[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

US20020108042A1 - Public key certificate issuing system, Public key certificate issuing method, digital certification apparatus, and program storage medium - Google Patents

Public key certificate issuing system, Public key certificate issuing method, digital certification apparatus, and program storage medium Download PDF

Info

Publication number
US20020108042A1
US20020108042A1 US10/041,964 US4196402A US2002108042A1 US 20020108042 A1 US20020108042 A1 US 20020108042A1 US 4196402 A US4196402 A US 4196402A US 2002108042 A1 US2002108042 A1 US 2002108042A1
Authority
US
United States
Prior art keywords
signature
public key
certificate
key certificate
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/041,964
Inventor
Makoto Oka
Yoshihito Ishibashi
Shinako Mastuyama
Hideaki Watanabe
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sony Corp
Original Assignee
Sony Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony Corp filed Critical Sony Corp
Assigned to SONY CORPORATION reassignment SONY CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: OKA, MAKOTO, ISHIBASHI, YOSHIHITO, MATSUYAMA, SHINAKO, WATANABE, HIDEAKI
Publication of US20020108042A1 publication Critical patent/US20020108042A1/en
Priority to US12/659,289 priority Critical patent/US8214637B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present invention relates to a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for processing the issuance of a public key certificate proving the validity of a public key used by an electronic delivery system in transmitting encrypted data. More particularly, the invention relates to a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for use by a certificate authority (CA) that issues a public key certificate compatible with a plurality of signature algorithms, whereby entities utilizing such public key certificates are afforded enhanced convenience.
  • CA certificate authority
  • Encrypted data are decrypted to plain text data by use of a predetermined procedure.
  • Various methods for encrypting and decrypting information using an encryption key and a decryption key respectively have been known.
  • One of the diverse methods of data encryption and decryption based on encryption and decryption keys is so-called public key cryptosystem.
  • This system involves a transmitting party having one key and a receiving party possessing another key, one of the keys being used as a public key for use by indefinite users, the other key being kept private.
  • a data encryption key may be used as a public key and a decryption key as a private key.
  • an authentication code generation key may be used as a private key and an authentication code decryption key as a public key.
  • the public key cryptosystem is advantageous in terms of key management in that the private key need only be possessed by one particular person. Because of its lower data processing speed than the common key cryptosystem, the public key cryptosystem is more often utilized in applications involving limited amounts of data such as delivery of private keys and digital signatures.
  • a representative example of the public key cryptosystem is RSA (Rivest-Shamir-Adleman) cryptosystem. The system uses a product of two very large prime numbers (e.g., of 150 digits each), taking advantage of the difficulty in factorizing the product of two large prime numbers into prime factors (and in obtaining the discrete logarithm of the product).
  • ECC elliptic curve cryptography
  • the public key cryptosystem is structured to offer public keys for use by an indefinite number of people. As such, the system most often utilizes what is known as a public key certificate proving that a distributed public key is valid. For example, suppose that a user A generates a key pair consisting of a public key and a private key and sends the generated public key to a certificate authority. In turn, the certificate authority sends back a public key certificate to the user A. The user A then discloses the public key certificate thus obtained to the public. An indefinite number of users go through a predetermined procedure to acquire the public key from the public key certificate, encrypt documents or other desired data using the acquired public key, and transmit what is encrypted to the user A.
  • the user A decrypts the encrypted documents or data received using the previously generated private key.
  • the user A also attaches signatures to the documents using the private key.
  • the indefinite number of users go through the predetermined procedure to obtain the public key from the public key certificate and have the attached signatures verified.
  • the public key certificate is a certificate issued by a certificate authority (CA; also called an issuing authority or IA) on public key cryptosystem.
  • CA certificate authority
  • IA issuing authority
  • a typical public key certificate shown in FIG. 1 includes: a certificate version number; a serial number allocated to a certificate user by a certificate authority (CA); algorithm and parameters used for signature by the RSA, ECDSA, etc.; a certificate authority name; the period of certificate validity; the certificate user's name (user ID); the user's public key; and a digital signature.
  • CA certificate authority
  • the digital signature is generated to attest the whole range of certified items: certificate version number, certificate authority serial number, signature algorithm and parameters, certificate authority name, certificate validity, user ID, and user's public key.
  • a hash value is generated using hash function, and the certificate authority's private key is applied to the hash value to generate the signature.
  • the certificate authority issues public key certificates such as the one shown in FIG. 1, updates expired public key certificates; and creates, manages and distributes a certificate revocation list that repudiates unscrupulous users.
  • the certificate authority also generates public and private keys as needed.
  • a user When utilizing a public key certificate, a user gets a digital signature on his public key certificate verified using a certificate authority's public key in his possession. After the successful verification of the digital signature, the user utilizes the public key by extracting it from the public key certificate. It follows that all users employing public key certificates must have a common public key of the certificate authority.
  • a data transmission system may include a public key cryptosystem like the above-described scheme using public key certificates issued by the certificate authority.
  • the system allows each user to have the digital signature of his public key certificate verified and to extract the public key from the public key certificate after the successful signature verification. The user is then allowed to carry out a certification process based on the public key cryptosystem or to encrypt or decrypt outgoing or incoming data using the cryptosystem.
  • the problem is that end entities such as user devices performing various processes based on the public key cryptosystem are rarely compatible with all of such diverse encryption algorithms as the ECDSA, RSA and others. In most cases, each entity is capable of dealing with only one algorithm (ECDSA algorithm or RSA algorithm in particular).
  • Such devices each compatible with only a specific encryption algorithm can only be used with public key certificates based on that algorithm alone. Public key certificates signed by use of any other algorithm cannot be verified upon receipt.
  • HSM hardware security modules
  • an ECDSA end entity (device) 23 requests an ECDSA registration authority (ECDSA-RA) 22 (performing a signature process based on the ECDSA algorithm) to issue or update a public key certificate.
  • the ECDSA registration authority 22 certifies entities or devices taking part in various services, receives public key certificate issuance requests from these entities or devices, and forwards the requests to an ECDSA certificate authority (ECDSA-CA) 21 that performs a signature process based on the ECDSA algorithm.
  • the ECDSA certificate authority 21 issues public key certificates based on the signature process using the ECDSA algorithm, and distributes the certificates to the ECDSA end entities 23 via the ECDSA registration authority 22 .
  • an RSA end entity (device) 33 requests an RSA registration authority (RSA-RA) 32 (performing a signature process by use of the RSA algorithm) to issue or update a public key certificate.
  • the RSA registration authority 32 certifies entities or devices participating in diverse services, receives public key certificate issuance requests from these entities or devices, and forwards the requests to an RSA certificate authority (RSA-CA) 31 that performs a signature process based on the RSA algorithm.
  • RSA-CA RSA certificate authority
  • the RSA certificate authority 31 issues public key certificates based on the signature process using the RSA algorithm, and distributes the certificates to the RSA end entities 33 via the RSA registration authority 32 .
  • Each processing block constitutes a closed system wherein a public key cryptosystem specific to that block alone is used to effect certification and transmit encrypted data.
  • the ECDSA end entity 23 is incapable of verifying a public key certificate received from the RSA device 33 with a signature in RSA algorithm.
  • the received public key certificate will not serve as a certificate as long as its validity is not established.
  • the RSA end entity 33 cannot verify a public key certificate received from the ECDSA end entity 23 with a signature in ECDSA algorithm; the validity of the public key certificate remains uncertain following its receipt.
  • the ECDSA end entity 23 and RSA end entity 33 in FIG. 2 were to verify the validity of a public key certificate coming from the other party, each party must resort to a circuitous validation procedure: the received public key certificates are first transmitted respectively to the ECDSA registration authority 22 and RSA registration authority 32 , and forwarded from there to the ECDSA certificate authority 21 and RSA certificate authority 31 . The ECDSA certificate authority 21 and RSA certificate authority 31 then exchange queries about the respective certificates. The results of the queries are sent back finally to the respective end entities for certification purposes.
  • a public key certificate issuing system including: a certificate authority for issuing a public key certificate used by an entity; and a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to the certificate authority; wherein the certificate authority, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with the public key certificate issuance request from the registration authority, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate.
  • the certificate authority may have a plurality of signature modules and a certificate authority server for outputting a signature processing request to the plurality of signature modules;
  • the certificate authority server may receive the public key certificate issuance request from the registration authority, select at least one of the plurality of signature modules in response to the public key certificate issuance request, and output the signature processing request to the selected signature module; and each of the plurality of signature modules may attach a digital signature to the message data constituting the public key certificate in response to the signature processing request received from the certificate authority server.
  • the certificate authority may have a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of the registration authorities; and given a public key certificate issuance request from any registration authority, the certificate authority may select the signature module associated with the relevant signature algorithm based on the registration authority management data.
  • the registration authority management data may include key length and parameter information applicable to signatures.
  • the registration authority management data may include signature module identification information applicable to signatures.
  • the registration authority may transmit signature algorithm designation information along with the public key certificate issuance request to the certificate authority; and the certificate authority, based on the signature algorithm designation information received along with the public key certificate issuance request, may select a signature module applicable to the designated signature algorithm.
  • the signature algorithm designation information may include key length and parameter information applicable to signatures.
  • the certificate authority may have a verification key database which stores keys for signature verification in association with each of the plurality of signature modules; and the certificate authority may verify signatures generated by each of the plurality of signature modules.
  • the certificate authority may use at least two of the plurality of signature modules to attach at least two different digital signatures to one public key certificate.
  • the certificate authority may select at least two of the plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation.
  • the certificate authority and the registration authority may each have a signature module structure management table which associates signature algorithm identifiers with identifiers of the plurality of signature modules; the registration authority may issue to the certificate authority a public key certificate issuance request designating a signature algorithm identifier in accordance with the signature module structure management table; and the certificate authority, upon receipt of the signature algorithm identifier from the registration authority, may select the signature module applicable to the received identifier from the signature module structure management table.
  • At least part of the plurality of signature modules may have a common signature key stored therein.
  • a plurality of signature algorithms may be executed by each of the plurality of signature modules.
  • a public key certificate issuing method for use with a certificate authority for issuing a public key certificate used by an entity, and with a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to the certificate authority, the method comprising the steps of: causing the certificate authority selects, from among a plurality of signature modules each executing a different signature algorithm, at least one of the signature modules in accordance with the public key certificate issuance request from the registration authority; and causing the selected signature module to attach a digital signature to message data constituting a public key certificate.
  • the public key certificate issuing method may further comprise the steps of: causing a certificate authority server to receive a public key certificate issuance request from the registration authority; causing the certificate authority server to select at least one of the plurality of signature modules in response to the public key certificate issuance request; and causing the certificate authority server to output a signature processing request to the selected signature module.
  • the step involving the certificate authority server selecting the signature module may include selecting the signature module based on a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of the registration authorities.
  • the step involving the certificate authority server selecting the signature module may include selecting the signature module based on signature algorithm designation information received along with the public key certificate issuance request.
  • the public key certificate issuing method may further include the step of causing the certificate authority to verify signatures generated by each of the plurality of signature modules.
  • the public key certificate issuing method may further include the step of causing the certificate authority to use at least two of the plurality of signature modules to attach at least two different digital signatures to one public key certificate.
  • the public key certificate issuing method may further include the step of causing the certificate authority to select at least two of the plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation.
  • the certificate authority and the registration authority may each have a signature module structure management table which associates signature algorithm identifiers with identifiers of the plurality of signature modules
  • the public key certificate issuing method may further comprise the steps of: causing the registration authority to issue to the certificate authority a public key certificate issuance request designating a signature algorithm identifier in accordance with the signature module structure management table; and causing the certificate authority, upon receipt of the signature algorithm identifier from the registration authority, to select the signature module applicable to the received identifier from the signature module structure management table.
  • the public key certificate issuing method may further comprise the step of having a plurality of signature algorithms executed by each of the plurality of signature modules.
  • a digital certification apparatus for constituting a certificate authority which issues a public key certificate used by an entity: wherein the digital certification apparatus, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with a public key certificate issuance request received from outside, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate.
  • the digital certification apparatus may further comprise a plurality of signature modules and a certificate authority server for outputting a signature processing request to the plurality of signature modules; wherein the certification authority may receive the public key certificate issuance request, select at least one of the plurality of signature modules in response to the public key certificate issuance request, and output the signature processing request to the selected signature module; and wherein each of the plurality of signature modules may attach a digital signature to the message data constituting the public key certificate in response to the signature processing request received from the certificate authority server.
  • the digital certification apparatus may further comprise a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of the registration authorities; wherein, given a public key certificate issuance request from any registration authority, the digital certification apparatus may select the signature module associated with the relevant signature algorithm based on the registration authority management data.
  • the registration authority management data may include key length and parameter information applicable to signatures.
  • the registration authority management data may include signature module identification information applicable to signatures.
  • the digital certification apparatus may, based on signature algorithm designation information received along with the public key certificate issuance request, select a signature module applicable to the designated signature algorithm.
  • the signature algorithm designation information may include key length and parameter information applicable to signatures.
  • the digital certification apparatus may further comprise a verification key database which stores keys for signature verification in association with each of the plurality of signature modules; wherein the digital certification apparatus may verify signatures generated by each of the plurality of signature modules.
  • the digital certification apparatus may use at least two of the plurality of signature modules to attach at least two different digital signatures to one public key certificate.
  • the digital certification apparatus may select at least two of the plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation.
  • the digital certification apparatus may further comprise a signature module structure management table which associates signature algorithm identifiers with identifiers of the plurality of signature modules; wherein the digital certification apparatus may, upon receipt of a signature algorithm identifier along with the public key certificate issuance request, select the signature module applicable to the received identifier from the signature module structure management table.
  • At least part of the plurality of signature modules may have a common signature key stored therein.
  • a plurality of signature algorithms may be executed by each of the plurality of signature modules.
  • a program storage medium which stores a computer program executed by a computer system in carrying out public key certificate issuance processing to issue a public key certificate for use by an entity, the computer program comprising the steps of: selecting, from among a plurality of signature modules each executing a different signature algorithm, at least one of the signature modules in accordance with a public key certificate issuance request; and causing the selected signature module to attach a digital signature to message data constituting a public key certificate.
  • the program storage medium according to the fourth aspect of the invention is a medium that offers a computer program in computer-readable format for use on a general-purpose computer capable of executing diverse program codes.
  • the medium may be any one of such storage media as CDs (compact discs), FDs (floppy discs) and MOs (magneto-optical discs); or of transmission media such as networks, and others.
  • the above type of program storage medium retains definitions of structural or functional relations of cooperation between the medium carrying the computer program on the one hand, and the computer program for implementing necessary computer program functions on the computer system on the other hand. That is, once the computer program is installed into the computer system by means of the program-carrying medium, the computer system performs cooperative operations based on the program providing the same effects as those of the other aspects of the present invention.
  • FIG. 1 is a schematic view of a typical public key certificate
  • FIG. 2 is a schematic view outlining a conventional public key certificate issuing system
  • FIG. 3 is a schematic view outlining a public key certificate issuing system according to this invention.
  • FIG. 4 is a tabular view detailing a data structure of a public key certificate
  • FIG. 5 is another tabular view detailing the data structure of the public key certificate
  • FIG. 6 is a flowchart of steps constituting an ECDSA signature generation process
  • FIG. 7 is a flowchart of steps constituting an ECDSA signature verification process
  • FIG. 8 is a flowchart of steps carried out to generate keys necessary for RSA signature processing
  • FIG. 9A is a flowchart of steps constituting an RSA signature generation process
  • FIG. 9B is a flowchart of steps constituting an RSA signature verification process
  • FIG. 10 is a block diagram showing a typical structure of a certificate authority (CA) server
  • FIG. 11 is a tabular view depicting a typical structure of a registration authority (RA) management database owned by the certificate authority server;
  • RA registration authority
  • FIG. 12 is a tabular view indicating a typical structure of a verification key database owned by the certificate authority server;
  • FIG. 13 is a block diagram illustrating a typical HSM (hardware security module) structure including a signature module;
  • FIG. 14 is a schematic view of a setup where the same signature key is shared by a plurality of signature modules
  • FIG. 15 is a flowchart of steps constituting the process of having the same signature key shared by a plurality of signature modules
  • FIG. 16 is another flowchart of steps constituting the process of having the same signature key shared by a plurality of signature modules
  • FIG. 17 is yet another flowchart of steps constituting the process of having the same signature key shared by a plurality of signature modules;
  • FIG. 18 is a flowchart of steps constituting the process of storing a signature key into a signature module
  • FIG. 19 is a flowchart of steps constituting a signature process performed by a signature module using a signature key
  • FIG. 20 is a flowchart of steps constituting a signature module determining process performed by a signature module during signature process execution;
  • FIG. 21 is a schematic view with subfigures for explaining a typical signature process performed by signature modules (as example 1);
  • FIG. 22 is a schematic view with subfigures for explaining another typical signature process performed by signature modules (as example 2);
  • FIG. 23 is a schematic view with subfigures for explaining another typical signature process performed by signature modules (as example 3);
