Abstract: TITLE: PROCESS OF SECURING CRYPTOGRAPHIC DEVICE ACCESS THROUGH OPEN NETWORKS USING ASYMMETRIC CRYPTOGRAPHY. APPLICANT: ODYSSEY TECHNOLOGIES LIMITED. ABSTRACT: The present invention discloses a process of securing cryptographic device access through open networks using asymmetric key cryptography, employing a characterized secure key host (SKH) computing system. The secure key host (SKH) computing system is adapted to associate with a secure key hosted on a cryptographic device and configured to authenticate, based on registration, a First owner, a plurality of additional owners and a plurality of users after verification by signing with the secure key, without any password authentication, placing the secure key distantly from the First owner, additional owners and users, avoiding network exposure of passwords, utilizing a single secure key for a plurality of individuals, and fulfilling regulatory and standard-related requirements. The process of the present invention comprises the following steps: (a) creation of an owner auth block; (b) registering the first owner device with the secure key host (SKH) computing system; (c) creation of an additional owner auth block; (d) registering the additional owner device with the secure key host (SKH) computing system; (e) creation of a shadow auth block; (f) registering the user device with the secure key host (SKH) computing system; and (g) digital signing of a document digest by the secure key host (SKH) computing system.
Claims: WE CLAIM:
1. A process of securing cryptographic device access through open networks using asymmetric cryptography, employing a characterized secure key host (SKH) computing system adapted to associate with a secure key hosted on a cryptographic device and configured to authenticate, based on registration, a First owner, a plurality of additional owners and a plurality of users after verification by signing with the said secure key without any password authentication, placing the secure key distantly from the said First owner, additional owners and users, thereby avoiding network exposure of passwords, utilizing a single secure key for a plurality of individuals, and fulfilling regulatory and standard-related requirements, the claimed process comprising the following steps:
a. creation of an owner auth block comprising the public key of the first owner key pair, an expiry date and a key type, by signing using the secure key of a first owner device housed with a first owner key pair;
b. registering the said first owner device with the said secure key host (SKH) computing system by sending the said owner auth block to the said secure key host (SKH) computing system, wherein the owner signature is replaced by the secure key signature of the said secure key host (SKH) computing system upon verification and the verified owner auth block is sent back to the said first owner device;
c. creation of an additional owner auth block comprising the public key of the additional owner key pair, an expiry date and a key type, by signing using the secure key of the first owner device, upon the public key of the additional owner being submitted to the said first owner device by an additional owner device housed with an additional owner key pair;
d. registering the said additional owner device with the said secure key host (SKH) computing system by the said first owner device sending the said additional owner auth block along with the verified owner auth block to the said secure key host (SKH) computing system, wherein the first owner signature in the said additional owner auth block is replaced by the secure key signature of the said secure key host (SKH) computing system upon verification and the verified additional owner auth block is sent back to the said first owner device, which in turn sends it to the said additional owner device;
e. creation of a shadow auth block comprising the public key of the user key pair, an expiry date and a key type, by signing using the secure key of the first/additional owner device, upon the public key of the user being submitted to the said first/additional owner device by a user device housed with a user key pair;
f. registering the said user device with the said secure key host (SKH) computing system by the said first/additional owner device sending the said shadow auth block along with the verified owner/additional owner auth block to the said secure key host (SKH) computing system, wherein the first/additional owner signature in the said shadow auth block is replaced by the secure key signature of the said secure key host (SKH) computing system upon verification and the verified shadow auth block is sent back to the said first/additional owner device, which in turn sends it to the said user device;
g. digital signing of a document digest by the secure key host (SKH) computing system, by the said user sending a document digest carrying the user signature along with the verified shadow auth block of the said user, wherein the user signature on the said document digest is replaced by the secure key signature of the said secure key host (SKH) computing system upon verification and the signed digest, which forms the digital signature, is sent back to the said user device, wherein the said user embeds the digital signature in the said document, whereby the said document is signed remotely by the said Secure Key of the secure key host (SKH) computing system and its digital certificate without any password transaction.
2. The process as claimed in claim 1 wherein the said additional owner device, upon registration with the said secure key host (SKH) computing system, can act like a first owner, creating a plurality of additional owner auth blocks and registering a plurality of additional owner devices with the said secure key host (SKH) computing system.
3. The process as claimed in claim 1 wherein the said key type is an indication of owner or user.
4. The process as claimed in claim 1 wherein the said document comprises any data or digital information.
5. The process as claimed in claim 1 wherein the said verification of the owner auth block by the secure key host (SKH) computing system comprises verification of its own signature on the said owner auth block.
6. The process as claimed in claim 1 wherein the said verification of the additional owner auth block and the shadow auth block by the secure key host (SKH) computing system comprises checking the expiry date and the signature.
7. The process as claimed in claim 1 wherein the said secure key host (SKH) computing system is a processor with a network interface and a USB or other port for receiving a cryptographic device hosted with the secure key.
8. The process as claimed in claim 1 wherein the said cryptographic device is selected from a group comprising an HSM, a Cryptographic USB token, a Smart Card or another key protection device.
9. The process as claimed in claim 1 wherein the said owner device, additional owner device and user device is a mobile phone, a home automation device containing digital processing and storage capability, industrial machinery containing a digital processor and memory, a personal computer with secure memory storage or a similar device.
Dated this 2nd day of July 2021
For ODYSSEY TECHNOLOGIES LIMITED
By its Patent Agent
Dr.B.Deepa
Description: Form 2
THE PATENT ACT, 1970 (39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
“PROCESS OF SECURING CRYPTOGRAPHIC DEVICE ACCESS THROUGH OPEN NETWORKS USING ASYMMETRIC CRYPTOGRAPHY”
in the name of ODYSSEY TECHNOLOGIES LIMITED, an Indian company incorporated under the Companies Act 2013, having its registered office at ODYSSEY TECHNOLOGIES LIMITED, 5TH FLOOR, DOWLATH TOWERS, 63, TAYLORS ROAD, KILPAUK, CHENNAI - 600010, TAMIL NADU, INDIA.
The following specification particularly describes the invention and the manner in which it is to be performed.
FIELD OF THE INVENTION:
The present invention relates to cryptographic communication. More particularly, the present invention relates to a process of securing cryptographic device access through open networks using asymmetric cryptography.
BACKGROUND OF THE INVENTION:
Asymmetric key cryptography and digital signatures have gone mainstream in recent years. As is well known, asymmetric key cryptography is the most accepted and reliable technology for the creation of digital signatures. There are two major algorithmic branches, namely RSA cryptosystems and elliptic curve cryptosystems (ECC), with multiple variations of these two main systems in vogue. One requirement of all these systems is that the key has to be created in a secure environment and that the private key continue to be kept in, and used from, the same secure environment.
For several high-security and financially sensitive applications, the acceptable key security devices are restricted in number. Such devices include cryptographic USB tokens, cryptographic smartcards and Hardware Security Modules (HSMs), which in effect are very large cryptographic tokens capable of storing and using multiple secure keys. Most countries which have a regulated Public Key Infrastructure (PKI) also restrict key storage to devices that are certified under FIPS or Common Criteria. User control over the keys in such devices is usually exercised through physical possession or by password authentication.
With the increase in cloud usage and many applications being deployed in multiple locales, the ability to exercise physical control over the devices is reduced. Several models and standards have been proposed in recent times by bodies such as the Cloud Signature Consortium for facilitating end-user access to keys that are resident in a distant server or in an unknown location in the cloud.
Unfortunately, password authentication does not extend well into public networks. As long as the device is physically at hand, the owner can get by with authenticating himself with a password. Sending the password through a network to a far-off destination is rife with risks.
The standards bodies have been trying to grapple with this problem by attempting to secure the channel with increased controls or by extending the secure channel all the way into the kernel of the cryptographic device. Today’s threats easily overwhelm the former. The latter, on the other hand, is extremely complicated to build, verify and operate, and none of the implementations existing today are provably secure and acceptable. This can be seen from the poor adoption rate.
Thus, in spite of its obvious utility to the community, wider adoption of the technology and its associated infrastructure has been inhibited by various technical and techno-legal issues. Hence there exists a need in the state of the art for a novel process of securing cryptographic device access through open networks using asymmetric cryptography which removes the above-said drawbacks.
OBJECT OF THE INVENTION:
The main object of the present invention is to develop a novel process of securing cryptographic device access through open networks using asymmetric cryptography.
Another object of the present invention is to employ characterized secure key host (SKH) computing system for the novel process of securing cryptographic device access.
Yet another object of the present invention is to develop a novel process of securing cryptographic device access which allows a single secure key to be utilized by a plurality of users, fulfils regulatory and standard-related requirements and also eliminates network exposure of passwords.
A further object of the present invention is to utilize the developed process for secure access to a cryptographic device through open networks using asymmetric cryptography, employing a characterized secure key host (SKH) computing system.
SUMMARY OF THE INVENTION:
The present invention discloses a process of securing cryptographic device access through open networks using asymmetric key cryptography, employing a characterized secure key host (SKH) computing system. The secure key host (SKH) computing system is adapted to associate with a secure key hosted on a cryptographic device and configured to authenticate, based on registration, a First owner, a plurality of additional owners and a plurality of users after verification by signing with the secure key, without any password authentication, placing the secure key distantly from the First owner, additional owners and users, avoiding network exposure of passwords, utilizing a single secure key for a plurality of individuals, and fulfilling regulatory and standard-related requirements. The process of the present invention comprises the following steps: (a) creation of an owner auth block; (b) registering the first owner device with the secure key host (SKH) computing system; (c) creation of an additional owner auth block; (d) registering the additional owner device with the secure key host (SKH) computing system; (e) creation of a shadow auth block; (f) registering the user device with the secure key host (SKH) computing system; and (g) digital signing of a document digest by the secure key host (SKH) computing system.
DETAILED DESCRIPTION OF THE INVENTION:
The present invention shall disclose a process of securing cryptographic device access through open networks using asymmetric cryptography employing characterized secure key host (SKH) computing system.
Steps in the working of the invention
1. A device (called the secure key host computing device or SKH for short) for associating a specific Id with a key (henceforth called a ‘secure key’) securely hosted in an HSM, Cryptographic USB token, Smart Card or other key protection device
2. A method for registering one or more external keys as the owner keys of the secure key wherein the registration data shall be cryptographically signed by the secure key such signed registration data being referred to as Owner Auth Block hereafter
a. The SKH may keep a copy of the Owner Auth Block but is not required to do so for the operation of the SKH
b. An Owner Auth Block would carry an identification or a flag indicating that it is an Owner Auth Block
c. An Owner Auth Block may also contain its own expiry date
3. A method for registering an external key as the shadow key of the secure key wherein the registration data shall be cryptographically signed by the secure key and referred to as the Shadow Auth Block hereafter
4. A Shadow Auth Block may also contain an expiry date
5. An Owner Auth Block may be used to create other Owner Auth Blocks or Shadow Auth Blocks
6. The Secure Key generation and optionally obtaining a digital certificate can take place outside of the SKH as a preparatory step
7. The creation of the first Owner Authentication Block shall also take place outside and prior to the deployment of the SKH in a user environment
8. A method for creating additional Owner Auth Blocks as referred to in step 5 above by
a. Obtaining the public key of the new, additional owner. The new owner’s key may use an algorithm that is different from the one employed by the ‘Secure Key’ as long as it employs an asymmetric cryptographic method
i. The generation, storage or use of the private key relating to the new Owner key is outside the purview of the SKH device
b. Forming a data object consisting of the public key of the new owner, a flag indicating that it is an Owner Auth Block and the intended expiry date, and signing it with the Owner Key of the current owner who is creating the additional Owner Auth Block
c. The Data Object signed by the current owner and the Owner Auth Block of the current owner shall be presented to the SKH
d. The SKH shall verify the current owner’s auth block and that it is signed by its own key
e. The SKH shall further verify the current owner’s signature on the additional Owner Auth Block and that it is verifiable by the current owner’s public key as found in the current owner’s auth block
f. On successful verification, it will digitally sign the new Owner Auth Block with the Secure Key effectively replacing the signature of the current owner in the new Owner Auth Block
g. The signed new Owner Auth Block shall be returned to the current owner who can then send it to the new owner through other means like email or other media
9. Shadow Auth Blocks are created for the use of intended end users of the SKH system. The creation process itself is administered by an Owner using his Owner Auth Block
10. A method for creating a Shadow Auth Block by
a. Obtaining the public key of the end user who seeks enrolment with the SKH as a shadow key. The key may use an algorithm that is different from the one employed by the ‘Secure Key’ as long as it employs an asymmetric cryptographic method
i. The generation, storage or use of the private key of the Shadow key is outside the purview of the SKH device
b. Forming a data object consisting of the public key part of the shadow key, a flag indicating that it is a Shadow Auth Block and the intended expiry date and signing it with the Owner Key of the current owner who is creating the Shadow Auth Block
c. The Data Object and the Owner Auth Block of the current owner shall be presented to the SKH
d. The SKH shall verify the current owner’s auth block and that it is signed by its own key
e. The SKH shall further verify the signature of the current owner on the new Shadow Auth Block and that it is verifiable by the key found in the current owner’s auth block
f. On successful verification, it will digitally sign the new Shadow Auth Block with the Secure Key effectively replacing the signature of the current owner in the Shadow Auth Block
g. The signed Shadow Auth Block shall be returned to the current owner who can then send it to the shadow key applicant through other means like email or other media
h. The Shadow Auth Block referred to in (g) above can also be directly delivered to the end user through software-orchestrated delivery channels like web download, etc.
11. Steps for the actual use of the SKH device shall be
a. The end user prepares the document or other data object which needs to be signed with the key in the SKH
b. The end user creates a digest of the document to be signed and digitally signs the digest using his Shadow Key
c. He forms a signature request object consisting of the digest of the document, the digital signature of the document with the shadow key and his own Shadow Auth Block, and sends it to the SKH
d. The SKH verifies that the Shadow Auth Block is signed by itself
e. The SKH verifies that the document signature found in the request is verifiable using the public key in the Shadow Auth Block and that the signature matches the digest presented in the request
f. On successful verification, the SKH device digitally signs the digest with the Secure Key and returns the signature to the end user
g. The end user embeds the signature in the document
h. Now the document is signed by the Secure Key and its digital certificate
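The registration chain of steps 8 and 10 and the signing request of step 11 (the same procedure as steps (a) to (g) of claim 1), as an added worked example that is not part of the patent and not the applicant's implementation. It assumes ed25519 keys for every party and JSON as the serialization of the data object; the secure key is an in-memory key here, whereas the patent keeps it inside the HSM, token or smart card attached to the SKH.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Body is the auth block data object: public key, expiry date and key type ("owner" or "shadow").
type Body struct {
	PubKey ed25519.PublicKey
	Expiry time.Time
	Type   string
}

// AuthBlock is a Body plus one signature: the creating owner's at first, the secure key's once registered.
type AuthBlock struct {
	Body Body
	Sig  []byte
}

func (b AuthBlock) bytes() []byte                            { d, _ := json.Marshal(b.Body); return d }
func (b AuthBlock) Signed(priv ed25519.PrivateKey) AuthBlock { b.Sig = ed25519.Sign(priv, b.bytes()); return b }
func (b AuthBlock) VerifiedBy(pub ed25519.PublicKey) bool    { return ed25519.Verify(pub, b.bytes(), b.Sig) }

// SKH is the secure key host; the secure key is a plain ed25519 key here, where the patent keeps it in an HSM or token.
type SKH struct{ secure ed25519.PrivateKey }

// issued is the check shared by steps 8d, 10d and 11d: the block must carry the
// secure key's own signature, have the expected key type and be unexpired.
func (s *SKH) issued(b AuthBlock, typ string) bool {
	pub := s.secure.Public().(ed25519.PublicKey)
	return b.Body.Type == typ && b.VerifiedBy(pub) && time.Now().Before(b.Body.Expiry)
}

// Register implements steps 8 and 10: newBlk, signed by the presenting owner, is accepted
// only if that owner's block is valid and the owner's public key from it verifies newBlk.
func (s *SKH) Register(owner, newBlk AuthBlock) (AuthBlock, error) {
	if len(newBlk.Body.PubKey) != ed25519.PublicKeySize || !s.issued(owner, "owner") ||
		!newBlk.VerifiedBy(owner.Body.PubKey) {
		return AuthBlock{}, errors.New("owner block, owner signature or new key rejected")
	}
	return newBlk.Signed(s.secure), nil // the secure key's signature replaces the owner's
}

// SignDigest implements step 11: the request carries the digest, the user's signature
// over it and the user's shadow block; on success the secure key signs the digest.
func (s *SKH) SignDigest(shadow AuthBlock, digest, userSig []byte) ([]byte, error) {
	if !s.issued(shadow, "shadow") || !ed25519.Verify(shadow.Body.PubKey, digest, userSig) {
		return nil, errors.New("shadow block or user signature rejected")
	}
	return ed25519.Sign(s.secure, digest), nil
}

// Demo runs the flow end to end with fresh keys, then checks that a shadow block is refused as an owner block.
func Demo() error {
	skPub, skPriv, _ := ed25519.GenerateKey(rand.Reader)
	o1Pub, o1Priv, _ := ed25519.GenerateKey(rand.Reader)
	o2Pub, o2Priv, _ := ed25519.GenerateKey(rand.Reader)
	uPub, uPriv, _ := ed25519.GenerateKey(rand.Reader)
	skh, exp := &SKH{secure: skPriv}, time.Now().Add(24*time.Hour)
	owner1 := AuthBlock{Body: Body{o1Pub, exp, "owner"}}.Signed(skPriv)                          // step 7
	owner2, err := skh.Register(owner1, AuthBlock{Body: Body{o2Pub, exp, "owner"}}.Signed(o1Priv)) // step 8
	shadow, err2 := skh.Register(owner2, AuthBlock{Body: Body{uPub, exp, "shadow"}}.Signed(o2Priv)) // step 10
	if err != nil || err2 != nil {
		return errors.New("registration refused")
	}
	digest := sha256.Sum256([]byte("constructed sample document")) // step 11
	sig, err := skh.SignDigest(shadow, digest[:], ed25519.Sign(uPriv, digest[:]))
	if err != nil || !ed25519.Verify(skPub, digest[:], sig) {
		return errors.New("secure key signature missing or invalid")
	}
	if _, err := skh.Register(shadow, owner2); err == nil { // step 9: only owners administer
		return errors.New("shadow block accepted as owner")
	}
	return nil
}
```

The length check on the submitted public key in Register is not in the patent's step list; it is there because a malformed key inside an issued block would otherwise make the later verification call fail hard instead of returning a rejection.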
Working Description: The user’s key in a strong device like an HSM is hosted in the cloud and protected by a device that is the subject of this invention. The device is configured to allow only data that is digitally signed by a particular asymmetric key which is in the user’s physical possession and pre-certified by the key in the HSM by way of a shadow auth block. Every time the user wants to use the HSM-based key to sign some data, he first signs it with the key in his possession and sends the signed data to the HSM secured by this invention. The device of this invention verifies the signature on the data and, if it is valid, passes the data on to the HSM for signature. Any physical security mechanisms that are built into the HSM, like a password, are handled by the invention, which is closely coupled to the HSM, and thus network exposure is avoided. Thus, physically placing the key devices anywhere in the cloud can now be achieved simply and securely.
The present invention solves the problem of using a key device that is physically located far away from the user in a provably secure manner. The present invention differs from existing, well-known prior-art attempts by using public key cryptography to secure the key access and usage process. With the proliferation of mobile phones and other IoT devices, it has become possible and simple to use private keys that are always in the user’s possession or physical control. Using a physically controlled key to secure access to a distantly located key that fulfils regulatory and standard-related requirements is the primary mechanism of this invention and is extremely elegant in its simplicity. The invention replaces or augments the passwords that are used to access HSM-based keys. Therefore, the invention replaces a weak and complicated security mechanism with a strong and simple mechanism.
In one preferred embodiment, the present invention discloses a process of securing cryptographic device access through open networks using asymmetric cryptography, employing a characterized secure key host (SKH) computing system. The secure key host (SKH) computing system is adapted to associate with a secure key hosted on a cryptographic device and configured to authenticate, based on registration, a First owner, a plurality of additional owners and a plurality of users after verification by signing with the secure key, without any password authentication, placing the secure key distantly from the First owner, additional owners and users, thereby avoiding network exposure of passwords, utilizing a single secure key for a plurality of individuals, and fulfilling regulatory and standard-related requirements. The process of the present invention comprises the following steps:
a. creation of an owner auth block comprising the public key of the first owner key pair, an expiry date and a key type, by signing using the secure key of a first owner device housed with a first owner key pair;
b. registering the first owner device with the secure key host (SKH) computing system by sending the owner auth block to the secure key host (SKH) computing system, in which the owner signature is replaced by the secure key signature of the secure key host (SKH) computing system upon verification and the verified owner auth block is sent back to the first owner device;
c. creation of an additional owner auth block comprising the public key of the additional owner key pair, an expiry date and a key type, by signing using the secure key of the first owner device, upon the public key of the additional owner being submitted to the first owner device by an additional owner device housed with an additional owner key pair;
d. registering the additional owner device with the secure key host (SKH) computing system by the first owner device sending the additional owner auth block along with the verified owner auth block to the secure key host (SKH) computing system, in which the first owner signature in the additional owner auth block is replaced by the secure key signature of the secure key host (SKH) computing system upon verification and the verified additional owner auth block is sent back to the first owner device, which in turn sends it to the additional owner device;
e. creation of a shadow auth block comprising the public key of the user key pair, an expiry date and a key type, by signing using the secure key of the first/additional owner device, upon the public key of the user being submitted to the first/additional owner device by a user device housed with a user key pair;
f. registering the user device with the secure key host (SKH) computing system by the first/additional owner device sending the shadow auth block along with the verified owner/additional owner auth block to the secure key host (SKH) computing system, in which the first/additional owner signature in the shadow auth block is replaced by the secure key signature of the secure key host (SKH) computing system upon verification and the verified shadow auth block is sent back to the first/additional owner device, which in turn sends it to the user device;
g. digital signing of a document digest in the secure key host (SKH) computing system, by the user sending a document digest carrying the user signature along with the verified shadow auth block of the user, in which the user signature on the document digest is replaced by the secure key signature of the secure key host (SKH) computing system upon verification and the signed digest, which forms the digital signature, is sent back to the user device, where the user embeds the digital signature in the document, whereby the document is signed remotely by the Secure Key of the secure key host (SKH) computing system and its digital certificate without any password transaction.
According to the invention, in the process, the additional owner device, upon registration with the secure key host (SKH) computing system, can act like a first owner and create a plurality of additional owner auth blocks and register a plurality of additional owner devices with the secure key host (SKH) computing system.
As per the invention, in the process, the key type is an indication of owner or user.
In accordance with the invention, in the process, the verification of the owner auth block by the secure key host (SKH) computing system comprises verification of its own signature on the owner auth block.
According to the invention, in the process, the verification of the additional owner auth block and the shadow auth block by the secure key host (SKH) computing system comprises checking the expiry date and the signature.
As per the invention, in the process, the secure key host (SKH) computing system is a processor with a network interface and a USB or other port for receiving a cryptographic device hosted with the secure key.
In accordance with the invention, in the process, the cryptographic device is selected from a group comprising an HSM, a Cryptographic USB token, a Smart Card or another key protection device.
According to the invention, in the process, the owner device, additional owner device and user device is a mobile phone, a home automation device containing digital processing and storage capability, industrial machinery containing a digital processor and memory, a personal computer with secure memory storage or a similar device.
In the description of the invention the word ‘document’ is used in a generic sense and includes any data or other digital information.
From the foregoing, it will be appreciated that various embodiments of the present disclosure have been described herein for purposes of illustration, and that various modifications may be made without departing from the scope and spirit of the present disclosure. Accordingly, the various embodiments disclosed herein are not intended to be limiting, with the true scope and spirit being indicated by the following claims.
| # | Name | Date |
|---|---|---|
| 1 | 202141029816-STATEMENT OF UNDERTAKING (FORM 3) [02-07-2021(online)].pdf | 2021-07-02 |
| 2 | 202141029816-POWER OF AUTHORITY [02-07-2021(online)].pdf | 2021-07-02 |
| 3 | 202141029816-FORM 1 [02-07-2021(online)].pdf | 2021-07-02 |
| 4 | 202141029816-FIGURE OF ABSTRACT [02-07-2021(online)].jpg | 2021-07-02 |
| 5 | 202141029816-DECLARATION OF INVENTORSHIP (FORM 5) [02-07-2021(online)].pdf | 2021-07-02 |
| 6 | 202141029816-COMPLETE SPECIFICATION [02-07-2021(online)].pdf | 2021-07-02 |
| 7 | 202141029816-Correspondence_Power of Attorney_13-07-2021.pdf | 2021-07-13 |
| 8 | 202141029816-FORM 18 [28-06-2025(online)].pdf | 2025-06-28 |