Patent•

Data cryptography operations using control vectors

TL;DR: A control vector associated with a data cryptography key provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, and translation of the user's data.
Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.
Citations
Patent•
25 Mar 2002
TL;DR: In this paper, the authors propose a system and method for communicating information between a first party and a second party, comprising the steps of receiving, by an intermediary, an identifier of desired information and accounting information for a transaction involving the information from the first party, and negotiating, by the intermediary, a comprehension function for obscuring at least a portion of the information communicated between the first party and the second party.
Abstract: A system and method for communicating information between a first party and a second party, comprising the steps of receiving, by an intermediary, an identifier of desired information and accounting information for a transaction involving the information from the first party, transmitting an identifier of the first party to the second party, and negotiating, by the intermediary, a comprehension function for obscuring at least a portion of the information communicated between the first party and the second party. The data transmission may be made secure with respect to the intermediary by providing an asymmetric key or direct key exchange for encryption of the communication between the first and second party. The data transmission may be made secure with respect to the second party by maintaining the information in encrypted format at the second party, with the decryption key held only by the intermediary, and transmitting a secure composite of the decryption key and a new encryption key to the second party for transcoding of the data record, and providing the new decryption key to the first party, so that the information transmitted to the first party can be comprehended by it.

1,193 citations

Patent•
03 Apr 2007
TL;DR: A banking transaction processing system includes customer stations and at least one server provider station as mentioned in this paper, and each automated banking machine includes a card reader that reads indicia on user cards corresponding to financial accounts.
Abstract: A banking transaction processing system includes customer stations and at least one server provider station. The customer stations include automated banking machines. Each automated banking machine includes a card reader that reads indicia on user cards corresponding to financial accounts. Each automated banking machine also includes a cash dispenser. Service providers at service provider stations are enabled to communicate with customers at automated banking machines to help carry out transactions. Customers at automated banking machines may also carry out banking transactions without the involvement of service providers. Pneumatic tube transport systems may be used for moving items between local service providers and customers. In some embodiments, computers operating facial image transformation software and vocal sound transformation software enable outputs at customer stations which correspond to facial images and vocal sounds that customers may find more acceptable than those produced by the actual service provider.

570 citations

Patent•
14 Jan 2000
TL;DR: In this article, a message gateway router (MGR) is used to convert messages from a variety of external message formats used by the external devices and authorization systems, to a common internal message format used within the system.
Abstract: A financial transaction processing system (10) enables processing transactions from various types of card activated terminal devices (12) which communicate using a variety of electronic message formats. The transaction processing system may operate to authorize transactions internally using information stored in a relational database (32) or may communicate with external authorization systems (18). The transaction processing system includes among its software components message gateway routers (MGRs) (24, 164) which operate using information stored in the relational database to convert messages from a variety of external message formats used by the external devices and authorization systems, to a common internal message format used within the system. The system further uses database information to internally route messages to message processing programs (MPPs) (108, 138) which process messages and generate messages to the external devices and authorization systems. The MGR also converts the outgoing messages from the internal message format to the external message formats which can be interpreted by the external devices and systems to which the messages are directed.

259 citations

Patent•
10 Jul 1992
TL;DR: In this paper, the authors describe a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with it) using a public key algorithm and a public key belonging to the intended recipient.
Abstract: The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record. Thus the type and usage attributes assigned by the originator of the key-encrypting key in the form of a control vector are cryptographically coupled to the key-encrypting key such that the recipient may only use the received key-encrypting key in a manner defined by the key originator. The patent further describes a method and apparatus to improve the integrity of the key distribution process by applying a digital signature to the key record and by including identifying information (i.e., an originator identifier) in the control information of the key record. The integrity of the distribution process is enhanced by verifying the digital signature and originator identifier at the recipient node.

209 citations

Patent•
02 Jan 2007
TL;DR: In this paper, a two-way, public key/private key encryption system is implemented to transmit the product and usage information between the server providing the software product and the customer computer system.
Abstract: A product distribution and payment system for limited use or otherwise restricted digital software products. Digital content data comprising a software product to be rented is made available to customers through a detachable local storage medium, such as a DVD or CD-ROM disc, or over a network connection. The product digital content is capable of being accessed and played back through a computer or game console at the customer site. The software product may comprise a limited use product that is restricted in the number of plays or duration of use. The customer is allowed to download and purchase the product using his computer or playback console. The product purchase information is encoded and transmitted to the content distributor. When the preset time or number of plays has elapsed the software program is frozen and access to the program is not allowed. In one embodiment of the present invention, a two-way, public key/private key encryption system is implemented to transmit the product and usage information between the server providing the software product and the customer computer system.