  • FIG. 24 is a schematic view with subfigures for explaining another typical signature process performed by signature modules (as example 4);
  • FIG. 25 is a schematic view of a typical setup for privately managing a signature module structure.
  • FIG. 26 is a schematic view of the process of getting a plurality of signature modules to perform signature processes in cooperation.
  • a certificate authority is an organ that creates and issues public key certificates.
  • a registration authority is an organ that performs registration work for issuing public key certificates.
  • the registration authority is requested to issue a public key certificate by a user, a service provider, a server or other party (called an end entity, to be defined later) desirous of utilizing a public key certificate.
  • the registration authority sends a public key certificate issuance request to the certificate authority.
  • the certificate authority issues a public key certificate to the registration authority which then forwards the certificate to the requesting party.
  • a hardware security module is a piece of dedicated hardware for retaining a signature key and attaching it to a certificate.
  • An end entity is a subject to which a public key certificate is issued.
  • the end entity may be a device, a server, a user, a service provider, or any other entity utilizing the certificate.
  • CA certificate authority
  • One of the challenges in establishing the certificate authority is how to store private keys securely in a system based on a public key cryptosystem while ensuring security in providing signatures.
  • Another challenge is how to improve the computing speed of signature provision, which is conducive to boosting system performance of the certificate authority.
  • the inventive system comprises a certificate authority (CA) capable of accommodating a plurality of different signature algorithms, key lengths and parameters. More specifically, the certificate authority is structured to include a plurality of signature modules implemented either by dedicated hardware (HSM) or by software executing different signature algorithms.
  • CA certificate authority
  • HSM dedicated hardware
  • FIG. 3 is a schematic view showing how a certificate authority acting as a digital certification apparatus (CA) comprising a plurality of signature modules typically operates.
  • a CA server 71 in a certificate authority 70 receives via registration authorities (RA) 81 through 85 a public key certificate issuance request sent from any one of various end entities (EE) such as servers, users and service providers wishing to utilize a public key certificate.
  • EE end entities
  • the registration authorities 81 through 85 each have a specific signature algorithm such as Rivest-Shamir-Adleman (RSA) cryptosystem or elliptic curve cryptography (ECC) ready to be applied to a public key certificate that may be issued for use by end entities (EE) under jurisdiction of the registration authority in question.
  • RSA Rivest-Shamir-Adleman
  • ECC elliptic curve cryptography
  • One or more algorithms are selectively designated in a public key certificate issuance request bound for the certificate authority 70 .
  • the request with a specific signature algorithm designated therein requires having a signature executed in the specified algorithm.
  • one of the registration authorities (RA) 81 through 85 forwards the request to the certificate authority 70 , calling on the latter to issue a public key certificate with the signature in the specified encryption algorithm.
  • the public key certificate thus issued is sent to and subsequently verified by the end entity in question.
  • the applicable signature algorithm varies from one registration authority to another.
  • Public key certificate issuance requests from registration authorities are accepted by the CA server 71 in the certificate authority (CA) 70 .
  • the CA server 71 selects some of signature modules 72 a through 72 n in accordance with a table that associates each of the registration authorities (RA) 81 through 85 owned by the CA server 71 with a specific signature algorithm.
  • the CA server 71 generates public key certificates and sends them to the selected modules along with a signature execution instruction each.
  • the signature modules in question Upon receipt of the public key certificates along with the signature execution instruction, the signature modules in question carry out their respective signature processes using the applicable signature algorithms (e.g., RSA, ECDSA).
  • the signed public key certificates are returned to the CA server 71 .
  • the CA server 71 on receiving the signed public key certificates from the modules involved, forwards the certificates to the requesting registration authorities (RA) 81 through 85 .
  • RA requesting registration authorities
  • Each of the signature modules 72 a through 72 n either receives externally or generates internally a certificate authority signature key in accordance with a particular signature algorithm for signature execution.
  • the signature modules 72 a through 72 n each comprise a hardware security module (HSM), i.e., a dedicated piece of hardware for signature execution; or a dedicated processor or CPU for carrying out a signature by use of a program capable of executing the applicable signature algorithm. Tamper-resistant, the signature modules 72 a through 72 n use signature keys to sign messages based on the components of a public key certificate generated by the CA server 71 .
  • HSM hardware security module
  • the HSM constituting a processing unit comprising a signature module may be replaced either by a dedicated processor for executing a signature using a program capable of executing the relevant signature algorithm, or by a CPU-equipped module carrying out a software-based signature process.
  • Typical signature processes performed by the signature modules 72 a through 72 n include Rivest-Shamir-Adleman (RSA) cryptosystem and elliptic curve digital signature algorithm (ECDSA). With each cryptosystem, different key lengths entail different computing speeds and afford different levels of security. The most-often utilized key lengths are 512 bits, 1,024 bits or 2,048 bits for the RSA cryptosystem; and 160 bits, 192 bits or 224 bits for the ECDSA.
  • RSA Rivest-Shamir-Adleman
  • EDSA elliptic curve digital signature algorithm
  • F(p)(p is a prime number or 2 to an n-th power) characteristic “p,” orders “r, “a” and “b”; and by a base point (Gx, Gy) on the curve.
  • a public key certificate is issued by a third party called a certificate authority (CA) attesting to the validity of a public key for use by two parties for cross-certification in exchanging data or encryption data therebetween.
  • CA certificate authority
  • a typical format of the public key certificate adopted by the inventive system is described below in detail by referring to FIGS. 4 and 5.
  • the format example shown in FIGS. 4 and 5 is based on the public key certificate format X.509, V3.
  • a “version” field indicates the version of the certificate format in use.
  • a “serial number” field accommodates a serial number attached to a public key certificate by the certificate authority (CA).
  • a “signature algorithm identifier—algorithm, parameters” field records a signature algorithm and algorithm parameters used in the public key certificate in question.
  • the signature algorithm is typically elliptic curve cryptography (ECC), RSA, or others. If the ECC is in effect, parameters and a key length are recorded; if the RSA is in use, then a key length is recorded. If any other cryptosystem is adopted, the identifier of that cryptosystem is recorded in this field.
  • An “issuer” field records as a distinguished name the name of a public key certificate issuer, i.e., of the certificate authority (CA) in effect.
  • CA certificate authority
  • a “validity—not before, not after” field accommodates a starting date and time (Not Before) as well as an ending date and time (Not After).
  • a “subject” field records the name of a subject, i.e., of a user who utilizes the certificate. Specifically, the subject may be represented by the ID of a user device or of a service offering entity.
  • a “subject public key information-algorithm, subject public key” field contains a key algorithm as the user's public key information, and key information itself.
  • An “authority key identifier—key identifier, authority certificate issuer, authority certificate serial number” field contains information for identifying a certificate authority (CA) key.
  • a key identifier (octal number), the name of the certificate authority, and a certificate serial number are recorded in this field.
  • a “subject key identifier” field accommodates identifiers for identifying a plurality of keys for use in a public key certificate.
  • a “key usage” field designates the purpose of key usage selected from among the following: (0) for digital signature, (1) for repudiation prevention, (2) for key encryption, (3) for message encryption, (4) for distribution of a common key, (5) for verification of a certificate signature, or (6) for verification of a signature on a certificate revocation list.
  • a “private key usage period—not before, not after” field records the usage period of a private key owned by the user.
  • a “certificate policies” field records certificate issuance policies applicable to the certificate authority (CA) and registration authority (RA) in question. For example, IDs of certification policies based on the ISO/IEC 9384-1 are recorded in this field.
  • a “policy mappings—issuer domain policy, subject domain policy” field is used only when the certificate authority needs to be certified.
  • the field records mappings regarding the policy of the certificate authority as a certificate issuer, and the policy of the subject.
  • a “supported algorithms—algorithm identifier, intended usage, intended certificate policies” field defines attributes of a directory (X.500). Where the opposite party of communication is to use directory information, definitions in this field inform that party of the directory attributes in advance.
  • “subject alternative name” field records an alternative name of the user.
  • An “issuer alternative name” field records an alternative name of the certificate issuer.
  • a “subject directory attributes” field accommodates any attributes of the user.
  • a “basic constraints—CA, path length constraint” field is used to specify whether the public key subject to certification is to be used for signature by the certificate authority (CA) or by the user.
  • a “name constraints—permitted subtrees, base, minimum, maximum, excluded subtrees” field indicates effective domains of a certificate used only when the subject is the certificate authority.
  • a “policy constraints—require explicit policy, inhibit policy mapping” field describes constraints requiring explicit policy IDs and inhibit policy mapping for the remaining certification paths.
  • a “CRL (certificate revocation list) distribution points” field describes points at which the user, upon utilizing a certificate, references a certificate revocation list (CRL) to see whether the certificate is revoked.
  • a “signature” field contains the signature of the certificate authority (CA).
  • the above signature attached to a public key certificate is a digital signature executed onto data constituting the certificate through the use of a private key issued by a public key certificate issuer (certificate authority or CA).
  • a public key issued by the certificate authority the user of a public key certificate is able to check whether the certificate has been tampered with.
  • ECDSA elliptic curve digital signature algorithm
  • step S 1 it is assumed that “p” represents a characteristic; that “a” and “b” denote coefficients of an elliptic curve ( 4 a 3 + 27 b 2 ⁇ 0 (mod p)); and that “G” stands for a base point on the elliptic curve, “r” for the order of “G,” and “Ks” for a private key (0 ⁇ Ks ⁇ r).
  • a message is input to the hash function for compression into data of a predetermined bit length.
  • the compressed result is output as a hash value.
  • the hash function has a number of distinct characteristics: it is difficult to predict an input from a given hash value (output); a change of a single bit in the input data to the hash function leads to changes of numerous bits in the resulting hash value; and it is also difficult to find different input data having the same hash value.
  • the hash function most frequently used is MD 4 , MD 5 , or SHA- 1 ; it may also be DES-CBC.
  • the final output value MAC (check value, equivalent to ICV) makes up the hash value.
  • step S 3 a random number “u” (0 ⁇ u ⁇ r) is generated.
  • step S 4 a coordinate “V” (Xv, Yv) is calculated using the base point multiplied by “u.”
  • An addition and a diploid operation on the elliptic curve are defined as follows:
  • step S 6 If in step S 6 the value “c” turns out to be 0, then step S 3 is reached again in which another random number is generated. Likewise if the value “d” is found to be 0 in step S 8 , step S 3 is reached again and a new random number is generated.
  • step S 12 a check is made to see if the digital signature data “c” and “d” satisfy the conditions of 0 ⁇ c ⁇ r and 0 ⁇ d ⁇ r.
  • step S 17 a check is made to see if the point P is an infinite point. If the point P is not an infinite point, step S 18 is reached. In fact, whether the point P is an infinite point is determined in step S 16 .
  • step S 18 a calculation is made of “Xp mod r” for comparison with the digital signature data “c.” If there is a match between the compared values, step S 19 is reached in which the digital signature is judged valid.
  • step S 12 If in step S 12 the digital signature data “c” or “d” fail to satisfy the condition 0 ⁇ c ⁇ r or 0 ⁇ d ⁇ r, then step S 20 is reached. If in step S 17 the point P turns out to be an infinite point, step S 20 is also reached. A mismatch in step S 18 between the value “Xp mod r” and the digital signature data “c” also leads to step S 20 .
  • step S 20 the digital signature is judged invalid. That means the data have been tampered with or that the party in possession of the private key corresponding to the public keys has not generated the electronic signature.
  • FIG. 8 is a flowchart of steps for generating public and private keys used for signature generation and verification based on RSA cryptosystem.
  • FIG. 9A is a flowchart of steps constituting an RSA signature generation process
  • FIG. 9B is a flowchart of steps constituting an RSA signature verification process.
  • prime numbers “p” and “q” are first selected (of about 150 digits each) in step S 21 .
  • step S 24 a positive integer “e” less than “n” and not sharing a common factor with the value “L” is selected to let (n, e) be public keys.
  • FIGS. 9A and 9B Signature generation and verification using the above public and private keys are conducted as shown in FIGS. 9A and 9B.
  • each public key certificate determines its validity. As described above, verification of the signature requires executing encryption processing based on a signature algorithm.
  • the signature algorithm of interest must be executable by any device acting as an end entity.
  • a common signature algorithm is employed by end entities under control of each registration authority (RA).
  • the organ called the certificate authority (CA) issuing public key certificates takes the form of a digital certification apparatus which, possessing a plurality of signature modules as described, is capable of executing diverse signature algorithms including RSA and ECDSA. Structured to accommodate multiple, different signature algorithm and parameters, the certificate authority (CA) selects signature modules as requested by registration authorities (RA) and causes the selected modules to generate signatures based on the respective cryptosystems such as RSA cryptosystem and ECDSA signature algorithm before issuing a public key certificate containing the generated signatures.
  • RA registration authorities
  • a public key certificate issuance request is accepted by the CA server 71 of the certificate authority (CA).
  • Relevant modules 72 a through 72 n are selected as per the table that associates the registration authorities 81 through 85 under control of the CA server 71 with the assigned signature algorithms.
  • the selected signature modules are sent a public key certificate each along with a signature execution instruction.
  • each selected signature module Upon receipt of the public key certificate and signature execution instruction, each selected signature module generates a signature based on the applicable signature algorithm (e.g., RSA, ECC) and returns the signed public key certificate to the CA server 71 .
  • the CA server 71 transmits the signed public key certificate to the registration authority (one of RAs 81 through 85 ) that originated the public key certificate issuance request.
  • the certificate authority has a CA server 100 and a plurality of signature modules 150 executing as many signature algorithms.
  • the CA server 100 transmits a public key certificate including the above-described structure data (see FIGS. 4 and 5) to any of the signature modules (HSM) 150 .
  • the signature module 150 that received the public key certificate generates a signature and returns the signed public key certificate to the CA server 100 through the HSM interface 114 .
  • a PCI bus or a network such as the Ethernet may connect the CA server 100 with the signature modules 150 . All communication paths between the server and the modules are established as secure paths.
  • the CA server 100 includes three databases: an RA management database 121 that manages information about registration authorities (RA) under control of the CA server, a verification key database 122 that stores keys for verifying public key certificates, and a repository database 123 that accommodates issued public key certificates, a list of public key certificates, and public key certificate revocation list information. These databases are accessed via a database interface (DB-I/F) 116 .
  • RA management database 121 that manages information about registration authorities (RA) under control of the CA server
  • a verification key database 122 that stores keys for verifying public key certificates
  • a repository database 123 that accommodates issued public key certificates, a list of public key certificates, and public key certificate revocation list information.
  • the CA server 100 performs cross-certification with the registration authorities (RA) 181 through 183 to verify their identities before receiving a public key certificate issuance request from any of them via a network interface 115 .
  • the CA server 100 Given the issuance request from any registration authority, the CA server 100 generates a public key certificate containing the data items explained above and determines a signature algorithm or algorithms based on relevant information in the RA management database 121 or on the request itself. Thereafter, the CA server 100 selects the signature module 150 -x to execute the determined signature algorithm, and transmits to the selected module the generated public key certificate through the HSM interface 114 .
  • Data for signature generation such as a key length and parameters may also be sent along with the public key certificate if necessary.
  • the signature module 150 -x On receiving the public key certificate, the signature module 150 -x generates a signature based on its executable signature algorithm such as RSA or ECDSA and returns a signed public key certificate to the CA server 100 .
  • the CA server 100 retrieves an applicable verification key from the verification key database 122 to determine whether the certificate is correctly signed. After registration with the repository database 123 , the CA server 100 transmits the signed public key certificate to the registration authority (RA) that issued the request.
  • RA registration authority
  • a CPU 111 controls the above series of steps while a RAM 112 and a ROM 113 offer a storage area for accommodating processing program necessary for performing these processes and a work area in which the programs are carried out.
  • a display unit 117 and an input unit 118 are used by an operator entering and viewing data and commands.
  • FIG. 11 is a tabular view depicting a typical structure of the RA (registration authority) management database 121 .
  • This database contains a table that associates RA-specific signature algorithms with the registration authorities (RA) from which the certificate authority (CA) accepts public key issuance requests.
  • a registration authority identified as RA0001 is shown using the RSA cryptosystem as its signature algorithm with a key length of 1,024 bits. It is also shown that the RSA cryptosystem is executed by a signature module HSM-001.
  • RA0002 Another registration authority identified as RA0002 is shown using the RSA cryptosystem as its signature algorithm with a key length of 2,048 bits. It is indicated that the RSA cryptosystem is executed by a load-distributed setup that employs three modules HSM-002, HSM-003 and HSM-004 in combination.
  • a registration authority identified as RA0003 utilizes both RSA and ECC as its signature algorithms.
  • a circle in a “multiple-signature algorithm” column indicates that the registration authority in question permits execution of a plurality of signature algorithms.
  • the multiple-signature algorithm is implemented in one of two ways.
  • a registration authority may request the certificate authority (CA) to selectively execute, say, either an ECC signature or an RSA signature, and the certificate authority may comply with the request.
  • the certificate authority may furnish a single public key certificate with a plurality of signatures executed by as many signature algorithms.
  • the signature algorithm in use is the elliptic curve digital signature algorithm (ECDSA)
  • EDSA elliptic curve digital signature algorithm
  • the table contains elliptic curve parameters to be adopted in addition to the applicable key length.
  • a signature module for executing a signature is fixedly associated with key length data and a parameter, then the signature is executed by use of the key length and parameter assigned to the signature module in question. If a signature module is capable of executing signatures based on a plurality of key lengths or parameters, then the CA server retrieves the applicable key lengths or the relevant key lengths and parameters from the RA management database and transmits what is retrieved to the module in question so that the latter will execute signatures according to the key lengths or the key lengths and parameters received from the CA server.
  • FIG. 12 is a tabular view indicating a typical structure of the verification key database.
  • This database associates signature module identifiers identifying the signature modules for executing signatures, with keys for verifying the signatures executed by these modules.
  • the database contains HSM-IDs as signature module identifiers, names of signature algorithms executed by the associated modules, key lengths to be used, parameters, and verification keys, all listed in mutually associated relation.
  • the verification keys are public keys that correspond to the private keys generated by the signature modules as their signature keys.
  • the CA server receives the generated private keys from the signature modules and stores what is received into the verification key database.
  • the CA server retrieves the corresponding verification key (public key) from the verification key database 122 and verifies that the signature is valid before sending the certificate to the registration authority (RA) that originated the certificate issuance request.
  • RA registration authority
  • HSM hardware security module
  • Each HSM has a signature module that executes a specific signature algorithm. Designed to be tamper-resistant, the HSM has its stored information such as private key information for signature generation erased if tampered with.
  • the HSM 150 comprises: a communication interface 152 for exchanging data with a CA server; a CPU 151 for controlling processing within the HSM; a signature module 160 for executing a particular signature algorithm such as RSA or ECDSA; a nonvolatile memory 153 that stores various HSM-specific data such as an HSM identifier (ID); a ROM 154 that records processing programs for identifying signature algorithms and performing analyses in obtaining key lengths, parameter information and others from signature request data from the CA server; and a RAM 155 that accommodates variable settings such as private keys, signature algorithm identification information, key lengths, and parameter information either generated by the signature module or received from outside.
  • a communication interface 152 for exchanging data with a CA server
  • a CPU 151 for controlling processing within the HSM
