Claims
1. A Cryptographic Key Router system for routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner, the claimed system comprises of characterised key router device and plurality of end user device wherein
a) the said characterised key router device employing characterised software configured,
i. to register end-user with a unique handle representing each end-user and maintaining each end user records wherein registration of the said end-user shall be carried out either with
1. a detachable secure key device connected to a uniquely and permanently addressable end user device, by generation of new key or
2. a detachable secure key device connected to a end user device which is uniquely and transiently addressable, by generation of new key or
3. a detachable secure key device where a key pair is already available prior to registration or
4. an end-user device where a keypair is hosted internally by way of a Trusted Platform Module (TPM) without any detachable secure key device.
ii. to identify ‘secure key device and registered user handle thereof’ of respective end-user device and associate/disconnect unique network address of the end-user device with the registered user handle upon intimation from the said end-user device;
iii. to register any external computing device using public key based authentication followed by creation and association of a human readable handle that is mutually agreed upon between the said external computing device and the said key router device such that the said human readable handle uniquely identifies such external computing device at all times wherein if the registered external computing device is found to be authentic with respect to plurality of transactions with various end users then such external computing device shall designated as trusted external computing device.
iv. to receive request regarding key operations from a registered external computing device for a specified registered end-user, ascertaining authenticity of the said external computing device, identifying the respective end user's current path and sending message to the respective end user device to connect with the requesting external computing device;
v. to associate a digital certificate with an end-user identity, periodically checking and updating status of the said digital certificate, maintaining all succession of public key relating to end users, sending status of the said digital certificate upon request from the said external computing device and
vi. to appoint one or more nominee upon request from an end-user subject to acceptance by the said nominee wherein such nominees shall be end-users in the claimed key router system.
b) the said end user device owning at least one asymmetric key-pair configured,
i. to facilitate to host private key of key-pair securely;
ii. to receive message from the said key router device regarding requesting external computing device, contacting respective external computing device and accepting/rejecting to authenticate key operation wherein display regarding the said key operations invoked by user interface for end user to take decision.
2. A process of associating an End User device with a requesting external computing device in the key router system of claim 1, which process is a precondition to perform a key operation, wherein the claimed process comprises of
a) receiving a request from an registered external computing device by the key router device, to associate a registered user handle from the respective end user device with requesting external computing device;
b) checking by the key router device
i. validity of the requesting external computing device with respect to end user or alternately the requesting external computing device is trusted external computing device ,
ii. authenticity of registered user's qualified certificate and
iii. checking availability of respective end user network location, wherein if validity is authentic or requesting external computing device is trusted external computing device, registered user's qualified certificate is active and end user network location is available then sending message to respective end user device to connect with the requesting external computing device and sending message to external computing device to get end user assent regarding association and proceed to step(iii) wherein if validity is not authentic and external computing device is not a trusted external computing device or registered user's qualified certificate is revoked or end user network location is not available sending message to requesting external computing device that the request shall not performed and terminate the process without proceeding to step (c);
c) connecting the requesting external computing device by the respective end user device and sending assent by the respective end user device to the requesting external computing device;
d) sending assent of the respective end user device to the said key router device by the requesting external computing device thereby the said key router device establishes association between respective End User device with a requesting external computing device in the key router system wherein once association exist between a particular End User Device with a particular external computing device, the subsequent key operation process does not demand such association.
3. A process of securely routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner employing Cryptographic Key Router system comprising of characterised key router device and plurality of end user device as claimed in claim 1, without disclosing details of key operation to the said key router device, the claimed process comprises of following step;
a) registering a temporary presence of an end user device with the said key router device by activating key pair by the end user and thereby establishing a temporary path with the said end user device and key router device upon ascertaining the validity of the said end user device;
b) receiving a request from an registered external computing device to connect a registered user handle from the respective end user device with requesting external computing device;
c) checking the availability of temporary path of step a by the key router device wherein if the temporary path is available then proceed to step (d) wherein if the temporary path is not available then identifying the respective registered user handle and ascertaining the said external computing device is associated with the respective registered user handle and optionally ascertaining validity of registered user's qualified certificate by the said key router device wherein if validity is active and association exists between external computing device and registered user handle then proceed to step (d) wherein if validity is revoked or no association exists between external computing device and registered user handle then intimate the requesting external computing device that connection between respective end user device and external computing device shall not be established and terminate the request;
d) sending message by the said key router device to the respective end user device to connect with the requesting external computing device ;
e) end user connecting the respective end user device with the requesting external computing device and obtaining the details of key operations to be performed by the respective end user device wherein the details of key operation shall be displayed to the respective end user device by initiating User Interface;
f) sending assent or decline from the respective end user device by the end user to the requesting external computing device wherein if the said end user assent the key operation then the said key operation shall be performed, wherein if the said end user decline the key operation then the requesting external computing device will receive message of user refusal and the connection between the respective end user device with the requesting external computing device shall be terminated.
4. The said key router device in any of the preceding claims includes aggregation of computing systems with network interfaces.
5. The said external computing device in any of the preceding claims are real world applications computing device which includes an Internet Banking Application computing device, Income tax return filing application computing device and the like.
6. The said end user device in any of the preceding claims includes personal computer, mobile phone, smart TV and the like.
7. The said secure key device in any of the preceding claims includes cryptographic token, a hardware security module, a smart card, or other such device capable of generating asymmetric key-pair.
8. The said key operations in any of the preceding claims includes authenticating end users, facilitating user transactions, managing encryption of messages for one or more of end-users registered in the key router system, creating digital signatures, decrypting data using private key, transaction to be authorized by the end-user, a document to be signed by the end-user, decrypt a message or key that is previously encrypted using the public key of the end-user key pair or other such operation.

