Patents by Inventor Stephen M. Matyas

Stephen M. Matyas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 5231666
    Abstract: A data processing system, method and computer program provide for the secure updating an electronic purse which includes a list of purse records. The method includes the step of defining an authentication tree with an authentication tree function comprising a one way function of purse records in the list, the authentication tree having a first root for a first list of the purse records and storing the first root in a cryptographic facility. The authentication tree includes authentication MDC vectors, one for each purse record in the list. The method includes the step of receiving a transaction record in the cryptographic facility, including an authentication code, a cryptographic key, and an authentication MDC vector, for updating an existing purse record in the first list. The method then performs the step of performing a purse update function in the cryptographic facility.
    Type: Grant
    Filed: April 20, 1992
    Date of Patent: July 27, 1993
    Assignee: International Business Machines Corporation
    Inventor: Stephen M. Matyas
  • Patent number: 5214698
    Abstract: A cryptographic facility implements a multiple key part import procedure. The installation manager can verify that a key part has been correctly entered and has not been compromised. The security requirement for the procedure is that no single party can subvert the system security by misusing the procedure. This is accomplished by the use of a control-vector-dependent verification pattern to indicate that each key part has been accepted by using the proper control vector and the use of different key switch positions to specify whether the key part is a master key part or an operational key part and whether the key part is a first part or a subsequent key part. The apparatus provides an automatic reset of the key part register at the completion of each key-entry instruction so that each key part can be imported only once. This prevents the same key part from being imported twice as different key part types. The apparatus also prevents a key part from being combined with itself to create a known key.
    Type: Grant
    Filed: March 20, 1991
    Date of Patent: May 25, 1993
    Assignee: International Business Machines Corporation
    Inventors: Ronald M. Smith, Sr., Phil C. Yeh, Randall J. Easter, Donald B. Johnson, An Van Le, Stephen M. Matyas, Julian Thomas, John D. Wilkins
  • Patent number: 5201000
    Abstract: A data processing system, program and method are disclosed for managing a public key cryptographic system which includes a public key, private key pair generator. The method includes the step of generating a first public key, private key pair using a first seed value known to a user, the first seed value being generated from a passphrase. A first random number is generated using the first seed value and applied to generating the first key pair. The method then generates a first control vector defining a first use of the first public key, private key pair.The method then continues with the step of generating a second public key, private key pair using a second seed value unknown to the user, the second seed value being a true random number. The second random number is generated using the second seed value in a pseudorandom number generator and applied to generating the second key pair. The method generates a second control vector defining a second use of the second public key, private key pair.
    Type: Grant
    Filed: September 27, 1991
    Date of Patent: April 6, 1993
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Donald B. Johnson, An V. Le, Rostislaw Prymak, John D. Wilkins
  • Patent number: 5200999
    Abstract: A data processing system, method and program are disclosed, for managing a public key cryptographic system. The method includes the steps of generating a first public key and a first private key as a first pair in the data processing system, for use with a first public key algorithm and further generating a second public key and a second private key as a second pair in the data processing system, for use with a second public key algorithm. The method then continues by assigning a private control vector for the first private key and the second private key in the data processing system, for defining permitted uses for the first and second private keys. Then the method continues by forming a private key record which includes the first private key and the second private key in the data processing system, and encrypting the private key record under a first master key expression which is a function of the private control vector.
    Type: Grant
    Filed: September 27, 1991
    Date of Patent: April 6, 1993
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Donald B. Johnson, An V. Le, Rostislaw Prymak, William C. Martin, William S. Rohland, John D. Wilkins
  • Patent number: 5177791
    Abstract: A working key of a certain key type is to be transmitted from a first system (having a first usage-control value associated with keys of the certain type) and a second system (having a second usage-control value associated with keys of the certain type). A translation control value, associated with the certain key type, is generated, functionally relating the first and second usage-control values. The translation control value is used in a cryptographic function to send or receive the working key between systems, the cryptographic function being designed to produce valid results when the correct translation control value, and usage-control values, are employed, and unpredictable results otherwise. Effectively, the first usage-control value is translated to the second usage-control value.
