System and method of transferring condensed information from a certificate for use in encryption operations

FIELD: physics, computer technology.

SUBSTANCE: the invention relates to data protection systems. In the certificate-based encryption mechanism, the client source computer does not access the whole of the certificate corresponding to the client target computer when encrypting an e-message to be transferred to the client target computer. Instead, the client source computer sends the certificate server a request for only part of the certificate. That part contains the encryption information but may omit some or all of the certificate's self-checking information. The certificate server preferably carries out any check of the certificate's authenticity before transferring the encryption information to the client source computer, which removes the need for the client source computer to perform its own authenticity check, especially if the client source computer trusts the certificate server.

EFFECT: reduced memory and processor resources used for certificate-based encryption, and reduced bandwidth requirements between the certificate server and the client source device.

36 cl, 8 dwg

 

Background of the invention

1. References to related applications

This application claims the priority of U.S. provisional patent application 60/428,080, dated November 20, 2002, for "System and method for transferring condensed information from the certificate to perform cryptographic operations".

2. The technical field

The present invention relates to secure communications. More specifically, the present invention relates to the use of certificates to encrypt transmissions.

3. Prior art

Computer and network technology has transformed the way people work and play. Networking has become so effective that a simple computer system with networking capabilities can communicate with any of millions of other computer systems spread across a worldwide conglomerate of networks, often referred to as "the Internet". Such computer systems may include desktop, laptop or tablet personal computers; personal digital assistants (PDAs); telephones; or any other computer or device that is able to communicate over a digital network.

To communicate over a network, one computer system (referred to here as the "source computer system" or "client source computer") creates or otherwise accesses an electronic message and sends it over the network to another computer system (referred to here as the "recipient computer system" or "client recipient computer"). The electronic message can be read by a user, as when it is an e-mail message or an instant message, or it can be read by an application running on the recipient computer system. The electronic message may be created by an application running on the transmitting computer system, possibly with the assistance of a user.

Although such electronic communication advantageously allows computer systems to exchange information, and thereby serve their users, in ways that were previously unknown, e-mail messages are subject to interception. Depending on the sensitivity of the content of the electronic message, interception can be harmful and, in some cases, even fatal. To protect e-mail messages from interception, they are often encrypted so that only those who hold a certain binary sequence (called a key) can decrypt the message and gain access to the information it contains. Efforts are made to ensure that only the recipient computer system has access to the key required to decrypt the message. Accordingly, any unauthorized interceptor could, without extraordinary effort, gain access only to the encrypted form of the e-mail message.

In symmetric encryption, the same key that is used to encrypt an electronic message can be used to decrypt it. In asymmetric encryption, a public key and a secret key are associated with a particular computer system. The public key is made known to a wide range of computer systems, while the secret key is not distributed. The secret key can be used to decrypt any message encrypted using the public key. The secret key is more sensitive than the public key, because the recipient computer system must be the only computer system capable of interpreting electronic messages destined for it.

To facilitate encryption, the transmitting computer system often accesses a certificate associated with the recipient computer system. Fig. 8 shows the data structure of a certificate 800 according to the prior art. Certificate 800 includes validation information 803. Validation information 803 allows the transmitting computer system to confirm that the certificate is authentic, that it actually corresponds to the recipient computer system, and that it has not been revoked. The X.509 certificate is a type of certificate in wide use at present. The validation information of an X.509 certificate may include, for example, a URL (uniform resource locator) that can be accessed to check whether the certificate corresponds to the recipient computer system. The validation information of an X.509 certificate can also include a certificate revocation list indicating whether or not the certificate has been revoked.

Certificate 800 also includes certificate identification information 802, which allows the transmitting computer system to identify the certificate. For example, an X.509 certificate may include a key ID or possibly a combination of the identifier of the requesting party and the sequence number.

Certificate 800 also includes encryption information 801 (for example, the public key of an X.509 certificate). The encryption information allows the transmitting computer system to encrypt an electronic message so that it can be interpreted by the recipient computer system to which the certificate corresponds. For example, if the transmitting computer system encrypts the e-mail message using the public key corresponding to the recipient computer system, the recipient computer system will ideally be the only computer system that has the corresponding private key needed to decrypt the message.

There are important cases in which a certificate is used for encryption. For example, when e-mail is encrypted using S/MIME, the certificate for the recipient computer system is typically used at the transmitting computer system to support encryption there. MIME (Multipurpose Internet Mail Extensions) is a specification for formatting non-ASCII (American Standard Code for Information Interchange) messages so that they can be transmitted over the Internet. Many e-mail client computers now support the MIME specification, which allows them to send and receive graphics, audio and video files through the Internet mail system. The MIME specification was defined in 1992 by the Internet Engineering Task Force (IETF). S/MIME is a standard that defines a method of encrypting and encoding e-mail content that conforms to MIME. S/MIME is based on the public key encryption technology described above. It is expected that S/MIME will become widespread, enabling users to send secret e-mail to each other even if they use different e-mail applications.

There are a number of potential drawbacks that hinder the widespread adoption and use of certificate-based encryption technologies, such as the technology defined by the S/MIME standard, particularly on mobile devices with limited memory. At present, encrypting a message with certificate-based encryption technology requires access to the entire certificate. An X.509 certificate can often be much larger than 1 kilobyte. One certificate is typically used for each potential message recipient. Some messages have multiple recipients, which increases the amount of memory required to store certificates. This can significantly degrade performance on a mobile device, which typically has limited memory and limited processor capability.

In addition, the transmitting computer system often obtains certificates from another computer system over a connection with significant latency and/or narrow bandwidth (for example, a dial-up or wireless connection). In particular, certificates are often stored in centralized repositories or directories for access by e-mail users. The size of a certificate has a significant effect on e-mail users who connect to these repositories over slow network connections. A certificate-based encryption technology that reduces the requirements for memory, processor and bandwidth would therefore be preferable.

The invention

The above-described problems inherent in the prior art are overcome by the principles of the present invention, which are directed to certificate-based encryption in which the full certificate is not used for encryption, thereby saving memory and processor resources at the point of encryption. In addition, when the point of encryption does not already have access to the certificate, a smaller part of the certificate, rather than the entire certificate, is transmitted to the point of encryption, thereby conserving bandwidth (and memory) compared with transferring (and storing) the entire certificate.

The principles of the present invention can be implemented in a network environment in which a client source computer is the point of encryption for an electronic message that is to be transferred to one or more client recipient computers. The client source computer may have access to a certificate server that provides the corresponding certificates for at least some of the potential client recipient computers of the e-mail message. The certificate includes encryption information, which allows an entity with access to the certificate to encrypt the e-mail message so that it can be interpreted by the entity to which the certificate corresponds. The certificate also includes self-check information, which allows an entity with access to the certificate to verify that the certificate is valid, that the certificate belongs to the corresponding entity, and that the certificate has not been revoked.

The client source computer accesses the electronic message to be transmitted to the client recipient computer, and then determines that the electronic message should be encrypted. The client source computer generates a request to access only the part of the certificate that corresponds to the client recipient computer. This part includes the encryption information, but may lack some or even all of the self-check information. The client source computer then transmits the request to the certificate server, which receives the request and in response returns only the requested portion of the certificate.

The returned portion of the certificate may be much smaller than the certificate as a whole. Returning only the requested part therefore significantly reduces the bandwidth required between the certificate server and the client source computer. When the client source computer receives the response, the encryption information is used to encrypt the e-mail message so that it can be decrypted at the client recipient computer.

The encryption process may use the public key to encrypt the content of the electronic message directly. Alternatively, if the message is to be sent to multiple client recipient computers, the content of the electronic message may be encrypted with another key (e.g., a session key). The electronic message may then also include, for each client recipient computer, the session key encrypted with that computer's public key.

Accordingly, because less than the entire certificate is transmitted and used for encryption, memory and processing resources in the client source computer are saved. This is especially important if the client source computer is a mobile device, which already has limited processor resources and memory and often has a limited-bandwidth connection to other networks. The present invention is particularly useful where synchronization is important as well as the security of electronic messages.

Note that some of the certificate's self-check information may not be included in the requested portion of the certificate. To preserve the security associated with certificate validation, validation of the certificate may be performed by the certificate server. Preferably, the certificate server is trusted by the client source computer to the extent that, if the certificate server performs this validation, the client source computer will assume that the certificate is valid without independently verifying its validity.

Additional features and advantages of the invention are set out in the following description, and will in part be obvious from the description or may be learned by practicing the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the claims. These and other features of the present invention will become clearer from the following description and the claims, or may be learned by practicing the invention as set forth below.

Brief description of drawings

In order to describe the manner in which the above-described and other advantages and features can be obtained, a more particular description of the invention briefly described above is given with reference to specific embodiments that are illustrated in the accompanying drawings. On the understanding that these drawings depict only typical embodiments of the invention and should therefore not be construed as limiting its scope, the invention will be described and explained with additional specificity and detail using the accompanying drawings, which show the following:

Fig. 1 shows a suitable wireless device in which the features of the present invention can be implemented;

Fig. 2 shows a suitable network environment in which the principles of the present invention can be used, including a client source computer that uses information from a certificate server to encrypt e-mail messages to be transmitted to client recipient computers;

Fig. 3 is a block diagram of a method used by the client source device to encrypt electronic messages to be delivered to one or more client recipient devices, with the certificate server providing the data, in accordance with the principles of the present invention;

Fig. 4 shows the data structure of a certificate request in accordance with the principles of the present invention;

Fig. 5 shows the data structure of the response to the request in accordance with the principles of the present invention;

Fig. 6 shows the data structure of an electronic message that is encrypted using a certificate (or part thereof) in accordance with the principles of the present invention;

Fig. 7 shows the data structure of a partial certificate without self-check information in accordance with the principles of the present invention; and

Fig. 8 shows the data structure of a full certificate with self-check information in accordance with the prior art.

Detailed description of preferred embodiments of the invention

The principles of the present invention relate to a certificate-based encryption mechanism in which the client source device does not access the entire certificate corresponding to the client recipient device when encrypting an e-mail message to be delivered to that device. Instead, the client source device requests only a portion of the certificate from the certificate server. This portion includes the encryption information, but may lack some or even all of the self-check information in the certificate. If validation is implemented, the certificate server performs any validation of the certificate before transferring the encryption information to the client source device. The client source device does not need to validate the certificate separately, especially if the client source device trusts the certificate server.

The client source device uses this more limited part of the certificate (which may be referred to as a "mini-certificate" or "partial certificate") to encrypt the message. Because a partial certificate is much smaller than the full certificate, this reduces the memory and processor resources used to perform certificate-based encryption, and also reduces the bandwidth requirements between the certificate server and the client source device.

Embodiments of the present invention may include a special-purpose or general-purpose computing device including various computer hardware, as described in more detail below. Embodiments within the scope of the present invention also include machine-readable media for carrying or storing machine-readable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general-purpose or special-purpose computer. By way of example, and not limitation, such machine-readable media can comprise physical storage media such as RAM, ROM, EEPROM (electrically erasable programmable read-only memory), CD-ROM or other memory devices, optical disks, magnetic disks or magnetic memory, or other recording media that can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and that can be accessed by a general-purpose or special-purpose computer. The machine-readable medium may be non-volatile memory, run-time memory, or a combination of both.

Fig. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention can be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, executed by computing devices. In general, program modules include routines, programs, objects, components, data structures and similar constructs that perform particular tasks or implement particular abstract data types.

As shown in Fig. 1, a suitable operating environment for implementing the principles of the present invention includes a general-purpose computing device in the form of the wireless device 100. Although the wireless device 100 has the form of a wireless phone, a variety of devices are now able to communicate over a wireless network and can benefit from the principles of the present invention. For example, portable computers, tablet PCs, personal digital assistants and other wireless devices are currently available. Other forms of wireless devices may be developed in the future. The principles of the present invention are not limited to any specific form of wireless device.

The wireless device 100 includes a user interface 101 that allows the user to enter information through an input user interface 103. The user views information presented through an output user interface 102. The user interface will vary greatly depending on the design of the wireless device. In the embodiment shown, in which the wireless device 100 is a portable computer, the output user interface 102 includes a speaker for providing audio information to the user, and a display 105 for presenting visual information to the user.

The input user interface 103 may include a microphone 106 for converting audio information into electronic form. In addition, the input user interface 103 includes dialing controls 107 and navigation controls 108, which allow the user to enter information into the wireless device 100.

Program code means comprising one or more program modules may be stored in memory 112. The one or more program modules may include an operating system 113, one or more application programs 114, other program modules 115 and program data 116. The one or more program modules can be instantiated in memory (if volatile) or loaded from memory (if non-volatile) and then processed by the processor 111. The program code means may include non-volatile as well as volatile memory, and its form can vary greatly depending on the type of wireless device.

Although Fig. 1 represents a suitable operating environment for the present invention, the principles of the present invention can be used in any wireless device that can communicate over a wireless network. The wireless device shown in Fig. 1 is illustrative only, and by no means represents even a small part of the wide variety of environments in which the principles of the present invention can be implemented.

Fig. 2 illustrates a network environment 200 in which the principles of the present invention can be used. The network environment 200 includes a client source computer system 210. In this description and in the claims, the term "computer system" means any hardware component or combination of hardware components capable of executing software using one or more processors. A computer system may be a system or device that has processing capability. A computer system may be, for example, a portable computer, desktop computer, tablet computer, pocket computer, mobile phone or any other processing system or device, whether existing now or developed in the future.

In this description and in the claims, the term "client computer system" or "client computer" ("client") refers to any computer system that receives services from another computer system, regardless of whether that client computer system also provides services to other computer systems. For example, the client computer 210 receives the services of the certificate server 220, which provides certificates (or portions thereof) to the client source computer 210 as needed. In this example, the client computer 210 accesses an electronic message (regardless of whether or not it created the e-mail message) that is to be forwarded to one or more client recipient computers 230, including any of client recipient computers 231, 232, 233 and 234, among potentially many more, as represented by the vertical ellipsis 235. The client computer 210 and the client recipient computers 231, 232, 233 and 234 may be configured as described above for the wireless device 100, or may take any other form that meets the definition of a computer system set forth above.

Fig. 3 illustrates a method 300 by which the client source computer system encrypts a message that is to be sent to at least one of the client recipient computers, using the certificate server, in accordance with the principles of the present invention. Some of the steps and acts of method 300 are performed by the client source computer 210, as represented in the left column of Fig. 3 under the heading "Client computer". Other steps of method 300 are performed by the certificate server 220, as shown in the right column of Fig. 3 under the heading "Server certificates".

The client computer 210 first accesses an electronic message that is to be transmitted to at least one client recipient computer (step 301). The electronic message may be retrieved from local memory or received from another computer system for delivery to the recipient computer system. In addition, the electronic message may be a preliminary version of the final e-mail message that is to be delivered to the client recipient computer.

The client computer 210 then determines that the electronic message must be encrypted before it is sent to the client recipient computer (step 302). This determination may be made in response to a configuration setting, a particular setting associated with the client recipient computer or with a group of client computers to which that client recipient computer belongs, or perhaps in response to a request from a user of the client computer.

The client computer 210 then performs a functional, result-oriented step for performing certificate-based encryption at the client computer without requiring local access to the full certificate corresponding to the client recipient computer (step 303). This result-oriented step may comprise any appropriate acts for achieving this result. In the illustrated embodiment, however, step 303 includes the corresponding steps 304, 305 and 309.

More specifically, the client computer 210 generates a request to access only a part of the certificate that corresponds to the client recipient computer. This part of the certificate is shown in Fig. 7 as partial certificate 700. Partial certificate 700 includes the encryption information 701 necessary to encrypt the e-mail message so that it can be decrypted by the client recipient computer. The encryption information 701 of partial certificate 700 may be similar to the encryption information 801 of the full certificate. For example, if the full certificate 800 were an X.509 certificate, the encryption information 701 could be a public key corresponding to the secret key belonging to the client recipient computer.

Partial certificate 700 may also include certificate identification information 702, which identifies the full certificate 800 corresponding to partial certificate 700. Certificate identification information 702 may include, for example, at least part of the certificate identification information 802 of the full certificate. For example, if the full certificate 800 were an X.509 certificate, certificate identification information 702 could include the key ID or, alternatively or in addition, the combination of the identifier of the requesting party and the serial number of the certificate. Although some of the validation information 803 could also be included in partial certificate 700, none of the validation information 803 is shown as being contained in the partial certificate. Because partial certificate 700 omits much of the information of the full certificate 800, partial certificate 700 is much smaller than the full certificate.

After the client computer 210 generates the certificate access request (step 304), the client computer 210 transmits the request to the certificate server 220 (step 305). This transmission is shown in Fig. 2 as request 211, transmitted from the client computer 210 to the certificate server 220 as represented by arrow 211A.

Fig. 4 schematically shows the data structure of request 211 in accordance with the present invention. Request 211 includes header information 401. This header information 401 may include any information used by the transmission protocol. For example, if the electronic message is a Hypertext Transfer Protocol (HTTP) request (for example, an HTTP POST request), the request 211A will include HTTP header information. Using the HTTP protocol to send the request is useful where the certificate server 220 is not on the same local network as the client source computer 210 and is reachable only through the Internet.

Request 211 also includes an identification 402 of the client recipient computer. This identification may take the form of, for example, a uniform resource locator (URL), an Internet Protocol (IP) address, or an e-mail address associated with the client recipient computer(s). If the identification is in the form of an unresolved name of an individual client recipient computer, the certificate server 220 can also resolve the name to the particular client recipient computer and provide the result of this resolution to the client source computer 210 at the same time as the certificate server provides the requested partial or full certificate to the client source computer. If the identification is in the form of an unresolved name of a distribution list, the certificate server can expand the distribution list and then return to the client source computer 210 either a partial or a full certificate for each of the client recipient computers on the distribution list. The entries in a distribution list include individual entities and potentially one or more other, child distribution lists. Expanding a distribution list means identifying each individual entity included in the distribution list by, first, including any individual entity directly identified in the distribution list, and then recursively performing the same expansion for each of the one or more child distribution lists. Through this recursive process, all individual entities in the distribution list are identified, even if they are identified only in a child or other descendant distribution list. Alternatively, this name resolution can be performed separately by the certificate server 220, by some other resolution server (not shown), and/or by a resolution mechanism internal to the client computer 210.
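The recursive expansion described above, as an added example that is not part of the original patent text. The directory contents, the function name `expand_recipients` and the depth limit are assumptions made for illustration; the visited-list guard and the limit stop a list that refers back to itself from expanding without end on the server.

```python
# Constructed sample directory: keys are distribution lists, anything that is
# not a key is treated as an individual entity (one certificate each).
DIRECTORY = {
    "all-staff@example.com": ["eng@example.com", "ops@example.com", "ceo@example.com"],
    "eng@example.com": ["alice@example.com", "bob@example.com", "oncall@example.com"],
    "ops@example.com": ["carol@example.com", "oncall@example.com"],
    # oncall refers back to eng: a cycle that naive recursion never leaves
    "oncall@example.com": ["bob@example.com", "eng@example.com"],
}

MAX_DEPTH = 16  # assumed server-side limit on nesting of child lists


def expand_recipients(addresses, directory, max_depth=MAX_DEPTH):
    """Return every individual entity reachable from `addresses`, de-duplicated,
    in first-seen order."""
    individuals = []
    seen_individuals = set()
    visited_lists = set()

    def walk(addr, depth):
        key = addr.strip().lower()
        if key not in directory:              # an individual entity
            if key not in seen_individuals:
                seen_individuals.add(key)
                individuals.append(key)
            return
        if key in visited_lists:              # already expanded, or a cycle
            return
        if depth >= max_depth:
            raise ValueError(f"distribution list nesting exceeds {max_depth}: {key}")
        visited_lists.add(key)
        members = directory[key]
        # First the entities named directly in this list ...
        for member in members:
            if member.strip().lower() not in directory:
                walk(member, depth + 1)
        # ... then the same expansion, recursively, for each child list.
        for member in members:
            if member.strip().lower() in directory:
                walk(member, depth + 1)

    for address in addresses:
        walk(address, 0)
    return individuals


if __name__ == "__main__":
    for recipient in expand_recipients(["all-staff@example.com"], DIRECTORY):
        print(recipient)
```

Each address returned is one certificate in the response, so the expanded count is also what decides how large the reply to a single short request becomes.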

Request 211 also includes a certificate request 403, which indicates whether the full version of the certificate is requested (as represented by the full version field 404) or a partial version of the certificate (as represented by the partial version field 405). If the certificate request covers more than one client recipient computer, the request may specify that the full version of the certificate is wanted for all client recipient computers, or that a partial version of the certificate is wanted for all client recipient computers. Alternatively, the request may specify that a partial certificate is to be returned only for a specified group of client recipient computers and that the entire certificate is to be returned for the others. Likewise, the request may specify that a full certificate is to be returned only for a specified group of client recipient computers and that a partial certificate is to be returned for the others. The following describes a concrete example of a certificate request in the form of a "getcert" (get certificate) request.

The "getcert" command can be part of an HTTP POST request and include the text "cmd=getcert" to identify that the request is a request for a certificate.

The address field "addrs=[ADDRESS]" may specify a list of one or more addresses of the one or more client recipient computers whose certificates are required. Capital letters enclosed in square brackets mean that an actual value of the type described in capital letters replaces the square brackets and their contents in the message. For example, [ADDRESS] is replaced with the actual address of the client recipient computer, or with an unresolved name that the certificate server will resolve into addresses. For the "getcert" command, these resolutions are not returned to the client source computer; only the certificate for the resolved address is returned.

The optional field "minicert=[t/f]", if set to true, causes the server 220 to return a partial certificate rather than the full certificate. Otherwise, if it is set to "false" or if the minicert field is absent, the full certificate is returned. The minicert field may correspond to one specific client recipient computer represented in the addrs field, or may apply to some or all of the client recipient computers represented in the addrs field of the request.

The certificate server 220 receives the request from the client computer 210 (step 306), determines that the request is for only a partial certificate (step 307), and then responds by returning only the partial certificate to the client source computer (step 308). In accordance with Fig. 2, the certificate server 220 returns a response 212 to the client source computer 210, as represented by arrow A.

Fig. 5 shows a sample data structure of the response 212. The response includes header information 501. For example, if the request 211 was an HTTP request, the response 212 may be an HTTP response, in which case the header information is HTTP response header information. The response also includes a certificate 503 for each of the client recipient computers that are to receive the electronic message. The certificate can be a full certificate, as represented by element 504, or a partial certificate, as represented by element 505. However, in accordance with the principles of the present invention, a partial certificate is returned for at least one of the client recipient computers that are to receive the electronic message.

Below is a possible schema for the response contained in the response to the HTTP POST (line numbers added for clarity):

1. <a:response xmlns:a="http://schemas.microsoft.com/exchange/webmail">
2. <a:cert>[CERTIFICATE]</a:cert>
3. </a:response>

Lines 1-3 represent the XML element "response". The "xmlns" attribute gives the namespace corresponding to the XML element, which can be used to parse and interpret the XML element and determine its meaning.

Line 2 represents the XML element "cert", which can be repeated for each client recipient computer (or group of them, when the address is a distribution list) represented in the addrs field of the request.

The content of the cert element is the certificate or certificates corresponding to the addrs element, and can have the following form (line numbers added for clarity):

1. [DWORD: size of the full content of the cert element]

2. [DWORD: total number of recipients for which the cert element contains certificates (may be zero if the recipient was unresolved)]

3. [DWORD: total number of certificates found (may be zero if no valid certificates were found)]

4. [certificate 1]

5. .

6. .

7. .

8. [certificate M]

Lines 1-3 are double words (DWORDs) representing information about the full content of the cert element. Lines 4-8 show that there can be multiple certificate sections. In this case, the certificates include certificates 1 through M, where lines 5-7 show vertical ellipsis points representing a variable number of certificates between the first and the M-th certificate. Each certificate section can be structured as follows (line numbers added for clarity):

1. [WORD: size of the certificate]

2. [WORD: flags (can indicate whether the certificate is a full or a partial certificate, and whether the certificate is identified by a key ID)]

3. [THE ACTUAL PARTIAL OR FULL CERTIFICATE]
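The layout described above can be parsed defensively as follows. This is an added example, not code from the patent or from any product: little-endian byte order, the first DWORD counting the whole item including its 12-byte header, each WORD size counting only the certificate bytes, and the two flag bit values are all assumptions, since the page does not specify them.

```python
import struct

# Assumptions (not stated on the page): little-endian integers, the first
# DWORD counts the whole item including its 12-byte header, each WORD size
# counts only the certificate bytes, and these flag bit values.
FLAG_PARTIAL = 0x0001
FLAG_HAS_KEY_ID = 0x0002
HEADER = struct.Struct("<III")  # total size, recipient count, certificate count
SECTION = struct.Struct("<HH")  # certificate size, flags


class CertItemError(ValueError):
    """Raised when length or count fields do not match the bytes received."""


def parse_cert_item(blob: bytes) -> dict:
    """Parse one cert item, rejecting any length field that disagrees with the data."""
    if len(blob) < HEADER.size:
        raise CertItemError("item shorter than its 12-byte header")
    total, recipients, cert_count = HEADER.unpack_from(blob, 0)
    if total != len(blob):
        raise CertItemError(f"declared size {total} != received {len(blob)}")
    offset = HEADER.size
    certs = []
    # The count is server-supplied: never pre-allocate from it, just walk the
    # sections and stop at the first one that does not fit.
    for index in range(cert_count):
        if offset + SECTION.size > total:
            raise CertItemError(f"section {index}: header runs past end of item")
        size, flags = SECTION.unpack_from(blob, offset)
        offset += SECTION.size
        if size == 0:
            raise CertItemError(f"section {index}: empty certificate")
        if offset + size > total:
            raise CertItemError(f"section {index}: body runs past end of item")
        certs.append({
            "partial": bool(flags & FLAG_PARTIAL),
            "has_key_id": bool(flags & FLAG_HAS_KEY_ID),
            "data": blob[offset:offset + size],
        })
        offset += size
    if offset != total:
        raise CertItemError(f"{total - offset} unexplained trailing bytes")
    return {"recipients": recipients, "certs": certs}


def build_cert_item(recipients: int, sections: list) -> bytes:
    """Build a constructed sample item from (flags, cert_bytes) pairs."""
    body = b"".join(SECTION.pack(len(data), flags) + data for flags, data in sections)
    return HEADER.pack(HEADER.size + len(body), recipients, len(sections)) + body


# Constructed sample: one partial certificate carrying a key ID, one full one.
SAMPLE = build_cert_item(2, [
    (FLAG_PARTIAL | FLAG_HAS_KEY_ID, b"partial-cert-bytes"),
    (0, b"full-cert-bytes-placeholder"),
])

if __name__ == "__main__":
    for cert in parse_cert_item(SAMPLE)["certs"]:
        kind = "partial" if cert["partial"] else "full"
        print(kind, len(cert["data"]), "bytes")
```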

In accordance with the more general example shown in Figs. 2 and 3, the client computer 210 receives only the requested portion of the certificate from the server (step 309). At this stage, the client computer 210 is ready to encrypt the electronic message for receipt by each of the client recipient computers to which the electronic message is to be transmitted. Because only a partial certificate was returned for some, or even all, of the client recipient computers to which the electronic message is to be transmitted, and because the partial certificate is much smaller (perhaps even by an order of magnitude) than the full certificate, the certificate can be delivered from the certificate server 220 to the client source computer much faster and using much less bandwidth.

The client computer then uses the encryption information in the partial certificate to encrypt the electronic message. As mentioned earlier, encryption information 701 is represented in the partial certificate 700 in Fig. 7. The encryption information can be, for example, the public key corresponding to the client recipient computer to which the electronic message is to be sent.

If the electronic message is to be sent to multiple client recipient computers, the electronic message may be encrypted for each client recipient computer. This may be done by encrypting the content separately for each client recipient computer, using the public key corresponding to that client recipient computer. However, if there are many client recipient computers, this would be a processing-intensive task that could result in high memory usage and bandwidth consumption when delivering the electronic message.

To reduce processor, memory, and bandwidth requirements, the electronic message may alternatively be structured like the electronic message 600 shown in Fig. 6. The content 601 of the electronic message is encrypted using the session key 602. Each client recipient computer is informed of the session key 602 by encrypting the session key 602 with the public key corresponding to that client recipient computer. For example, suppose that the electronic message 600 is sent to each of the client recipient computers 231-234, which have corresponding public keys 1-4. In this case, the session key 602 is encrypted separately using each of public keys 1-4.

Key identifier 612 is associated with the session key 602 that was encrypted using public key 1, which is identified by key identifier 612. Key identifier 613 is associated with the session key 602 that was encrypted using public key 2, which is identified by key identifier 613. The combination of requesting party identifier A and serial number B is associated with the session key 602 that was encrypted using public key 3, which is unique to the combination A and B. The combination of requesting party identifier A and serial number B is associated with the session key 602 that was encrypted using public key 4, which is unique to the combination A and B. Upon receipt of message 213, each client recipient computer can use the key identifier, or the combination of the requesting party identifier and the serial number, to determine which encrypted form of the session key it can decrypt. The client recipient computer then decrypts the session key and uses the session key to decrypt the content.
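The structure of message 600 and the recipient-side lookup, as an added example that is not from the patent. Textbook RSA over small constructed primes and a SHA-256 keystream stand in for the real public-key and content ciphers so that it runs on the Python standard library; the identifier tuples, key values and the modelling of the identifier pair as a tuple are assumptions.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the constructed toy keys


def toy_keypair(p: int, q: int) -> dict:
    """Textbook RSA from two primes: no padding, toy sizes, illustration only."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in content cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for start in range(0, len(data), 32):
        pad = hashlib.sha256(key + start.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], pad))
    return bytes(out)


def encrypt_for(content: bytes, partial_certs: list) -> dict:
    """Encrypt the content once, then wrap the session key once per recipient."""
    session_key = secrets.token_bytes(16)
    key_int = int.from_bytes(session_key, "big")
    wrapped = [
        {"rid": cert["rid"], "key": pow(key_int, E, cert["n"])}
        for cert in partial_certs
    ]
    return {"content": keystream_xor(session_key, content), "wrapped": wrapped}


def decrypt_as(message: dict, rid: tuple, private: dict) -> bytes:
    """Find the wrapped key labelled with our identifier, unwrap it, decrypt."""
    for entry in message["wrapped"]:
        if entry["rid"] == rid:
            key_int = pow(entry["key"], private["d"], private["n"])
            return keystream_xor(key_int.to_bytes(16, "big"), message["content"])
    raise LookupError("message carries no session key for this recipient")


# Constructed recipients. 231 is labelled by a key identifier, 233 by a
# (requesting party, serial number) pair, mirroring the two labelling styles.
KEY_231 = toy_keypair(2**127 - 1, 2**107 - 1)
KEY_233 = toy_keypair(2**89 - 1, 2**61 - 1)
RID_231 = ("key_id", b"\x06\x12")
RID_233 = ("party_serial", "Example CA", 4097)
# What the sender holds: only the encryption part of each certificate.
PARTIAL_CERTS = [
    {"rid": RID_231, "n": KEY_231["n"]},
    {"rid": RID_233, "n": KEY_233["n"]},
]

if __name__ == "__main__":
    msg = encrypt_for(b"meeting moved to 15:00", PARTIAL_CERTS)
    print(decrypt_as(msg, RID_233, KEY_233))
```

The content is encrypted once regardless of the number of recipients; only the 16-byte session key is processed per recipient, which is the saving the paragraph above describes.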

Accordingly, because secure communication is enabled using certificates of reduced size, memory, processor, and network bandwidth resources can be saved, and the time required to send a secure electronic message may be reduced.

The present invention can be implemented in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is therefore defined by the claims rather than by the foregoing description. All changes that come within the range of equivalency of the claims are to be embraced within their scope.

1. A method for a client source computer to encrypt an electronic message, wherein the client source computer encrypts the message for transmission to at least one of the client recipient computers in a network environment that includes the client source computer and a plurality of client recipient computers, the client source computer being able to send electronic messages to the plurality of client recipient computers, the network environment including one or more certificate servers that are able to check the validity of and provide certificates for at least some of the one or more client recipient computers to the client source computer, each certificate including encryption information necessary to encrypt for the respective client recipient computer and self-check information that makes it possible to determine that the certificate actually corresponds to the respective client recipient computer and has not been revoked, the method including steps in which the client source computer accesses an electronic message that is to be transmitted to a client recipient computer from among the plurality of client recipient computers,

determines that the electronic message is to be encrypted before transmission to the client recipient computer, forms a request for access to only a part of the certificate corresponding to the client recipient computer, the part including the encryption information necessary to encrypt the electronic message so that it can be decrypted at the client recipient computer,

transmits the request to the certificate server,

receives only the requested part of the certificate from the certificate server, and

uses the encryption information to encrypt the electronic message.

2. The method according to claim 1, wherein the request for access to only a part of the certificate is a hypertext transfer protocol (HTTP) request.

3. The method according to claim 1, wherein the requested part of the certificate does not include the self-check information that makes it possible to determine that the certificate actually corresponds to the respective client recipient computer and has not been revoked.

4. The method according to claim 3, wherein the validity check is performed by the certificate server, the certificate server being trusted by the client source computer.

5. The method according to claim 1, further including transmitting the encrypted electronic message to the client recipient computer.

6. The method according to claim 1, wherein the requested part of the certificate includes the public key of the client recipient computer.

7. The method according to claim 6, wherein the encrypted electronic message includes the following:

a first data field that represents the electronic message encrypted using a session key, and

a second data field that represents the session key encrypted using the public key.

8. The method according to claim 6, wherein the requested part additionally includes the requesting party of the certificate and the serial number of the certificate.

9. The method according to claim 8, wherein the encrypted electronic message includes the following:

a first data field that represents the electronic message encrypted using a session key, and

a second data field that represents the session key, the requesting party of the certificate and the serial number, encrypted using the public key.

10. The method according to claim 6, wherein the requested part additionally includes a key identifier of the certificate.

11. The method according to claim 10, wherein the encrypted electronic message includes the following:

a first data field that represents the electronic message encrypted using a session key, and

a second data field that represents the session key and the key identifier, encrypted using the public key.

12. The method according to claim 1, wherein the client recipient computer is a first client recipient computer to which the electronic message is to be transmitted in encrypted form, the certificate associated with the first client recipient computer is a first certificate, and the electronic message is also to be sent to a second client recipient computer, the method further including steps in which the client source computer

determines that the electronic message is to be encrypted before being sent to the second client recipient computer,

forms a request for access to only a part of a second certificate corresponding to the second client recipient computer, the part including the encryption information necessary to encrypt the electronic message so that it can be decrypted by the second client recipient computer,

transmits the request to the certificate server,

receives only the requested part of the second certificate from the certificate server, and

uses the encryption information in the second certificate to encrypt the electronic message.

13. The method according to claim 12, wherein the request for access to the part of the first certificate and the request for access to the second certificate are one and the same request.

14. The method according to claim 12, further including transmitting the encrypted electronic message.

15. The method according to claim 1, wherein the client recipient computer is a first client recipient computer to which the electronic message is to be transmitted in encrypted form, the certificate associated with the first client recipient computer is a first certificate, and the electronic message is also to be sent to a second client recipient computer, the method further including steps in which the client source computer

determines that the electronic message is to be encrypted before being sent to the second client recipient computer,

forms a request for access to the full second certificate corresponding to the second client recipient computer,

transmits the request to the certificate server,

receives the full second certificate from the certificate server, and uses the encryption information in the second certificate to encrypt the electronic message.

16. The method according to claim 15, wherein the request for access to the first certificate and the request for access to the second certificate are one and the same request.

17. Machine-readable media for use in a network environment that includes a client source computer and a plurality of client recipient computers, the client source computer being able to send electronic messages to the plurality of client recipient computers, the network environment including a certificate server that is able to provide certificates for at least some of the one or more client recipient computers to the client source computer, each certificate including encryption information necessary to encrypt for the respective client recipient computer and self-check information that makes it possible to determine that the certificate actually corresponds to the respective client recipient computer and has not been revoked, the machine-readable media including one or more recording media having machine-readable instructions which, when executed by one or more processors on the client source computer, cause the client source computer to perform

the action of obtaining, by the client source computer, access to an electronic message that is to be transmitted to a client recipient computer from among the plurality of client recipient computers,

the action of determining that the electronic message is to be encrypted before transmission to the client recipient computer,

the action of forming a request for access to only a part of the certificate corresponding to the client recipient computer, the part including the encryption information necessary to encrypt the electronic message so that it can be decrypted at the client recipient computer,

the action of transmitting the request to the certificate server,

the action of receiving only the requested part of the certificate from the certificate server, and

the action of using the encryption information to encrypt the electronic message.

18. Machine-readable media according to claim 17, wherein the one or more machine-readable media also have machine-readable instructions which, when executed by one or more processors on the client source computer, additionally cause the client source computer to perform the action of sending the encrypted electronic message to the client recipient computer.

19. Machine-readable media according to claim 17, wherein the client recipient computer is a first client recipient computer to which the electronic message is to be transmitted in encrypted form, the certificate associated with the first client recipient computer is a first certificate, and the electronic message is also to be sent to a second client recipient computer, the one or more machine-readable media also having machine-readable instructions which, when executed by one or more processors on the client source computer, additionally cause the client source computer to perform

the action of determining that the electronic message is to be encrypted before being sent to the second client recipient computer,

the action of forming a request for access to only a part of a second certificate corresponding to the second client recipient computer, the part including the encryption information necessary to encrypt the electronic message so that it can be decrypted by the second client recipient computer,

the action of transmitting the request to the certificate server,

the action of receiving only the requested part of the second certificate from the certificate server, and

the action of using the encryption information in the second certificate to encrypt the electronic message.

20. Machine-readable media according to claim 19, wherein the request for access to the part of the first certificate and the request for access to the second certificate are one and the same request.

21. Machine-readable media according to claim 17, wherein the client recipient computer is a first client recipient computer to which the electronic message is to be transmitted in encrypted form, the certificate associated with the first client recipient computer is a first certificate, and the electronic message is also to be sent to a second client recipient computer, the one or more machine-readable media also having machine-readable instructions which, when executed by one or more processors on the client source computer, additionally cause the client source computer to perform

the action of determining that the electronic message is to be encrypted before being sent to the second client recipient computer, the action of forming a request for access to the full second certificate corresponding to the second client recipient computer,

the action of transmitting the request to the certificate server,

the action of receiving the full second certificate from the certificate server, and the action of using the encryption information in the second certificate to encrypt the electronic message.

22. Machine-readable media according to claim 17, wherein the one or more machine-readable media are physical storage media.

23. Machine-readable media according to claim 17, wherein the one or more machine-readable media include, at least in part, memory allocated to an executable program.

24. Machine-readable media according to claim 17, wherein the one or more machine-readable media include non-volatile memory.

25. A method for a client source computer to perform certificate-based encryption of an electronic message, wherein the client source computer encrypts the message for transmission to at least one of the client recipient computers in a network environment that includes the client source computer and a plurality of client recipient computers, the client source computer being able to send electronic messages to the plurality of client recipient computers, the network environment including a certificate server that is able to provide certificates for at least some of the one or more client recipient computers to the client source computer, each certificate including encryption information necessary to encrypt for the respective client recipient computer and self-check information that makes it possible to determine that the certificate actually corresponds to the respective client recipient computer and has not been revoked, the method including steps in which

the client source computer accesses an electronic message that is to be transmitted to a client recipient computer from among the plurality of client recipient computers,

determines that the electronic message is to be encrypted before transmission to the client recipient computer, and

performs certificate-based encryption for the client recipient computer without local access to the full certificate corresponding to the client recipient computer.

26. The method according to claim 25, wherein the step of performing certificate-based encryption for the client recipient computer without local access to the full certificate corresponding to the client recipient computer includes steps in which the client source computer

forms a request for access to only a part of the certificate corresponding to the client recipient computer, said part including the encryption information necessary to encrypt the electronic message so that it can be decrypted at the client recipient computer,

transmits the request to the certificate server,

receives only the requested part of the certificate from the certificate server, and

uses the encryption information to encrypt the electronic message.

27. A method of providing encryption information from a certificate server that assists a client source computer in encrypting a message that is to be transmitted to at least one of the client recipient computers in a network environment that includes the client source computer and a plurality of client recipient computers, the client source computer being able to send electronic messages to the plurality of client recipient computers, the network environment including a certificate server that is able to provide certificates for at least some of the one or more client recipient computers to the client source computer, each certificate including encryption information necessary to encrypt for the respective client recipient computer and self-check information that makes it possible to determine that the certificate actually corresponds to the respective client recipient computer and has not been revoked, the method including steps in which the certificate server

receives a request from the client source computer, determines that the request is for access to only a part of the certificate corresponding to the client recipient computer, the part including the encryption information necessary to encrypt the electronic message so that it can be decrypted by the client recipient computer, and

responds to the request from the client source computer by returning the requested part of the certificate to the client source computer.

28. The method according to claim 27, wherein the request is an HTTP request.

29. The method according to claim 27, wherein the client recipient computer is a first client recipient computer and the certificate is a first certificate, the method further including steps in which the certificate server

determines that the request is for access to only a part of a second certificate corresponding to a second client recipient computer, including the encryption information necessary to encrypt the electronic message so that it can be decrypted by the second client recipient computer, and

responds to the request from the client source computer by returning the requested part of the second certificate to the client source computer.

30. The method according to claim 29, wherein the requested part of the first certificate and the requested part of the second certificate are returned in the same response to the request.

31. The method according to claim 30, wherein the response is an HTTP response.

32. Machine-readable media for use in a network environment that includes a client source computer and a plurality of client recipient computers, the client source computer being able to send electronic messages to the plurality of client recipient computers, the network environment including a certificate server that is able to provide certificates for at least some of the one or more client recipient computers to the client source computer, each certificate including encryption information necessary to encrypt for the respective client recipient computer and self-check information that makes it possible to determine that the certificate actually corresponds to the respective client recipient computer and has not been revoked, the computer program product being intended to implement a method for the certificate server that assists the client source computer in encrypting a message that is to be transmitted to at least one of the client recipient computers, the machine-readable media including one or more recording media having machine-readable instructions which, when executed by one or more processors on the certificate server, cause the certificate server to perform

the action of receiving a request from the client source computer,

the action of determining that the request is for access to only a part of the certificate corresponding to the client recipient computer, the part including the encryption information necessary to encrypt the electronic message so that it can be decrypted by the client recipient computer, and

the action of responding to the request from the client source computer by returning the requested part of the certificate to the client source computer.

33. Machine-readable media according to claim 32, wherein the client recipient computer is a first client recipient computer and the certificate is a first certificate, the one or more machine-readable media additionally having machine-readable instructions which, when executed by one or more processors on the certificate server, additionally cause the client source computer to perform

the action of determining that the request is for access to only a part of a second certificate corresponding to a second client recipient computer, including the encryption information necessary to encrypt the electronic message so that it can be decrypted by the second client recipient computer, and the action of responding to the request from the client source computer by returning the requested part of the second certificate to the client source computer.

34. Machine-readable media according to claim 32, wherein the one or more machine-readable media are physical storage media.

35. Machine-readable media according to claim 34, wherein the one or more machine-readable media include, at least in part, memory allocated to an executable program.

36. Machine-readable media according to claim 34, wherein the one or more machine-readable media include non-volatile memory.



 

Same patents:

FIELD: physics.

SUBSTANCE: invention is related to methods of usage data collection for television broadcast receivers. Method of usage data collection from broadcast receiver is suggested, whereat receiver is arranged to detect and save such usage data. Method involves representation (16, 18) of confidentiality policy to receiver that identifies not only the usage data subjected to collection, but also preset usage of such data. On receiver interactive or automatic determination (22) whether received policy of confidentiality is acceptable is carried out. If yes, receiver picks up (30) usage data identified in confidentiality policy from storage, and sends them (28) to sender of confidentiality policy.

EFFECT: increased confidentiality of usage of information about habits of users viewing.

15 cl, 3 dwg

FIELD: physics.

SUBSTANCE: invention is related to method for data recording for memory of portable terminal and to memory carrier. Method for recording data for memory of portable terminal contains a stage of reading, at which data is read that is saved on memory carrier of portable terminal; stage of data comparison, at which identifying data are compared, which are individual for user of portable terminal and read from memory carrier, with user registration data registered earlier, and a record command is brought to device of data reading/recording, only when data is approved; recording stage involving recording applied data required for portable terminal to memory carrier under the condition that at the stage of data comparison a record command is sent; stage of activation involving activation of portable terminal, to which memory carrier is connected. Memory carrier contains program, by means of which actions of the said method are enabled.

EFFECT: safety of saving data required for activation of portable telephone.

2 cl, 44 dwg

FIELD: information technology.

SUBSTANCE: registration page with the interface for user mandate input is available on the client system and the entered mandate is sent to the server. As a response to receipt of the user mandate, the server generates a unique session identifier for the client system. The server also receives a digital signature for the user mandate based on the current key in the memory of cyclically changed keys and unique session identifier. Then the server encrypts the digital signature and the user mandate based on the encryption key obtained from the current key and unique session identifier. The encrypted mandate being received with the client system, the keys from the memory of cyclically changed keys are used for checking validity of the mandate. With the user mandate not approved, the user is again transferred to the registration page.

EFFECT: provision of encrypted user mandate processing.

12 cl, 7 dwg

FIELD: information technology.

SUBSTANCE: publishing user is provided with the publication certificate from the DRM server, creates the content, ciphers it with the content key (CK), creates a rights mark for this content with open key of the DRM-server (PU-DRM), for generation (PU-DRM(CK)), restores (PU-ENTITY(PR-OLP)) from the publication certificate, applies secret key (PR-ENTITY) of the corresponding (PU-ENTITY) to the (PU-ENTITY(PR-OLP)) for obtaining (PR-OLP), sign the created rights mark using (PR-OLP), connects SRL and the publication certificate with encrypted content for creation a content package distributed to another user, that must connect with the DRM-server for obtaining a license with CK for playback of the content, creates the license data corresponding with the content package, with (CK), encrypted (PU-ENTITY) for generation of (PU-ENTITY(CK)), signs the license data using (PR-OLP) and attaches the publication certificate to the publication license.

EFFECT: possibility of the content publishing without initial receipt of permission from the server and license issuing for playback of the published content without permission from the server.

20 cl, 17 dwg

FIELD: technological processes.

SUBSTANCE: invention is related to the sphere of cryptographic devices and methods of checking electronic digital signature (EDS). In the method the secret key (SK) is formed, which includes three prime many-digit binary numbers ρ, q and γ. The open key (OK) is formed, which contains three many-digit binary numbers n, α and β, where n=Eρq+l, E - even number, α - number, which is related to index q by module n, and β - number, which is related to index γ by module q. Electronic document (ED) is accepted in the form of many-digit binary number H, electronic digital signature (EDS) Q is formed depending on values of SK, OK and many-digit binary number H, the first checking many-digit binary number A is formed depending on Q, intermediate many-digit binary number W is formed depending on OK and many-digit binary number H, the second checking many-digit binary number B is formed depending on W, and numbers A and B are compared. In case parameters of numbers A and B match, conclusion is drawn about authenticity of electronic digital signature.

EFFECT: reduces size of electronic digital signature without reduction of its resistance level.

8 cl

FIELD: technological processes.

SUBSTANCE: invention is related to the sphere of electrical communication, namely to the sphere of cryptographic devices and methods of electronic digital signature (EDS) check. In the method the secret key (SK) is formed, which includes three many-digit binary numbers (MDN) p, q and γ, where p, q are prime numbers and γ is composite number. The open key (OK) is formed in the form of two many-digit binary numbers n and α, where n = pq and α - number, which is related to index q by module n. Electronic document (ED) is accepted in the form of many-digit binary number H. Electronic digital signature (EDS) Q is formed depending on values of SK, OK and many-digit binary number H. The first checking many-digit binary number A is formed depending on Q. The intermediate many-digit binary number W is generated depending on OK and many-digit binary number H. The second checking many-digit binary number B is formed depending on W, and numbers A and B are compares. In case parameters of A and B numbers match, conclusion is drawn about authenticity of electronic digital signature.

EFFECT: reduces size of electronic digital signature without reduction of its resistance level.

10 cl, 6 ex

FIELD: digital rights control system.

SUBSTANCE: system contains first user device designed for query message setup and transfer, indicating transaction to be run in relation to digital content of at least one object of digital rights (OR), rights issuer aimed to receive query message from first user device, to identify transaction and to process this transaction and to provide access rights to digital content conjointly with server for second user device designed to receive information on stated access right concession. Receipt by the second user device of the mentioned information on the digital content access right concession is confirmation of execution of this right to second user device. Method describes operation of mentioned system.

EFFECT: ability of authorized user to transfer partially used or unused object of right to another user and return of OR.

49 cl, 15 dwg, 2 tbl

FIELD: portable electronic devices.

SUBSTANCE: portable electronic device includes memory to store a secret code in the form of pre-defined character sequence; rotating device with touch surface providing for user tactile impact and installed in such a manner as to provide for rotation around its axis; feedback tools separated from the rotating device to provide for feedback to user when turning the rotating device; conversion tool to convert each turn in sequence of turns of the rotating device to a character of corresponding ordered test character sequence, and verification tool to verify the test character sequence by comparing it with pre-defined character sequence.

EFFECT: user convenience during input of test character sequence along with provision of security and restriction of access to the device or to its individual functions.

33 cl, 7 dwg

FIELD: cryptography.

SUBSTANCE: in accordance to the method, cryptographic module is provided with two types of data, which may be received even from a communication partner who is not cryptographically reliable, and which either remain in cryptographic module, or are connected to the document. The information, which remains in cryptographic module, is used to protect the information in the document by generation of a check value, and information which is transferred to document, is used to confirm the fact that the document is protected by a cryptographic module, during the check of document authenticity in a control device.

EFFECT: the contact between cryptographically reliable contact device and document creator is realized directly.

2 cl, 3 dwg

FIELD: infrastructure of public keys (PKI), namely, registration and activation of PKI functions in infrastructures of public keys in SIM-cards.

SUBSTANCE: in accordance to the method, reference code and corresponding activation code are recorded in a table at protection server integrated in PKI or connected to PKI. The user inputs reference code or number in record form together with his personal data, after that the form is sent to PKI and to protection server. After registration is confirmed from the side of PKI, the confirmation information is transmitted to user and supplemented with a request to input activation code at user terminal. Simultaneously, the activation code associated with reference code in the table and identification data of smart-card of user are transmitted to activation module in PKI, then activation code together with identification data of smart-card is transmitted from terminal to activation module and on receipt thereof the activation module determines whether the data coincides with activation code and identification data, provided in advance by protection server, and in case they do, the module performs command of activation of PKI-component of smart-card.

EFFECT: reduced processing time.

13 cl

FIELD: information protection.

SUBSTANCE: in the method for transferring messages while providing for confidentiality of identification signs of communication system objects, devices of communication system subscribers interact through a central device, and for each communication session cryptographic conversion of the subscriber device identifier is performed using the encryption key of the current subscriber device. During said cryptographic conversion a symmetrical cryptographic algorithm is used, and two message transfer modes are taken into consideration: on initiative from subscriber device to central device, and vice versa.

EFFECT: protection from unsanctioned access to identifiers of devices of system subscribers transferred via communication channels, in particular when providing for confidentiality of messages identification signs in communications systems with multiple subscriber devices.

6 dwg

FIELD: computer science.

SUBSTANCE: previously for sender and receiver a binary series of digital watermark k-bit long is formed as well as binary series of secret key, message is certified at sender side using binary series of digital watermark and secret key, certified message is sent to receiver, where authenticity of received message is checked using binary series of digital watermark and secret key.

EFFECT: higher reliability, higher efficiency.

4 cl, 5 dwg

FIELD: mobile communications.

SUBSTANCE: server generates one-time activation code, sends it to user via intellectual card in cell phone and when user inputs an activation code in his cell phone, inputted code is transmitted to server for verification, in case of positive result server sends a command to phone to provide for access, which opens access to appropriate set of functions of intellectual card, while portion of functions can contain, for example, PKI-functions, which were concealed and inaccessible for user until said moment, after that user can select his own PIN-code for authentication, encoding and signature for transactions, and, concerning activation of PKI functions, generation of necessary secret and open keys, and also necessary certification are carried out after verification of activation code.

EFFECT: higher efficiency, broader functional capabilities.

1 cl, 1 dwg

FIELD: computer science.

SUBSTANCE: system has center of certification, forming and distribution of keys, at least one user device and at least one distributed data processing server. Method describes operation of said system. Subsystem for forming open keys contains memory block for tables of secret substitutions of columns and rows of secret keys tables, memory block for table of symmetric substitution of columns and rows of external key table, register for sequence of transitive connection between rows of secret substitutions tables, block for logical output on sequence of transitive dependence, memory block for table of relative non-secret substitution of columns and rows of external key table, open key register, input commutation block and control block.

EFFECT: higher efficiency, broader functional capabilities.

5 cl, 15 dwg

Protection means // 2260840

FIELD: mobile communications.

SUBSTANCE: protection means has key module and blocking module. Mobile communication system has protection means and communication port. Method describes operation of said protection means and mobile device.

EFFECT: broader functional capabilities.

3 cl, 5 dwg

FIELD: electrical communications.

SUBSTANCE: proposed method that can be used in attack detection systems for on-line detection and blocking of unauthorized attacks in computer systems including Internet involves presetting of list of authorized connections as aggregate of reference connection identifiers, introduction of factor of urgency of reference authorized-connection identifiers and list of names of authorized processes, generation of list of unauthorized connections received in the course of checkup due to introduction of maximal admissible quantity of any of probable unauthorized connections, and their counting.

EFFECT: enhanced reliability of identifying unauthorized attacks in computer networks.

1 cl, 8 dwg

FIELD: systems and method for controlling transfer of keys for decoding or access to encoded information.

SUBSTANCE: each one of variants of information protection systems for controlling access to protected information has hardware means for storing at least one data element, including decoding key and appropriate information protection code, while information protection code sets number of operations of passage of decoding key, and first user, connected to encoded information, can determine through information protection code, whether second user can transfer code for information protection to third user, while number of generation of data is requested each time after receipt of query for transferring decoding key to another user and is decreased by one unit for each request, and as soon as it reaches zero, system denies all further requests.

EFFECT: improved level of information protection.

3 cl, 6 dwg

FIELD: engineering of object access means.

SUBSTANCE: device has saved standard, containing fingerprint of authorized user, combined with verification code. In case of match between fingerprint of authorized user with one stored in memory, verification code is generated. Device activated by key periodically transmits an identifier; on receipt by access device of identifier, matching one of identifiers stored in memory, appropriate access key is extracted and sent to device activated by key to allow access to user.

EFFECT: high level of protection from unauthorized access.

3 cl, 2 dwg

FIELD: radio engineering, in particular, authentication method for stationary regional wireless broadband access systems, possible use, for example, for protecting transferred data in stationary regional broadband access systems.

SUBSTANCE: in accordance to method, two main procedures are performed - authentication of client station and, also, authentication of base station.

EFFECT: increased protection level of transmitted data in stationary wireless broadband access systems.

4 cl, 6 dwg

FIELD: technology for checking authentication and authorization.

SUBSTANCE: method for checking rights of user of end telecommunication device for using a service, while device for accessing telecommunication network receives at least one certificate and identification data from telecommunication end device, after that network control device together with certification device checks, whether certificate, confirming identification data, is valid and whether it has positive status, whether additional privileges are given by additional certificates, and if that is so, then secret data is transferred to access device (session key), which are also transferred to telecommunication end device in form, encrypted by at least an open key, and access device provides free access by taking a decision, appropriate for rights of user of telecommunication network.

EFFECT: simple and efficient authentication and authorization of users for certain services or transactions, performed via telecommunication network.

11 cl, 1 dwg