Dated this 7thday of December 2018

For CYBERNEME PRIVATE LTD
By its Patent Agent

Dr.B.Deepa

, Description:Form 2

THE PATENT ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)

“CRYPTOGRAPHIC KEY ROUTER SYSTEM AND LOCATION INDEPENDENT END USER KEY DEVICES”

in the name of CYBERNEME PRIVATE LTD an Indian National having address at 203, Akshaya Apartments, 48, Pachayappa College Hostel Road, Chetpet, Chennai-600031, Tamilnadu, India,

The following specification particularly describes the invention and the manner in which it is to be performed
FIELD OF THE INVENTION:
The present invention relates generally to public key systems and devices for securely using private keys in internet transactions for authentication and privacy. More particularly the present invention relates to a key router system and process in a network that routes the requests for key operations from applications to the key owner and facilitates the owner to access and use the private keys securely in a unified manner.
BACK GROUND OF THE INVENTION:
Public Key Cryptography is used for user authentication and authorization by way of digital signatures and for solving key distribution and management problems in encryption systems. While Public Key Infrastructures and Certification Authorities help in binding a public key to an identified entity, they do not help in locating and accessing a key on an as needed basis.
The systems that need the user to authenticate himself using his private key like an transaction terminal require that the user initiate such interactions and further that the methods of using his private key are closely tied to the interaction system.
The systems that facilitate public key encryption of messages also require that the decryption systems should have an inherent feature to interact with the private key of the user doing the decryption.
This requires application systems to be engineered with the ability to access private key storage devices like smart cards if they were to use the Public Key Cryptosystems. Further, it generally requires that the owner of the private key is also the initiator of the usage process.
Protocols like PKCS#11 and Microsoft CAPI have sought to isolate the key usage mechanisms to make them broadly accessible to applications. These still need the key owner to be in control of the application as well as key usage processes. Even with standard key access mechanisms like PKCS#11, each application tends to offer its own customized user interface for the act of signing or decryption making user learning complex.
Though a considerable amount of world's commerce has moved to mobile phones and other devices, there is as yet no easy way for users to use their private keys in mobile applications. This limits the widespread usage of public key cryptography. Thus there exists a need in the state of art to solve the above problems by providing a solution for secured routing for key operation.
OBJECT OF THE INVENTION:
The main object of the present invention is to develop a Cryptographic Key Router system for routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner.
Another object of the present invention is to develop a Cryptographic Key Router system comprises of characterised key router device and plurality of end user device hosted with key pair.
Yet another object of the present invention is to develop a novel process employing developed Cryptographic Key Router system for routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner.
Yet another object of the present invention is to employ the developed system and process for secured key operation.
BRIEF DESCRIPTION OF DRAWINGS:
Figure 1 depicts the topology of the Cryptographic Key Router system of the present invention.
Figure 2 depicts the expanded version of end user devices of the present invention.
SUMMARY OF THE INVENTION:
The present invention shall disclose a Cryptographic Key Router system for routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner. The Cryptographic Key Router system of the present invention comprises of characterised key router device and plurality of end user device. The present invention also discloses a process of securely routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner employing Cryptographic Key Router system of the present invention.

