System and methods for verifying a cryptographic access code
Uložené v:
| Názov: | System and methods for verifying a cryptographic access code |
|---|---|
| Patent Number: | 12052,374 |
| Dátum vydania: | July 30, 2024 |
| Appl. No: | 17/892649 |
| Application Filed: | August 22, 2022 |
| Abstrakt: | A system and method for verifying a cryptographic access code is provided. If a set of cryptographic access components are quantum-aware, the system can obtain a post-quantum encryption and/or decryption algorithm from a context-specific non-critical extension in a private OID namespace, such as SABER, Kyber, Enhanced McEliece, or RLCE. If the set of cryptographic access components are quantum-aware, the system can obtain a post-quantum signature or verification algorithm from the private OID namespace. The system can validate a root of trust specified in a TAL record; confirm that a respective certificate, CRL, or TAL is specified in at least one Manifest record; confirm that a hash of the respective certificate, CRL, or TAL matches a recorded hash in a respective Manifest listing the respective certificate, CRL, or TAL; and confirm that a respective CRL or Manifest is fresh. |
| Inventors: | QuSecure, Inc. (San Mateo, CA, US) |
| Assignees: | QuSecure, Inc (San Mateo, CA, US) |
| Claim: | 1. A method of verifying a cryptographic access code, comprising: responsive to a set of cryptographic access components being quantum-aware: obtaining a post-quantum encryption or decryption algorithm from a context-specific extension in a private Object Identifier (OID) namespace, the post-quantum encryption or decryption algorithm comprising at least one of: SABER; Kyber; McEliece; or Random Linear Code Encryption Scheme (RLCE); and obtaining a post-quantum signature or verification algorithm from the private OID namespace; validating a root of trust specified in a Trust Anchor Locator (TAL) record; confirming that a respective certificate, Certificate Revocation List (CRL), or the TAL is specified in at least one Manifest record; confirming that a hash of the respective certificate, the CRL, or the TAL matches a recorded hash associated with the respective certificate, the CRL, or the TAL in a respective Manifest listing the respective certificate, the CRL, or the TAL; and confirming that the respective CRL or the Manifest is fresh. |
| Claim: | 2. The method of claim 1 , further comprising communicating with instructions executed by an access or authorization device, and wherein the set of cryptographic access components includes the instructions. |
| Claim: | 3. The method of claim 2 , wherein the access or authorization device comprises a Cryptographic Access Card (CAC). |
| Claim: | 4. The method of claim 2 , wherein the private OID namespace is stored in the access or authorization device. |
| Claim: | 5. The method of claim 2 , wherein the access or the authorization device comprises a payment card. |
| Claim: | 6. The method of claim 2 , wherein communicating with the instructions executed by the access or authorization device comprises communicating via one or more modalities of direct connection with the access or the authorization device using an integrated circuit (IC) chip reader; a card reader; or contactless communication. |
| Claim: | 7. The method of claim 1 , further comprising, responsive to the set of cryptographic access components not being quantum-aware, obtaining an interoperable non-quantum encryption or decryption algorithm. |
| Claim: | 8. The method of claim 1 , further comprising: checking specification compliance of a public key infrastructure (PKI) object; discovering a path from a certificate to the root of trust; and computationally validating the path. |
| Claim: | 9. A computing system configured to verify a cryptographic access code, the computing system comprising: a non-transitory memory; and at least one processor coupled to the non-transitory memory and configured to: responsive to a set of cryptographic access components being quantum-aware: obtain a post-quantum encryption or decryption algorithm from a context-specific extension in a private Object Identifier (OID) namespace, the post-quantum encryption or decryption algorithm comprising at least one of: SABER; Kyber; McEliece; or Random Linear Code Encryption Scheme (RLCE); and obtain a post-quantum signature or verification algorithm from the private OID namespace; validate a root of trust specified in a Trust Anchor Locator (TAL) record; confirm that a respective certificate, Certificate Revocation List (CRL), or the TAL is specified in at least one Manifest record; confirm that a hash of the respective certificate, the CRL, or the TAL matches a recorded hash associated with the respective certificate, the CRL, or the TAL in a respective Manifest listing the respective certificate, the CRL, or the TAL; and confirm that the respective CRL or the Manifest is fresh. |
| Claim: | 10. The computing system of claim 9 , wherein the at least one processor is further configured to communicate with instructions executed by an access or authorization device, and wherein the set of cryptographic access components includes the instructions. |
| Claim: | 11. The computing system of claim 10 , wherein the access or authorization device comprises a Cryptographic Access Card (CAC). |
| Claim: | 12. The computing system of claim 10 , wherein the private OID namespace is stored in the access or the authorization device. |