  • a signature module 160 for executing a particular signature algorithm such as RSA or ECDSA
  • a nonvolatile memory 153 that stores various HSM-specific data such as an HSM identifier (ID)
  • a ROM 154
  • the signature module 160 includes a random number generation unit 161 , a signature generation unit 162 , and a hash calculation unit 163 .
  • the signature module carries out the steps constituting the process flow described above with reference to FIG. 6; if the RSA signature algorithm is to be performed, the signature module performs the steps making up the process flow explained above by referring to FIGS. 9A and 9B.
  • each signature module executes a signature based on a specific signature algorithm such as RSA or ECDSA.
  • a private key for signature execution by each signature module may be either generated internally by the module in question or acquired from a particular, external signature module that has generated its own key. Where a plurality of signature modules are to store a common key, an externally generated key may effectively be sent to the modules involved for storage therein.
  • Reading and writing of signature keys should preferably be subject to strict security rules to prevent leaks.
  • all operators should be certified using passwords or like means based on dedicated software, and any signature module to which to write a key should be ascertained by checking its ID number.
  • FIG. 14 is a schematic view of a setup where a signature key is generated by a signature module 1 and transmitted to a plurality of other signature modules 2 through n.
  • Dedicated software shown in FIG. 14 refers illustratively to a program held in a ROM of the CA server.
  • an operator may issue a key generation instruction to one particular signature module and causes a key (private key) generated by the module to be transmitted to the other multiple signature modules (HSMs).
  • HSMs multiple signature modules
  • a verification key (public key) corresponding to the generated private key is written to the verification key database in the CA server in association with each of the HSM identifiers involved.
  • a password-based certification process or other suitable steps should preferably be carried out between the transmitting and receiving parties to forestall illegal data transfers. Only when the parties involved are certified should the generated signature key and other related data or commands be allowed to be transmitted.
  • FIG. 15 is a flowchart of steps constituting a typical process performed by the CA server using dedicated software. This process involves having a key generation instruction issued to a specific signature module (signature module 1 ) to get a signature key generated by the module 1 before transmitting the key to other signature modules.
  • signature module 1 a specific signature module
  • step S 101 The operator who would perform steps to generate and store a signature key is first authenticated in step S 101 . Only a previously registered operator is authorized to carry out the signature key generation process. A check is made in step S 102 to see whether the submitted password, fingerprint data, etc., attest to the valid operator. If the operator is judged valid, step S 103 is reached in which a key generation-transmission instruction is issued to the signature module 1 (HSM 1 ) requesting the latter to generate the signature key.
  • HSM 1 signature module 1
  • step S 104 cross-certification is carried out between the signature module 1 (HSM 1 ) on the one hand, and the apparatus that has issued the key generation-transmission instruction (e.g., CA server) on the other hand.
  • the cross-certification is executed based on common key cryptosystem or public key cryptosystem. Keys for such certification are retained in advance by the devices involved.
  • the CA server waits for a signature key and a verification key to arrive from the signature module.
  • the verification key is stored into the verification key database in step S 107 .
  • step S 108 a signature key store instruction is output to another signature module (HSM) that will utilize the same signature key.
  • HSM signature module
  • step S 109 cross-certification is performed with the new signature module.
  • An acknowledgment received from the signature module in step S 111 indicates that the key has been normally stored inside, thus signaling the end of the key write operation to the current signature module.
  • Steps S 108 through S 111 are repeated on all signature modules to which the signature key is to be written. When the key is judged written to all signature modules involved in step S 112 , the process is terminated.
  • step S 121 the signature module 1 receives a key generation-transmission instruction.
  • step S 122 cross-certification is carried out between the signature module 1 and dedicated software (embodied by the CA server).
  • step S 123 the signature module 1 generates a key pair consisting of a signature key and a verification key in step S 124 .
  • step S 125 the signature key is retained by the device itself in step S 126 .
  • the generated signature key and verification key are further transmitted to the dedicated software (CA server) in step S 127 .
  • the transmission is judged successful in step S 128 , the process is terminated.
  • step S 131 the signature modules 2 through N receive a signature key store instruction each.
  • step S 132 cross-certification is carried out between the signature modules 2 through N on the one hand and the dedicated software (CA server) on the other hand.
  • CA server dedicated software
  • step S 133 the signature key is stored into each of the signature modules involved in step S 134 .
  • step S 135 a storage complete notice is transmitted to the dedicated software (CA server) in step S 136 .
  • step S 137 the transmission of the notice is judged successful in step S 137 , the process is terminated.
  • Processing by the CA server will now be described in two categories: (1) processing performed upon key generation by a signature module (HSM), and (2) processing carried out upon issuance of a public key certificate and upon signature execution.
  • HSM signature module
  • FIG. 18 The process by the CA server upon key generation by the signature module (HSM) is described below by referring to FIG. 18.
  • the process shown to the left is that which is performed by the CA server, while the process indicated to the right is carried out by an HSM having a signature module.
  • cross-certification steps are not shown in FIG. 18, these steps are still carried out between the CA server and the signature module in the same manner as FIG. 16 and 17 if they are interconnected in an externally accessible manner.
  • step S 201 the CA server issues a key generation instruction to the HSM.
  • the key generation instruction may include a key length and a parameter if necessary. It is possible to issue a plurality of key generation instructions based on different key lengths and different parameters.
  • the HSM On receiving the instruction in step S 211 , the HSM generates at least one key pair consisting of a signature key and a verification key in step S 212 .
  • the verification key is transmitted to the CA server in step S 214 .
  • the signature key is retained by the device itself in step S 215 .
  • the CA server Upon receipt of the verification key from the HSM in step S 202 , the CA server stores the received key into the verification key database in step S 203 . Where necessary, the RA management database and the repository database are updated in step S 204 .
  • the verification key database and other databases accommodate key lengths, parameters and other data with regard to each data entry.
  • step S 231 of FIG. 19 the CA server generates certificate data (see FIGS. 4 and 5) in response to a certificate issuance request from a registration authority.
  • step S 232 the CA server determines HSMs that should perform signature execution.
  • step S 251 of FIG. 20 the CA server receives a certificate issuance request from a registration authority (RA). Based on the identifier of the requesting registration authority, the CA server searches through the RA management database (see FIG. 11) in step S 252 . A check is first made to see if the requesting registration authority is subject to load distribution on the basis of the applicable load distribution entry in the RA management database. If the registration authority in question is judged subject to load distribution, step S 258 is reached. In step S 258 , a plurality of HSMs are selected according to predetermined criteria for sequential or parallel use of the selected HSMs.
  • RA registration authority
  • step S 254 a check is made by referencing the RA management database (FIG. 11) to see whether the registration authority in question corresponds to multiple signature algorithms. If in step S 254 the registration authority is judged corresponding to multiple signature algorithms, step S 255 is reached. In step S 255 , a search is made through the RA management database for data entries corresponding to the requested signature algorithms in the public key certificate issuance request. If relevant data entries are found in step S 256 , HSM identifiers associated with the RA identifier are acquired from the database, and the HSMs having the obtained HSM identifiers are determined as the signature modules.
  • the CA server may alternatively select HSMs by making a search through the RA management database in accordance with the designated signature algorithms, key lengths and parameters.
  • step S 233 of FIG. 19 is reached in which the generated public key certificate data are transmitted to the selected HSMs.
  • the HSMs execute signatures in step S 242 and transmit a signed certificate to the CA server in step S 243 .
  • the CA server Upon receipt of the signed certificate from the HSMs in step S 234 , the CA server retrieves verification keys associated with the HSM identifiers from the verification key database in step S 235 . In step S 236 , the CA server verifies the signatures using the retrieved verification keys. If the verification is judged successful in step S 237 , the CA server transmits the signed certificate to the requesting registration authority (RA), which terminates the process.
  • RA requesting registration authority
  • FIG. 21 illustrates a typical configuration including an end entity (EE) 300 , registration authorities (RA) 311 and 312 , a certificate authority (CA) server 321 ; and HSMs 331 , 332 and 333 having a signature module each.
  • the end entity 300 issues a public key certificate issuance request to the CA server 321 through the registration authority 311 or 312 .
  • the RA management database of the CA server contains data such as those shown in subfigure (a) of FIG. 21 and that the verification key database accommodates data listed illustratively in subfigure (b) of FIG. 21.
  • the registration authority 311 identified as RA 1 allows a signature module HSM 1 to execute a signature based on the RSA signature algorithm with a key length of 1,024 bits.
  • the verification key database contains signature algorithms, key lengths, parameter information, and verification keys corresponding to the HSMs configured.
  • the end entity (EE) 300 sends a public key certificate issuance request to a given registration authority (RA).
  • RA registration authority
  • FIG. 22 shows an example in which the end entity (EE) 300 outputs a public key certificate issuance request to the registration authority (RA 1 ) 311 .
  • Numerals (1) through (10) in FIG. 22 represent steps to be taken by the parties involved. These steps are described below in ascending order.
  • the end entity (EE) 300 transmits to the registration authority (RA 1 ) 311 data including user data necessary for issuing a public key certificate in the form of a public key certificate issuance request.
  • the registration authority (RA 1 ) 311 verifies that what is received is a legitimate certificate issuance request from the end entity (EE) 300 , registers the recasting user, and carries out other related steps.
  • the registration authority 311 then transmits the certificate issuance request to the CA server 321 , along with a certificate issuance request command, necessary message data including certificate storage data, and a registration authority identifier (ID).
  • the CA server 321 Upon receipt of the certificate issuance request, the CA server 321 references the RA management database to determine an HSM for signature execution.
  • a module HSM 1 is selected as the signature execution module in accordance with the RA management database entries shown in subfigure (a) of FIG. 21.
  • the CA server 321 outputs a signature generation instruction to the signature module (HSM 1 ) 331 .
  • the instruction as shown in subfigure (b) of FIG. 22, contains a signature generation instruction command and message data for a certificate to be generated. If the module HSM 1 is capable of generating variable length keys, the signature generation instruction may include data for specifying a key length.
  • the module (HSM 1 ) 331 performs signature execution in keeping with the signature generation instruction.
  • the module executes its signature based on the RSA algorithm
  • the module (HSM 1 ) 331 transmits a signed public key certificate to the CA server 321 .
  • the CA server 321 retrieves a verification key from the verification key database to check whether the signature on the received public key certificate is valid.
  • the CA server 321 sends the signed public key certificate to the requesting registration authority (RA 1 ) 311 .
  • the registration authority (RA 1 ) 311 forwards the signed public key certificate received to the requesting end entity (EE) 300 .
  • FIG. 23 shows another example in which the end entity (EE) 300 outputs a public key certificate issuance request to the registration authority (RA 2 ) 312 .
  • Numerals (1) through (10) in FIG. 23 represent steps to be taken by the parties involved. These steps are described below in ascending order.
  • the end entity (EE) 300 transmits to the registration authority (RA 2 ) 312 data including user data necessary for issuing a public key certificate in the form of a public key certificate issuance request.
  • the registration authority (RA 2 ) 312 verifies that what is received is a legitimate certificate issuance request from the end entity (EE) 300 , registers the requesting user, and carries out other related steps.
  • the registration authority 312 then transmits the certificate issuance request to the CA server 321 , along with a certificate issuance request command, necessary message data including certificate storage data, a registration authority identifier (ID); and data specifying a signature algorithm, a key length and parameters, as shown in subfigure (a) of FIG. 23.
  • the CA server 321 Upon receipt of the certificate issuance request, the CA server 321 references the RA management database to determine an HSM for signature execution.
  • a module HSM 3 is selected as the signature execution module in accordance with the RA management database entries shown in subfigure (a) of FIG. 21.
  • the CA server 321 outputs a signature generation instruction to the signature module (HSM 3 ) 333 .
  • the instruction as shown in subfigure (b) of FIG. 23, contains a signature generation instruction command, message data for a certificate to be generated, and data designating the key length and parameters.
  • the module (HSM 3 ) 333 performs signature execution in accordance with the signature generation instruction.
  • the module executes its signature based on the ECDSA.
  • the module (HSM 3 ) 333 transmits a signed public key certificate to the CA server 321 .
  • the CA server 321 retrieves a verification key from the verification key database to check whether the signature on the received public key certificate is valid.
  • the CA server 321 sends the signed public key certificate to the requesting registration authority (RA 2 ) 312 .
  • the registration authority (RA 2 ) 312 forwards the signed public key certificate received to the requesting end entity (EE) 300 .
  • FIG. 24 shows yet another example in which the end entity (EE) 300 outputs a public key certificate issuance request to the registration authority (RA 2 ) 312 , soliciting simultaneous execution of a plurality of signatures.
  • Numerals (1) through (14) in FIG. 24 denote steps to be taken by the parties involved. These steps are described below in ascending order.
  • the end entity (EE) 300 transmits to the registration authority (RA 2 ) 312 data including user data necessary for issuing a public key certificate in the form of a public key certificate issuance request.
  • the registration authority (RA 2 ) 312 verifies that what is received is a legitimate certificate issuance request from the end entity (EE) 300 , registers the requesting user, and carries out other related steps.
  • the registration authority 312 then transmits the certificate issuance request to the CA server 321 , along with a certificate issuance request command, necessary message data including certificate storage data, a registration authority identifier (ID); and data specifying a plurality of signature algorithms, key lengths and parameters, as shown in subfigure (a) of FIG. 24.
  • the CA server 321 Upon receipt of the certificate issuance request, the CA server 321 references the RA management database to determine HSMs for signature execution.
  • modules HSM 2 and HSM 3 are selected as the signature execution modules in accordance with the RA management database entries shown in subfigure (a) of FIG. 21.
  • the CA server 321 outputs a signature generation instruction first to the signature module (HSM 2 ) 332 .
  • the instruction as shown in subfigure (b) of FIG. 24, contains a signature generation instruction command, message data for a certificate to be generated, and data designating a key length.
  • the module (HSM 2 ) 332 performs signature execution in accordance with the signature generation instruction.
  • the module executes its signature based on the ECDSA.
  • the module (HSM 2 ) 332 transmits a signed public key certificate to the CA server 321 .
  • the CA server 321 retrieves a verification key from the verification key database to check whether the signature on the received public key certificate is valid.
  • the CA server 321 then outputs the signature generation instruction to the signature module (HSM 3 ) 333 .
  • the instruction as shown in subfigure (c) of FIG. 24, contains a signature generation instruction command, message data for a certificate to be generated, and data designating the key length and parameters.
  • the module (HSM 3 ) 333 performs signature execution in accordance with the signature generation instruction. In this case, the module executes its signature based on the ECDSA.
  • the module (HSM 3 ) 333 After the signature execution, the module (HSM 3 ) 333 transmits a signed public key certificate to the CA server 321 .
  • the CA server 321 retrieves verification keys from the verification key database to check whether the signatures on the received public key certificate are valid.
  • the CA server 321 sends the signed public key certificate to the requesting registration authority (RA 2 ) 312 .
  • the registration authority (RA 2 ) 312 forwards the signed public key certificate received to the requesting end entity (EE) 300 .
  • FIG. 25 is a block diagram outlining the setup of this example. As shown in FIG. 25, the setup includes a certificate authority (CA) 401 and a registration authority (RA) 402 each having a signature module structure management table.
  • CA certificate authority
  • RA registration authority
  • the signature module structure management table associates signature algorithm identifiers (1 through n) with HSMs executing their respectively assigned signature algorithms.
  • This table is generated by the certificate authority (CA) 401 randomly associating the signature algorithm identifiers with the HSMs involved. The table is updated periodically or as needed.
  • the generated table is delivered to each registration authority (RA) 402 .
  • the registration authority (RA) 402 When requested to issue a public key certificate by an end entity, the registration authority (RA) 402 generates a certificate issuance request furnished with a signature algorithm identifier (any one of 1 through n) and sends the request to the certificate authority (CA) 401 .
  • the certificate authority (CA) 401 searches the signature module structure management table for an HSM based on the signature algorithm identifier contained in the certificate issuance request received. When the corresponding HSM is selected, the certificate authority (CA) 401 outputs a signature request to the HSM in question.
  • a leaked signature module structure management table does not result in any essential signature algorithm leaking out. This makes it possible effectively to prevent illegal signature generation by a third party. It is preferred that the signature module structure management table be made tamper-resistant by having it signed by the certificate authority.
  • RA registration authority
  • the process of ECC signature generation may be divided into such steps as hash value generation, random number generation, generation of a coordinate value V, etc., as described earlier with reference to FIG. 6. These steps are carried out individually by independent modules.
  • the result of processing by one module is forwarded to the next downstream module for another process.
  • the data transferred from one module to another are given an intermediate signature by each transmitting module; each receiving module adds another intermediate signature to the collection of the transferred data and intermediate signatures furnished so far.
  • the last-signed result is received by the CA server 501 from the module 60 n.
  • Signature generation thus involves the series of steps being carried out in a predetermined order by all modules involved.
  • HSM signature modules
  • the module HSM 1 ( 601 ) may execute an RSA signature
  • the module HSM 2 ( 602 ) may execute an ECDSA signature “a”
  • the module HSMx ( 60 x ) may carry out an ECDSA signature “x” using a different parameter.
  • the result of the execution of these multiple signatures is transmitted to the CA server 501 .
  • each transmitting module also executes an intermediate signature onto the message
  • each receiving module adds another intermediate signature to the collection of the transferred message data and intermediate signatures furnished so far.
  • the CA server 501 in this setup is required individually to manage verification keys regarding the different modules.
  • signatures are generated by a plurality of signature modules under control of the certificate authority (CA), the modules performing their respectively assigned signature generation processes while transferring a public key certificate made of signature-supplemented message data from one module to another in a predetermined order. Because signature generation based on any single signature module is impossible, the generation of an illegal signature by a third party taking advantage of data leaks from any module is made effectively unfeasible.
  • CA certificate authority
  • CA certificate authority
  • RA registration authority
  • CA certificate authority
  • the single certificate authority can issue public key certificates each bearing a signature of a different algorithm.
  • a certificate authority which has a plurality of signature modules each executing a different signature algorithm such as RSA or ECDSA and which allows some of the signature modules selectively to execute a plurality of signatures as requested by any registration authority (RA) under control of the certificate authority.
  • the certificate authority in this setup permits generation of a single public key certificate carrying a plurality of signatures based on different algorithms.
  • public key certificate issuing system public key certificate issuing method, digital certification apparatus, and program storage medium, it is possible to provide a plurality of signature modules each executing part of steps representing various signature algorithms such as RSA and ECDSA, the modules being suitably coordinated to execute an integral signature process made up of the steps. This arrangement also forestalls illegal signature generation by a third party utilizing a leak of data from an individual signature module.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A public key certificate issuing system is disclosed which comprises a certificate authority for issuing a public key certificate used by an entity, and a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to the certificate authority. The certificate authority, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with the public key certificate issuance request from the registration authority, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate.