163 citations

References
Patent•
23 Jun 1982
TL;DR: An efficient end-to-end encryption system, including key management procedures, provides secure financial data communication between a system user at one of a plurality of transaction terminals of one of a plurality of acquirer institutions and one of a plurality of issuer institutions, with selected elements of the data being encrypted, decrypted and processed using a onetime session key which is similarly encrypted with master keys and efficiently sent along with the specific segments of the request and response messages.
Abstract: An efficient end-to-end encryption system including key management procedures for providing secure, financial data communication between a system user at one of a plurality of transaction terminals of one of a plurality of acquirer institutions and one of a plurality of issuer institutions, with selected elements of the data being encrypted, decrypted, and processed using a onetime session key which is similarly encrypted with master keys and efficiently sent along with the specific segments of the request and response messages. A session key authentication code is utilized to prevent the replay of a previously used session key, thereby precluding undetected message replay or undetected message or data element substitution or insertion.

483 citations

Patent•
05 Dec 1977
TL;DR: In this paper, a common session key for data transmissions between different domains of a multiple-domain communication network where each domain includes a host system and its associated resources of programs and communication terminals is proposed.
Abstract: A communication security system for data transmissions between different domains of a multiple domain communication network where each domain includes a host system and its associated resources of programs and communication terminals. The host systems and communication terminals include data security devices each having a master key which permits a variety of cryptographic operations to be performed. When a host system in one domain wishes to communicate with a host system in another domain, a common session key is established at both host systems to permit cryptographic operations to be performed. This is accomplished by using a mutually agreed upon cross-domain key known by both host systems and does not require each host system to reveal its master key to the other host system. The cross domain key is enciphered under a key encrypting key designated as the sending cross domain key at the sending host system and under a different key encrypting key designated as the receiving cross domain key at the receiving host system. The sending host system creates an enciphered session key and together with the sending cross-domain key performs a transformation function to reencipher the session key under the sending cross domain key for transmission to the receiving host system. At the receiving host system, the receiving host system using the receiving cross-domain key and the received session key, performs a transformation function to reencipher the received session key from encipherment under the sending cross domain key to encipherment under the receiving host system master key. With the common session key now available in usable form at both host systems, a communication session is established and cryptographic operations can proceed between the two host systems.

178 citations

Patent•
Stephen M. Matyas, Carl H. W. Meyer
05 May 1978
TL;DR: Secure hardware is provided for cryptographically generating a verification pattern which is a function of a potential computer user's identity number, the potential computer user's separately entered password, and a stored test pattern.
Abstract: Secure hardware is provided for cryptographically generating a verification pattern which is a function of a potential computer user's identity number, the potential computer user's separately entered password, and a stored test pattern. The test pattern for each authorized computer user is generated at a time when the physical security of the central computer and its data can be assured, such as in a physically guarded environment with no teleprocessing facilities operating. Secure hardware for generating verification patterns during authentication processing and for generating test patterns during the secure run is disclosed which uses a variation of the host computer master key to reduce risk of compromise of total system security. The use of a variant of the host master key prevents system programmers and/or computer operators from compromising the integrity of the authentication data base by, for example, interchanging entries and/or inserting new entries.

163 citations

Patent•
11 May 1988
TL;DR: In this paper, a method for controlling the use of a cryptographic key at a using station by a generating station in a network of generating and using stations is disclosed, where the key and control value are authenticated via a special authentication code before use by the using station and coupled during key generation such that the key is recovered only if a correct control value is specified.
Abstract: A method for controlling the use of a cryptographic key at a using station by a generating station in a network of generating and using stations is disclosed. A control value specifying the use of the cryptographic key is transmitted with a generated cryptographic key to at least two designated using stations one of which may be the generating station. Each of the generating and using stations have cryptographic facilities that securely store a master key. Two techniques are described for controlling the use of the cryptographic key. In the first, the key and the control value are authenticated via a special authentication code before use by the using station. In the second, the key and control value are coupled during key generation such that the key is recovered only if a correct control value is specified. In addition, two techniques are described for controlling who may use the cryptographic key. In the first, each using station has a unique secret transport key shared with the generating station which generates the key in such a way that it can be recovered or regenerated only by the designated using station possessing the correct secret transport key. In the second, secret transport keys are shared by pairs of using stations and cryptographic separation is achieved by using public or nonsecret values unique to each using station.

121 citations