1. Technical Field
The present invention relates generally to an improved data processing system and in particular to a method and apparatus for facilitating cryptographic operations. Still more particularly, the present invention provides a method and apparatus for managing keys used in cryptographic operations.
2. Description of Related Art
Public Key Infrastructure (PKI) defines the policies and procedures for establishing a secure method for exchanging information within an organization, an industry, a nation, or worldwide. PKI includes the use of certification authorities (CAs) and digital signatures, as well as all the hardware and software used to manage the process. In PKI, cryptography is used to provide for security in transactions and transfers of data. Cryptography involves the conversion of data into a secret code for transmission over a public network. The original text, or plaintext, is converted into a coded equivalent called ciphertext via an encryption algorithm. The ciphertext is decoded (decrypted) at the receiving end and turned back into plaintext.
The encryption algorithm uses a key, which is a binary number that is typically from 40 to 128 bits in length. The greater the number of bits in the key (cipher strength), the more possible key combinations and the longer it would take to break the code. The data is encrypted or “locked” by combining the bits in the key mathematically with the data bits. At the receiving end, the key is used to “unlock” the code and restore the original data. These operations are used in PKI, for example, to generate key pairs, add a certificate, delete a certificate, retrieve a certificate, sign data, verify a signature, and verify proof of possession of a private key.
In providing a framework for these types of operations, the Common Data Security Architecture (CDSA) has been developed. CDSA is a layered set of security services addressing communications and data security problems in the emerging Internet and intranet application space.
More specifically, CDSA is a set of layered services and associated programming interfaces, providing an integrated but dynamic set of security services to applications. The lowest layers begin with fundamental components, such as cryptographic algorithms, random numbers, and unique identification information. CDSA is designed to be used with cryptography operations. The layers build up to digital certificates, key management mechanisms, integrity and authentication credentials, and secure transaction protocols in higher layers.
A framework of application program interfaces (APIs) is present in CDSA. Applications requesting cryptographic operations, such as those involving Public Key Infrastructure (PKI), access a CDSA layer through API calls. Presently, each application must be able to translate cryptographic operations into the appropriate API calls to the CDSA layer. A single cryptographic operation often may require multiple calls to the CDSA layer. For example, a sign operation includes the following parameters: the handle to the keystore, the password to unlock the keystore, and the slot id, which is a way to specify one of several smart card devices on a machine. The call for the sign operation includes an index, which is the hash of the public key that all associated objects have; the type of signature to use (i.e. RSA); and the data to sign. The index is also called a key identifier. The sign operation returns the signature. Currently, application programmers are required to understand all of the different calls needed to perform cryptographic operations in designing an application using cryptographic operations.
Therefore, it would be advantageous to have an improved method and apparatus for performing cryptographic operations using a set of security services.