Method and system for authentication when certification authority public and private keys expire, U.S. Patent Number 7,412,524, from the United States Patent and Trademark Office (PTO)

Title: Method and system for authentication when certification authority public and private keys expire

Abstract: This invention relates to a method for enabling the use of valid authentication certificates when the public and private keys of the certifying authority have expired, comprising: obtaining a server certifying authority chain (SCAC) certificate by the server from the said certifying authority; presenting the original valid authentication certificate along with the said SCAC certificate by the server to the browser during the SSL handshake; accepting the transaction by the browser after verification of the original authentication certificate using the expired public key of the certifying authority; and verifying the said SCAC certificate using the new public key of the said certifying authority. This invention further includes a system for conducting secure transactions that includes a certifying authority for authenticating such transactions.

Patent Number: 7,412,524 Issued on 08/12/2008 to Gupta, et al.


Inventors: Gupta; Deepak (Delhi, IN), Chillakuru; Vamsavardhana Reddy (Mount Kisco, NY)
Assignee: International Business Machines Corporation (Armonk, NY)
Appl. No.: 09/626,637
Filed: July 27, 2000


Current U.S. Class: 709/229 ; 713/155; 713/157; 713/158
Current International Class: G06F 15/16 (20060101)
Field of Search: 713/157,156,158,175,155 380/30 709/229


Primary Examiner: Jaroenchonwanit; Bunjob
Assistant Examiner: Shin; Kyung H
Attorney, Agent or Firm: Schmeiser, Olsen & Watts Steinberg; William H.

Claims



The invention claimed is:

1. A method for enabling use by a browser of valid authentication certificates in relation to a transaction between the browser and a server when a private key and public key of a certifying authority of the server have expired, comprising: receiving an original authentication certificate together with a server certifying authority chain (SCAC) certificate by the browser from the server during an SSL handshake between the browser and the server, said SCAC certificate having been previously obtained by the server from the certifying authority; verifying by the browser the original authentication certificate using the expired public key of the certifying authority; and verifying by the browser the SCAC certificate using a new public key of the certifying authority.

2. The method of claim 1, wherein the SCAC certificate is obtained by the server whenever the certifying authority invalidates its public key, wherein the certificate is obtained by: contacting the certifying authority, using the server's private key for authentication, to make a request for the SCAC certificate; verifying the request by the certifying authority using the server's public key; and generating the SCAC certificate by the certifying authority using a new private key of the certifying authority and forwarding the SCAC certificate to the server.

3. The method of claim 2 wherein generating the SCAC certificate includes authenticating the server name, the server public key, old certifying authority public key, and certifying authority name.

4. The method of claim 1, further comprising issuing by the certifying authority a client (CCAC) certificate, said CCAC certificate being functionally the same as the SCAC certificate subject to the roles of the browser and the server being interchanged.

5. The method of claim 1, wherein the method further comprises presenting the CCAC certificate to the server during the handshake.

6. The method of claim 1, further comprising accepting the transaction by the browser after said verifying the original authentication certificate and after said verifying the SCAC certificate.

7. The method of claim 1, wherein obtaining the SCAC certificate comprises using the new private key of the certifying authority.

Description



FIELD OF THE INVENTION

This invention relates to a method and system for a solution to the problems arising from the expiry of digital certificates of the certifying authority used in a secure communication environment over a public network such as the internet.

BACKGROUND OF THE INVENTION

Digital Certificates are used throughout the secure Internet for authentication and data integrity. To set up a secure Web Server, the server requests a certificate from a Certification Authority (CA). CAs are trusted third parties that are recognized and trusted by the whole Internet population, including all Web Servers and Web Browsers. The Server Certificate is a signature by the CA attesting that the Server has been validated by it and can be trusted. It is a signature by the CA's private key over the server's public key, its Domain Name and other information such as its Address. The self-signed Certificates of the CAs are provided in all Servers and Browsers. So in a normal SSL Handshake between a web server and a client, i.e. a Browser, when the server presents its certificate to the browser, the Browser software validates the Certificate by checking the signature of the CA on the certificate with the help of the CA certificate it holds.

The problem with the above digital certificates is that the strength of the security lies in the strength of the keys used in the system. There is one pair of keys for each entity, including the CA and the Web Server: the Private Key and the Public Key. Now, as the CA certificates are available publicly and trusted by everyone, these keys need to be very strong, and no one should be able to break them. However, this is not possible forever. Knowing the Public Key (available in the CA Certificate), with some time and money, the keys can be broken. Each key has its own lifetime, after which it is assumed that it is no longer safe to use it, as within that time period the keys can be broken. So the CAs expire their certificates after some amount of time. This poses some problems, as the servers using Certificates from CAs whose certificates expire are no longer valid (even though the servers' certificates are valid, i.e. not expired). Although the communication might still be secure, the client throws up a message box to the user warning him that the CA has expired and that it might not be safe to transact with the server. This creates a lot of confusion for the user.

The first solution to the above problem currently is to get a new certificate for the Web server from the CA with the new CA keys generated.

The second solution to the above problem is to modify the browser software to automatically accept this connection even though the certificate has expired.

This problem was seen very clearly on 1 Jan. 2000, as one of the most used Verisign Certificates expired on that day, and Sites using the certificates issued by the CA had to face problems as their users got an undesired pop-up window from Browsers warning them of the expiration. The solution was either to get a new Server Certificate from Verisign or to use new versions of the Browsers. The new versions probably accepted the certificate irrespective of the date expiration. As there are a lot of CAs, each will have the same problem when their certificates expire. The users will have problems with the old versions of the Browsers, which might amount to a sizable share of a Web Site's users. Verisign had advised users to get the newer versions of the browser.

The third solution would be to have a requirement for all CAs not to issue Certificates for period spanning more than their expiry date.

The problem with the first Solution is that it requires generating a new Server Certificate Request, sending it to the CA, the CA validating and signing it, sending the Certificate to the server, and finally the server importing it and making it the default Certificate. This amounts to a lot of rework; in fact it requires the entire process of Certificate generation to be done again.

The problem with the second solution is that it will work only with the newer versions of the Browser software, thereby cutting off a sizable part of the Internet Population. Generally, while dealing with Internet applications, users would not like to spend much time downloading new software and might not like being advised to get a new Browser. So sites might lose some of their customers and hence some of their Business. Secondly, by accepting the expired CA, the newer versions defeat the purpose of having expired the Certificate in the first place and do pose a security threat.

The problem with the third solution is that it is practically not feasible and is not used currently. There are a lot of situations where CAs have to issue certificates for longer times. For example, the CA might generate keys for 2 years; after 1 year and 1 month, when an entity requests a certificate for 1 year, the CA has to issue it for 1 year and cannot issue it for 11 months and expect the user to get it reissued after that. The user would go to some other CA and the CA would lose its business.

OBJECTS AND SUMMARY OF THE INVENTION

The object of this invention is to obviate the above drawbacks by providing a server certifying authority chain certificate (SCAC certificate), which is issued by the certifying authority using its new keys, to validate the previously issued server certificate.

To achieve the said objective, this invention provides a method for enabling the use of valid authentication certificates when the private key and public key of any of the certifying authorities have expired comprising: obtaining a server certifying authority chain (SCAC) certificate by the server from the said certifying authority, presenting the original valid authentication certificate along with the said server certifying authority chain certificate, by the server to the browser during the SSL handshake, accepting the transaction by the browser after verification of the original authentication certificate using the expired public key of the certifying authority, and verifying the said SCAC certificate using the new public key of the said certifying authority.

The said server certifying authority chain (SCAC) certificate is obtained by each server whenever the certifying authority invalidates its public key, by: contacting the certifying authority using the server's private key for authentication, verifying the request by the certifying authority using the server's public key, generating the SCAC certificate by the certifying authority using its new private key and forwarding to the said server.

The generating of the said SCAC certificate includes the authentication of the server name and the server public key, old certifying authority public key and certifying authority name.

In the case of a client, the certifying authority will also issue client certificates known as CCAC certificates, which work the same way as SCAC certificates. During the SSL handshake, when the client presents its certificate, it will also present the CCAC certificate to the server.

In an arrangement of networked server and browser systems conducting secure transactions and including a certifying authority for authenticating such transactions, characterized in that it includes a means for authenticating transactions when the public and private key of the said certifying authority have expired but the authentication certificates of any of server or browser systems is still valid, comprising: a means for the server to obtain a certifying authority chain certificate using the new private key of the certifying authority, a means for presenting the said certifying authority chain certificate together with the original authentication certificate, to the browser, a means for verifying the original authentication certificate using the expired public key of the certifying authority, and verifying the certifying authority chain certificate using the new certifying authority public key by the browser.

The said means for the server to obtain a SCAC certificate from the said certifying authority whenever the said certifying authority withdraws its public key comprising: a means for contacting the said certifying authority and requesting certifying authority chain certificate using the server's private key for authentication, a means for verification of the request by the certifying authority, a means for generating and forwarding the certifying authority chain certificate to the server by the said certifying authority.

The said certifying authority has means to generate the said SCAC certificate containing authentication of the server name and the server public key, the old certifying authority public key and the certifying authority name.

The said certifying authority also has means to issue client certificates known as CCAC certificates, which work the same way as the SCAC certificate.

The system includes means to present CCAC certificates to the server during SSL handshake when the client presents its certificate.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described with reference to the accompanying drawings:

FIG. 1 shows the flow diagram of the method for authenticating the server using the SCAC certificate.

FIG. 2 shows a flow diagram of a method for obtaining SCAC certificate from the certifying authority.

DETAILED DESCRIPTION OF THE DRAWINGS

Referring to the drawings, FIG. 1 shows the server presenting the valid server certificate (1.1) encrypted with the old CA public key along with the SCAC certificate (1.2) signed with a new private key, to the browser. The browser verifies the server certificate using the old CA certificate.

If the validation is unsuccessful, the transaction is rejected (3). If the verification is successful, then the browser verifies the SCAC certificate (4) using the new CA public key. If this verification is unsuccessful, the transaction is rejected (3), but if it is successful, the transaction is accepted (5).

In FIG. 2 the server periodically checks (6 & 7) for the expiry of the certifying authority public key. If the public key has not expired, no further action is required. If, however, the certifying authority public key has expired, the server sends a request (9) to the certifying authority for issuance of an SCAC certificate. This request is encrypted using the server's private key. The certifying authority verifies the authenticity of the request by checking it using the server's public key and, if the verification is successful, issues the SCAC certificate (10). This SCAC certificate is signed using the certifying authority's new private key.

The above solution can be expanded to have chains of certificates.

The above solution will also work for Client Certificates issued by the CAs; these will be known as Client CA Chain Certificates (CCAC) and will work exactly the same way as SCAC Certificates. The Clients can keep track of the expiry of the CAs who signed their Certificates and request a CCAC Certificate from the CA. The CA will generate CCAC certificates for the clients. During the SSL Handshake, when the client presents its certificate, it will also present the CCAC Certificate to the Server.

Advantages:

1. By using the above method a new certificate is not required.

2. The security is not compromised. If a hacker is able to break the old CA key, he/she will not be able to break the web site certificate, as he will not be able to duplicate the New Certificate issued by the new CA Keys.
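As an added illustration of the FIG. 1 check and the FIG. 2 issuance described above (example code written for this page, not code from the patent or from IBM), the chain is modelled with toy RSA keys on small Mersenne primes and dict-shaped certificates; the CA and server names, the field names and the request format are assumptions. The demo also exercises the second advantage: a certificate minted under the broken old CA key is rejected because the genuine SCAC binds the real server key.

```python
import hashlib
import json

E = 65537  # public exponent shared by every toy key below


def keypair(p, q):
    """Textbook RSA key pair from two known primes (toy only, far too small for real use)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(fields, n):
    """Canonically serialise the signed fields, hash them and reduce into the modulus."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n


def sign(fields, priv):
    return pow(digest(fields, priv["n"]), priv["d"], priv["n"])


def verify(fields, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(fields, pub["n"])


# Constructed key pairs: the CA's old (expired) key, the CA's new key, the server's key.
CA_OLD_PUB, CA_OLD_PRIV = keypair(2**61 - 1, 2**89 - 1)
CA_NEW_PUB, CA_NEW_PRIV = keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = keypair(2**31 - 1, 2**521 - 1)
CA_NAME = "Example CA"           # constructed names, not from the patent
SERVER_NAME = "www.example.com"

# The original server certificate: issued under the CA's old key and itself still unexpired.
SERVER_CERT = {"subject": SERVER_NAME, "subject_pub": SRV_PUB, "issuer": CA_NAME}
SERVER_CERT_SIG = sign(SERVER_CERT, CA_OLD_PRIV)


def issue_scac(request, request_sig, ca_new_priv, ca_old_pub):
    """FIG. 2: the CA checks the request under the server's public key, then signs an
    SCAC with its new private key binding server name, server key, old CA key and CA name."""
    if not verify(request, request_sig, request["server_pub"]):
        return None                      # request not authenticated: no SCAC issued
    scac = {"server_name": request["server_name"], "server_pub": request["server_pub"],
            "old_ca_pub": ca_old_pub, "ca_name": CA_NAME}
    return scac, sign(scac, ca_new_priv)


def browser_accepts(server_cert, cert_sig, scac, scac_sig, ca_old_pub, ca_new_pub):
    """FIG. 1: verify the original certificate under the old CA key (reject at step 3 on
    failure), then the SCAC under the new CA key (step 4), and accept (step 5) only if the
    SCAC binds the same server name, server key and old CA key the certificate carries."""
    if not verify(server_cert, cert_sig, ca_old_pub):
        return False
    if not verify(scac, scac_sig, ca_new_pub):
        return False
    return (scac["server_name"] == server_cert["subject"]
            and scac["server_pub"] == server_cert["subject_pub"]
            and scac["old_ca_pub"] == ca_old_pub
            and scac["ca_name"] == server_cert["issuer"])


def demo():
    """Happy path plus two abuse cases; returns (accepted, forged_scac, swapped_key)."""
    request = {"server_name": SERVER_NAME, "server_pub": SRV_PUB}
    scac, scac_sig = issue_scac(request, sign(request, SRV_PRIV), CA_NEW_PRIV, CA_OLD_PUB)
    accepted = browser_accepts(SERVER_CERT, SERVER_CERT_SIG, scac, scac_sig,
                               CA_OLD_PUB, CA_NEW_PUB)
    # An SCAC signed with the expired (possibly broken) old CA key must not pass.
    forged_scac = browser_accepts(SERVER_CERT, SERVER_CERT_SIG, scac, sign(scac, CA_OLD_PRIV),
                                  CA_OLD_PUB, CA_NEW_PUB)
    # A holder of the old CA key can mint a certificate for another key, but the genuine
    # SCAC binds the real server key, so the pair is rejected (advantage 2 above).
    swapped = dict(SERVER_CERT, subject_pub=CA_OLD_PUB)
    swapped_key = browser_accepts(swapped, sign(swapped, CA_OLD_PRIV), scac, scac_sig,
                                  CA_OLD_PUB, CA_NEW_PUB)
    return accepted, forged_scac, swapped_key


if __name__ == "__main__":
    print(demo())
```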