Description

    BACKGROUND OF THE INVENTION
  • The present invention relates to a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for processing the issuance of a public key certificate proving the validity of a public key used by an electronic delivery system in transmitting encrypted data. More particularly, the invention relates to a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for use by a certificate authority (CA) that issues a public key certificate compatible with a plurality of signature algorithms, whereby entities utilizing such public key certificates are afforded enhanced convenience. [0001]
  • Today, diverse kinds of software data such as game program data, voice data, image data, and word-processing program data (generically called contents) are being exchanged over networks and particularly over the Internet. Electronic commerce is also on the increase, characterized by online shopping outlets and networkbased merchandising schemes. [0002]
  • In such a network-based data communication environment, it is customary to ensure data security, i.e., to make sure that the transmitting and receiving sides are a legitimate party to each other before exchanging the necessary data. One representative technique for implementing data security during data transfer involves combining data encryption with signing of data. [0003]
  • Encrypted data are decrypted to plain text data by use of a predetermined procedure. Various methods for encrypting and decrypting information using an encryption key and a decryption key respectively have been known. [0004]
  • One of the diverse methods of data encryption and decryption based on encryption and decryption keys is so-called public key cryptosystem. This system involves a transmitting party having one key and a receiving party possessing another key, one of the keys being used as a public key for use by indefinite users, the other key being kept private. Illustratively, a data encryption key may be used as a public key and a decryption key as a private key. As another alternative, an authentication code generation key may be used as a private key and an authentication code decryption key as a public key. [0005]
  • Compared with so-called common key cryptosystem using a common key in both encryption and decryption, the public key cryptosystem is advantageous in terms of key management in that the private key need only be possessed by one particular person. Because of its lower data processing speed than the common key cryptosystem, the public key cryptosystem is more often utilized in applications involving limited amounts of data such as delivery of private keys and digital signatures. A representative example of the public key cryptosystem is RSA (Rivest-Shamir-Adleman) cryptosystem. The system uses a product of two very large prime numbers (e.g., of 150 digits each), taking advantage of the difficulty in factorizing the product of two large prime numbers into prime factors (and in obtaining the discrete logarithm of the product). [0006]
  • Another representative example of the public key cryptosystem is elliptic curve cryptography (ECC). This scheme capitalizes on the fact that computations can be defined between points on an elliptic curve whereby something similar to a discrete logarithmic problem (elliptic discrete logarithmic problem) can be created. [0007]
  • Whereas the RSA cryptosystem based on the factorization into prime factors is subject to subexponential decryption, elliptic discrete logarithmic problems can only be solved by exponential decryption. While the RSA cryptosystem has a key size of 512, 1,024 or 2,048 bits, schemes utilizing elliptic curve cryptography (ECC) such as elliptic curve digital signature algorithm (ECDSA) have a key size of as small as 160, 192 or 224 bits and still ensure the same degree of security as the RSA. Because of its reduced key size, the ECDSA provides a significantly high processing speed. [0008]
  • The public key cryptosystem is structured to offer public keys for use by an indefinite number of people. As such, the system most often utilizes what is known as a public key certificate proving that a distributed public key is valid. For example, suppose that a user A generates a key pair consisting of a public key and a private key and sends the generated public key to a certificate authority. In turn, the certificate authority sends back a public key certificate to the user A. The user A then discloses the public key certificate thus obtained to the public. An indefinite number of users go through a predetermined procedure to acquire the public key from the public key certificate, encrypt documents or other desired data using the acquired public key, and transmit what is encrypted to the user A. The user A decrypts the encrypted documents or data received using the previously generated private key. The user A also attaches signatures to the documents using the private key. The indefinite number of users go through the predetermined procedure to obtain the public key from the public key certificate and have the attached signatures verified. [0009]
  • The public key certificate will now be described by referring to FIG. 1. The public key certificate is a certificate issued by a certificate authority (CA; also called an issuing authority or IA) on public key cryptosystem. When a user submits his ID and a public key to be included into a certificate, the certificate authority completes the certificate by furnishing it with a signature. [0010]
  • A typical public key certificate shown in FIG. 1 includes: a certificate version number; a serial number allocated to a certificate user by a certificate authority (CA); algorithm and parameters used for signature by the RSA, ECDSA, etc.; a certificate authority name; the period of certificate validity; the certificate user's name (user ID); the user's public key; and a digital signature. [0011]
  • The digital signature is generated to attest the whole range of certified items: certificate version number, certificate authority serial number, signature algorithm and parameters, certificate authority name, certificate validity, user ID, and user's public key. Illustratively, a hash value is generated using hash function, and the certificate authority's private key is applied to the hash value to generate the signature. [0012]
  • The certificate authority issues public key certificates such as the one shown in FIG. 1, updates expired public key certificates; and creates, manages and distributes a certificate revocation list that repudiates unscrupulous users. The certificate authority also generates public and private keys as needed. [0013]
  • When utilizing a public key certificate, a user gets a digital signature on his public key certificate verified using a certificate authority's public key in his possession. After the successful verification of the digital signature, the user utilizes the public key by extracting it from the public key certificate. It follows that all users employing public key certificates must have a common public key of the certificate authority. [0014]
  • A data transmission system may include a public key cryptosystem like the above-described scheme using public key certificates issued by the certificate authority. In that setup, the system allows each user to have the digital signature of his public key certificate verified and to extract the public key from the public key certificate after the successful signature verification. The user is then allowed to carry out a certification process based on the public key cryptosystem or to encrypt or decrypt outgoing or incoming data using the cryptosystem. The problem is that end entities such as user devices performing various processes based on the public key cryptosystem are rarely compatible with all of such diverse encryption algorithms as the ECDSA, RSA and others. In most cases, each entity is capable of dealing with only one algorithm (ECDSA algorithm or RSA algorithm in particular). [0015]
  • Such devices each compatible with only a specific encryption algorithm can only be used with public key certificates based on that algorithm alone. Public key certificates signed by use of any other algorithm cannot be verified upon receipt. [0016]
  • One of the challenges to be addressed in establishing a certificate authority (CA) is how to store private keys as signature keys while ensuring security in providing signatures. Another challenge is how to improve the speed of signature computation, which is conducive to boosting system performance of the certificate authority. One way to ensure signature security and boost computing speed is by resorting to dedicated hardware (HSM: hardware security modules) for signature key (private key) storage and signature provision. Highly tamper-resistant, HSMs play a significant role in enhancing the level of security. At present, there are systems utilizing HSMs but none of them is compatible with multiple different signature algorithms. Hence the growing need for the certificate authority (CA) to accommodate a plurality of signature algorithms. [0017]
  • Conventionally, as shown in FIG. 2, an ECDSA end entity (device) [0018] 23 (compatible with the ECDSA algorithm) requests an ECDSA registration authority (ECDSA-RA) 22 (performing a signature process based on the ECDSA algorithm) to issue or update a public key certificate. The ECDSA registration authority 22 certifies entities or devices taking part in various services, receives public key certificate issuance requests from these entities or devices, and forwards the requests to an ECDSA certificate authority (ECDSA-CA) 21 that performs a signature process based on the ECDSA algorithm. In turn, the ECDSA certificate authority 21 issues public key certificates based on the signature process using the ECDSA algorithm, and distributes the certificates to the ECDSA end entities 23 via the ECDSA registration authority 22.
  • On the other hand, an RSA end entity (device) [0019] 33 (compatible with the RSA algorithm) requests an RSA registration authority (RSA-RA) 32 (performing a signature process by use of the RSA algorithm) to issue or update a public key certificate. The RSA registration authority 32 certifies entities or devices participating in diverse services, receives public key certificate issuance requests from these entities or devices, and forwards the requests to an RSA certificate authority (RSA-CA) 31 that performs a signature process based on the RSA algorithm. In turn, the RSA certificate authority 31 issues public key certificates based on the signature process using the RSA algorithm, and distributes the certificates to the RSA end entities 33 via the RSA registration authority 32.
  • As described, two (or more) different processing blocks are established to deal with two different signature algorithms. Each processing block constitutes a closed system wherein a public key cryptosystem specific to that block alone is used to effect certification and transmit encrypted data. [0020]
  • The ECDSA [0021] end entity 23 is incapable of verifying a public key certificate received from the RSA device 33 with a signature in RSA algorithm. The received public key certificate will not serve as a certificate as long as its validity is not established. Conversely, the RSA end entity 33 cannot verify a public key certificate received from the ECDSA end entity 23 with a signature in ECDSA algorithm; the validity of the public key certificate remains uncertain following its receipt.
  • If the [0022] ECDSA end entity 23 and RSA end entity 33 in FIG. 2 were to verify the validity of a public key certificate coming from the other party, each party must resort to a circuitous validation procedure: the received public key certificates are first transmitted respectively to the ECDSA registration authority 22 and RSA registration authority 32, and forwarded from there to the ECDSA certificate authority 21 and RSA certificate authority 31. The ECDSA certificate authority 21 and RSA certificate authority 31 then exchange queries about the respective certificates. The results of the queries are sent back finally to the respective end entities for certification purposes.
  • It is therefore an object of the present invention to overcome the above and other deficiencies of the related art, particularly of data communication systems based on the public key cryptosystem dealing with public key certificates, and to provide a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for allowing a single certificate authority to support a plurality of encryption algorithms and to issue a public key certificate with signatures in different algorithms so that devices each compatible with a particular encryption algorithm alone, such as ECDSA end entities or RSA end entities, may effectively utilize the public key certificate from one another for cross-certification and data communication therebetween. [0023]
  • SUMMARY OF THE INVENTION
  • In carrying out the invention and according to a first aspect thereof, there is provided a public key certificate issuing system including: a certificate authority for issuing a public key certificate used by an entity; and a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to the certificate authority; wherein the certificate authority, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with the public key certificate issuance request from the registration authority, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate. [0024]
  • In one preferred structure according to the first aspect of the invention, the certificate authority may have a plurality of signature modules and a certificate authority server for outputting a signature processing request to the plurality of signature modules; the certificate authority server may receive the public key certificate issuance request from the registration authority, select at least one of the plurality of signature modules in response to the public key certificate issuance request, and output the signature processing request to the selected signature module; and each of the plurality of signature modules may attach a digital signature to the message data constituting the public key certificate in response to the signature processing request received from the certificate authority server. [0025]
  • In another preferred structure of the invention, the certificate authority may have a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of the registration authorities; and given a public key certificate issuance request from any registration authority, the certificate authority may select the signature module associated with the relevant signature algorithm based on the registration authority management data. [0026]
  • According to a further preferred structure of the invention, the registration authority management data may include key length and parameter information applicable to signatures. [0027]
  • In an even further preferred structure of the invention, the registration authority management data may include signature module identification information applicable to signatures. [0028]
  • In a still further preferred structure of the invention, the registration authority may transmit signature algorithm designation information along with the public key certificate issuance request to the certificate authority; and the certificate authority, based on the signature algorithm designation information received along with the public key certificate issuance request, may select a signature module applicable to the designated signature algorithm. [0029]
  • In a yet further preferred structure of the invention, the signature algorithm designation information may include key length and parameter information applicable to signatures. [0030]
  • In another preferred structure of the invention, the certificate authority may have a verification key database which stores keys for signature verification in association with each of the plurality of signature modules; and the certificate authority may verify signatures generated by each of the plurality of signature modules. [0031]
  • In a further preferred structure of the invention, the certificate authority may use at least two of the plurality of signature modules to attach at least two different digital signatures to one public key certificate. [0032]
  • In an even further preferred structure of the invention, the certificate authority may select at least two of the plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation. [0033]
  • In a still further preferred structure of the invention, the certificate authority and the registration authority may each have a signature module structure management table which associates signature algorithm identifiers with identifiers of the plurality of signature modules; the registration authority may issue to the certificate authority a public key certificate issuance request designating a signature algorithm identifier in accordance with the signature module structure management table; and the certificate authority, upon receipt of the signature algorithm identifier from the registration authority, may select the signature module applicable to the received identifier from the signature module structure management table. [0034]
  • In a yet further preferred structure of the invention, at least part of the plurality of signature modules may have a common signature key stored therein. [0035]
  • In another preferred structure of the invention, a plurality of signature algorithms may be executed by each of the plurality of signature modules. [0036]
  • According to a second aspect of the invention, there is provided a public key certificate issuing method for use with a certificate authority for issuing a public key certificate used by an entity, and with a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to the certificate authority, the method comprising the steps of: causing the certificate authority selects, from among a plurality of signature modules each executing a different signature algorithm, at least one of the signature modules in accordance with the public key certificate issuance request from the registration authority; and causing the selected signature module to attach a digital signature to message data constituting a public key certificate. [0037]
  • In one preferred variation according to the second aspect of the invention, the public key certificate issuing method may further comprise the steps of: causing a certificate authority server to receive a public key certificate issuance request from the registration authority; causing the certificate authority server to select at least one of the plurality of signature modules in response to the public key certificate issuance request; and causing the certificate authority server to output a signature processing request to the selected signature module. [0038]
  • In another preferred variation of the invention, the step involving the certificate authority server selecting the signature module may include selecting the signature module based on a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of the registration authorities. [0039]
  • In a further preferred variation of the invention, the step involving the certificate authority server selecting the signature module may include selecting the signature module based on signature algorithm designation information received along with the public key certificate issuance request. [0040]
  • In an even further preferred variation of the invention, the public key certificate issuing method may further include the step of causing the certificate authority to verify signatures generated by each of the plurality of signature modules. [0041]
  • In a still further preferred variation of the invention, the public key certificate issuing method may further include the step of causing the certificate authority to use at least two of the plurality of signature modules to attach at least two different digital signatures to one public key certificate. [0042]
  • In a yet further preferred variation of the invention, the public key certificate issuing method may further include the step of causing the certificate authority to select at least two of the plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation. [0043]
  • In another preferred variation of the invention, the certificate authority and the registration authority may each have a signature module structure management table which associates signature algorithm identifiers with identifiers of the plurality of signature modules, and the public key certificate issuing method may further comprise the steps of: causing the registration authority to issue to the certificate authority a public key certificate issuance request designating a signature algorithm identifier in accordance with the signature module structure management table; and causing the certificate authority, upon receipt of the signature algorithm identifier from the registration authority, to select the signature module applicable to the received identifier from the signature module structure management table. [0044]
  • In a further preferred variation of the invention, the public key certificate issuing method may further comprise the step of having a plurality of signature algorithms executed by each of the plurality of signature modules. [0045]
  • According to a third aspect of the invention, there is provided a digital certification apparatus for constituting a certificate authority which issues a public key certificate used by an entity: wherein the digital certification apparatus, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with a public key certificate issuance request received from outside, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate. [0046]
  • In one preferred structure according to the third aspect of the invention, the digital certification apparatus may further comprise a plurality of signature modules and a certificate authority server for outputting a signature processing request to the plurality of signature modules; wherein the certification authority may receive the public key certificate issuance request, select at least one of the plurality of signature modules in response to the public key certificate issuance request, and output the signature processing request to the selected signature module; and wherein each of the plurality of signature modules may attach a digital signature to the message data constituting the public key certificate in response to the signature processing request received from the certificate authority server. [0047]
  • In another preferred structure of the invention, the digital certification apparatus may further comprise a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of the registration authorities; wherein, given a public key certificate issuance request from any registration authority, the digital certification apparatus may select the signature module associated with the relevant signature algorithm based on the registration authority management data. [0048]
  • In a further preferred structure of the invention, the registration authority management data may include key length and parameter information applicable to signatures. [0049]
  • In an even further preferred structure of the invention, the registration authority management data may include signature module identification information applicable to signatures. [0050]
  • In a still further preferred structure of the invention, the digital certification apparatus may, based on signature algorithm designation information received along with the public key certificate issuance request, select a signature module applicable to the designated signature algorithm. [0051]
  • In a yet further preferred structure of the invention, the signature algorithm designation information may include key length and parameter information applicable to signatures. [0052]
  • In another preferred structure of the invention, the digital certification apparatus may further comprise a verification key database which stores keys for signature verification in association with each of the plurality of signature modules; wherein the digital certification apparatus may verify signatures generated by each of the plurality of signature modules. [0053]
  • In a further preferred structure of the invention, the digital certification apparatus may use at least two of the plurality of signature modules to attach at least two different digital signatures to one public key certificate. [0054]
  • In an even further preferred structure of the invention, the digital certification apparatus may select at least two of the plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation. [0055]
  • In a still further preferred structure of the invention, the digital certification apparatus may further comprise a signature module structure management table which associates signature algorithm identifiers with identifiers of the plurality of signature modules; wherein the digital certification apparatus may, upon receipt of a signature algorithm identifier along with the public key certificate issuance request, select the signature module applicable to the received identifier from the signature module structure management table. [0056]
  • In a yet further preferred structure of the invention, at least part of the plurality of signature modules may have a common signature key stored therein. [0057]
  • In another preferred structure of the invention, a plurality of signature algorithms may be executed by each of the plurality of signature modules. [0058]
  • According to a fourth aspect of the invention, there is provided a program storage medium which stores a computer program executed by a computer system in carrying out public key certificate issuance processing to issue a public key certificate for use by an entity, the computer program comprising the steps of: selecting, from among a plurality of signature modules each executing a different signature algorithm, at least one of the signature modules in accordance with a public key certificate issuance request; and causing the selected signature module to attach a digital signature to message data constituting a public key certificate. [0059]
  • The program storage medium according to the fourth aspect of the invention is a medium that offers a computer program in computer-readable format for use on a general-purpose computer capable of executing diverse program codes. The medium may be any one of such storage media as CDs (compact discs), FDs (floppy discs) and MOs (magneto-optical discs); or of transmission media such as networks, and others. [0060]
  • The above type of program storage medium retains definitions of structural or functional relations of cooperation between the medium carrying the computer program on the one hand, and the computer program for implementing necessary computer program functions on the computer system on the other hand. That is, once the computer program is installed into the computer system by means of the program-carrying medium, the computer system performs cooperative operations based on the program providing the same effects as those of the other aspects of the present invention. [0061]
  • Other objects, features and advantages of the invention will become more apparent upon a reading of the following description and appended drawings.[0062]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic view of a typical public key certificate; [0063]
  • FIG. 2 is a schematic view outlining a conventional public key certificate issuing system; [0064]
  • FIG. 3 is a schematic view outlining a public key certificate issuing system according to this invention; [0065]
  • FIG. 4 is a tabular view detailing a data structure of a public key certificate; [0066]
  • FIG. 5 is another tabular view detailing the data structure of the public key certificate; [0067]
  • FIG. 6 is a flowchart of steps constituting an ECDSA signature generation process; [0068]
  • FIG. 7 is a flowchart of steps constituting an ECDSA signature verification process; [0069]
  • FIG. 8 is a flowchart of steps carried out to generate keys necessary for RSA signature processing; [0070]
  • FIG. 9A is a flowchart of steps constituting an RSA signature generation process; [0071]
  • FIG. 9B is a flowchart of steps constituting an RSA signature verification process; [0072]
  • FIG. 10 is a block diagram showing a typical structure of a certificate authority (CA) server; [0073]
  • FIG. 11 is a tabular view depicting a typical structure of a registration authority (RA) management database owned by the certificate authority server; [0074]
  • FIG. 12 is a tabular view indicating a typical structure of a verification key database owned by the certificate authority server; [0075]
  • FIG. 13 is a block diagram illustrating a typical HSM (hardware security module) structure including a signature module; [0076]
  • FIG. 14 is a schematic view of a setup where the same signature key is shared by a plurality of signature modules; [0077]
  • FIG. 15 is a flowchart of steps constituting the process of having the same signature key shared by a plurality of signature modules; [0078]
  • FIG. 16 is another flowchart of steps constituting the process of having the same signature key shared by a plurality of signature modules; [0079]
  • FIG. 17 is yet another flowchart of steps constituting the process of having the same signature key shared by a plurality of signature modules; [0080]
  • FIG. 18 is a flowchart of steps constituting the process of storing a signature key into a signature module; [0081]
  • FIG. 19 is a flowchart of steps constituting a signature process performed by a signature module using a signature key; [0082]
  • FIG. 20 is a flowchart of steps constituting a signature module determining process performed by a signature module during signature process execution; [0083]
  • FIG. 21 is a schematic view with subfigures for explaining a typical signature process performed by signature modules (as example 1); [0084]
  • FIG. 22 is a schematic view with subfigures for explaining another typical signature process performed by signature modules (as example 2); [0085]
  • FIG. 23 is a schematic view with subfigures for explaining another typical signature process performed by signature modules (as example 3); [0086]
