1. Technical Field
The present invention relates generally to an improved data processing system and, in particular, to a method and apparatus for processing cryptographic data objects formatted according to interoperable standards.
2. Description of Related Art
Public-key cryptography is the technology in which encryption and decryption involve different keys. The two keys are the public key and the private key, and either can encrypt or decrypt data. A user gives his or her public key to other users, keeping the private key to himself or herself. Data encrypted with a public key can be decrypted only with the corresponding private key, and vice versa.
As public-key cryptography has gained acceptance, standards have become necessary so that software at two different sites could work together even when the software is developed by different vendors. In particular, standards have been developed to allow agreement on digital signatures, digital enveloping, digital certification, and key agreement. However, interoperability requires strict adherence to communicable formats, and PKCS, or xe2x80x9cPublic Key Cryptography Standard,xe2x80x9d provides a basis for interoperable standards in heterogeneous environments.
PKCS is a set of documents published by RSA Laboratories that serves to define data types and algorithms used in public-key cryptography. The first set of ten PKCS standards was released in 1991. In the 1993 release PKCS #2 and #4 were incorporated into PKCS #1, so the set of standards included:
PKCS #1: RSA Encryption Standard;
PKCS #3: Diffie-Hellman Key Agreement Standard;
PKCS #5: Password-Based Encryption Standard;
PKCS #6: Extended-Certificate Syntax Standard;
PKCS #7: Cryptographic Message Syntax Standard;
PKCS #8: Private-Key Information Syntax Standard;
PKCS #9: Selected Attribute Types; and
PKCS #10: Certification Request Syntax Standard.
PKCS continues to evolve and the following standards have been added since 1993:
PKCS #11: Cryptographic Token Interface Standard;
PKCS #12: Personal Information Exchange Syntax Standard;
PKCS #13: Elliptic Curve Cryptography Standard; and
PKCS #15: Cryptographic Token Information Format Standard.
Two independent levels of abstraction have been provided by these standards. The first level is message syntax, and the second level is specific algorithms. The intention has been that message syntax and specific algorithms should be orthogonal. In other words, a standard for the syntax of digitally signed messages should be able to work with any public-key algorithm, not just RSA, the public-key algorithm invented by Rivest, Shamir, and Adleman involving exponentiation modulo the product of two large prime numbers; and a standard for RSA should be applicable to many different message syntax standards.
One of these standard documents, PKCS #9, defines a set of attributes that can be used in other PKCS standards. In particular, PKCS #9 defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, PKCS #12 personal information, and PKCS #15 cryptographic token information.
PKCS 190 7 describes a general syntax for data that may have cryptography applied to it. In other words, PKCS #7 defines the syntax for several cryptographically protected messages, including encrypted messages and messages with digital signatures. The syntax admits recursion, so that one envelope can be nested inside another or one party can sign previously enveloped digital data. PKCS 190 7 also allows arbitrary attributes, such as signing time, to be authenticated along with the content of a message, and it also provides for other attributes, such as countersignatures, to be associated with a signature. A degenerate case of the syntax provides a means for disseminating certificates and certificate-revocation lists. PKCS 190 7 can also support a variety of architectures for certificate-based key management.
Originally an outgrowth of Internet Privacy-Enhanced Mail, PKCS 190 7 has become the basis for the widely implemented Secure/Multipurpose Internet Mail Extensions (S/MIME) secure electronic mail specification, an Internet e-mail security standard that employs public key encryption. PKCS 190 7 has become a basis for message security in systems as diverse as the Secure Electronic Transaction (SET) specification for bank systems.
PKCS 190 7 is compatible with Privacy-Enhanced Mail (PEM) in that signed-data and signed-and-enveloped data content, constructed in a PEM-compatible mode, can be converted into PEM messages without any cryptographic operations. A PEM message can similarly be converted into the signed-data and signed-and-enveloped data content types, i.e. a form that can be processed by applications including or implementations including PKCS #7 without any cryptographic operations. The conversion process is xe2x80x9cflatxe2x80x9d in the sense that the encapsulated text of the PEM message becomes the xe2x80x9cinnerxe2x80x9d content of the PKCS 190 7 data. If the encapsulated text happens to contain privacy-enhanced messages, those messages are not implemented in the conversion process. PEM can effectively be viewed as a set of encoding rules analogous to the Basic Encoding Rules for ASN.1, abbreviated BER, for PKCS 190 7 data with these restrictions. Conversion from PKCS 190 7 to PEM may involve omission of attributes from PKCS #6 extended certificates, which is acceptable since the attributes are not essential to PEM.
The values produced according to PKCS 190 7 are intended to be BER-encoded. Abstract Syntax Notation One, abbreviated ASN.1, is a notation for describing abstract types and values. The Basic Encoding Rules for ASN.1 give one or more ways to represent any ASN.1 value as an octet string. The Distinguished Encoding Rules for ASN.1, abbreviated DER, are a subset of BER, and give exactly one way to represent any ASN.1 value as an octet string. DER is intended for applications in which a unique octet string encoding is needed, as is the case when a digital signature is computed on an ASN.1 value. ASN.1 and DER encoding are general purpose methods that can be applied to many domains in addition to PKCS.
A PKCS #7 SignedData object and the objects that may be contained within a SignedData object are defined in RFC 2630, xe2x80x9cCryptographic Message Syntax,xe2x80x9d June 1999. Within this standard, the attribute definition includes the object version number, a set of message digest algorithms, the content that is signed, a set of certificates, a set of Certificate Revocation Lists (CRLs), and a set of SignerInfo objects that, among other attributes, each contain the signature of the contents for a given certificate.
SignedData objects were designed for a heterogeneous environment in which the SignedData object and the objects within it can be DER-encoded into a stream of bytes. The DER encoding can be transferred from one system to a completely different system and decoded to reform the SignedData object.
With all the attributes that are part of a SignedData object, administrators, applications developers, and other users can easily be lost in details. They may have access to all the integral objects used in creating a SignedData object, such as the text file to be signed, a certificate file, and a private key file, but they may lack the application or means to merge the objects together to create a SignedData object. In other situations, users may receive a SignedData object as an external file or as part of an S/MIME object for which they do not have a targeted application or that they do not wish to be automatically included in a targeted application.
Therefore, it would be advantageous to have an improved method and system for presenting and manipulating secure data objects using interoperable standards within heterogeneous environments, such as using PKCS within a distributed computing environment. It would be still more advantageous to provide users with a method and system to graphically construct a PKCS SignedData object as well as view and manipulate a SignedData object that has been stored or received.
A method and system for processing signed data objects in a data processing system is presented. The signed data object may be formatted, i.e. maintain a syntax, as defined by PKCS (Public Key Cryptography Standard) standards. A signed data object utility allows a user to view and edit the contents of data objects embedded within a signed data object via a graphical user interface. Graphical objects represent the data objects embedded within a signed data object. A user may drag and drop objects onto other objects within the signed data object, and the signed data object utility automatically performs the necessary signing operations. Logical associations between data objects contained within the signed data object, such as between certificates and signer information objects, are determined or created, and the logical associations are displayed using visual indicators, such arrows or other links, between graphical objects representing the associated data objects. As data objects are added or deleted through user actions on the graphical objects, the visual indicators are updated to reflect any updates to the logical associations between the data objects. The user may direct other operations on the signed data object through the graphical user interface.