The present invention relates to verifying an entity""s identity and/or capabilities on a data network, and more particularly, to an apparatus and method for using hierarchically structured digital certificates containing authorization information to verify the identity and/or capabilities of an entity on a data network.
In everyday life, trust is granted between individuals based on characteristics defining the relationship of the individuals and the identity of the individual in question, such as familiarity, occupation, status, and third party voucher of the individual in question. However, trust between individuals communicating on a public internet is not typically granted in such a simple and straightforward manner, because individuals can assume almost any identity in cyberspace. While the public internet offers flexibility and freedom, the public internet also instills high levels of distrust, especially when granting authority to an individual or when transmitting private, sensitive, or confidential information.
On the public internet, a digital certificate is typically used to verify the identity and/or capabilities of a subject or sender of the digital certificate presented to a recipient or relying party of the digital certificate. A third party, referred to as a certificate authority or issuer of the digital certificate, researches the subject/sender desiring certification, and issues a digital certificate to the subject/sender to vouch that the subject/sender of the message is actually who they say they are. The certificate authority digitally signs the digital certificate. The subject of the digital certificate presents the signed digital certificate to the relying party who trusts the certificate authority. The relying party computes a cryptographic hash of contents of the digital certificate and uses the cryptographic hash together with a certificate authority""s public key, which is readily available, to verify the digital signature. The verification of the digital signature verifies that the digital certificate was issued by the certificate authority.
Basic public key digital certificates contain a public key and a name associated with the sender. Extended public key certificates typically contain additional fields of authorization information not found in the basic public key certificates. Authorization certificates omit the name, and bind the public key directly to authorization information. Attribute certificates omit the public key, and bind the name to authorization information.
Currently, the leading digital certificate standard is X.509 version 3 (X.509v3). The X.509v3 standard is an extended public key certificate standard, which can contain additional fields of authorization information not found in the basic public key certificates. The X.509v3 standard supports Secure Sockets Layer 3.0 encryption along with other encryption schemes. Both Netscape Communicator 4.0 and Microsoft""s Internet Explorer 4.0 support X509v3 certificates.
In X.509v3 digital certificates, each extension field has a criticality flag. The criticality flag is employed in situations where the recipient of a digital certificate is presented with one or more extension fields within the digital certificate that the recipient does not understand, perhaps because the extension field is newer than the computer program used by the recipient. If the criticality flag is not set, the recipient can ignore the unknown extension field. If the criticality flag is set, the relying party must reject the digital certificate.
In certain situations, it is convenient to collect information intended for multiple uses in the same digital certificate by using two or more unrelated fields within the digital certificate. This approach provides the simplicity of a single digital certificate for a wide variety of authentication and authorization needs. This approach, however, compromises confidentiality since all recipients have access to all fields, related or unrelated to the recipient""s requirements. For example, a single digital certificate may grant access to a Unix platform and also grant permission to sign purchase orders. In this example, the digital certificate has first type fields that specify a user ID and group ID for the Unix platform, as well as second type fields that specify a limit on the value of purchase orders that the recipient of the digital certificate is authorized to sign. Thus, when the digital certificate is used to access the Unix platform, the second type fields (i.e., the purchase order limit) are unrelated to the recipient""s requirements and may become visible to the Unix administrator, such as by being recorded on the system log. The Unix administrator has no need to know the limit on the value of purchase orders, and it would be best if this purchase order information were not disclosed unnecessarily.
Alternative approaches have been developed to work around the confidentiality problem that results from two or more unrelated fields residing within the same digital certificate. In a first alternative approach, confidentiality is achieved by encrypting some or all of the fields of the digital certificate. The first alternative approach only provides protection against a third party that eavesdrops on the transmission of the digital certificate to the relying party. This first alternative approach cannot provide confidentiality against the recipient itself, because the recipient needs access to the plaintext of the entire digital certificate in order to compute a cryptographic hash necessary to validate the digital certificate.
In a second alternative approach, the sender uses separate digital certificates instead of placing information in multiple, unrelated fields within a single digital certificate. For example, instead of using one digital certificate containing the public key and the name of the sender together with three types of fields containing authorization information for three unrelated applications, the second alternative approach uses four separate digital certificates. The four separate digital certificates include a first basic public key certificate binding the public key to the sender name, and three attribute certificates. Each attribute certificate binds the sender name to the corresponding authorization information contained in the field type of the given attribute certificate. This second alternative approach has an advantage in that the four digital certificates can be signed by four independent certificate authorities. On the other hand, the second alternative approach has the disadvantage in that it requires four digital signatures instead of one, and four transactions over a network instead of one when the certificate authority issues the digital certificate to the subject. Thus, the second approach is more computationally expensive and results in more network traffic than the certificate authority issuing a single digital certificate to the subject.