  • FIG. 24 is a schematic view with subfigures for explaining another typical signature process performed by signature modules (as example 4); [0087]
  • FIG. 25 is a schematic view of a typical setup for privately managing a signature module structure; and [0088]
  • FIG. 26 is a schematic view of the process of getting a plurality of signature modules to perform signature processes in cooperation.[0089]
  • DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Preferred embodiments of this invention will now be described in detail by referring to the accompanying drawings. Major terms used in the ensuing description are defined below. [0090]
  • A certificate authority (CA) is an organ that creates and issues public key certificates. [0091]
  • A registration authority (RA) is an organ that performs registration work for issuing public key certificates. The registration authority is requested to issue a public key certificate by a user, a service provider, a server or other party (called an end entity, to be defined later) desirous of utilizing a public key certificate. In turn, the registration authority sends a public key certificate issuance request to the certificate authority. In response to the request, the certificate authority issues a public key certificate to the registration authority which then forwards the certificate to the requesting party. [0092]
  • A hardware security module (HSM) is a piece of dedicated hardware for retaining a signature key and attaching it to a certificate. [0093]
  • An end entity (EE) is a subject to which a public key certificate is issued. As such, the end entity may be a device, a server, a user, a service provider, or any other entity utilizing the certificate. [0094]
  • [Certificate Authority (CA) Having a Plurality of Signature Modules][0095]
  • Described below is a typical structure of a certificate authority (CA) acting as a digital certification apparatus that possesses a plurality of signature modules. One of the challenges in establishing the certificate authority is how to store private keys securely in a system based on a public key cryptosystem while ensuring security in providing signatures. Another challenge is how to improve the computing speed of signature provision, which is conducive to boosting system performance of the certificate authority. [0096]
  • One way to ensure signature security and boost computing speed is by utilizing dedicated hardware (hardware security modules) for signature key (private key) storage and signature provision. Highly tamper-resistant, the HSM plays a significant role in enhancing the level of security. However, encryption algorithms executed by individual HSMs are fixed and cannot be altered in any way. [0097]
  • The inventive system comprises a certificate authority (CA) capable of accommodating a plurality of different signature algorithms, key lengths and parameters. More specifically, the certificate authority is structured to include a plurality of signature modules implemented either by dedicated hardware (HSM) or by software executing different signature algorithms. [0098]
  • FIG. 3 is a schematic view showing how a certificate authority acting as a digital certification apparatus (CA) comprising a plurality of signature modules typically operates. In FIG. 3, a [0099] CA server 71 in a certificate authority 70 receives via registration authorities (RA) 81 through 85 a public key certificate issuance request sent from any one of various end entities (EE) such as servers, users and service providers wishing to utilize a public key certificate.
  • The [0100] registration authorities 81 through 85 each have a specific signature algorithm such as Rivest-Shamir-Adleman (RSA) cryptosystem or elliptic curve cryptography (ECC) ready to be applied to a public key certificate that may be issued for use by end entities (EE) under jurisdiction of the registration authority in question. Of the signature algorithms thus furnished, one or more algorithms are selectively designated in a public key certificate issuance request bound for the certificate authority 70. The request with a specific signature algorithm designated therein requires having a signature executed in the specified algorithm. Given such a request from an end entity, one of the registration authorities (RA) 81 through 85 forwards the request to the certificate authority 70, calling on the latter to issue a public key certificate with the signature in the specified encryption algorithm. The public key certificate thus issued is sent to and subsequently verified by the end entity in question. The applicable signature algorithm varies from one registration authority to another.
  • Public key certificate issuance requests from registration authorities are accepted by the [0101] CA server 71 in the certificate authority (CA) 70. In turn, the CA server 71 selects some of signature modules 72 a through 72 n in accordance with a table that associates each of the registration authorities (RA) 81 through 85 owned by the CA server 71 with a specific signature algorithm. When the necessary signature modules are selected from the table, the CA server 71 generates public key certificates and sends them to the selected modules along with a signature execution instruction each.
  • Upon receipt of the public key certificates along with the signature execution instruction, the signature modules in question carry out their respective signature processes using the applicable signature algorithms (e.g., RSA, ECDSA). The signed public key certificates are returned to the [0102] CA server 71. The CA server 71, on receiving the signed public key certificates from the modules involved, forwards the certificates to the requesting registration authorities (RA) 81 through 85.
  • Each of the [0103] signature modules 72 a through 72 n either receives externally or generates internally a certificate authority signature key in accordance with a particular signature algorithm for signature execution. The signature modules 72 a through 72 n each comprise a hardware security module (HSM), i.e., a dedicated piece of hardware for signature execution; or a dedicated processor or CPU for carrying out a signature by use of a program capable of executing the applicable signature algorithm. Tamper-resistant, the signature modules 72 a through 72 n use signature keys to sign messages based on the components of a public key certificate generated by the CA server 71. In the description that follows, the HSM constituting a processing unit comprising a signature module may be replaced either by a dedicated processor for executing a signature using a program capable of executing the relevant signature algorithm, or by a CPU-equipped module carrying out a software-based signature process.
  • Typical signature processes performed by the [0104] signature modules 72 a through 72 n include Rivest-Shamir-Adleman (RSA) cryptosystem and elliptic curve digital signature algorithm (ECDSA). With each cryptosystem, different key lengths entail different computing speeds and afford different levels of security. The most-often utilized key lengths are 512 bits, 1,024 bits or 2,048 bits for the RSA cryptosystem; and 160 bits, 192 bits or 224 bits for the ECDSA. With the ECDSA in effect, the signature algorithm is determined and the level of security is varied by an elliptic curve y2=X3+ax+b in a field F(p)(p is a prime number or 2 to an n-th power) together with characteristic “p,” orders “r, “a” and “b”; and by a base point (Gx, Gy) on the curve. This signature algorithm will be described later in more detail.
  • [Public Key Certificate][0105]
  • A public key certificate is issued by a third party called a certificate authority (CA) attesting to the validity of a public key for use by two parties for cross-certification in exchanging data or encryption data therebetween. A typical format of the public key certificate adopted by the inventive system is described below in detail by referring to FIGS. 4 and 5. The format example shown in FIGS. 4 and 5 is based on the public key certificate format X.509, V3. [0106]
  • In the format shown in FIG. 4, a “version” field indicates the version of the certificate format in use. [0107]
  • A “serial number” field accommodates a serial number attached to a public key certificate by the certificate authority (CA). [0108]
  • A “signature algorithm identifier—algorithm, parameters” field records a signature algorithm and algorithm parameters used in the public key certificate in question. The signature algorithm is typically elliptic curve cryptography (ECC), RSA, or others. If the ECC is in effect, parameters and a key length are recorded; if the RSA is in use, then a key length is recorded. If any other cryptosystem is adopted, the identifier of that cryptosystem is recorded in this field. [0109]
  • An “issuer” field records as a distinguished name the name of a public key certificate issuer, i.e., of the certificate authority (CA) in effect. [0110]
  • A “validity—not before, not after” field accommodates a starting date and time (Not Before) as well as an ending date and time (Not After). [0111]
  • A “subject” field records the name of a subject, i.e., of a user who utilizes the certificate. Specifically, the subject may be represented by the ID of a user device or of a service offering entity. [0112]
  • A “subject public key information-algorithm, subject public key” field contains a key algorithm as the user's public key information, and key information itself. [0113]
  • The fields explained so far are included in the public key certificate format X.509, V1. The fields to be described below are those added to the public key certificate format X.509, V3. [0114]
  • An “authority key identifier—key identifier, authority certificate issuer, authority certificate serial number” field contains information for identifying a certificate authority (CA) key. A key identifier (octal number), the name of the certificate authority, and a certificate serial number are recorded in this field. [0115]
  • A “subject key identifier” field accommodates identifiers for identifying a plurality of keys for use in a public key certificate. [0116]
  • A “key usage” field designates the purpose of key usage selected from among the following: (0) for digital signature, (1) for repudiation prevention, (2) for key encryption, (3) for message encryption, (4) for distribution of a common key, (5) for verification of a certificate signature, or (6) for verification of a signature on a certificate revocation list. [0117]
  • A “private key usage period—not before, not after” field records the usage period of a private key owned by the user. [0118]
  • A “certificate policies” field records certificate issuance policies applicable to the certificate authority (CA) and registration authority (RA) in question. For example, IDs of certification policies based on the ISO/IEC 9384-1 are recorded in this field. [0119]
  • A “policy mappings—issuer domain policy, subject domain policy” field is used only when the certificate authority needs to be certified. The field records mappings regarding the policy of the certificate authority as a certificate issuer, and the policy of the subject. [0120]
  • A “supported algorithms—algorithm identifier, intended usage, intended certificate policies” field defines attributes of a directory (X.500). Where the opposite party of communication is to use directory information, definitions in this field inform that party of the directory attributes in advance. [0121]
  • “subject alternative name” field records an alternative name of the user. [0122]
  • An “issuer alternative name” field records an alternative name of the certificate issuer. [0123]
  • A “subject directory attributes” field accommodates any attributes of the user. [0124]
  • A “basic constraints—CA, path length constraint” field is used to specify whether the public key subject to certification is to be used for signature by the certificate authority (CA) or by the user. [0125]
  • A “name constraints—permitted subtrees, base, minimum, maximum, excluded subtrees” field indicates effective domains of a certificate used only when the subject is the certificate authority. [0126]
  • A “policy constraints—require explicit policy, inhibit policy mapping” field describes constraints requiring explicit policy IDs and inhibit policy mapping for the remaining certification paths. [0127]
  • A “CRL (certificate revocation list) distribution points” field describes points at which the user, upon utilizing a certificate, references a certificate revocation list (CRL) to see whether the certificate is revoked. [0128]
  • A “signature” field contains the signature of the certificate authority (CA). [0129]
  • [Signature Algorithms][0130]
  • The above signature attached to a public key certificate is a digital signature executed onto data constituting the certificate through the use of a private key issued by a public key certificate issuer (certificate authority or CA). By utilizing a public key issued by the certificate authority, the user of a public key certificate is able to check whether the certificate has been tampered with. [0131]
  • A digital signature algorithm based on elliptic curve cryptography (ECC) is described below with reference to FIG. 6. The flowchart of steps in FIG. 6 constitutes the process of generating digital signature data by use of ECDSA (elliptic curve digital signature algorithm (IEEE P1363/D3)). [0132]
  • Each of the steps in FIG. 6 will now described. In step S[0133] 1, it is assumed that “p” represents a characteristic; that “a” and “b” denote coefficients of an elliptic curve (4 a 3+27 b 2≠0 (mod p)); and that “G” stands for a base point on the elliptic curve, “r” for the order of “G,” and “Ks” for a private key (0<Ks<r). In step S2, a hash value of a message M is calculated (f=Hash(M)).
  • How to obtain a hash value using a hash function is explained here. A message is input to the hash function for compression into data of a predetermined bit length. The compressed result is output as a hash value. The hash function has a number of distinct characteristics: it is difficult to predict an input from a given hash value (output); a change of a single bit in the input data to the hash function leads to changes of numerous bits in the resulting hash value; and it is also difficult to find different input data having the same hash value. Illustratively, the hash function most frequently used is MD[0134] 4, MD5, or SHA-1; it may also be DES-CBC. In the last case, the final output value MAC (check value, equivalent to ICV) makes up the hash value.
  • In step S[0135] 3, a random number “u” (0<u<r) is generated. In step S4, a coordinate “V” (Xv, Yv) is calculated using the base point multiplied by “u.” An addition and a diploid operation on the elliptic curve are defined as follows:
  • Let P=(Xa, Ya), Q=(Xb, Yb), R=(Xc, Yc)=P+Q. If P≠Q (addition), then  [Expression 1]
  • Xc=λ 2 −Xa−Xb
  • Yc=λ×(Xa−Xc)−Ya
  • λ=(Yb−Ya)/(Xb−Xa)
  • If P=Q (diploid operation), then
  • Xc=λ 2−2Xa
  • Yc=λ×(Xa−Xc)−Ya
  • λ=(3(Xa)2 +a)/(2Ya)
  • Given the above factors, the point “G” is multiplied by “u.” The easiest computation, at the expense of speed, is performed as follows: G, 2×G, 4×G, . . . are calculated for expansion into binary numbers. To each position where a “1” exists is added 2i×G (a value of G doubled “i” times, where “i” denotes the bit location counted from the LSB of “u”). [0136]
  • In step S[0137] 5, “c=Xv mod r” is calculated. In step S6, a check is made to see if the result of step S5 is 0. If the resulting value is not 0, step S7 is reached in which a calculation is made of “d=[(f+cKs)/u] mod r.” Step S7 is followed by step S8 in which a check is made to see if the value “d” is 0. If the value “d” is not 0, then step S9 is reached in which the values “c” and “d” are output as digital signature data. If the value “r” is assumed to be 160 bits long, then the digital signature data have a length of 320 bits.
  • If in step S[0138] 6 the value “c” turns out to be 0, then step S3 is reached again in which another random number is generated. Likewise if the value “d” is found to be 0 in step S8, step S3 is reached again and a new random number is generated.
  • How to verify an ECC-based digital signature will now be described by referring to FIG. 7. In step S[0139] 11, it is assumed that “M” stands for a message and “p” for a characteristic; that “a” and “b” denote coefficients of an elliptic curve (y2=x3+ax+b); that “G” stands for a base point on the elliptic curve and “r” for the order of “G”; and that “G” and “Ks×G” represent public keys (0<Ks<r). In step S12, a check is made to see if the digital signature data “c” and “d” satisfy the conditions of 0<c<r and 0<d<r. If the conditions are judged satisfied, step S13 is reached in which a hash value of the message “M” is calculated (f=Hash(M)). In step S14, a calculation is made of “h=1/d mod r.” In step S15, “h1=fh mod r” and “h2=ch mod r” are calculated.
  • In step S[0140] 16, a calculation is made of a point “P=(Xp, Yp)=h1×G+h2.Ks×G” using the previously calculated “h1” and “h2.” Since the party currently verifying the digital signature already knows the public keys “G” and “Ks×G,” it is possible to compute a scalar multiple of a point on the elliptic curve in the same manner as in step S4 of FIG. 6. In step S17, a check is made to see if the point P is an infinite point. If the point P is not an infinite point, step S18 is reached. In fact, whether the point P is an infinite point is determined in step S16. That is, if adding up “P=(X, Y)” and “Q=(X, −Y) renders the calculation of λ impossible, that means “P+Q” constitutes an infinite point. In step S18, a calculation is made of “Xp mod r” for comparison with the digital signature data “c.” If there is a match between the compared values, step S19 is reached in which the digital signature is judged valid.
  • When the digital signature is judged valid, that means the data have not been tampered with. It is ascertained that the parity in possession of the private key corresponding to the public keys has indeed generated the digital signature in question. [0141]
  • If in step S[0142] 12 the digital signature data “c” or “d” fail to satisfy the condition 0<c<r or 0<d<r, then step S20 is reached. If in step S17 the point P turns out to be an infinite point, step S20 is also reached. A mismatch in step S18 between the value “Xp mod r” and the digital signature data “c” also leads to step S20.
  • In step S[0143] 20, the digital signature is judged invalid. That means the data have been tampered with or that the party in possession of the private key corresponding to the public keys has not generated the electronic signature.
  • A digital signature algorithm based on RSA cryptosystem is described below with reference to FIGS. 8, 9A and [0144] 9B. FIG. 8 is a flowchart of steps for generating public and private keys used for signature generation and verification based on RSA cryptosystem. FIG. 9A is a flowchart of steps constituting an RSA signature generation process, and FIG. 9B is a flowchart of steps constituting an RSA signature verification process.
  • In the flowchart of FIG. 8 for generating public and private keys for signature generation and verification, prime numbers “p” and “q” are first selected (of about 150 digits each) in step S[0145] 21. In step S22, “n=pq” is calculated. In step S23, a calculation is made of “L=(p−1) (q−1). In step S24, a positive integer “e” less than “n” and not sharing a common factor with the value “L” is selected to let (n, e) be public keys. In step S25, a positive integer “d” less than the value “L” and satisfying “de=1 mod L” is obtained to let (p, q, d) be private keys.
  • Signature generation and verification using the above public and private keys are conducted as shown in FIGS. 9A and 9B. Upon signature generation, as shown in FIG. 9A, “m=h(M)” is first generated in step S[0146] 31 by applying a hash function “h” to the message M that is the subject of signature generation. In step S32, “S=md mod n” is generated to let “S” be the signature.
  • Upon signature verification, as depicted in FIG. 9B, “m=h(M)” is first generated in step S[0147] 33 by applying a hash function “h” to the message M that is the subject of signature verification. A check is made in step S34 to see whether “m=Se mod n” holds. If the expression holds, then the signature is judged valid in step S35.
  • When the signature is judged valid, that means the data have not been tampered with. It is ascertained that the party in possession of the private keys corresponding to the public keys has indeed generated the digital signature. [0148]
  • If in step S[0149] 34 “m=Se mod n” does not hold, then step S36 is reached in which the signature is judged invalid. That means the data have been tampered with or that the party in possession of the private keys corresponding to the public keys has not generated the digital signature in question.
  • The signature verification process performed on each public key certificate determines its validity. As described above, verification of the signature requires executing encryption processing based on a signature algorithm. The signature algorithm of interest must be executable by any device acting as an end entity. Generally, a common signature algorithm is employed by end entities under control of each registration authority (RA). [0150]
  • [Structure of the Certificate Authority (CA)][0151]
  • In the inventive system, the organ called the certificate authority (CA) issuing public key certificates takes the form of a digital certification apparatus which, possessing a plurality of signature modules as described, is capable of executing diverse signature algorithms including RSA and ECDSA. Structured to accommodate multiple, different signature algorithm and parameters, the certificate authority (CA) selects signature modules as requested by registration authorities (RA) and causes the selected modules to generate signatures based on the respective cryptosystems such as RSA cryptosystem and ECDSA signature algorithm before issuing a public key certificate containing the generated signatures. [0152]
  • As described above with reference to FIG. 3, a public key certificate issuance request is accepted by the [0153] CA server 71 of the certificate authority (CA). Relevant modules 72 a through 72 n are selected as per the table that associates the registration authorities 81 through 85 under control of the CA server 71 with the assigned signature algorithms. The selected signature modules are sent a public key certificate each along with a signature execution instruction. Upon receipt of the public key certificate and signature execution instruction, each selected signature module generates a signature based on the applicable signature algorithm (e.g., RSA, ECC) and returns the signed public key certificate to the CA server 71. In turn, the CA server 71 transmits the signed public key certificate to the registration authority (one of RAs 81 through 85) that originated the public key certificate issuance request.
  • The CA server making up the digital certification apparatus acting as the certificate authority (CA) will now be described by referring to FIG. 10. In FIG. 10, the certificate authority has a [0154] CA server 100 and a plurality of signature modules 150 executing as many signature algorithms. Via an HSM interface 114, the CA server 100 transmits a public key certificate including the above-described structure data (see FIGS. 4 and 5) to any of the signature modules (HSM) 150. The signature module 150 that received the public key certificate generates a signature and returns the signed public key certificate to the CA server 100 through the HSM interface 114. Illustratively a PCI bus or a network such as the Ethernet may connect the CA server 100 with the signature modules 150. All communication paths between the server and the modules are established as secure paths.
  • The [0155] CA server 100 includes three databases: an RA management database 121 that manages information about registration authorities (RA) under control of the CA server, a verification key database 122 that stores keys for verifying public key certificates, and a repository database 123 that accommodates issued public key certificates, a list of public key certificates, and public key certificate revocation list information. These databases are accessed via a database interface (DB-I/F) 116.
  • The [0156] CA server 100 performs cross-certification with the registration authorities (RA) 181 through 183 to verify their identities before receiving a public key certificate issuance request from any of them via a network interface 115. Given the issuance request from any registration authority, the CA server 100 generates a public key certificate containing the data items explained above and determines a signature algorithm or algorithms based on relevant information in the RA management database 121 or on the request itself. Thereafter, the CA server 100 selects the signature module 150-x to execute the determined signature algorithm, and transmits to the selected module the generated public key certificate through the HSM interface 114. Data for signature generation such as a key length and parameters may also be sent along with the public key certificate if necessary. On receiving the public key certificate, the signature module 150-x generates a signature based on its executable signature algorithm such as RSA or ECDSA and returns a signed public key certificate to the CA server 100. Upon receipt of the signed public key certificate, the CA server 100 retrieves an applicable verification key from the verification key database 122 to determine whether the certificate is correctly signed. After registration with the repository database 123, the CA server 100 transmits the signed public key certificate to the registration authority (RA) that issued the request.
  • In the [0157] CA server 100, a CPU 111 controls the above series of steps while a RAM 112 and a ROM 113 offer a storage area for accommodating processing program necessary for performing these processes and a work area in which the programs are carried out. A display unit 117 and an input unit 118 are used by an operator entering and viewing data and commands.
  • FIG. 11 is a tabular view depicting a typical structure of the RA (registration authority) [0158] management database 121. This database contains a table that associates RA-specific signature algorithms with the registration authorities (RA) from which the certificate authority (CA) accepts public key issuance requests.
  • In the structure of FIG. 11, a registration authority identified as RA0001 is shown using the RSA cryptosystem as its signature algorithm with a key length of 1,024 bits. It is also shown that the RSA cryptosystem is executed by a signature module HSM-001. [0159]
  • Another registration authority identified as RA0002 is shown using the RSA cryptosystem as its signature algorithm with a key length of 2,048 bits. It is indicated that the RSA cryptosystem is executed by a load-distributed setup that employs three modules HSM-002, HSM-003 and HSM-004 in combination. [0160]
  • Another registration authority identified as RA0003 utilizes both RSA and ECC as its signature algorithms. A circle in a “multiple-signature algorithm” column indicates that the registration authority in question permits execution of a plurality of signature algorithms. As will be described later, the multiple-signature algorithm is implemented in one of two ways. A registration authority may request the certificate authority (CA) to selectively execute, say, either an ECC signature or an RSA signature, and the certificate authority may comply with the request. Alternatively, the certificate authority may furnish a single public key certificate with a plurality of signatures executed by as many signature algorithms. Where the signature algorithm in use is the elliptic curve digital signature algorithm (ECDSA), the table contains elliptic curve parameters to be adopted in addition to the applicable key length. [0161]
  • If a signature module for executing a signature is fixedly associated with key length data and a parameter, then the signature is executed by use of the key length and parameter assigned to the signature module in question. If a signature module is capable of executing signatures based on a plurality of key lengths or parameters, then the CA server retrieves the applicable key lengths or the relevant key lengths and parameters from the RA management database and transmits what is retrieved to the module in question so that the latter will execute signatures according to the key lengths or the key lengths and parameters received from the CA server. [0162]
  • FIG. 12 is a tabular view indicating a typical structure of the verification key database. This database associates signature module identifiers identifying the signature modules for executing signatures, with keys for verifying the signatures executed by these modules. As shown in FIG. 12, the database contains HSM-IDs as signature module identifiers, names of signature algorithms executed by the associated modules, key lengths to be used, parameters, and verification keys, all listed in mutually associated relation. [0163]
  • The verification keys are public keys that correspond to the private keys generated by the signature modules as their signature keys. Illustratively, the CA server receives the generated private keys from the signature modules and stores what is received into the verification key database. Upon receipt of a signed public key certificate from a given signature module, the CA server retrieves the corresponding verification key (public key) from the verification [0164] key database 122 and verifies that the signature is valid before sending the certificate to the registration authority (RA) that originated the certificate issuance request.
  • Described below with reference to FIG. 13 is a typical structure of a hardware security module (HSM) containing a signature module as part of the digital certification apparatus. Each HSM has a signature module that executes a specific signature algorithm. Designed to be tamper-resistant, the HSM has its stored information such as private key information for signature generation erased if tampered with. [0165]