DETAILED DESCRIPTION OF THE INVENTION:
The present invention shall disclose a Cryptographic Key Router system for routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner and process thereof.
The Cryptographic Key Router system of the present invention comprises of characterised key router device and plurality of end user device (Figure 2).
The characteristic features of the Cryptographic Key Router system of the present invention is as follows.
In a network including a key router device and multiple end-users with each end-user owning at least one asymmetric keypair, a method for registering the public key of the end-user with a unique handle representing each end-user
Associating a permanent, network addressable Id for each end-user device like a personal computer or a mobile phone which can host the keypair internally by way of a Trusted Platform Module (TPM) or allow an external secure key device to be connected; secure key device being a cryptographic token, a hardware security module, a smart card, or other such device capable of generating asymmetric key-pair; hosting the private key of the key-pair securely; creating digital signatures or decrypting data using such private key
A mechanism in the key router system that associates a temporary network path to a computing device to which the secure key device is temporarily connected; such path being not identical to the path referred in (2) above
A mechanism in the key router system to register an external computing system running specific software with an identity and the public key of an asymmetric key pair where the corresponding private key is in the possession of the external computing system. Such external computing system is used for the purpose of authenticating users, facilitating user transactions or managing encryption of messages for one or more of end-users registered in the key router system
A mechanism in the key router for receiving a request from a registered external computing system for a specified registered end-user and identifying the user's current path and sending a message to the end user device to connect with the requesting external computing system
A mechanism in the end-user device for connecting to the referred external computing system and accepting a request from such system to authenticate a message, where such message may be a transaction to be authorized by the end-user, a document to be signed by the end-user or other such operation and invoking a user-interface to display the details of such message to the end-user and facilitating the end-user to sign the message and return it to the external computing system
A mechanism in the end-user computing device for accepting a request to decrypt a message or key that is previously encrypted using the public key of the end-user key pair
A mechanism in the key router system for associating a digital certificate with an end-user identity, where the public key in the digital certificate matches the public key registered for the end-user
A mechanism in the key router system for periodically verifying the revocation status of the associated digital certificates by connecting to the issuing certifying authorities and updating such status in the end-user record maintained by the key router system; and further communicating to the registered external computing systems such status when the external computing system queries the key router for the use of a end-user's key and the certificate associated to the key is in a revoked status
A mechanism in the key router system to accept a request from an end-user to appoint one or more nominees, where such nominees are also end-users in the key router system; a further mechanism to present such appointments to the appointed nominees and obtaining their concurrence by way of a digitally signed acceptance; a further mechanism to suspend or cancel the usage of a end-user identity on a request from such registered nominee of that end-user
A mechanism in the key router system to permit succession of one public key by another relating to an end-user where the succeeded key has reached its natural expiry or is revoked or is discontinued by the end-user intent; and to keep a history of all such successions relating to the end-user
The process (Figure 1) of securely routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner employing Cryptographic Key Router system of the present invention involves following steps.
1. Registration where a new key is generated in a detachable secure key device connected to a uniquely addressable mobile device
2. Registration where a new key is generated in a detachable secure key device connected to a computing system or device which is not uniquely addressable by itself
3. Registration where a key pair is available in the secure key device prior to registration
4. Registration where the user does not carry a secure key device but a TPM module is integrated into a device which is at all times uniquely addressable
5. Process of the end-user computing device which senses that a secure key device is connected to such computing device and intimating the key router that such device has been connected
5a. Key router process of identifying the secure key device (5) and its associated registered user handle thereof and temporarily associating the unique network address of the end-user computing device with the registered user handle
5b. Process of the end-user computing device which senses that the secure key device connected to such computing device is disconnected and intimating such disconnection to the key router
5c. Key router process of removing the association between the registered user handle belonging to the secure key device and the temporary network address (5a)
6. Associating a Digital Certificate with the registered user handle where such certificate is already available in the key carriage device prior to registration
