An Thi Le

from Lexington, SC
Age ~44

An Le Phones & Addresses

  • Lexington, SC
  • Buford, GA
  • Chesapeake, VA
  • Sterling, VA
  • Raleigh, NC

Publications

Us Patents

Secure Management Of Keys Using Extended Control Vectors

US Patent:
49245155, May 8, 1990
Filed:
Aug 24, 1989
Appl. No.:
7/398299
Inventors:
Stephen M. Matyas - Manassas VA
Dennis G. Abraham - Concord NC
William C. Arnold - Mahopac NY
Donald B. Johnson - Manassas VA
Ramesh K. Karne - Herndon VA
An V. Le - Arlington VA
Rostislaw Prymak - Dumfries VA
Steve R. White - New York NY
John D. Wilkins - Somerville VA
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04L 902
US Classification:
380 25
Abstract:
A method and apparatus are disclosed for use in a data processing system which executes a program which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform. The improved method and apparatus enable the use of control vectors having an arbitrary length. It includes a control vector register having an arbitrary length, for storing a control vector of arbitrary length associated with an N-bit cryptographic key. It further includes a control vector checking means having an input coupled to the control vector register, for checking that the control vector authorizes the cryptographic function which is requested by the cryptographic service request. It further includes a hash function generator having an input coupled to the control vector register and an N-bit output, for mapping the control vector output from the control vector register, into an N-bit hash value. A key register is included for storing the N-bit cryptographic key.

Method To Establish And Enforce A Network Cryptographic Security Policy In A Public Key Cryptosystem

US Patent:
51649888, Nov 17, 1992
Filed:
Oct 31, 1991
Appl. No.:
7/786227
Inventors:
Stephen M. Matyas - Manassas VA
Donald B. Johnson - Manassas VA
An V. Le - Manassas VA
Rostislaw Prymak - Dumfries VA
William C. Martin - Concord NC
William S. Rohland - Charlotte NC
John D. Wilkins - Somerville VA
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04K 100
US Classification:
380 25
Abstract:
Device A in a public key cryptographic network will be constrained to continue to faithfully practice a security policy dictated by a network certification center, long after device A's public key PUMa has been certified. If device A alters its operations from the limits encoded in its configuration vector, for example by loading a new configuration vector, device A will be denied participation in the network. To accomplish this enforcement of the network security policy dictated by the certification center, it is necessary for the certification center to verify at the time device A requests certification of its public key PUMa, that device A is configured with the currently authorized configuration vector. Device A is required to transmit to the certification center a copy of device A's current configuration vector, in an audit record. The certification center then compares device A's copy of the configuration vector with the authorized configuration vector for device A stored at the certification center.

Method For Generating Public And Private Key Pairs Without Using A Passphrase

US Patent:
52010007, Apr 6, 1993
Filed:
Sep 27, 1991
Appl. No.:
7/766533
Inventors:
Stephen M. Matyas - Manassas VA
Donald B. Johnson - Manassas VA
An V. Le - Manassas VA
Rostislaw Prymak - Dumfries VA
John D. Wilkins - Somerville VA
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04K 100
US Classification:
380 30
Abstract:
A data processing system, program and method are disclosed for managing a public key cryptographic system which includes a public key, private key pair generator. The method includes the step of generating a first public key, private key pair using a first seed value known to a user, the first seed value being generated from a passphrase. A first random number is generated using the first seed value and applied to generating the first key pair. The method then generates a first control vector defining a first use of the first public key, private key pair. The method then continues with the step of generating a second public key, private key pair using a second seed value unknown to the user, the second seed value being a true random number. The second random number is generated using the second seed value in a pseudorandom number generator and applied to generating the second key pair. The method generates a second control vector defining a second use of the second public key, private key pair.

Data Cryptography Operations Using Control Vectors

US Patent:
49187287, Apr 17, 1990
Filed:
Aug 30, 1989
Appl. No.:
7/401486
Inventors:
Stephen M. Matyas - Manassas VA
Dennis G. Abraham - Concord NC
Donald B. Johnson - Manassas VA
Ramesh K. Karne - Herndon VA
An V. Le - Arlington VA
Rostislaw Prymak - Dumfries VA
Julian Thomas - Lagrange NY
John D. Wilkins - Somerville VA
Phil C. Yeh - Poughkeepsie NY
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04L 900
US Classification:
380 21
Abstract:
Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

Secure Key Management Using Control Vector Translation

US Patent:
49930699, Feb 12, 1991
Filed:
Nov 29, 1989
Appl. No.:
7/443418
Inventors:
Stephen M. Matyas - Manassas VA
Dennis G. Abraham - Concord NC
Donald B. Johnson - Manassas VA
An V. Le - Arlington VA
Rostislaw Prymak - Dumfries VA
John D. Wilkins - Somerville VA
Phil C. Yeh - Poughkeepsie NY
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04K 100
US Classification:
380 23
Abstract:
A cryptographic system and method is provided which accepts a key K encrypted under a key formed by exclusive-ORing a key-encrypting key KK with a first control vector C5 and outputs the same key K encrypted under a key formed by exclusive-ORing KK with a second control vector C6. The set (C5, C6) represents a mapping of the type and usage of the key K defined by the control vector C5 to the type and usage defined by the control vector C6. The set of allowable control vector mappings, that is from C5 to C6, are defined in a control vector translation table, which is specified in advance by authorized installation personnel.

Public Key Cryptosystem Key Management Based On Control Vectors

US Patent:
52009998, Apr 6, 1993
Filed:
Sep 27, 1991
Appl. No.:
7/766260
Inventors:
Stephen M. Matyas - Manassas VA
Donald B. Johnson - Manassas VA
An V. Le - Manassas VA
Rostislaw Prymak - Dumfries VA
William C. Martin - Concord NC
William S. Rohland - Charlotte NC
John D. Wilkins - Somerville VA
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04K 100
US Classification:
380 25
Abstract:
A data processing system, method and program are disclosed, for managing a public key cryptographic system. The method includes the steps of generating a first public key and a first private key as a first pair in the data processing system, for use with a first public key algorithm and further generating a second public key and a second private key as a second pair in the data processing system, for use with a second public key algorithm. The method then continues by assigning a private control vector for the first private key and the second private key in the data processing system, for defining permitted uses for the first and second private keys. Then the method continues by forming a private key record which includes the first private key and the second private key in the data processing system, and encrypting the private key record under a first master key expression which is a function of the private control vector. The method then forms a private key token which includes the private control vector and the private key record, and stores the private key token in the data processing system. At a later time, the method receives a first key use request in the data processing system, requiring the first public key algorithm.

Network Security System And Method Using A Parallel Finite State Machine Adaptive Active Monitor And Responder

US Patent:
54148332, May 9, 1995
Filed:
Oct 27, 1993
Appl. No.:
8/144161
Inventors:
Paul C. Hershey - Manassas VA
Donald B. Johnson - Manassas VA
An V. Le - Manassas VA
Stephen M. Matyas - Manassas VA
John G. Waclawsky - Frederick MD
John D. Wilkins - Somerville VA
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04L 900
US Classification:
395575
Abstract:
A system and method provide a security agent, consisting of a monitor and a responder, that respond to a detected security event in a data communications network, by producing and transmitting a security alert message to a network security manager. The alert is a security administration action which includes setting a flag in an existing transmitted protocol frame to indicate a security event has occurred. The security agent detects the transmission of infected programs and data across a high-speed communications network. The security agent includes an adaptive, active monitor using finite state machines, that can be dynamically reprogrammed in the event it becomes necessary to dynamically reconfigure it to provide real time detection of the presence of a suspected offending virus.

Secure Cryptographic Operations Using Control Vectors Generated Inside A Cryptographic Facility

US Patent:
54328497, Jul 11, 1995
Filed:
Aug 10, 1993
Appl. No.:
8/103953
Inventors:
Donald B. Johnson - Manassas VA
An V. Le - Manassas VA
Stephen M. Matyas - Manassas VA
Rostislaw Prymak - Dumfries VA
John D. Wilkins - Somerville VA
Assignee:
International Business Machines Corporation - Armonk NY
International Classification:
H04L 900
US Classification:
380 21
Abstract:
The invention described herein suggests methods of cryptographic key management based on control vectors in which the control vectors are generated or derived internal to a cryptographic facility implementing a set of cryptographic operations. The methods of alternate control vector enforcement described in the present application provide a high-integrity facility to ensure that cryptographic keys are used in a manner consistent with the type and usage attributes assigned to the keys by the originator of those keys. Since the control vectors are generated or derived internal to the cryptographic facility on the basis of data contained in each cryptographic service request to the cryptographic facility, control vectors need not be stored or managed outside the cryptographic facility.