  • As shown in FIG. 13, the [0166] HSM 150 comprises: a communication interface 152 for exchanging data with a CA server; a CPU 151 for controlling processing within the HSM; a signature module 160 for executing a particular signature algorithm such as RSA or ECDSA; a nonvolatile memory 153 that stores various HSM-specific data such as an HSM identifier (ID); a ROM 154 that records processing programs for identifying signature algorithms and performing analyses in obtaining key lengths, parameter information and others from signature request data from the CA server; and a RAM 155 that accommodates variable settings such as private keys, signature algorithm identification information, key lengths, and parameter information either generated by the signature module or received from outside.
  • The [0167] signature module 160 includes a random number generation unit 161, a signature generation unit 162, and a hash calculation unit 163. Illustratively, if the ECDSA signature algorithm is to be executed, the signature module carries out the steps constituting the process flow described above with reference to FIG. 6; if the RSA signature algorithm is to be performed, the signature module performs the steps making up the process flow explained above by referring to FIGS. 9A and 9B.
  • [Process of Storing Keys into the Signature Module][0168]
  • As mentioned above, each signature module executes a signature based on a specific signature algorithm such as RSA or ECDSA. A private key for signature execution by each signature module may be either generated internally by the module in question or acquired from a particular, external signature module that has generated its own key. Where a plurality of signature modules are to store a common key, an externally generated key may effectively be sent to the modules involved for storage therein. [0169]
  • Reading and writing of signature keys should preferably be subject to strict security rules to prevent leaks. Illustratively, all operators should be certified using passwords or like means based on dedicated software, and any signature module to which to write a key should be ascertained by checking its ID number. [0170]
  • A typical process of having a signature key generated by a specific signature module and getting the generated key retained by HSMs having other signature modules will now be described by referring to FIGS. 14 through 17. FIG. 14 is a schematic view of a setup where a signature key is generated by a [0171] signature module 1 and transmitted to a plurality of other signature modules 2 through n. Dedicated software shown in FIG. 14 refers illustratively to a program held in a ROM of the CA server. Between the CA server and the signature modules, an operator may issue a key generation instruction to one particular signature module and causes a key (private key) generated by the module to be transmitted to the other multiple signature modules (HSMs). In that case, a verification key (public key) corresponding to the generated private key is written to the verification key database in the CA server in association with each of the HSM identifiers involved. When a key generation instruction is to be issued or key data are to be exchanged, a password-based certification process or other suitable steps should preferably be carried out between the transmitting and receiving parties to forestall illegal data transfers. Only when the parties involved are certified should the generated signature key and other related data or commands be allowed to be transmitted.
  • FIG. 15 is a flowchart of steps constituting a typical process performed by the CA server using dedicated software. This process involves having a key generation instruction issued to a specific signature module (signature module [0172] 1) to get a signature key generated by the module 1 before transmitting the key to other signature modules.
  • The operator who would perform steps to generate and store a signature key is first authenticated in step S[0173] 101. Only a previously registered operator is authorized to carry out the signature key generation process. A check is made in step S102 to see whether the submitted password, fingerprint data, etc., attest to the valid operator. If the operator is judged valid, step S103 is reached in which a key generation-transmission instruction is issued to the signature module 1 (HSM1) requesting the latter to generate the signature key.
  • In step S[0174] 104, cross-certification is carried out between the signature module 1 (HSM1) on the one hand, and the apparatus that has issued the key generation-transmission instruction (e.g., CA server) on the other hand. The cross-certification is executed based on common key cryptosystem or public key cryptosystem. Keys for such certification are retained in advance by the devices involved. When the cross-certification is successfully concluded in step S105, the CA server waits for a signature key and a verification key to arrive from the signature module. Upon receipt of the signature key and verification key from the signature module in step S106, the verification key is stored into the verification key database in step S107. In step S108, a signature key store instruction is output to another signature module (HSM) that will utilize the same signature key. In step S109, cross-certification is performed with the new signature module. When the cross-certification with the signature module in question is successfully concluded in step S110, the signature key is transmitted to that module. An acknowledgment received from the signature module in step S111 indicates that the key has been normally stored inside, thus signaling the end of the key write operation to the current signature module. Steps S108 through S111 are repeated on all signature modules to which the signature key is to be written. When the key is judged written to all signature modules involved in step S112, the process is terminated.
  • Another signature key generation process performed by the [0175] signature module 1 is described below by referring to FIG. 16. In step S121, the signature module 1 receives a key generation-transmission instruction. In step S122, cross-certification is carried out between the signature module 1 and dedicated software (embodied by the CA server). When the cross-certification is successfully concluded in step S123, the signature module 1 generates a key pair consisting of a signature key and a verification key in step S124. When the key pair is judged correctly generated in step S125, the signature key is retained by the device itself in step S126. The generated signature key and verification key are further transmitted to the dedicated software (CA server) in step S127. When the transmission is judged successful in step S128, the process is terminated.
  • A signature key storing process performed by [0176] signature modules 2 through N is described below with reference to FIG. 17. In step S131, the signature modules 2 through N receive a signature key store instruction each. In step S132, cross-certification is carried out between the signature modules 2 through N on the one hand and the dedicated software (CA server) on the other hand. When the cross-certification is judged successfully concluded in step S133, the signature key is stored into each of the signature modules involved in step S134. When the signature key is judged correctly stored in step S135, a storage complete notice is transmitted to the dedicated software (CA server) in step S136. When the transmission of the notice is judged successful in step S137, the process is terminated.
  • [Processing by the CA Server][0177]
  • Processing by the CA server will now be described in two categories: (1) processing performed upon key generation by a signature module (HSM), and (2) processing carried out upon issuance of a public key certificate and upon signature execution. [0178]
  • The process by the CA server upon key generation by the signature module (HSM) is described below by referring to FIG. 18. In FIG. 18, the process shown to the left is that which is performed by the CA server, while the process indicated to the right is carried out by an HSM having a signature module. Although cross-certification steps are not shown in FIG. 18, these steps are still carried out between the CA server and the signature module in the same manner as FIG. 16 and [0179] 17 if they are interconnected in an externally accessible manner.
  • In step S[0180] 201, the CA server issues a key generation instruction to the HSM. The key generation instruction may include a key length and a parameter if necessary. It is possible to issue a plurality of key generation instructions based on different key lengths and different parameters. On receiving the instruction in step S211, the HSM generates at least one key pair consisting of a signature key and a verification key in step S212. When the key pair is judged correctly generated in step S213, the verification key is transmitted to the CA server in step S214. The signature key is retained by the device itself in step S215.
  • Upon receipt of the verification key from the HSM in step S[0181] 202, the CA server stores the received key into the verification key database in step S203. Where necessary, the RA management database and the repository database are updated in step S204. The verification key database and other databases accommodate key lengths, parameters and other data with regard to each data entry.
  • The processes carried out by the CA server upon issuance of a public key certificate and upon signature execution are described below by referring to FIGS. 19 and 20. In step S[0182] 231 of FIG. 19, the CA server generates certificate data (see FIGS. 4 and 5) in response to a certificate issuance request from a registration authority. In step S232, the CA server determines HSMs that should perform signature execution.
  • How HSMs are determined is described below in detail by referring to FIG. 20. In step S[0183] 251 of FIG. 20, the CA server receives a certificate issuance request from a registration authority (RA). Based on the identifier of the requesting registration authority, the CA server searches through the RA management database (see FIG. 11) in step S252. A check is first made to see if the requesting registration authority is subject to load distribution on the basis of the applicable load distribution entry in the RA management database. If the registration authority in question is judged subject to load distribution, step S258 is reached. In step S258, a plurality of HSMs are selected according to predetermined criteria for sequential or parallel use of the selected HSMs.
  • If the check in step S[0184] 253 reveals that the requesting registration authority is not subject to load distribution, step S254 is reached. In step S254, a check is made by referencing the RA management database (FIG. 11) to see whether the registration authority in question corresponds to multiple signature algorithms. If in step S254 the registration authority is judged corresponding to multiple signature algorithms, step S255 is reached. In step S255, a search is made through the RA management database for data entries corresponding to the requested signature algorithms in the public key certificate issuance request. If relevant data entries are found in step S256, HSM identifiers associated with the RA identifier are acquired from the database, and the HSMs having the obtained HSM identifiers are determined as the signature modules.
  • If the certificate issuance request specifies signature algorithms, key lengths and parameters, then the CA server may alternatively select HSMs by making a search through the RA management database in accordance with the designated signature algorithms, key lengths and parameters. [0185]
  • When the HSMs for signature execution are determined as described above, step S[0186] 233 of FIG. 19 is reached in which the generated public key certificate data are transmitted to the selected HSMs. On receiving the public key certificate data in step S241, the HSMs execute signatures in step S242 and transmit a signed certificate to the CA server in step S243.
  • Upon receipt of the signed certificate from the HSMs in step S[0187] 234, the CA server retrieves verification keys associated with the HSM identifiers from the verification key database in step S235. In step S236, the CA server verifies the signatures using the retrieved verification keys. If the verification is judged successful in step S237, the CA server transmits the signed certificate to the requesting registration authority (RA), which terminates the process.
  • [Typical Processes of Issuing Public Key Certificates][0188]
  • Typical processes of issuing public key certificates performed between an end entity (EE), registration authorities (RA), and a certificate authority (CA) are explained below. [0189]
  • FIG. 21 illustrates a typical configuration including an end entity (EE) [0190] 300, registration authorities (RA) 311 and 312, a certificate authority (CA) server 321; and HSMs 331, 332 and 333 having a signature module each. The end entity 300 issues a public key certificate issuance request to the CA server 321 through the registration authority 311 or 312.
  • For the above setup, it is assumed that the RA management database of the CA server contains data such as those shown in subfigure (a) of FIG. 21 and that the verification key database accommodates data listed illustratively in subfigure (b) of FIG. 21. As evident from the RA management database entries in subfigure (a), the [0191] registration authority 311 identified as RA1 allows a signature module HSM1 to execute a signature based on the RSA signature algorithm with a key length of 1,024 bits. The registration authority 312 identified as RA2 permits signature execution based on multiple algorithms: RSA signature algorithm with a key length of 2,048 bits, ECDSA with a key length of 192 bits and a parameter p=xx . . . , and ECDSA with a key length of 192 bits and a parameter p=yy . . . For the registration authority RA2, RSA signature is executed by a signature module HSM2 and ECDSA signature by a signature module HSM3. The verification key database contains signature algorithms, key lengths, parameter information, and verification keys corresponding to the HSMs configured.
  • With these settings in effect, the end entity (EE) [0192] 300 sends a public key certificate issuance request to a given registration authority (RA). Some examples in which the request is output to the RA by the end entity will now be described.
  • FIG. 22 shows an example in which the end entity (EE) [0193] 300 outputs a public key certificate issuance request to the registration authority (RA1) 311. Numerals (1) through (10) in FIG. 22 represent steps to be taken by the parties involved. These steps are described below in ascending order.
  • (1) The end entity (EE) [0194] 300 transmits to the registration authority (RA1) 311 data including user data necessary for issuing a public key certificate in the form of a public key certificate issuance request.
  • (2) The registration authority (RA[0195] 1) 311 verifies that what is received is a legitimate certificate issuance request from the end entity (EE) 300, registers the recasting user, and carries out other related steps.
  • (3) The [0196] registration authority 311 then transmits the certificate issuance request to the CA server 321, along with a certificate issuance request command, necessary message data including certificate storage data, and a registration authority identifier (ID).
  • (4) Upon receipt of the certificate issuance request, the [0197] CA server 321 references the RA management database to determine an HSM for signature execution. In this example, a module HSM1 is selected as the signature execution module in accordance with the RA management database entries shown in subfigure (a) of FIG. 21.
  • (5) The [0198] CA server 321 outputs a signature generation instruction to the signature module (HSM1) 331. The instruction, as shown in subfigure (b) of FIG. 22, contains a signature generation instruction command and message data for a certificate to be generated. If the module HSM1 is capable of generating variable length keys, the signature generation instruction may include data for specifying a key length.
  • (6) The module (HSM[0199] 1) 331 performs signature execution in keeping with the signature generation instruction. In this example, the module executes its signature based on the RSA algorithm
  • (7) After the signature execution, the module (HSM[0200] 1) 331 transmits a signed public key certificate to the CA server 321.
  • (8) The [0201] CA server 321 retrieves a verification key from the verification key database to check whether the signature on the received public key certificate is valid.
  • (9) If the signature is judged valid, the [0202] CA server 321 sends the signed public key certificate to the requesting registration authority (RA1) 311.
  • (10) In turn, the registration authority (RA[0203] 1) 311 forwards the signed public key certificate received to the requesting end entity (EE) 300.
  • FIG. 23 shows another example in which the end entity (EE) [0204] 300 outputs a public key certificate issuance request to the registration authority (RA2) 312. Numerals (1) through (10) in FIG. 23 represent steps to be taken by the parties involved. These steps are described below in ascending order.
  • (1) The end entity (EE) [0205] 300 transmits to the registration authority (RA2) 312 data including user data necessary for issuing a public key certificate in the form of a public key certificate issuance request.
  • (2) The registration authority (RA[0206] 2) 312 verifies that what is received is a legitimate certificate issuance request from the end entity (EE) 300, registers the requesting user, and carries out other related steps.
  • (3) The [0207] registration authority 312 then transmits the certificate issuance request to the CA server 321, along with a certificate issuance request command, necessary message data including certificate storage data, a registration authority identifier (ID); and data specifying a signature algorithm, a key length and parameters, as shown in subfigure (a) of FIG. 23.
  • (4) Upon receipt of the certificate issuance request, the [0208] CA server 321 references the RA management database to determine an HSM for signature execution. In this example, a module HSM3 is selected as the signature execution module in accordance with the RA management database entries shown in subfigure (a) of FIG. 21.
  • (5) The [0209] CA server 321 outputs a signature generation instruction to the signature module (HSM3) 333. The instruction, as shown in subfigure (b) of FIG. 23, contains a signature generation instruction command, message data for a certificate to be generated, and data designating the key length and parameters.
  • (6) The module (HSM[0210] 3) 333 performs signature execution in accordance with the signature generation instruction. In this example, the module executes its signature based on the ECDSA.
  • (7) After the signature execution, the module (HSM[0211] 3) 333 transmits a signed public key certificate to the CA server 321.
  • (8) The [0212] CA server 321 retrieves a verification key from the verification key database to check whether the signature on the received public key certificate is valid.
  • (9) If the signature is judged valid, the [0213] CA server 321 sends the signed public key certificate to the requesting registration authority (RA2) 312.
  • (10) In turn, the registration authority (RA[0214] 2) 312 forwards the signed public key certificate received to the requesting end entity (EE) 300.
  • FIG. 24 shows yet another example in which the end entity (EE) [0215] 300 outputs a public key certificate issuance request to the registration authority (RA2) 312, soliciting simultaneous execution of a plurality of signatures. Numerals (1) through (14) in FIG. 24 denote steps to be taken by the parties involved. These steps are described below in ascending order.
  • (1) The end entity (EE) [0216] 300 transmits to the registration authority (RA2) 312 data including user data necessary for issuing a public key certificate in the form of a public key certificate issuance request.
  • (2) The registration authority (RA[0217] 2) 312 verifies that what is received is a legitimate certificate issuance request from the end entity (EE) 300, registers the requesting user, and carries out other related steps.
  • (3) The [0218] registration authority 312 then transmits the certificate issuance request to the CA server 321, along with a certificate issuance request command, necessary message data including certificate storage data, a registration authority identifier (ID); and data specifying a plurality of signature algorithms, key lengths and parameters, as shown in subfigure (a) of FIG. 24.
  • (4) Upon receipt of the certificate issuance request, the [0219] CA server 321 references the RA management database to determine HSMs for signature execution. In this example, modules HSM 2 and HSM3 are selected as the signature execution modules in accordance with the RA management database entries shown in subfigure (a) of FIG. 21.
  • (5) The [0220] CA server 321 outputs a signature generation instruction first to the signature module (HSM2) 332. The instruction, as shown in subfigure (b) of FIG. 24, contains a signature generation instruction command, message data for a certificate to be generated, and data designating a key length.
  • (6) The module (HSM[0221] 2) 332 performs signature execution in accordance with the signature generation instruction. In this example, the module executes its signature based on the ECDSA.
  • (7) After the signature execution, the module (HSM[0222] 2) 332 transmits a signed public key certificate to the CA server 321.
  • (8) The [0223] CA server 321 retrieves a verification key from the verification key database to check whether the signature on the received public key certificate is valid.
  • (9) The [0224] CA server 321 then outputs the signature generation instruction to the signature module (HSM3) 333. The instruction, as shown in subfigure (c) of FIG. 24, contains a signature generation instruction command, message data for a certificate to be generated, and data designating the key length and parameters.
  • (10) The module (HSM[0225] 3) 333 performs signature execution in accordance with the signature generation instruction. In this case, the module executes its signature based on the ECDSA.
  • (11) After the signature execution, the module (HSM[0226] 3) 333 transmits a signed public key certificate to the CA server 321.
  • (12) The [0227] CA server 321 retrieves verification keys from the verification key database to check whether the signatures on the received public key certificate are valid.
  • (13) If the signatures are judged valid, the [0228] CA server 321 sends the signed public key certificate to the requesting registration authority (RA2) 312.
  • (14) In turn, the registration authority (RA[0229] 2) 312 forwards the signed public key certificate received to the requesting end entity (EE) 300.
  • [Privately Managed Signature Module Structure][0230]
  • Described below is an example of how the signature module structure of a digital certification apparatus acting as a certificate authority is protected privately against external tampering. [0231]
  • FIG. 25 is a block diagram outlining the setup of this example. As shown in FIG. 25, the setup includes a certificate authority (CA) [0232] 401 and a registration authority (RA) 402 each having a signature module structure management table.
  • The signature module structure management table associates signature algorithm identifiers (1 through n) with HSMs executing their respectively assigned signature algorithms. This table is generated by the certificate authority (CA) [0233] 401 randomly associating the signature algorithm identifiers with the HSMs involved. The table is updated periodically or as needed. The generated table is delivered to each registration authority (RA) 402. When requested to issue a public key certificate by an end entity, the registration authority (RA) 402 generates a certificate issuance request furnished with a signature algorithm identifier (any one of 1 through n) and sends the request to the certificate authority (CA) 401.
  • The certificate authority (CA) [0234] 401 searches the signature module structure management table for an HSM based on the signature algorithm identifier contained in the certificate issuance request received. When the corresponding HSM is selected, the certificate authority (CA) 401 outputs a signature request to the HSM in question.
  • In the above setup, a leaked signature module structure management table does not result in any essential signature algorithm leaking out. This makes it possible effectively to prevent illegal signature generation by a third party. It is preferred that the signature module structure management table be made tamper-resistant by having it signed by the certificate authority. [0235]
  • [Distributed Signature Processing][0236]
  • How a signature is executed illustratively by a plurality of signature modules (HSM) will now be described by referring to FIG. 26. [0237]
  • A [0238] CA server 501 in FIG. 26, upon receipt of a public key certificate issuance request from a registration authority (RA), divides the signature execution process into a plurality of steps (exponentiating operation, hash value generation, etc.). The CA server 501 then requests different HSMs 601 through 60 n to perform the different steps of signature execution.
  • Illustratively, where the ECC signature algorithm is in use, the process of ECC signature generation may be divided into such steps as hash value generation, random number generation, generation of a coordinate value V, etc., as described earlier with reference to FIG. 6. These steps are carried out individually by independent modules. The result of processing by one module is forwarded to the next downstream module for another process. The data transferred from one module to another are given an intermediate signature by each transmitting module; each receiving module adds another intermediate signature to the collection of the transferred data and intermediate signatures furnished so far. The last-signed result is received by the [0239] CA server 501 from the module 60 n. Signature generation thus involves the series of steps being carried out in a predetermined order by all modules involved.
  • It is also possible for different signature modules (HSM) to execute different signatures successively onto a single message. For example, the module HSM[0240] 1 (601) may execute an RSA signature, the module HSM2 (602) may execute an ECDSA signature “a,” and the module HSMx (60 x) may carry out an ECDSA signature “x” using a different parameter. The result of the execution of these multiple signatures is transmitted to the CA server 501. In this case, each transmitting module also executes an intermediate signature onto the message, and each receiving module adds another intermediate signature to the collection of the transferred message data and intermediate signatures furnished so far. It should be noted that the CA server 501 in this setup is required individually to manage verification keys regarding the different modules.
  • As described, signatures are generated by a plurality of signature modules under control of the certificate authority (CA), the modules performing their respectively assigned signature generation processes while transferring a public key certificate made of signature-supplemented message data from one module to another in a predetermined order. Because signature generation based on any single signature module is impossible, the generation of an illegal signature by a third party taking advantage of data leaks from any module is made effectively unfeasible. [0241]
  • Through the use of the public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium according to the invention, there is provided as described a certificate authority (CA) which has a plurality of signature modules each executing a different signature algorithm such as RSA or ECDSA and which allows any one of the signature modules selectively to execute a signature as requested by any registration authority (RA) under control of the certificate authority. There is no need to establish a plurality of certificate authorities to deal with multiple signature algorithms; one certificate authority can address a plurality of registration authorities (RA) requesting different signature algorithms. The single certificate authority can issue public key certificates each bearing a signature of a different algorithm. [0242]
  • According to the inventive public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium, there is further provided a certificate authority (CA) which has a plurality of signature modules each executing a different signature algorithm such as RSA or ECDSA and which allows some of the signature modules selectively to execute a plurality of signatures as requested by any registration authority (RA) under control of the certificate authority. The certificate authority in this setup permits generation of a single public key certificate carrying a plurality of signatures based on different algorithms. [0243]
  • Also according to the inventive public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium, it is possible to provide a plurality of signature modules each executing part of steps representing various signature algorithms such as RSA and ECDSA, the modules being suitably coordinated to execute an integral signature process made up of the steps. This arrangement also forestalls illegal signature generation by a third party utilizing a leak of data from an individual signature module. [0244]
  • It is to be understood that while the invention has been described in conjunction with specific embodiments, it is evident that many alternatives, modifications and variations will become apparent to those skilled in the art in light of the foregoing description. Accordingly, it is intended that the present invention embrace all such alternatives, modifications and variations as fall within the spirit and scope of the appended claims. [0245]

