-17 2002-04-17 Digital certificate Management with smart card storage Withdrawn GB2390701A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0208771A GB2390701A (en) 2002-04-17 2002-04-17 Digital certificate Management with smart card storage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0208771A GB2390701A (en) 2002-04-17 2002-04-17 Digital certificate Management with smart card storage

Publications (2)

Publication Number Publication Date
GB0208771D0 GB0208771D0 (en) 2002-05-29
GB2390701A true GB2390701A (en) 2004-01-14

Family

ID=9934984

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0208771A Withdrawn GB2390701A (en) 2002-04-17 2002-04-17 Digital certificate Management with smart card storage

Country Status (1)

Country Link
GB (1) GB2390701A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11196735B2 (en) * 2019-07-17 2021-12-07 Microsoft Technology Licensing, Llc Certificate management in segregated computer networks
CN118467209B (en) * 2024-07-11 2024-09-20 四川启明芯智能科技有限公司 Automatic verification method for multi-business state integrated management system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1995022810A1 (en) * 1994-02-17 1995-08-24 Telia Ab Arrangement and method for a system for administering certificates
GB2288267A (en) * 1994-04-07 1995-10-11 Plessey Telecomm Rechargeable smart card
WO1999019846A2 (en) * 1997-10-14 1999-04-22 Visa International Service Association Personalization of smart cards
WO2001053915A1 (en) * 2000-01-19 2001-07-26 Codex Technologies Incorporated Security system involving creation and auto-burning of a digital signature in an electronic device and intelligent token device
WO2001063589A1 (en) * 2000-02-23 2001-08-30 Smart Lite Digital Solutions Ltd. Integrated pointing device-smartcard transaction security system
WO2002075508A2 (en) * 2001-03-20 2002-09-26 Novomodo, Inc. Scalable certificate validation and simplified pki management
WO2002078290A1 (en) * 2001-03-22 2002-10-03 Ssh Communications Security Oyj Method for setting up communication parameters in upn using hardware token
EP1322088A2 (en) * 2001-12-19 2003-06-25 Trw Inc. Method and apparatus for centralized processing of hardware tokens for PKI solutions

Also Published As

Publication number Publication date
GB0208771D0 (en) 2002-05-29

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)