    Type: Grant
    Filed: August 30, 1991
    Date of Patent: January 5, 1993
    Assignee: International Business Machines Corp.
    Inventors: Phil C. Yeh, Dennis G. Abraham, Donald B. Johnson, An Van Le, Stephen M. Matyas, Rotislaw Prymak, Ronald M. Smith, Sr., John D. Wilkins
  • Patent number: 5164988
    Abstract: Device A in a public key cryptographic network will be constrained to continue to faithfully practice a security policy dictated by a network certification center, long after device A's public key PUMa has been certified. If device A alters its operations from the limits encoded in its configuration vector, for example by loading a new configuration vector, device A will be denied participation in the network. To accomplish this enforcement of the network security policy dictated by the certification center, it is necessary for the certification center to verify at the time device A requests certification of its public key PUMa, that device A is configured with the currently authorized configuration vector. Device A is required to transmit to the certification center a copy of device A's current configuration vector, in an audit record. the certification center then compares device A's copy of the configuration vector with the authorized configuration vector for device A stored at the certification center.
    Type: Grant
    Filed: October 31, 1991
    Date of Patent: November 17, 1992
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Donald B. Johnson, An V. Le, Rostislaw Prymak, William C. Martin, William S. Rohland, John D. Wilkins
  • Patent number: 5142578
    Abstract: The patent describes a method and apparatus for securely distributing an initial Data Encryption Algorithm (DEA) key-encrypting key by encrypting a key record (consisting of the key-encrypting key and control information associated with that key-encrypting key) using a public key algorithm and a public key belonging to the intended recipient of the key record. The patent further describes a method and apparatus for securely recovering the distributed key-encrypting key by the recipient by decrypting the received key record using the same public key algorithm and private key associated with the public key and re-encrypting the key-encrypting key under a key formed by arithmetically combining the recipient's master key with a control vector contained in the control information of the received key record.
    Type: Grant
    Filed: August 22, 1991
    Date of Patent: August 25, 1992
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Donald B. Johnson, An V. Le, Rostislaw Prymak, John D. Wilkins, William C. Martin, William S. Rohland
  • Patent number: 5103478
    Abstract: A requested cryptographic function is validated for performance in conjunction with a cryptographic key, by inputting a first portion of an associated control vector into a first control vector checker, which outputs a first authorization signal if the requested cryptographic function has been authorized by the originator of the key. A second portion of the control vector is input to a second control vector checker, which outputs a second authorization signal if the requested cryptographic function has been authorized by the originator of the key. Both the first and the second authorization signals are applied to a cryptographic processor which initiates the execution of the requested cryptographic function.
    Type: Grant
    Filed: October 12, 1990
    Date of Patent: April 7, 1992
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Dennis G. Abraham, Donald B. Johnson, Ramesh K. Karne, An V. Le, Patrick J. McCormack, Rostislaw Prymak, John D. Wilkins
  • Patent number: 5073934
    Abstract: A method and apparatus in a public crypto system, control the use of a public key, based on the level of import integrity for the public key. The method and apparatus generate a control vector associated with the public key, having a history field. The public key and the control vector are transmitted from the location of generation over a communications link to a receiving location, using the selected one of a plurality of levels of import integrity for the transmission. At the receiving location, the public key and the control vector are tested to determine the actual level of import integrity for the transmission. Then, a value is written into the history field of the control vector which characterizes the actual level of import integrity.
    Type: Grant
    Filed: October 24, 1990
    Date of Patent: December 17, 1991
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Donald B. Johnson, An V. Le, William C. Martin, Rostislaw Prymak, William S. Rohland, John D. Wilkins
  • Patent number: 5007089
    Abstract: The invention includes a control vector checking code respository located either within the same system as the crytographic facility or alternately remotely from the system containing the cryptographic facility. The control vector checking code repository will be linked to the cryptographic facility by one of several means. A first means for linking the repository to the cryptographic facility would include a physically secure data communications link. A second means for connecting the repository to the cryptographic facility would be by using an insecure channel with authentication, wherein either a modification detection code or alternately a message authentication code would be transmitted to the cryptographic facility and then the desired control vector checking code would be transmitted over the link. The cryptographic facility will include a code authorization mechanism to compare the transmitted MAC or MDC with a corresponding value computed from the received control vector checking code.
    Type: Grant
    Filed: April 9, 1990
    Date of Patent: April 9, 1991
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Donald B. Johnson, An V. Le, William C. Martin, Rostislaw Prymak, John D. Wilkins
  • Patent number: 4993069
    Abstract: A cryptographic system and method is provided which accepts a key K encrypted under a key formed by exclusive-ORing a key-encrypting key KK with a first control vector C5 and outputs the same key K encrypted under a key formed by exclusive-ORing KK with a second control vector C6. The set (C5, C6) represents a mapping of the type and usage of the key K defined by the control vector C5 to the type and usage defined by the control vector C6. The set of allowable control vector mappings, that is from C5 to C6, are defined in a control vector translation table, which is specified in advance by authorized installation personnel.
    Type: Grant
    Filed: November 29, 1989
    Date of Patent: February 12, 1991
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Dennis G. Abraham, Donald B. Johnson, An V. Le, Rostislaw Prymak, John D. Wilkins, Phil C. Yeh
  • Patent number: 4941176
    Abstract: The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key.
    Type: Grant
    Filed: August 11, 1988
    Date of Patent: July 10, 1990
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Dennis G. Abraham, Donald B. Johnson, Ramesh K. Karne, An V. Le, Rostislaw Prymak, Julian Thomas, John D. Wilkins, Phil C. Yeh
  • Patent number: 4924515
    Abstract: A method and apparatus are disclosed for use in a data processing system which executes a program which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform. The improved method and apparatus enable the use of control vectors having an arbitrary length. It includes a control vector register having an arbitrary length, for storing a control vector of arbitrary length associated with an N-bit cryptographic key. It further includes a control vector checking means having an input coupled to the control vector register, for checking that the control vector authorizes the cryptographic function which is requested by the cryptographic service request. It further includes a hash function generator having an input coupled to the control vector register and an N-bit output, for mapping the control vector output from the control vector register, into an N-bit hash value.
    Type: Grant
    Filed: August 24, 1989
    Date of Patent: May 8, 1990
    Assignee: International Business Machines Coprporation
    Inventors: Stephen M. Matyas, Dennis G. Abraham, William C. Arnold, Donald B. Johnson, Ramesh K. Karne, An V. Le, Rostislaw Prymak, Steve R. White, John D. Wilkins
  • Patent number: 4924514
    Abstract: Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys.Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification).
    Type: Grant
    Filed: August 24, 1989
    Date of Patent: May 8, 1990
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Dennis G. Abraham, Donald B. Johnson, Ramesh K. Karne, An V. Le, Rostislaw Prymak, Julian Thomas, John D. Wilkins, Phil C. Yeh, Ronald M. Smith
  • Patent number: 4918728
    Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention.
    Type: Grant
    Filed: August 30, 1989
    Date of Patent: April 17, 1990
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Dennis G. Abraham, Donald B. Johnson, Ramesh K. Karne, An V. Le, Rostislaw Prymak, Julian Thomas, John D. Wilkins, Phil C. Yeh
  • Patent number: 4908861
    Abstract: A cryptographic method and apparatus are disclosed which transform a message or arbitrary length into a block of fixed length (128 bits) defined modification detection code (MDC). Although there are a large number of messages which result in the same MDC, because the MDC is a many-to-one function of the input, it is required that it is practically not feasible for an opponent to find them. In analyzing the methods, a distinction is made between two types of attacks, i.e., insiders (who have access to the system) and outsiders (who do not). The first method employs four encryption steps per DEA block and provides the higher degree of security. Coupling between the different DEA operations is provided by using the input keys also as data in two of the four encryption steps. In addition, there is cross coupling by interchanging half of the internal keys.