Claims (36)

What is claimed is:
1. A public key certificate issuing system comprising:
a certificate authority for issuing a public key certificate used by an entity; and
a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to said certificate authority;
wherein said certificate authority, having a plurality of signature modules each executing a different signature algorithm, selects at least one of said plurality of signature modules in accordance with said public key certificate issuance request from said registration authority, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate.
2. A public key certificate issuing system according to claim 1, wherein said certificate authority has a plurality of signature modules and a certificate authority server for outputting a signature processing request to said plurality of signature modules;
wherein said certificate authority server receives said public key certificate issuance request from said registration authority, selects at least one of said plurality of signature modules in response to said public key certificate issuance request, and outputs said signature processing request to the selected signature module; and
wherein each of said plurality of signature modules attaches a digital signature to the message data constituting said public key certificate in response to said signature processing request received from said certificate authority server.
3. A public key certificate issuing system according to claim 1, wherein said certificate authority has a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of said registration authorities; and
wherein, given a public key certificate issuance request from any registration authority, said certificate authority selects the signature module associated with the relevant signature algorithm based on said registration authority management data.
4. A public key certificate issuing system according to claim 3, wherein said registration authority management data include key length and parameter information applicable to signatures.
5. A public key certificate issuing system according to claim 3, wherein said registration authority management data include signature module identification information applicable to signatures.
6. A public key certificate issuing system according to claim 1, wherein said registration authority transmits signature algorithm designation information along with said public key certificate issuance request to said certificate authority; and
wherein said certificate authority, based on said signature algorithm designation information received along with said public key certificate issuance request, selects a signature module applicable to the designated signature algorithm.
7. A public key certificate issuing system according to claim 6, wherein said signature algorithm designation information includes key length and parameter information applicable to signatures.
8. A public key certificate issuing system according to claim 1, wherein said certificate authority has a verification key database which stores keys for signature verification in association with each of said plurality of signature modules; and
wherein said certificate authority verifies signatures generated by each of said plurality of signature modules.
9. A public key certificate issuing system according to claim 1, wherein said certificate authority uses at least two of said plurality of signature modules to attach at least two different digital signatures to one public key certificate.
10. A public key certificate issuing system according to claim 1, wherein said certificate authority selects at least two of said plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation.
11. A public key certificate issuing system according to claim 1, wherein said certificate authority and said registration authority each have a signature module structure management table which associates signature algorithm identifiers with identifiers of said plurality of signature modules;
wherein said registration authority issues to said certificate authority a public key certificate issuance request designating a signature algorithm identifier in accordance with said signature module structure management table; and
wherein said certificate authority, upon receipt of said signature algorithm identifier from said registration authority, selects the signature module applicable to the received identifier from said signature module structure management table.
12. A public key certificate issuing system according to claim 1, wherein at least part of said plurality of signature modules have a common signature key stored therein.
13. A public key certificate issuing system according to claim 1, wherein a plurality of signature algorithms are executed by each of said plurality of signature modules.
14. A public key certificate issuing method for use with a certificate authority for issuing a public key certificate used by an entity, and with a registration authority which, on receiving a public key certificate issuance request from any one of entities under jurisdiction thereof, transmits the received request to said certificate authority, the method comprising the steps of:
causing said certificate authority selects, from among a plurality of signature modules each executing a different signature algorithm, at least one of the signature modules in accordance with said public key certificate issuance request from said registration authority; and
causing the selected signature module to attach a digital signature to message data constituting a public key certificate.
15. A public key certificate issuing method according to claim 14, further comprising the steps of:
causing a certificate authority server to receive a public key certificate issuance request from said registration authority;
causing said certificate authority server to select at least one of said plurality of signature modules in response to said public key certificate issuance request; and
causing said certificate authority server to output a signature processing request to the selected signature module.
16. A public key certificate issuing method according to claim 14, wherein said step involving said certificate authority server selecting the signature module comprises selecting the signature module based on a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of said registration authorities.
17. A public key certificate issuing method according to claim 14, wherein said step involving said certificate authority server selecting the signature module comprises selecting the signature module based on signature algorithm designation information received along with said public key certificate issuance request.
18. A public key certificate issuing method according to claim 14, further comprising the step of causing said certificate authority to verify signatures generated by each of said plurality of signature modules.
19. A public key certificate issuing method according to claim 14, further comprising the step of causing said certificate authority to use at least two of said plurality of signature modules to attach at least two different digital signatures to one public key certificate.
20. A public key certificate issuing method according to claim 14, further comprising the step of causing said certificate authority to select at least two of said plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation.
21. A public key certificate issuing method according to claim 14, wherein said certificate authority and said registration authority each have a signature module structure management table which associates signature algorithm identifiers with identifiers of said plurality of signature modules, said public key certificate issuing method further comprising the steps of:
causing said registration authority to issue to said certificate authority a public key certificate issuance request designating a signature algorithm identifier in accordance with said signature module structure management table; and
causing said certificate authority, upon receipt of said signature algorithm identifier from said registration authority, to select the signature module applicable to the received identifier from said signature module structure management table.
22. A public key certificate issuing method according to claim 14, further comprising the step of having a plurality of signature algorithms executed by each of said plurality of signature modules.
23. A digital certification apparatus for constituting a certificate authority which issues a public key certificate used by an entity:
wherein said digital certification apparatus, having a plurality of signature modules each executing a different signature algorithm, selects at least one of said plurality of signature modules in accordance with a public key certificate issuance request received from outside, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate.
24. A digital certification apparatus according to claim 23, further comprising a plurality of signature modules and a certificate authority server for outputting a signature processing request to said plurality of signature modules;
wherein said certification authority server receives said public key certificate issuance request, selects at least one of said plurality of signature modules in response to said public key certificate issuance request, and outputs said signature processing request to the selected signature module; and
wherein each of said plurality of signature modules attaches a digital signature to the message data constituting said public key certificate in response to said signature processing request received from said certificate authority server.
25. A digital certification apparatus according to claim 23, further comprising a registration authority management database which stores registration authority management data for associating registration authorities issuing public key certificate issuance requests with a signature algorithm specific to each of said registration authorities;
wherein, given a public key certificate issuance request from any registration authority, said digital certification apparatus selects the signature module associated with the relevant signature algorithm based on said registration authority management data.
26. A digital certification apparatus according to claim 25, wherein said registration authority management data include key length and parameter information applicable to signatures.
27. A digital certification apparatus according to claim 25, wherein said registration authority management data include signature module identification information applicable to signatures.
28. A digital certification apparatus according to claim 23, wherein said digital certification apparatus, based on signature algorithm designation information received along with said public key certificate issuance request, selects a signature module applicable to the designated signature algorithm.
29. A digital certification apparatus according to claim 28, wherein said signature algorithm designation information includes key length and parameter information applicable to signatures.
30. A digital certification apparatus according to claim 23, further comprising a verification key database which stores keys for signature verification in association with each of said plurality of signature modules;
wherein said digital certification apparatus verifies signatures generated by each of said plurality of signature modules.
31. A digital certification apparatus according to claim 23, wherein said digital certification apparatus uses at least two of said plurality of signature modules to attach at least two different digital signatures to one public key certificate.
32. A digital certification apparatus according to claim 23, wherein said digital certification apparatus selects at least two of said plurality of signature modules in order to have signature processing executed in steps by each of the selected signature modules used in concert for digital signature generation.
33. A digital certification apparatus according to claim 23, further comprising a signature module structure management table which associates signature algorithm identifiers with identifiers of said plurality of signature modules;
wherein said digital certification apparatus, upon receipt of a signature algorithm identifier along with said public key certificate issuance request, selects the signature module applicable to the received identifier from said signature module structure management table.
34. A digital certification apparatus according to claim 23, wherein at least part of said plurality of signature modules have a common signature key stored therein.
35. A digital certification apparatus according to claim 23, wherein a plurality of signature algorithms are executed by each of said plurality of signature modules.
36. A program storage medium which stores a computer program executed by a computer system in carrying out public key certificate issuance processing to issue a public key certificate for use by an entity, said computer program comprising the steps of:
selecting, from among a plurality of signature modules each executing a different signature algorithm, at least one of the signature modules in accordance with a public key certificate issuance request; and
causing the selected signature module to attach a digital signature to message data constituting a public key certificate.
US10/041,964 2001-01-10 2002-01-09 Public key certificate issuing system, Public key certificate issuing method, digital certification apparatus, and program storage medium Abandoned US20020108042A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/659,289 US8214637B2 (en) 2001-01-10 2010-03-03 Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2001002220A JP2002207426A (en) 2001-01-10 2001-01-10 System and method for issuing public key certificate, electronic certification device, and program storage medium
JPP2001-002220 2001-01-10

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/659,289 Continuation US8214637B2 (en) 2001-01-10 2010-03-03 Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium

Publications (1)

Publication Number Publication Date
US20020108042A1 true US20020108042A1 (en) 2002-08-08

Family

ID=18870765

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/041,964 Abandoned US20020108042A1 (en) 2001-01-10 2002-01-09 Public key certificate issuing system, Public key certificate issuing method, digital certification apparatus, and program storage medium
US12/659,289 Expired - Fee Related US8214637B2 (en) 2001-01-10 2010-03-03 Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium

Family Applications After (1)

Application Number Title Priority Date Filing Date
US12/659,289 Expired - Fee Related US8214637B2 (en) 2001-01-10 2010-03-03 Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium

Country Status (2)

Country Link
US (2) US20020108042A1 (en)
JP (1) JP2002207426A (en)

Cited By (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030065921A1 (en) * 2001-09-28 2003-04-03 Chang Kae-Por F. Authority-neutral certification for multiple-authority PKI environments
US20040073785A1 (en) * 2002-10-09 2004-04-15 Tuija Hurtta Controlling delivery of certificates in a mobile communication system
US20040117314A1 (en) * 2002-12-16 2004-06-17 Francotyp-Postalia Ag &Co., Kg Method and arrangement for variably generating cryptographic securities in a host device
US20040156506A1 (en) * 2003-02-10 2004-08-12 Mauricio Sanchez Selecting cached RSA keys in response to RSA key requests
WO2005043807A1 (en) * 2003-10-28 2005-05-12 Certicom Corp. Method and apparatus for verifiable generation of public keys
US20050138386A1 (en) * 2003-12-22 2005-06-23 Le Saint Eric F. Trusted and unsupervised digital certificate generation using a security token
US20050257058A1 (en) * 2003-04-01 2005-11-17 Junji Yoshida Communication apparatus and authentication apparatus
US20050289349A1 (en) * 2002-09-17 2005-12-29 Siemens Aktiengesellschaft Method for generating and/or validating electronic signatures
WO2006021665A1 (en) * 2004-08-19 2006-03-02 France Telecom Method for assigning an authentication certificate and infrastructure for assigning said certificate
US20060075246A1 (en) * 2004-10-05 2006-04-06 Canon Kabushiki Kaisha Signature-generation method, signature-verification method, public-key distribution method, and information-processing apparatus
US20070121934A1 (en) * 2003-12-26 2007-05-31 Yuichi Futa Prime calculation device,method,and key issuing system
US20080060055A1 (en) * 2006-08-29 2008-03-06 Netli, Inc. System and method for client-side authenticaton for secure internet communications
WO2008058377A1 (en) * 2006-11-13 2008-05-22 Certicom Corp. Compressed ecdsa signatures
US20090022309A1 (en) * 2007-07-17 2009-01-22 Vanstone Scott A Method of providing text representation of a cryptographic value
US20090196418A1 (en) * 2008-02-04 2009-08-06 Freescale Semiconductor, Inc. Encryption Apparatus with Diverse Key Retention Schemes
US7599489B1 (en) * 2004-02-09 2009-10-06 Sun Microsystems Inc. Accelerating cryptographic hash computations
US20090300349A1 (en) * 2008-05-30 2009-12-03 Yoko Hashimoto Validation server, validation method, and program
US20100241852A1 (en) * 2009-03-20 2010-09-23 Rotem Sela Methods for Producing Products with Certificates and Keys
US20110145567A1 (en) * 2009-12-16 2011-06-16 Verisign, Inc. Method and system to combine multiple digital certificates using the subject alternative name extension
US20110145569A1 (en) * 2009-12-16 2011-06-16 Verisign, Inc. Method and system for provisioning multiple digital certificates
US20110154027A1 (en) * 2009-12-23 2011-06-23 Verisign, Inc. Method and system for co-termination of digital certificates
US20110161662A1 (en) * 2009-12-30 2011-06-30 Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd System and method for updating digital certificate automatically
US20150095650A1 (en) * 2013-09-27 2015-04-02 Daniel Nemiroff Public key infrastructure for system-on-chip
US9055059B1 (en) 2009-12-16 2015-06-09 Symantec Corporation Combining multiple digital certificates
US20170257220A1 (en) * 2014-11-19 2017-09-07 Huawei Technologies Co., Ltd. Directional-traffic statistics method, device, and system
US20170324545A1 (en) * 2016-05-04 2017-11-09 International Business Machines Corporation Revocable pki signatures
WO2018027300A1 (en) 2016-08-08 2018-02-15 ISARA Corporation Using a digital certificate with multiple cryptosystems
US20180302400A1 (en) * 2017-04-18 2018-10-18 Servicenow, Inc. Authenticating access to an instance
WO2019079761A1 (en) * 2017-10-20 2019-04-25 Alibaba Group Holding Limited Digital certificate application method and device
US10305871B2 (en) * 2015-12-09 2019-05-28 Cloudflare, Inc. Dynamically serving digital certificates based on secure session properties
CN109992953A (en) * 2019-02-18 2019-07-09 深圳壹账通智能科技有限公司 Digital certificate on block chain signs and issues, verification method, equipment, system and medium
CN110011799A (en) * 2019-04-02 2019-07-12 河南管软信息技术有限公司 Communication security method in mobile office
CN112352238A (en) * 2018-06-28 2021-02-09 币即特株式会社 Multiple signature security account control system
CN113228560A (en) * 2018-10-23 2021-08-06 西门子股份公司 Issuing apparatus and method for issuing, and requesting apparatus and method for requesting digital certificate
CN113841360A (en) * 2019-05-14 2021-12-24 大众汽车股份公司 Implementation of butterfly key expansion scheme
US20220247731A1 (en) * 2019-03-25 2022-08-04 Micron Technology, Inc. Secure communication between an intermediary device and a network
US11443293B2 (en) * 2013-12-10 2022-09-13 China Unionpay Co., Ltd. Secure network accessing method for POS terminal, and system thereof
CN115442052A (en) * 2022-08-30 2022-12-06 云海链控股股份有限公司 Collaborative signature method, system, equipment and computer readable storage medium
TWI810957B (en) * 2022-06-01 2023-08-01 倍穎資訊股份有限公司 A remote node controlling management platform
US20230246819A1 (en) * 2022-02-01 2023-08-03 Juniper Networks, Inc. Public key infrastructure based session authentication
EP4440033A1 (en) 2023-03-31 2024-10-02 Sick Ag Authenticating data based on certificates

Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7502945B2 (en) * 2002-06-28 2009-03-10 Microsoft Corporation Using a flexible rights template to obtain a signed rights label (SRL) for digital content in a rights management system
US7370212B2 (en) 2003-02-25 2008-05-06 Microsoft Corporation Issuing a publisher use license off-line in a digital rights management (DRM) system
FR2867001B1 (en) * 2004-02-27 2006-06-16 Gemplus Card Int METHOD FOR PRODUCING A DIGITAL CERTIFICATE, DIGITAL CERTIFICATE THEREOF, AND METHOD FOR USING SUCH A DIGITAL CERTIFICATE
JP2005303779A (en) * 2004-04-14 2005-10-27 Nippon Telegr & Teleph Corp <Ntt> Certificate issuing service method, certificate issuing service device, and certificate issuing service program
JP2006108886A (en) * 2004-10-01 2006-04-20 Sony Corp Information processor and information processing method, recording medium, and program
US7487358B2 (en) * 2004-11-29 2009-02-03 Signacert, Inc. Method to control access between network endpoints based on trust scores calculated from information system component analysis
US8438645B2 (en) 2005-04-27 2013-05-07 Microsoft Corporation Secure clock with grace periods
US20060265758A1 (en) 2005-05-20 2006-11-23 Microsoft Corporation Extensible media rights
JP5053756B2 (en) * 2007-08-09 2012-10-17 株式会社日立製作所 Certificate verification server, certificate verification method, and certificate verification program
US8468583B2 (en) * 2010-02-23 2013-06-18 Symantec Corporation Streamlined process for enrollment of multiple digital certificates
JP2011193416A (en) * 2010-03-17 2011-09-29 Hitachi Ltd Method of verifying certificate, verification server, program, and storage medium
JP5581863B2 (en) * 2010-07-12 2014-09-03 株式会社リコー Image forming apparatus and authentication system. Image forming apparatus control method and control program
US8756411B2 (en) * 2010-12-06 2014-06-17 Siemens Aktiengesellschaft Application layer security proxy for automation and control system networks
EA201200133A1 (en) * 2012-02-16 2013-08-30 Андрей Юрьевич ЩЕРБАКОВ METHOD OF DEVELOPMENT AND STORAGE OF DIGITAL CERTIFICATES AND METHOD OF DRAWING THE SOFTWARE (OPTIONS)
US9948695B2 (en) * 2012-03-16 2018-04-17 Alcatel Lucent Enabling delivery of protected content using unprotected delivery services
JP5346111B2 (en) * 2012-07-24 2013-11-20 株式会社日立製作所 Verification server, program, and verification method
JP2017130845A (en) * 2016-01-21 2017-07-27 株式会社オートネットワーク技術研究所 Authentication system, authentication request apparatus, on-vehicle electronic apparatus, computer program and authentication processing method
US11323274B1 (en) * 2018-04-03 2022-05-03 Amazon Technologies, Inc. Certificate authority
US11563590B1 (en) 2018-04-03 2023-01-24 Amazon Technologies, Inc. Certificate generation method
US11888997B1 (en) * 2018-04-03 2024-01-30 Amazon Technologies, Inc. Certificate manager
US10909250B2 (en) * 2018-05-02 2021-02-02 Amazon Technologies, Inc. Key management and hardware security integration
CA3112585A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
CN111368339B (en) * 2019-11-06 2020-12-01 胡金钱 Electronic signature loading method and device
TWI730549B (en) * 2019-12-18 2021-06-11 臺灣網路認證股份有限公司 System for checking key pair generating algorithm during certificate applying process and method thereof
CN111565107B (en) * 2020-07-14 2020-11-27 腾讯科技(深圳)有限公司 Key processing method and device based on cloud service platform and computer equipment
JP7283614B1 (en) 2022-05-18 2023-05-30 凸版印刷株式会社 Certification authority management system, certification authority management method, and program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5659616A (en) * 1994-07-19 1997-08-19 Certco, Llc Method for securely using digital signatures in a commercial cryptographic system
US6035402A (en) * 1996-12-20 2000-03-07 Gte Cybertrust Solutions Incorporated Virtual certificate authority
US6202157B1 (en) * 1997-12-08 2001-03-13 Entrust Technologies Limited Computer network security system and method having unilateral enforceable security policy provision
US6490680B1 (en) * 1997-12-04 2002-12-03 Tecsec Incorporated Access control and authorization system
US6675296B1 (en) * 1999-06-28 2004-01-06 Entrust Technologies Limited Information certificate format converter apparatus and method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5958051A (en) * 1996-11-27 1999-09-28 Sun Microsystems, Inc. Implementing digital signatures for data streams and data archives
JP3874127B2 (en) * 1997-04-10 2007-01-31 日本電信電話株式会社 Registration key duplication prevention device in authentication system
JPH10327147A (en) * 1997-05-21 1998-12-08 Hitachi Ltd Electronic authenticating and notarizing method and its system
US7404077B1 (en) * 1999-01-29 2008-07-22 International Business Machines Corporation Extension of X.509 certificates to simultaneously support multiple cryptographic algorithms
US7610614B1 (en) * 1999-02-17 2009-10-27 Certco, Inc. Cryptographic control and maintenance of organizational structure and functions
JP2002207427A (en) * 2001-01-10 2002-07-26 Sony Corp System and method for issuing public key certificate, information processor, information recording medium, and program storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5659616A (en) * 1994-07-19 1997-08-19 Certco, Llc Method for securely using digital signatures in a commercial cryptographic system
US6035402A (en) * 1996-12-20 2000-03-07 Gte Cybertrust Solutions Incorporated Virtual certificate authority
US6490680B1 (en) * 1997-12-04 2002-12-03 Tecsec Incorporated Access control and authorization system
US6202157B1 (en) * 1997-12-08 2001-03-13 Entrust Technologies Limited Computer network security system and method having unilateral enforceable security policy provision
US6675296B1 (en) * 1999-06-28 2004-01-06 Entrust Technologies Limited Information certificate format converter apparatus and method

Cited By (93)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8019990B2 (en) 2001-09-28 2011-09-13 Zoralco Fund Limited Liability Company Authority-neutral certification for multiple-authority PKI environments
US7328344B2 (en) * 2001-09-28 2008-02-05 Imagitas, Inc. Authority-neutral certification for multiple-authority PKI environments
US20030065921A1 (en) * 2001-09-28 2003-04-03 Chang Kae-Por F. Authority-neutral certification for multiple-authority PKI environments
US8621206B2 (en) 2001-09-28 2013-12-31 Zoralco Fund Limited Liability Company Authority-neutral certification for multiple-authority PKI environments
US20050289349A1 (en) * 2002-09-17 2005-12-29 Siemens Aktiengesellschaft Method for generating and/or validating electronic signatures
US20040073785A1 (en) * 2002-10-09 2004-04-15 Tuija Hurtta Controlling delivery of certificates in a mobile communication system
US7526642B2 (en) * 2002-10-09 2009-04-28 Nokia Corporation Controlling delivery of certificates in a mobile communication system
US7610247B2 (en) 2002-12-16 2009-10-27 Francotyp-Postalia Ag & Co. Kg Method and arrangement for variably generating cryptographic securities in a host device
DE10260406B4 (en) * 2002-12-16 2007-03-08 Francotyp-Postalia Gmbh Method and arrangement for different generation of cryptographic backups of messages in a host device
EP1432170A3 (en) * 2002-12-16 2005-05-18 Francotyp-Postalia AG &amp; Co. KG Method and apparatus for generating different cryptographic secure procedures concerning messages in a host device
EP1432170A2 (en) * 2002-12-16 2004-06-23 Francotyp-Postalia AG &amp; Co. KG Method and apparatus for generating different cryptographic secure procedures concerning messages in a host device
US20040117314A1 (en) * 2002-12-16 2004-06-17 Francotyp-Postalia Ag &Co., Kg Method and arrangement for variably generating cryptographic securities in a host device
US20040156506A1 (en) * 2003-02-10 2004-08-12 Mauricio Sanchez Selecting cached RSA keys in response to RSA key requests
US8290153B2 (en) 2003-02-10 2012-10-16 Hewlett-Packard Development Company, L.P. Managing a plurality of cached keys
US20090154695A1 (en) * 2003-02-10 2009-06-18 Mauricio Sanchez Managing a plurality of cached keys
US7483537B2 (en) * 2003-02-10 2009-01-27 Mauricio Sanchez Selecting cached RSA keys in response to RSA key requests
US20050257058A1 (en) * 2003-04-01 2005-11-17 Junji Yoshida Communication apparatus and authentication apparatus
US7721101B2 (en) * 2003-04-01 2010-05-18 Panasonic Corporation Communication apparatus and authentication apparatus
CN102868528A (en) * 2003-10-28 2013-01-09 塞尔蒂卡姆公司 Method and apparatus for verifiable generation of public keys
US8713321B2 (en) 2003-10-28 2014-04-29 Certicom Corp. Method and apparatus for verifiable generation of public keys
US9967239B2 (en) 2003-10-28 2018-05-08 Certicom Corp. Method and apparatus for verifiable generation of public keys
US9240884B2 (en) 2003-10-28 2016-01-19 Certicom Corp. Method and apparatus for verifiable generation of public keys
WO2005043807A1 (en) * 2003-10-28 2005-05-12 Certicom Corp. Method and apparatus for verifiable generation of public keys
US20050135606A1 (en) * 2003-10-28 2005-06-23 Brown Daniel R. Method and apparatus for verifiable generation of public keys
US9160530B2 (en) 2003-10-28 2015-10-13 Certicom Corp. Method and apparatus for verifiable generation of public keys
US20160294809A1 (en) * 2003-12-22 2016-10-06 Assa Abloy Ab Trusted and unsupervised digital certificate generation using a security token
US20050138386A1 (en) * 2003-12-22 2005-06-23 Le Saint Eric F. Trusted and unsupervised digital certificate generation using a security token
US10454675B2 (en) * 2003-12-22 2019-10-22 Assa Abloy Ab Trusted and unsupervised digital certificate generation using a security token
US9331990B2 (en) * 2003-12-22 2016-05-03 Assa Abloy Ab Trusted and unsupervised digital certificate generation using a security token
US9602497B2 (en) * 2003-12-22 2017-03-21 Assa Abloy Ab Trusted and unsupervised digital certificate generation using a security token
US7634084B2 (en) * 2003-12-26 2009-12-15 Panasonic Corporation Prime calculation device, method, and key issuing system
US20070121934A1 (en) * 2003-12-26 2007-05-31 Yuichi Futa Prime calculation device,method,and key issuing system
US7599489B1 (en) * 2004-02-09 2009-10-06 Sun Microsystems Inc. Accelerating cryptographic hash computations
WO2006021665A1 (en) * 2004-08-19 2006-03-02 France Telecom Method for assigning an authentication certificate and infrastructure for assigning said certificate
US20070283426A1 (en) * 2004-08-19 2007-12-06 France Telecom Method for Assigning an Authentication Certificate and Infrastructure for Assigning Said Certificate
US7685429B2 (en) * 2004-10-05 2010-03-23 Canon Kabushiki Kaisha Signature-generation method, signature-verification method, public-key distribution method, and information-processing apparatus
US20060075246A1 (en) * 2004-10-05 2006-04-06 Canon Kabushiki Kaisha Signature-generation method, signature-verification method, public-key distribution method, and information-processing apparatus
US20120204025A1 (en) * 2006-08-29 2012-08-09 Akamai Technologies, Inc. System and method for client-side authentication for secure internet communications
US20080060055A1 (en) * 2006-08-29 2008-03-06 Netli, Inc. System and method for client-side authenticaton for secure internet communications
US8181227B2 (en) * 2006-08-29 2012-05-15 Akamai Technologies, Inc. System and method for client-side authenticaton for secure internet communications
US8560834B2 (en) * 2006-08-29 2013-10-15 Akamai Technologies, Inc. System and method for client-side authentication for secure internet communications
US8631240B2 (en) 2006-11-13 2014-01-14 Certicom Corp. Compressed ECDSA signatures
WO2008058377A1 (en) * 2006-11-13 2008-05-22 Certicom Corp. Compressed ecdsa signatures
US20100023775A1 (en) * 2006-11-13 2010-01-28 Vanstone Scott A Compressed ecdsa signatures
EP2174445A4 (en) * 2007-07-17 2011-10-19 Certicom Corp Method of providing text representation of a cryptographic value
EP2174445A1 (en) * 2007-07-17 2010-04-14 Certicom Corp. Method of providing text representation of a cryptographic value
US8964971B2 (en) 2007-07-17 2015-02-24 Certicom Corp. Method of providing text representation of a cryptographic value
US20090022309A1 (en) * 2007-07-17 2009-01-22 Vanstone Scott A Method of providing text representation of a cryptographic value
EP2174445B1 (en) * 2007-07-17 2016-09-07 Certicom Corp. Method of providing text representation of a cryptographic value
WO2009009871A1 (en) 2007-07-17 2009-01-22 Certicom Corp. Method of providing text representation of a cryptographic value
US20090196418A1 (en) * 2008-02-04 2009-08-06 Freescale Semiconductor, Inc. Encryption Apparatus with Diverse Key Retention Schemes
US8175276B2 (en) * 2008-02-04 2012-05-08 Freescale Semiconductor, Inc. Encryption apparatus with diverse key retention schemes
US8819417B2 (en) * 2008-05-30 2014-08-26 Hitachi, Ltd. Validation server, validation method, and program
US20090300349A1 (en) * 2008-05-30 2009-12-03 Yoko Hashimoto Validation server, validation method, and program
US20120159158A1 (en) * 2008-05-30 2012-06-21 Hitachi, Ltd. Validation server, validation method, and program
US20100241852A1 (en) * 2009-03-20 2010-09-23 Rotem Sela Methods for Producing Products with Certificates and Keys
US8364954B2 (en) 2009-12-16 2013-01-29 Symantec Corporation Method and system for provisioning multiple digital certificates
US11251974B2 (en) 2009-12-16 2022-02-15 Digicert, Inc. Provisioning multiple digital certificates
US9055059B1 (en) 2009-12-16 2015-06-09 Symantec Corporation Combining multiple digital certificates
US20110145567A1 (en) * 2009-12-16 2011-06-16 Verisign, Inc. Method and system to combine multiple digital certificates using the subject alternative name extension
US20110145569A1 (en) * 2009-12-16 2011-06-16 Verisign, Inc. Method and system for provisioning multiple digital certificates
US8375204B2 (en) 2009-12-16 2013-02-12 Symantec Corporation Method and system to combine multiple digital certificates using the subject alternative name extension
US9100191B2 (en) 2009-12-16 2015-08-04 Symantec Corporation Combining multiple digital certificates
US20110154027A1 (en) * 2009-12-23 2011-06-23 Verisign, Inc. Method and system for co-termination of digital certificates
US9680819B2 (en) 2009-12-23 2017-06-13 Symantec Corporation Method and system for co-termination of digital certificates
US20110161662A1 (en) * 2009-12-30 2011-06-30 Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd System and method for updating digital certificate automatically
US20150095650A1 (en) * 2013-09-27 2015-04-02 Daniel Nemiroff Public key infrastructure for system-on-chip
US9319224B2 (en) * 2013-09-27 2016-04-19 Intel Corporation Public key infrastructure for system-on-chip
US11443293B2 (en) * 2013-12-10 2022-09-13 China Unionpay Co., Ltd. Secure network accessing method for POS terminal, and system thereof
US20170257220A1 (en) * 2014-11-19 2017-09-07 Huawei Technologies Co., Ltd. Directional-traffic statistics method, device, and system
US10680829B2 (en) * 2014-11-19 2020-06-09 Huawei Technologies Co., Ltd. Directional-traffic statistics method, device, and system
US10893031B2 (en) * 2015-12-09 2021-01-12 Cloudflare, Inc. Dynamically serving digital certificates based on secure session properties
US10305871B2 (en) * 2015-12-09 2019-05-28 Cloudflare, Inc. Dynamically serving digital certificates based on secure session properties
US20170324545A1 (en) * 2016-05-04 2017-11-09 International Business Machines Corporation Revocable pki signatures
US10447467B2 (en) * 2016-05-04 2019-10-15 International Business Machines Corporation Revocable PKI signatures
WO2018027300A1 (en) 2016-08-08 2018-02-15 ISARA Corporation Using a digital certificate with multiple cryptosystems
US10812475B2 (en) * 2017-04-18 2020-10-20 Servicenow, Inc. Authenticating access to an instance
US20180302400A1 (en) * 2017-04-18 2018-10-18 Servicenow, Inc. Authenticating access to an instance
US11106775B2 (en) 2017-10-20 2021-08-31 Advanced New Technologies Co., Ltd. Digital certificate application
WO2019079761A1 (en) * 2017-10-20 2019-04-25 Alibaba Group Holding Limited Digital certificate application method and device
TWI696931B (en) * 2017-10-20 2020-06-21 香港商阿里巴巴集團服務有限公司 Digital certificate application method and device
US11106776B2 (en) 2017-10-20 2021-08-31 Advanced New Technologies Co., Ltd. Digital certificate application
CN112352238A (en) * 2018-06-28 2021-02-09 币即特株式会社 Multiple signature security account control system
CN113228560A (en) * 2018-10-23 2021-08-06 西门子股份公司 Issuing apparatus and method for issuing, and requesting apparatus and method for requesting digital certificate
CN109992953A (en) * 2019-02-18 2019-07-09 深圳壹账通智能科技有限公司 Digital certificate on block chain signs and issues, verification method, equipment, system and medium
US20220247731A1 (en) * 2019-03-25 2022-08-04 Micron Technology, Inc. Secure communication between an intermediary device and a network
US12120100B2 (en) * 2019-03-25 2024-10-15 Micron Technology, Inc. Secure communication between an intermediary device and a network
CN110011799A (en) * 2019-04-02 2019-07-12 河南管软信息技术有限公司 Communication security method in mobile office
CN113841360A (en) * 2019-05-14 2021-12-24 大众汽车股份公司 Implementation of butterfly key expansion scheme
US20230246819A1 (en) * 2022-02-01 2023-08-03 Juniper Networks, Inc. Public key infrastructure based session authentication
TWI810957B (en) * 2022-06-01 2023-08-01 倍穎資訊股份有限公司 A remote node controlling management platform
CN115442052A (en) * 2022-08-30 2022-12-06 云海链控股股份有限公司 Collaborative signature method, system, equipment and computer readable storage medium
EP4440033A1 (en) 2023-03-31 2024-10-02 Sick Ag Authenticating data based on certificates

Also Published As

Publication number Publication date
US8214637B2 (en) 2012-07-03
JP2002207426A (en) 2002-07-26
US20100228970A1 (en) 2010-09-09

Similar Documents

Publication Publication Date Title
US8214637B2 (en) Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium
US7152158B2 (en) Public key certificate issuing system, public key certificate issuing method, information processing apparatus, information recording medium, and program storage medium
JP4796971B2 (en) Efficiently signable real-time credentials for OCSP and distributed OCSP
US9154306B2 (en) Privacy-preserving flexible anonymous-pseudonymous access
US6192130B1 (en) Information security subscriber trust authority transfer system with private key history transfer
CA2408589C (en) Url-based certificate in a pki
JP5130318B2 (en) Certificate-based encryption and public key structure infrastructure
US20100229241A1 (en) Method of accessing service, device and system thereof
US20040165728A1 (en) Limiting service provision to group members
US20060129847A1 (en) Methods and systems for providing a secure data distribution via public networks
CN109711184B (en) Block chain data access control method and device based on attribute encryption
US20070242830A1 (en) Anonymous Certificates with Anonymous Certificate Show
US20010034834A1 (en) Public-key-encryption data-communication system and data-communication-system forming method
US20020010861A1 (en) Access control system, access control method, device, access control server, access-control-server registration server, data processing apparatus, and program storage medium
CN109146479B (en) Data encryption method based on block chain
CN108696360A (en) A kind of CA certificate distribution method and system based on CPK keys
CN111614680B (en) CP-ABE-based traceable cloud storage access control method and system
EP2179534A1 (en) Method and system for generating implicit certificates and applications to identity-based encryption (ibe)
Win et al. Privacy enabled digital rights management without trusted third party assumption
CN115834067A (en) Ciphertext data sharing method in edge cloud collaborative scene
CN117896180B (en) Multi-system networking method based on attribute-based encryption technology, intelligent device and storage medium thereof
CN107360252A (en) A kind of Data Access Security method that isomery cloud domain authorizes
CN109146684B (en) Decentralized transaction verification method
Fan et al. Date attachable offline electronic cash scheme
US20020152383A1 (en) Method for measuring the latency of certificate providing computer systems

Legal Events

Date Code Title Description
AS Assignment

Owner name: SONY CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OKA, MAKOTO;ISHIBASHI, YOSHIHITO;MATSUYAMA, SHINAKO;AND OTHERS;REEL/FRAME:012786/0401;SIGNING DATES FROM 20020305 TO 20020306

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION