1. Field of the Invention
The present invention relates in general to data processing systems and, in particular, to a computer system and method for generating a self-verifying certificate. Still more particularly, the present invention relates to a computer system and method to generate a self-verifying certificate for use only within the computer system for authenticating internal operations, wherein only the system administrator can create the certificate.
2. Description of the Related Art
Personal computer systems are well known in the art. They have attained widespread use for providing computer power to many segments of today's modern society. A personal computer (PC) may be defined as a desktop, floor-standing, or portable microcomputer that includes a system unit having a central processing unit (CPU) and associated volatile and non-volatile memory, including random access memory (RAM) and basic input/output system read only memory (BIOS ROM), a system monitor, a keyboard, one or more flexible diskette drives, a CD-ROM drive, a fixed disk storage drive (also known as a “hard drive”), a pointing device such as a mouse, and an optional network interface adapter. One of the distinguishing characteristics of these systems is the use of a motherboard or system planar to electrically connect these components together. Examples of such personal computer systems are IBM's NetVista series, Aptiva series, and IntelliStation series.
Encryption algorithms are known to ensure that only the intended recipient of a message may read and access the message. One known encryption algorithm is an asymmetric, or public key, algorithm. The public key algorithm is a method for encrypting messages sent from a first entity to a second entity. This algorithm provides for a key pair comprised of a private key and a public key which are mathematically related such that if the private key is used to encrypt data then only the matched public key can be used to decrypt the data, and vice versa.
Inherent in a public key encryption algorithm is the need for strong trust relationships. Individual trust relationships are typically enabled through a Certificate Authority (CA). A Certificate Authority is a mutually trusted agent that vouches for the authenticity of a sender of a message, which may be either a group or an individual.
In Intranet, Internet, Virtual Private Networks, e-mail, and e-commerce applications, communication connections may traverse backbones and routers as well as machines at secured or non-secured sites. In certain circumstances, it is imperative that users of the above-referenced applications employ systems and methods which provide for secure transactions and communications.
A Public Key Infrastructure (PKI), a system for using public key methodologies, enables users of an essentially non-secured public network, such as the Internet, to securely and privately exchange information and authenticate identities using a public/private cryptographic key pair.
Certificate Authorities are entities that can issue digital certificates. Certificate Authorities are, in essence, a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.
A digital certificate may be described as an attachment to an electronic message used for security purposes which establishes credentials when doing business or other transactions on the Web. Digital certificates link details about an individual or an organization to a public key, and are able to identify individuals or organizations. A common use of a digital certificate is to verify that a user sending a message is the person the user claims to be. The digital certificate may contain the holder's name, a serial number, expiration dates, a copy of the certificate holder's public key, and the digital signature of a Certificate Authority. The digital certificate contains the digital signature of the CA so that anyone can verify that the certificate is real.
Certificates are beneficial when two entities both trust the same CA. This allows them to learn each other's public key by exchanging a certificate signed by that CA. A digital signature is an electronic signature, rather than a written signature, that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document. It can also be used to ensure that the original content of a message or document that has been conveyed is unchanged. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message has arrived in the manner intended by the sender. When a public key is known, it can be used to encrypt data, individuals can send it to one another, or it can be used to verify signatures on documents.
Directory services in the PKI include one or more directories where the certificates (with their public keys) are held. A registration authority is an authority in a network that acts as the verifier for the CA before a digital certificate is issued to a requestor. The registration authority tells the CA to issue the certificate if the verification process so dictates.
Individuals who desire to send an encrypted message can request a digital certificate from a CA. The CA can issue a signed digital certificate containing the applicant's public key and other identification information. The CA may make its own public key readily available through print materials, through the Internet, or via other means.
The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate.
A certificate is typically requested by a user through an application such as a browser or email. The certificate request, along with the target public key used to create the certificate, is routed to the CA. After the identity of the requester is verified, the CA generates the certificate. The certificate is then returned to the requester and installed into the requester's system.
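The issue-and-verify flow described above, as an added example that is not part of the original text: a CA signs a certificate body binding a name, serial number and expiration date to a public key, and a recipient checks that signature with the CA's public key before trusting the key inside. It uses textbook RSA without padding over constructed Mersenne-prime keys, which is for illustration only; every function name and sample value is an assumption.

```python
import hashlib
import json

def make_key(p, q, e=65537):
    """Toy RSA key pair from two primes (no padding; illustration only)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(body, n):
    """SHA-256 of the canonical JSON encoding, reduced into the key's range."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(ca_key, name, serial, expires, subject_pub):
    """CA side: bind the identity to the public key and sign the result."""
    body = {"name": name, "serial": serial, "expires": expires,
            "public_key": subject_pub}
    signature = pow(digest(body, ca_key["n"]), ca_key["d"], ca_key["n"])
    return {"body": body, "signature": signature}

def verify_certificate(cert, ca_pub, today):
    """Recipient side: return the holder's public key, or raise ValueError."""
    n, e = ca_pub["n"], ca_pub["e"]
    # Recover the signed digest with the CA's public key and compare it
    # with a digest recomputed over the fields actually received.
    if pow(cert["signature"], e, n) != digest(cert["body"], n):
        raise ValueError("signature does not match certificate body")
    if cert["body"]["expires"] < today:  # ISO dates compare as strings
        raise ValueError("certificate expired")
    return cert["body"]["public_key"]

# Constructed sample keys: Mersenne primes keep the example short.
CA_KEY = make_key(2**107 - 1, 2**127 - 1)
CA_PUB = {"n": CA_KEY["n"], "e": CA_KEY["e"]}
ALICE_KEY = make_key(2**61 - 1, 2**89 - 1)
ALICE_PUB = {"n": ALICE_KEY["n"], "e": ALICE_KEY["e"]}

# Constructed sample certificate for a hypothetical holder.
CERT = issue_certificate(CA_KEY, "alice@example.com", 1001,
                         "2030-01-01", ALICE_PUB)
```

A certificate whose body is altered after issuance, for instance by substituting a different public key, fails the signature check because the recomputed digest no longer matches the one the CA signed.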
The certificates and certificate authority of the prior art are utilized when information is transmitted from one computer system to another computer system that is separate from the transmitting computer system. Therefore, the certificates are transmitted externally from one computer system across some type of network and are received by another computer system.
Therefore, a need exists for a method and system to build a trust relationship internally within a single computer system by generating a self-verifying certificate for use only within the computer system to establish trust for internal purposes.