Ramesh K. Karne

Bio: Ramesh K. Karne is an academic researcher from IBM. The author has contributed to research in topics: Key (cryptography) & Hash-based message authentication code. The author has an hindex of 7, co-authored 13 publications receiving 462 citations.

Secure management of keys using control vectors

Abstract: The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorizes the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorization output connected to an input of the cryptographic processing means, for signalling that the key management function is authorized, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.

Data cryptography operations using control vectors

Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

A data processor having multiple execution units for processing plural classes of instructions in parallel

Abstract: A data processor is disclosed which enables the selective simultaneous or asynchronous execution of mutually independent instructions of different classes in parallel coupled execution units and which enables the sequential execution of mutually dependent instructions of different classes by delaying the execution of a dependent instruction in a second execution unit until the completion of execution of a precursor instruction in a first execution unit. The instructions are dispatched to respective ones of a plurality of parallel coupled execution units, in accordance with their instruction class.

Secure management of keys using extended control vectors

Abstract: A method and apparatus are disclosed for use in a data processing system which executes a program which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform. The improved method and apparatus enable the use of control vectors having an arbitrary length. It includes a control vector register having an arbitrary length, for storing a control vector of arbitrary length associated with an N-bit cryptographic key. It further includes a control vector checking means having an input coupled to the control vector register, for checking that the control vector authorizes the cryptographic function which is requested by the cryptographic service request. It further includes a hash function generator having an input coupled to the control vector register and an N-bit output, for mapping the control vector output from the control vector register, into an N-bit hash value. A key register is included for storing the N-bit cryptographic key. It further includes a logic block having a first input coupled to the N-bit output of the hash function generator, and a second input connected to the key register, for forming at the output thereof a product of the N-bit key and the N-bit hash value. Finally, an encryption device is included having a first input for receiving a cleartext data stream and a key input coupled to the output of the logic block, for forming a ciphertext data stream at the output thereof from the cleartext data stream and the product. A decryption device can be substituted for the encryption device to perform decryption operations in a similar manner.

Data cryptography using control vectors

Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorisation for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation centre, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

System and method for secure three-party communications

Abstract: A system and method for communicating information between a first party and a second party, comprising the steps of receiving, by an intermediary, an identifier of desired information and accounting information for a transaction involving the information from the first party, transmitting an identifier of the first party to the second party, and negotiating, by the intermediary, a comprehension function for obscuring at least a portion of the information communicated between the first party and the second party. The data transmission may be made secure with respect to the intermediary by providing an asymmetric key or direct key exchange for encryption of the communication between the first and second party. The data transmission may be made secure with respect to the second party by maintaining the information in encrypted format at the second party, with the decryption key held only by the intermediary, and transmitting a secure composite of the decryption key and a new encryption key to the second party for transcoding of the data record, and providing the new decryption key to the first party, so that the information transmitted to the first party can be comprehended by it.

Public key/signature cryptosystem with enhanced digital signature certification

Abstract: A public key cryptographic system is disclosed with enhanced digital signature certification which authenticates the identity of the public key holder. A hierarchy of nested certifications and signatures are employed which indicate the authority and responsibility levels of the individual whose signature is being certified. The certifier in constructing a certificate generates a special message that includes fields identifying the public key which is being certified, and the name of the certifiee. The certificate is constructed by the certifier to define the authority which is being granted and which may relate to a wide range of authorizations, delegation responsibilities or restrictions given to, or placed on the certifiee. Methodology is also disclosed by which multiple objects such as, for example, a cover letter, an associated enclosed letter, an associated graphics file, etc., are signed together. Methodology is also disclosed for digitally signing documents in which a digital signature is generated for both computer verification and for reverification if a document needs to be reconfirmed by reentering from a paper rendition.

Secure data parser method and system

Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.

Automated banking machine system and method

Abstract: A banking transaction processing system includes customer stations and at least one server provider station. The customer stations include automated banking machines. Each automated banking machine includes a card reader that reads indicia on user cards corresponding to financial accounts. Each automated banking machine also includes a cash dispenser. Service providers at service provider stations are enabled to communicate with customers at automated banking machines to help carry out transactions. Customers at automated banking machines may also carry out banking transactions without the involvement of service providers. Pneumatic tube transport systems may be used for moving items between local service providers and customers. In some embodiments, computers operating facial image transformation software and vocal sound transformation software enable outputs at customer stations which correspond to facial images and vocal sounds that customers may find more acceptable than those produced by the actual service provider.

System and method for access control for portable data storage media

Abstract: The system and method of the present invention provides the support of high density removable media, such as CD-ROM or MO, to be used as a distributed media for storing data where access thereto is securely restricted. Through this system and method, the secure periodic distribution of several different sets of data information to the end user is achieved with access control selectively performed by at the user's site through communication with the billing/access center. User billing is based on the purchase of the decryption access codes as indicated by the access code attributes encoded on the media. Access code availability is further controlled by selectively providing for updates of decryption access codes.