[0001] This relates to digital certificates in general and, more particularly, to apparatus and methods for generating combined digital certificates.

BACKGROUND

[0002] Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt plaintext, and one to unlock or decrypt cyphertext. One of these keys is published or public (a public key) and the other is kept private (a private key). If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key's owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key.

[0003] Several different public-key primitives can be used to provide a digital signature.

Some are based on a discrete logarithm problem and are referred to as discrete logarithm-based public-key cryptosystem. A public-key cryptosystem can be employed in various schemes for providing confidentiality, integrity, authentication or non-repudiation function. Non-repudiation or authentication can be achieved through a digital certificate such as a public key digital certificate. A public key digital certificate can include two parts: the data and a signature of the data. The data can include the public-key and a unique identifier of a subscriber to a trusted third party: the certificate authority (CA). A signature of the CA on the subscriber's public-key conveys an authentic binding between the subscriber public key and the subscriber's identity (ID).

SUMMARY

[0004] One example relates to a system that can comprise a memory to store computer readable instructions and a processing unit to access the memory and to execute the computer readable instructions. The computer readable instructions can comprise a certificate manager configured to request generation of N number of random values, where N is an integer greater than or equal to one. The certificate manager can also be configured to request a digital certificate from at least one certificate authority of at least two certificate authorities. The request can include a given one of the N number of random values. The certificate manager can also be configured to generate a private key of a public-private key pair, wherein the private key is generated based on a private key of each of the at least two certificate authorities.

[0005] Another example relates to a method for generating a combined digital certificate.

The method can comprise generating, at a computer, N number of values at a computer, wherein N is an integer greater than or equal to two. The method can also comprise, providing, from the computer, a request that includes a given one of the N number of random values to a

corresponding certificate authority of N number of certificate authorities. The method can further comprise receiving, at the computer, a digital certificate from each of the N number of certificate authorities. The method can still further comprise generating, at the computer, a private key for the computer based on a combination of data received from each of the N number of certificate authorities. The method can yet further comprise generating, at the computer, a combined digital certificate based on a combination of each digital certificate received from each of the N number of certificate authorities.

[0006] Yet another example relates to a method for generating a combined digital certificate. The method can comprise generating, at a computer, a random value. The method can also comprise providing, from the computer, the random value to a first of two certificate authorities. The method can further comprise receiving, at the computer, a digital certificate from a second of the two certificate authorities. The digital certificate can be based on a digital certificate generated at the first certificate authority. The method can still further comprise generating, at the computer, a private key for the computer based on a number from each of the two certificate authorities. The method can yet further comprise generating, at the computer, a combined digital certificate based on data included in the digital certificate received at the computer. BRIEF DESCRIPTION OF THE DRAWINGS

[0007] FIG. 1 illustrates an example of a system for generating a combined digital certificate.

[0008] FIGS. 2 A and 2B illustrate a flowchart of an example method for generating a combined digital certificate.

[0009] FIGS. 3A and 3B illustrate another flowchart of an example method for generating a combined digital certificate.

[0010] FIG. 4 illustrates another example of a system for generating a combined digital certificate.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

[0011] In one example, a computer, such as a crypto processor can be employed to generate and manage a combined digital certificate. The combined digital certificate can include data for generating a public key that is generated based on data received from multiple certificate authorities. Moreover, the computer can also generate a corresponding private key, which shall be stored separately (and securely) from the combined digital certificate. The private key can also be based on data provided from multiple certificate authorities. In this manner, even if an unauthorized user (e.g., a hacker) compromises one of the multiple certificate authorities, such an unauthorized user would be unable to determine the private key.

[0012] FIG. 1 illustrates an example of a system 2 for generating and managing a combined digital certificate 3. The combined digital certificate 3 can be generated by employing any discrete logarithm public key system, such as, but not limited to El-Gamal Signature, Schnorr Signature, Digital Secure Algorithm (DSA) or a variation thereof. Any of those schemes can use Elliptic curve cryptography (ECC) which provides inherently low memory and computation requirements. The system 2 can include, for example, a computer 4 that includes a memory 6 for storing machine readable instructions. The computer 4 could be implemented, for example, as a crypto processor, an application specific integrated circuit chip (ASIC), a smart card, a smart phone, a desktop computer, a notebook computer or the like. The memory 6 could be implemented, for example, as a non-transitory computer readable medium, such as random access memory (RAM), flash memory, a hard drive, etc. Some portions of the memory 6 can be accessed by external systems upon request. However, in some examples, some portions of the memory 6 can be secure and only accessible by internal components of the computer 4. The computer 4 can also include a processing unit 8 for accessing the memory 6 and executing the machine readable instructions. The processing unit 8 could be implemented, for example, as a processor core. The memory 6 can include a certificate manager 10 that can generate, modify and/or manage the combined digital certificate 3, which combined digital certificate 3, can also be stored in the memory 6. It is to be understood that in other examples, the certificate manager 10 could be stored on another system, such as an external system, such as a server or a host system, such a smart phone or other device that houses the computer 4.

[0013] The certificate manager 10 can initiate a generation of the combined digital certificate 3 in response to a condition being met. For instance, if the computer 4 is implemented as a crypto processor, the certificate manager 10 could initiate the generation of the digital certificate in response to an activation request from another system. In other examples, the certificate manager 10 could initiate the generation of the combined digital certificate 3 in response to user input.

