1. Technical Field
The present invention relates generally to an improved data processing system and, in particular, to a system, apparatus and method for processing Personal InFormation EXchange Syntax (PFX) objects formatted according to interoperability standards.
2. Description of Related Art
Public-key cryptography is the technology in which encryption and decryption involve different keys. The two keys are the public key and the private key, and either can encrypt or decrypt data. A user gives his or her public key to other users, keeping the private key to himself or herself. Data encrypted with a public key can be decrypted only with the corresponding private key, and vice versa.
As public-key cryptography has gained acceptance, standards have become necessary so that software at two different sites could work together even when the software is developed by different vendors. In particular, standards have been developed to allow agreement on digital signatures, digital enveloping, digital certification, and key agreement. However, interoperability requires strict adherence to communicable formats, and PKCS, or “Public Key Cryptography Standard,” provides a basis for interoperable standards in heterogeneous environments.
PKCS is a set of documents published by RSA Laboratories that serves to define data types and algorithms used in public-key cryptography. The first set of ten PKCS standards was released in 1991. In the 1993 release PKCS #2 and #4 were incorporated into PKCS #1, so the set of standards included:                PKCS #1: RSA Encryption Standard;        PKCS #3: Diffie-Hellman Key Agreement Standard;        PKCS #5: Password-Based Encryption Standard;        PKCS #6: Extended-Certificate Syntax Standard;        PKCS #7: Cryptographic Message Syntax Standard;        PKCS #8: Private-Key Information Syntax Standard;        PKCS #9: Selected Attribute Types; and        PKCS #10: Certification Request Syntax Standard.        
PKCS continues to evolve and the following standards have been added since 1993:                PKCS #11: Cryptographic Token Interface Standard;        PKCS #12: Personal Information Exchange Syntax Standard;        PKCS #13: Elliptic Curve Cryptography Standard; and        PKCS #15: Cryptographic Token Information Format Standard.        
Two independent levels of abstraction have been provided by these standards. The first level is message syntax, and the second level is specific algorithms. The intention has been that message syntax and specific algorithms should be orthogonal. In other words, a standard for the syntax of digitally signed messages should be able to work with any public-key algorithm, not just RSA, the public-key algorithm invented by Rivest, Shamir, and Adleman involving exponentiation modulo the product of two large prime numbers; and a standard for RSA should be applicable to many different message syntax standards.
One of these standard documents, PKCS #9, defines a set of attributes that can be used in other PKCS standards. In particular, PKCS #9 defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, PKCS #12 personal information, and PKCS #15 cryptographic token information.
PKCS #12 describes a standard that defines the syntax for the secure transfer of personal identity information, such as private keys, certificates, Certificate Revocation Lists (CRLs), and the like. Under this standard, data is packaged into a well-defined Protocol Data Unit (PDU) according to Personal InFormation EXchange Syntax (PFX). Over time, such a standard protocol data unit has become known familiarly as a “PFX”. The PFX can then be encoded into a standard format byte stream according to the Distinguished Encoding Rules (DER). This standard format allows PFX objects produced on one system, i.e. the operating environment defined by the hardware system, operating system and application, to be transmitted to a completely different system and decoded there.
Each data item in a PFX can be independently protected from exposure during transmission by one of two privacy modes:                1. Public-key privacy mode, in which the data is encrypted with the public key of the receiver and the data can be decrypted at the receiver with the corresponding private key; and        2. Password-based privacy mode, in which the data is encrypted with a shared secret key (symmetric key) derived from an input password and the data can be decrypted with the same key at the receiver. Alternatively, the data may be left unprotected, i.e. no encryption.        
The PFX is itself protected from data tampering by one of two integrity modes:                1. Public-key integrity mode, in which a digital signature on the entire PFX is produced using the sender's private key and the signature can be verified using the corresponding public key at the receiver; and        2. Password-based integrity mode, in which a message authentication code is produced by digesting the entire PFX with the HMAC-SHA1 message digest algorithm. The HMAC key is derived from an input password. At the receiver, the digest is re-generated using the same input password and compared against the attached digest. If the two digests match, the content integrity is verified. The password used for data integrity may or may not match password(s) used for data privacy. As with data privacy, there is the option that no mechanism be used to protect data integrity.        
Thus, individual personal information data items can be packaged into a PFX and each data item may be independently protected by data encryption. Data integrity of the entire PFX can be assured by the attachment of a digital signature or message digest. The final PFX can then be DER encoded into a standard format and transmitted to a receiving entity. The receiver decodes the DER encoded object into a PFX and verifies the data integrity. Finally, individual data items are extracted by decrypting with the appropriate key.
With all the attributes that are part of a PFX object, administrators, applications developers, and other users can easily be lost in details. They may have access to all the integral objects used in creating a PFX object, such as certificate files, private key files, and any passwords or keys used for data protection, but they may lack the application or means to merge the objects together to create a PFX object. In other situations, users may receive a PFX object as an external file for which they do not have a targeted application or that they do not wish to be automatically included in a targeted application.
Therefore, it would be advantageous to have an improved system, apparatus and method for presenting and manipulating secure data objects using interoperable standards in a heterogeneous environment, such as using PKCS within a distributed computing environment. It would be still more advantageous to provide users with a system, apparatus and method to graphically construct a PFX object as well as view and manipulate a PFX object that has been stored or received.