7. Assisting Digital Certificate issuance from a trusted third party or a qualified certifying authority where the user is already registered with the key router and has possession of his keypair in a secure key device
8. Key router process of periodically searching the Certificate Revocation Lists of the Certifying Authorities who had issued certificates that are associated with one or more users
9. Key router process of updating the status of the user key where the associated certificate has been revoked
10. Key router process of registering an external computing system with the public key of a key pair generated by such external computing system for this purpose
10a. Key router process of ascertaining the proof of possession of private key by the external computing system (10)
10b. Key router process of creating and associating a human readable handle that is mutually agreed upon between the external computing system and the key router such that the handle uniquely identifies such external computing system at all times
11. Key router process of receiving a request from an external computing system to associate a user handle with such external computing system
12. Key router process of obtaining user consent for the association of the user handle with the requesting external computing system (11)
13. Key router process of receiving a request from a registered external computing system to connect to a registered user for key operations providing a temporary network address where the requesting external computing system can be connected to
14. Key router process of identifying the user denoted in (13), ascertaining that such user's handle is associated with the requesting registered external computing system
15. Key router process of further ascertaining that the registered user's qualified certificate, if associated with the registered user is valid and has not been revoked (8)
16. Key router process of identifying the most recent temporary network address associated with the registered user and if no such temporary network address is found then finding the permanent network address associated with the registered user
17. Key router process of responding to the requesting external computing system with a 'user unavailable' message where neither a temporary (16) nor a permanent network address (16) for the registered user is ascertainable at that moment
18. Key router process of sending the temporary network address (13) to the end user computing device in the network address found (16)
19. End user device process of connecting to the requesting external computing system and obtaining the details of the key operations to be performed by that registered user
20. End User device process of instantiating a User Interface to display the details obtained from the external computing system to the registered user and seeking the such user's assent for performing the key operation, such key operation being affixing of a digital signature on some data or decryption of some message previously encrypted with the public key of the registered user
21. End User device process of obtaining such assent from the registered user, and where the registered user declines to assent to the details displayed, communicating such user-refusal to the external computing system and terminating the connection to the external computing system established in (19)
22. End User device process of facilitating the digital signature or decryption as the case may be, on receiving the user's assent to the process and sending such digital signature or the decrypted plain text to the external computing system.
In one of the preferred embodiment the present invention shall disclose a Cryptographic Key Router system for routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner. The Cryptographic Key Router system of the present invention comprises of characterised key router device and plurality of end user device. The characterised key router device employs characterised software and is configured to register end-user with a unique handle representing each end-user and maintaining each end user records. The registration of the end-user shall be carried out either with (i) a detachable secure key device connected to a uniquely and permanently addressable end user device, by generation of new key or (ii) a detachable secure key device connected to a end user device which is uniquely and transiently addressable, by generation of new key or (iii) a detachable secure key device where a key pair is already available prior to registration or (iv) an end-user device where a keypair is hosted internally by way of a Trusted Platform Module (TPM) without any detachable secure key device.
The characterised key router device is also configured to identify ‘secure key device and registered user handle thereof’ of respective end-user device and associate/disconnect unique network address of the end-user device with the registered user handle upon intimation from the end-user device.
The characterised key router device is further configured to register any external computing device using public key based authentication followed by creation and association of a human readable handle that is mutually agreed upon between the external computing device and the key router device such that the human readable handle uniquely identifies such external computing device at all times. Further if the registered external computing device is found to be authentic with respect to plurality of transactions with various end users then such external computing device shall designated as trusted external computing device.
The characterised key router device is furthermore configured to receive request regarding key operations from a registered external computing device for a specified registered end-user, ascertaining authenticity of the external computing device, identifying the respective end user's current path and sending message to the respective end user device to connect with the requesting external computing device.

The characterised key router device is moreover configured to associate a digital certificate with end-user identity, periodically checking and updating status of the digital certificate, maintaining all succession of public key relating to end users, sending status of the digital certificate upon request from the external computing device.
The characterised key router device is additionally configured to appoint one or more nominee upon request from an end-user subject to acceptance by the nominee where such nominees shall be end-users in the key router system of the present invention.

The end user device owns atleast one asymmetric keypair and is configured to facilitate to host private key of key-pair securely. The end user device is also configured to receive message from the key router device regarding requesting external computing device, contacting respective external computing device and accepting/rejecting to authenticate key operation in which display regarding the key operations is invoked by user interface for end user to take decision.

In another preferred embodiment the present invention shall disclose a process of associating an End User device with a requesting external computing device in the key router system of the present invention. This process is a precondition to perform a key operation and comprises of following steps;
a) receiving a request from an registered external computing device by the key router device, to associate a registered user handle from the respective end user device with requesting external computing device;
b) checking by the key router device
i. validity of the requesting external computing device with respect to end user or alternately the requesting external computing device is a trusted external computing device ,
ii. autheticity of registered user's qualified certificate and
iii. checking availability of respective end user network location,
in which
• if validity is authentic or requesting external computing device is trusted external computing device, registered user's qualified certificate is active and end user network location is available then sending message to respective end user device to connect with the requesting external computing device and sending message to external computing device to get end user assent regarding association and proceed to step(iii).
• if validity is not authentic and external computing device is not a trusted external computing device or registered user's qualified certificate is revoked or end user network location is not available sending message to requesting external computing device that the request shall not performed and terminate the process without proceeding to step (c);

c) connecting the requesting external computing device by the respective end user device and sending assent by the respective end user device to the requesting external computing device;
d) sending assent of the respective end user device to the key router device by the requesting external computing device thereby the key router device establishes association between respective End User device with a requesting external computing device in the key router system in which once association exist between a particular End User Device with a particular external computing device, the subsequent key operation process does not demand such association.
In yet another preferred embodiment the present invention shall disclose a process of securely routing requests regarding key operations and facilitating access and use of private keys securely in a unified manner employing Cryptographic Key Router system comprising of characterised key router device and plurality of end user device, without disclosing details of key operation to the key router device. The process comprises of following step;
a) registering a temporary presence of an end user device with the key router device by activating key pair by the end user and thereby establishing a temporary path with the end user device and key router device upon ascertaining the validity of the end user device;
b) receiving a request from an registered external computing device to connect a registered user handle from the respective end user device with requesting external computing device;
c) checking the availability of temporary path of step a by the key router device in which
• if the temporary path is available then proceed to step (d).
• if the temporary path is not available then identifying the respective registered user handle and ascertaining the external computing device is associated with the respective registered user handle and optionally ascertaining validity of registered user's qualified certificate by the key router device in which
? if validity is active and association exists between external computing device and registered user handle then proceed to step (d)
? if validity is revoked or no association exists between external computing device and registered user handle then intimate the requesting external computing device that connection between respective end user device and external computing device shall not be established and terminate the request.
d) sending message by the key router device to the respective end user device to connect with the requesting external computing device ;
e) end user connecting the respective end user device with the requesting external computing device and obtaining the details of key operations to be performed by the respective end user device in which the details of key operation shall be displayed to the respective end user device by initiating User Interface;
f) sending assent or decline from the respective end user device by the end user to the requesting external computing device in which
? if the end user assent the key operation then the key operation shall be performed,
? if the end user decline the key operation then the requesting external computing device will receive message of user refusal and the connection between the respective end user device with the requesting external computing device shall be terminated.

As per the invention the key router device includes aggregation of computing systems with network interfaces.

In accordance with the invention the external computing devices are real world applications computing device which includes an Internet Banking Application computing device, Income tax return filing application computing device and the like.

According to the invention the end user device includes personal computer, mobile phone, smart TV and the like.

As per the invention the secure key device includes cryptographic token, a hardware security module, a smart card, or other such device capable of generating asymmetric key-pair.
In accordance with the invention the key operations includes authenticating end users, facilitating user transactions, managing encryption of messages for one or more of end-users registered in the key router system, creating digital signatures, decrypting data using private key, transaction to be authorized by the end-user, a document to be signed by the end-user, decrypt a message or key that is previously encrypted using the public key of the end-user key pair or other such operation.

Example 1
Process of associating an End User device with a requesting external computing device in the key router system

Step 1: receiving a request from a registered external computing device by the key router device, to associate a registered user handle from the respective end user device with requesting external computing device;
Step 2: checking by the key router device
i. validity of the requesting external computing device with respect to end user,
ii. validity of registered user's qualified certificate and
iii. checking availability of respective end user network location,

and found that validity is authentic and end user network location is available then sending message to respective end user device to connect with the requesting external computing device and sending message to external computing device to get end user assent regarding association

Step 3: connecting the requesting external computing device by the respective end user device and sending assent by the respective end user device to the requesting external computing device;

Step 4: sending assent of the respective end user device to the key router device by the requesting external computing device thereby the key router device establishes association between respective End User device with a requesting external computing device in the key router system

Example 2:
Process of decrypting a message by end user.
Step 1: registering a temporary presence of an end user device with the key router device by activating key pair by the end user;
Step 2: receiving a request from a registered external computing device to connect a registered user handle from the respective end user device with requesting external computing device;
Step 3: checking the availability of temporary path by the key router device and found to be available
Step 4: sending message by the key router device to the respective end user device to connect with the requesting external computing device ;
Step 5: end user connecting the respective end user device with the requesting external computing device and obtaining the details regarding decryption of message to be performed by the respective end user device;
Step 6: On user assenting, performing the decryption by the end user device and sending the decrypted message to the requesting external computing device.
Example 3:
Process of creating digital signature by end users
Step 1: registering a temporary presence of an end user device with the key router device by activating key pair by the end user;
Step 2: receiving a request from a registered external computing device to connect a registered user handle from the respective end user device with requesting external computing device;
Step 3: checking the availability of temporary path by the key router device and found to be unavailable, then identifying the respective registered user handle and ascertaining the external computing device is associated with the respective registered user handle and optionally ascertaining validity of registered user's qualified certificate by the key router device and found that validity is active and association exists between external computing device and registered user handle;
Step 4: sending message by the key router device to the respective end user device to connect with the requesting external computing device;
Step 5: end user connecting the respective end user device with the requesting external computing device and obtaining the details regarding creation of digital signature to be performed by the respective end user device;
Step 6: sending assent from the respective end user device by the end user to the requesting external computing device and thereby performing the creation of digital signature.
Although the invention has now been described in terms of certain preferred embodiments and exemplified with respect thereto, one skilled in art can readily appreciate that various modifications, changes, omissions and substitutions may be made without departing from the spirit thereof. It is intended therefore that the present invention be limited solely by the scope of the following claims.