For reasons stated above and for other reasons presented in greater detail in the Description of the Preferred Embodiments section of the present specification, there is a need for an improved type of digital certificate and corresponding improved methods of employing the digital certificate so that when the sender of a digital certificate presents the digital certificate to the recipient of the digital certificate for a given purpose, only those fields of the digital certificate that have to be inspected by the recipient are revealed to the recipient. The desired digital certificate should provide this recipient confidentiality protection without the added computational and network traffic overhead resulting from issuing multiple digital certificates.
The present invention provides a structured digital certificate for enabling a first recipient of the structured digital certificate to authorize a sender of the structured digital certificate. The structured digital certificate includes a first type field of authorization information relevant to the first recipient and readable by the first recipient. The structured digital certificate includes a first cryptographic folder containing a second type field of authorization information relevant to a second recipient. The second type field of authorization information is not readable by the first recipient.
In one embodiment, the structured digital certificate includes a second cryptographic folder containing the first type field. In one embodiment, the first type field is not contained in a folder. In one embodiment, there are multiple first type fields in the structured digital certificate.
In one embodiment, the structured digital certificate includes a sender name and a public key associated with the sender.
In one embodiment of the present invention, the cryptographic folders of authorization information are structured fields, containing a plurality of nested fields. Each of the plurality of nested fields can be a folder itself. In one embodiment, the digital certificate is an X.509v3 digital certificate. The X.509v3 digital certificate may include extension fields that describe how the certification can be used. The extension fields include one or more criticality flags. In one embodiment the unrelated cryptographic folders contain an encrypted hash value.
The present invention also provides a method of providing confidentiality of authorization information in a digital certificate shared by multiple recipients. The method provides cryptographic folders in the digital certificate. At least one first type cryptographic folder contains at least one first type field of authorization information relevant to a first recipient. At least one second type cryptographic folder contains at least one second type field of authorization information relevant to a second recipient. The certificate authority issues the digital certificate by signing the digital certificate and sending the signed digital certificate to the subject. The subject then delivers the signed digital certificate to the first recipient. The at least one first type field of authorization information is readable by the first recipient. The at least one second type field of authorization information is not readable by the first recipient. The first recipient verifies the authenticity of the signed digital certificate.
The present invention further provides a method of signing a digital certificate at a certificate authority. The method provides cryptographic folders in the digital certificate having authorization information. The certificate authority closes all of the cryptographic folders in the digital certificate. A cryptographic hash of the digital certificate is computed with all folders closed. Digital certificate signature is computed with the computed cryptographic hash of the digital certificate and a private key of the certificate authority.
In one embodiment, a given cryptographic folder X is closed according to the present invention in the following manner. All of the nested folders in folder X are recursively closed. A cryptographic hash is computed of the contents of folder X including all recursively closed nested folders in folder X. The contents of folder X are replaced with the computed cryptographic hash of the contents of folder X. A flag is set in the header of folder X to indicate that folder X is closed.
The present invention also provides a method of delivering a digital certificate from a subject of the digital certificate to a recipient of the digital certificate. The method provides cryptographic folders in the digital certificate having authorization information. A digital certificate signature is transmitted from a certificate authority to the subject of the certificate. An unsigned copy of the digital certificate is transmitted from the certificate authority to the subject of the certificate. Any folders in the unsigned copy of the digital certificate that do not have authorization information relevant to the recipient are closed. The unsigned copy of the digital certificate and the digital certificate signature are transmitted from the subject of the digital certificate to the recipient.
In one embodiment of the present invention, the step of transmitting a copy of the unsigned digital certificate from the certificate authority to the subject of the certificate is performed over a secure delivery channel. In one embodiment, the secure delivery channel is protected via Internet Protocol Security (IPSEC). In another embodiment, the secure delivery channel is protected by Secure Sockets Layer (SSL).
The present invention further provides a method of verifying a signature for a digital certificate sent by a subject of the digital certificate to a recipient of the digital certificate. The method provides cryptographic folders in the digital certificate having authorization information. The recipient obtains a public key of the certificate authority corresponding to a private key used by the certificate authority to sign the digital certificate. The recipient closes any of the cryptographic folders left open in the digital certificate by the subject of the digital certificate. The recipient computes a cryptographic hash of the digital certificate. The recipient authenticates the signature for the digital certificate with the public key and the computed hash of the digital certificate.
The structured digital certificate and corresponding methods of employing the structural digital certificate according to the present invention offer several advantages over conventional digital certificates. A single structured digital certificate according to the present invention can be utilized for multiple, unrelated purposes and still provide recipient confidentiality protection without the added computational and network traffic overhead resulting from sending multiple digital certificates. The hierarchical structure of cryptographic folders utilized within the present invention makes it possible to disclose only those fields of the structured digital certificate that have to be inspected by the recipient for a given specific purpose. Since all but one folder of a structured digital certificate will typically be closed (i.e., contents of the folder replaced with a cryptographic hash), when the digital certificate is transmitted from the sender to the recipient over a network, the time taken to transmit the digital certificate over the network is reduced.