    Type: Grant
    Filed: August 28, 1987
    Date of Patent: March 13, 1990
    Assignee: International Business Machines Corporation
    Inventors: Bruno O. Brachtl, Don Coppersmith, Myrna M. Hyden, Stephen M. Matyas, Jr., Carl H. W. Meyer, Jonathan Oseas, Shaiy Pilpel, Michael Schilling
  • Patent number: 4850017
    Abstract: A method for controlling the use of a cryptographic key at a using station by a generating station in a network of generating and using stations is disclosed. A control value specifying the use of the cryptographic key is transmitted with a generated cryptographic key to at least two designated using stations one of which may be the generating station. Each of the generating and using stations have cryptographic facilities that securely store a master key. Two techniques are described for controlling the use of the cryptographic key. In the first, the key and the control value are authenticated via a special authentication code before use by the using station. In the second, the key and control value are coupled during key generation such that the key is recovered only if a correct control value is specified. In addition, two techniques are described for controlling who may use the cryptographic key.
    Type: Grant
    Filed: May 29, 1987
    Date of Patent: July 18, 1989
    Assignee: International Business Machines Corp.
    Inventors: Stephen M. Matyas, Jr., Carl H. W. Meyer, Bruno O. Brachtl
  • Patent number: 4771461
    Abstract: A procedure is disclosed for initializing with security and integrity a large number of terminals in an EFT/POS network with cryptographic variables. Each terminal in the network is provided with a cryptographic facility which performs the necessary cryptographic functions. A key distribution center is established, and a public and secret key pair is generated for the key distribution center. Each terminal in the network is provided with a terminal identification known to the key distribution center, the public key of the key distribution center is stored in the cryptographic facility of each terminal. A terminal initializer is designated for each terminal, and the terminal initializer for each terminal is notified of two expiration times for the purposes of registering the terminal's cryptovariable with the key distribution center. The cryptovariable is generated by the terminal using its cryptographic facility.
    Type: Grant
    Filed: June 27, 1986
    Date of Patent: September 13, 1988
    Assignee: International Business Machines Corporation
    Inventor: Stephen M. Matyas
  • Patent number: 4757534
    Abstract: A cryptographic method for discouraging the copying and sharing of purchased software programs allows an encrypted program to be run on only a designated computer or, alternatively, to be run on any computer but only by the user possessing a designated smart card. Each program offering sold by the software vendor is encrypted with a unique file key and then written on a diskette. A user who purchases a diskette having written thereon an encrypted program must first obtain a secret password from the software vendor. This password will allow the encrypted program to be recovered at a prescribed, designated computer having a properly implemented and initialized encryption feature. The encryption feature decrypts the file key of the program from the password, and when the encrypted program is loaded at the proper computer, the program or a portion of it is automatically decrypted and written into a protected memory from which it can only be executed and not accessed for non-execution purposes.
    Type: Grant
    Filed: February 3, 1987
    Date of Patent: July 12, 1988
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Jonathan Oseas
  • Patent number: 4755940
    Abstract: An electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card issuing agencies data processing centers. Users of the system are issued with intelligent secure bank cards, which include a microprocessor, ROS and RAM stores. The POS includes a personal key (KP) and an account number (PAN) stored on the card when the issuer issues it to the user. Users also have a personal identity number (PIN) which is stored or remembered separately.A transaction is initiated at a retail terminal when a card is inserted in an EFT module connected to the terminal. A request message including the PAN and a session key (KS) is transmitted to the issuers data processing center. The issuer generates an authentication parameter (TAP) based upon its stored version of KP and PIN and a time variant parameter received from the terminal.
    Type: Grant
    Filed: January 6, 1987
    Date of Patent: July 5, 1988
    Assignee: International Business Machines Corporation
    Inventors: Bruno Brachtl, Christopher J. Holloway, Richard E. Lennon, Stephen M. Matyas, Carl H. Meyer, Jonathan Oseas