Abstract: The invention relates to the generation of digital signatures by the use of which the legally binding nature of a digital signature is enhanced. For this, an expanded digital signature is created which, in addition to the hash, contains other information, in particular information identifying the hardware and software environment used in generating the signature.

Abstract: A technique for cryptographic strength selection for at least one application is provided, in accordance with a framework for providing cryptographic support of the at least one application. Data encryption is performed at a first cryptographic strength when the at least one application is privileged to perform encryption at a first cryptographic strength. Data encryption is performed at a second cryptographic strength when the at least one application is not privileged to perform encryption at the first cryptographic strength. The first cryptographic strength is stronger than the second cryptographic strength.

Abstract: A method for creating, storing and reading a new certificate type for certification of keys is provided. In the new certificate type, several certificates, containing a minimum quantity of redundant data fields, are collated to form one certificate and all redundant information on the certificates is eliminated. An embodiment of the new certificate type is the group certificate. The group certificate is used where several keys are to be issued at the same time for the same user by the same certification instance. By means of the group certificate, all redundant data elements are eliminated and all data elements for a set of several keys subject to certification are grouped into one certificate. This substantially reduces the memory requirement, and handling of the certificates is simplified for the communication partners. A further embodiment of the new certificate type is the basic and supplementary certificate combination.

Abstract: An apparatus, method, and computer program product for achieving interoperability between cryptographic key recovery enabled and unaware systems. The method includes the steps of encrypting data using a cryptography key to generate ciphertext; generating a key recovery block containing key recovery information for the ciphertext; determining whether a receiver for the ciphertext is key recovery unaware; and sending the key recovery block to a key recovery client when it is determined that the receiver is key recovery unaware. In a preferred embodiment, the ciphertext is sent to the receiver only after receiving confirmation from the key recovery client of the receipt of the key recovery block. Also in a preferred embodiment, the key recovery block is sent as part of an Internet Message Control Protocol (ICMP) message.

Abstract: A technique for cryptographic strength selection for at least one application is provided, in accordance with a framework for providing cryptographic support of the at least one application. Data encryption is performed at a first cryptographic strength when the at least one application is privileged to perform encryption at a first cryptographic strength. Data encryption is performed at a second cryptographic strength when the at least one application is not privileged to perform encryption at the first cryptographic strength. The first cryptographic strength is stronger than the second cryptographic strength.

Abstract: An Improved CDSA system (CDSA-I) includes a standard CDSA framework coupled via an Application Program Interface to an application requiring cryptographic support. During manufacture, a cryptographic control privilege is incorporated into the application, as part of an exemption mechanism, which exemption may or may not be enforced by the CDSA framework. For maximum cryptographic strength, an application must be signed by a private key controlled by the CDSA framework vendor. Inside the CDSA framework, the corresponding public key is used to verify at runtime those applications that were appropriately signed. The CDSA framework is coupled via a Service Provider Interface (SPI) to a plurality of pluggable modules for performing cryptographic operations, storing signed digital certificates for applications, and trust policies relating to cryptographic strengths. The framework is initialized to provide the cryptographic support for the application.

Abstract: An apparatus, method, and computer program product for achieving interoperability between cryptographic key recovery enabled and unaware systems. The method includes the steps of encrypting data using a cryptography key to generate ciphertext; generating a key recovery block containing key recovery information for the ciphertext; determining whether a receiver for the ciphertext is key recovery unaware; and sending the key recovery block to a key recovery client when it is determined that the receiver is key recovery unaware. In a preferred embodiment, the ciphertext is sent to the receiver only after receiving confirmation from the key recovery client of the receipt of the key recovery block. Also in a preferred embodiment, the key recovery block is sent as part of an Internet Message Control Protocol (ICMP) message.

Abstract: An apparatus, method, and computer program product for high-availability multi-agent cryptographic key recovery. The present invention defines a key recovery block that specifies allowable subsets of the total set of key recovery agents that can participate in a key recovery. For each subset, key recovery information is computed and stored after the subset is specified. This key recovery information is only useable by that subset because it is computed using that subset of public keys of the agents. When key recovery is initiated, a trusted processor (a key recovery coordinator) validates the contents of the key recovery block and it uses and is allowed to use any of the subsets of the agents to process the key recovery request. Since many subsets could be specified, the likelihood of key recovery failure is greatly diminished.

Abstract: A method, system, and computer program are disclosed to transport an encrypted key across multiple, diverse systems which provides the relevant and necessary information to guarantee a successful decryption of the key. The method prepares an ASN.1 encoding file at the sender which contains the key. The receiver performs the method to decode the ASN.1 encoded file. In this manner, only the data and the contents of the portable key need to be sent to guarantee successful decryption at the receiver.