| Claim: | 13. The computing system of claim 10 , wherein the access or the authorization device comprises a payment card. |
| Claim: | 14. The computing system of claim 10 , wherein to communicate with the instructions executed by the access or the authorization device comprises to communicate via one or more modalities of direct connection with the access or the authorization device using an integrated circuit (IC) chip reader; a card reader; or contactless communication. |
| Claim: | 15. The computing system of claim 9 , wherein the at least one processor is further configured, responsive to the set of cryptographic access components not being quantum-aware, to obtain an interoperable non-quantum encryption or decryption algorithm. |
| Claim: | 16. The computing system of claim 9 , wherein the at least one processor is further configured to: check specification compliance of a public key infrastructure (PKI) object; discover a path from a certificate to the root of trust; and computationally verify the path. |
| Claim: | 17. A non-transitory computer readable medium storing executable sequences of instructions to: responsive to a set of cryptographic access components being quantum-aware: specify a post-quantum encryption or decryption algorithm within a context-specific extension in a private Object Identifier (OID) namespace, the post-quantum encryption or decryption algorithm comprising at least one of: SABER; Kyber; McEliece; or Random Linear Code Encryption Scheme (RLCE); and specify a post-quantum signature or verification algorithm within the private OID namespace; specify a root of trust within a Trust Anchor Locator (TAL) record; specify a respective certificate, Certificate Revocation List (CRL), or the TAL in at least one Manifest record; provide a hash of the respective certificate, the CRL, or the TAL, wherein the hash matches a recorded hash associated with the respective certificate, the CRL, or the TAL in a respective Manifest listing the respective certificate, the CRL, or the TAL; and provide a future update field for the respective CRL or the Manifest. |
| Claim: | 18. The non-transitory computer readable medium of claim 17 , wherein the instructions are configured to be executed by an access or authorization device, and wherein the set of cryptographic access components includes the instructions. |
| Claim: | 19. The non-transitory computer readable medium of claim 18 , wherein the non-transitory computer readable medium is configured to be read by the access or authorization device via one or more modalities of direct connection with the access or the authorization device using an integrated circuit (IC) chip reader; a card reader; or contactless communication. |
| Claim: | 20. The non-transitory computer readable medium of claim 17 , wherein the non-transitory computer readable medium is stored within a Cryptographic Access Card (CAC). |
| Claim: | 21. The non-transitory computer readable medium of claim 17 , wherein the non-transitory computer readable medium is stored within a payment card. |
| Claim: | 22. The non-transitory computer readable medium of claim 17 , wherein the private OID namespace is stored within the non-transitory computer readable medium. |
| Claim: | 23. The non-transitory computer readable medium of claim 17 , wherein the instructions further comprise instructions, responsive to the set of cryptographic access components not being quantum-aware, to specify an interoperable non-quantum encryption or decryption algorithm. |
| Claim: | 24. The non-transitory computer readable medium of claim 17 , wherein the instructions further comprise instructions to: check specification compliance of a public key infrastructure (PKI) object; discover a path from a certificate to the root of trust; and computationally validate the path. |
| Patent References Cited: | 6456716 September 2002 Arnold 7797281 September 2010 Greene 10742420 August 2020 Griffin 11122346 September 2021 Kumar 11240014 February 2022 Maganti 20070130621 June 2007 Marinescu 20080307494 December 2008 Holtzman 20100115267 May 2010 Guo 20130132718 May 2013 Agrawal 20210377049 December 2021 Nix 20220138349 May 2022 Saarinen 20220278855 September 2022 Jacquin 20230261854 August 2023 Dottax |
| Primary Examiner: | Schwartz, Darren B |
| Attorney, Agent or Firm: | Hooser, Barry Van Feldman, Baruch Jennings, Derek |
| Prístupové číslo: | edspgr.12052374 |
| Databáza: | USPTO Patent Grants |
| Abstrakt: | A system and method for verifying a cryptographic access code is provided. If a set of cryptographic access components are quantum-aware, the system can obtain a post-quantum encryption and/or decryption algorithm from a context-specific non-critical extension in a private OID namespace, such as SABER, Kyber, Enhanced McEliece, or RLCE. If the set of cryptographic access components are quantum-aware, the system can obtain a post-quantum signature or verification algorithm from the private OID namespace. The system can validate a root of trust specified in a TAL record; confirm that a respective certificate, CRL, or TAL is specified in at least one Manifest record; confirm that a hash of the respective certificate, CRL, or TAL matches a recorded hash in a respective Manifest listing the respective certificate, CRL, or TAL; and confirm that a respective CRL or Manifest is fresh. |
|---|