[0014] The computer 4 can communicate with N number of certificate authorities 12 over a network 14, where N is an integer greater than or equal to two. The network 14 could be implemented, for example, as a public network (e.g., the Internet), a private network, or the like. Each certificate authority 12 of the N number of certificate authorities 12 can be implemented as a system that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (third parties) to rely upon signatures or assertions made by a private key that corresponds to the public key that is certified. In such a model of trust relationships, each of the 1-N certificate authorities 12 is a trusted third party that is trusted by both the subject (owner) of the certificate and the third party relying upon the certificate.

[0015] In one example, in response to initiation of the generation of the combined digital certificate 3, the certificate manager 10 can request that N number of random numbers be generated by the processing unit 8, which random numbers can be referred to as "rl ...rN." It is noted that in some examples, the certificate manager 10, can provide separate requests over a relatively large period of time for generation of the random numbers. For instance, the certificate manager 10 can be configured to request generation of rl at a time of manufacture. Additionally, the certificate manager 10 can be configured to request generation of r2-rN after delivery of the computer 4 to a customer site. As one example, the computer 4 can be embedded with rl and can be configured to request generation of r2-rN upon activation at the customer site.

[0016] The certificate manager 10 can send rl (or a multiple thereof) to certificate authority 1. In response, the certificate authority 1 can return a digital certificate 1 which can include data for generating a public key for the computer 4, wherein the public key is associated with the certificate authority 1. The certificate authority 1 can also include data, such as an integer for generating a private key that corresponds to the public key associated with the certificate authority 1. It is noted that in some examples, the digital certificate 1 and the data for generating the private key and public key associated with the certificate authority 1 can be embedded into the computer 4 at a time of manufacture of the computer 4. Additionally, the certificate manager 10 can send r2...rN to a corresponding certificate authority 12 of each of the 2-N certificate authorities 12. In response, each of the 2-N certificate authorities 12 can provide the computer 4 with a corresponding digital certificate, and data for generating a public key and corresponding private key for the computer 4, which can be associated with a corresponding 2-N certificate authority 12, which data can be referred to as certificate data. The certificate manager 10 and/or the processing unit 8 can employ the certificate data provided by each of the 1-N certificate authorities 12 to generate a private key for the computer 4, which private key can be referred to as SKey 16. Moreover, in some examples, the certificate manager 10 can also provide public key data 18 that is based on the digital certificates 1-N for generating a public key for the computer 4 that corresponds to Skey 16, which can be referred to as PKey. In some examples, the public key data 18 can be provided to a third party. In other examples, the public key data 18 can be known by the third party through other methods (e.g., a registration service). In some examples, the certificate manager 10 can also generate the combination certificate 3 that can include the public key data 18. In some examples, the combination certificate 3 can also include data for identifying each of the 1-N certificate authorities 12. By employing this technique, the certificate manager 10 can generate the combined digital certificate 3 that is based on digital certificates provided by each of the 1-N certificate authorities 12. Moreover, by employing this technique, none of the 1-N certificate authorities 12 need to communicate with each other.

[0017] In another example, upon initiation of the generation of the digital certificate, the certificate manager 10 can request that one random number be generated by the processing unit 8, which random number can be referred to as rl . The certificate manager 10 can send rl to certificate authority 1. In response, the certificate authority 1 can generate a digital certificate 1 and data (e.g., an integer) for generating a public key and corresponding private key for the computer 4. The certificate authority 1 can forward the data for generating the private key to the computer 4 and forward the digital certificate 1 to a certificate authority 2, wherein the private key is associated with certificate authority 1. Moreover, the certificate authority 2 can authenticate the certificate authority 1 to ensure that the digital certificate 1 originated from certificate authority 1 and not from an unauthorized source (e.g., a hacker). Certificate authority 2 can generate a digital certificate 2 based on the digital certificate 1 and forward the digital certificate 2 to the certificate manager 10, which digital certificate can include public key data 18 for generating a PKey associated with both certificate authority 1 and certificate authority 2. The certificate authority 2 can also provide data (e.g., an integer) for generating a private key associated with the certificate authority 2. The certificate manager 10 and/or the processing unit 8 can generate an SKey 16 based on data provided from the certificate authority 1 and the certificate authority 2, wherein the SKey 16 corresponds to the PKey . The certificate manager 10 and/or the processing unit 8 can also generate the combined digital certificate 3 based on the digital certificate 2. In some examples, the combined certificate 3 can include the public key data 18 which can be employed to generate the PKey. By employing this technique, the size of the combined certificate can be reduced, which can save memory. [0018] In both techniques, the combined digital certificate 3 can be based on data provided by 1-N certificate authorities 12. In the first technique, even if an unauthorized user (e.g., a hacker) gains access to any one of the 1-N certificate authorities 12, the combined digital certificate 3 would not be compromised. In fact, to compromise the security of the combined digital certificate 3, such an unauthorized user would need to compromise to all of the 1-N certificate authorities 12. In the second technique, since the certificate authority 1 is

authenticated by certificate authority 2, data provided by the certificate authority 1 can be trusted by the certificate authority 2. Thus, the combined digital certificate 3 provides significant resistance to security breaches. Moreover, liability for such security breaches would be distributed over each of the 1-N certificate authorities 12.

[0019] In view of the foregoing structural and functional features described above, example methodologies will be better appreciated with reference to FIGS. 2A, 2B, 3A and 3B. While, for purposes of simplicity of explanation, the example methods of FIGS. 2A, 2B, 3A and 3B are shown and described as executing serially, the present examples are not limited by the illustrated order, as some actions could in other examples occur in different orders and/or concurrently from that shown and described herein.

[0020] FIGS. 2A and 2B illustrate an example flowchart of an example method 200 that could be employed to generate a combined digital certificate, such as the combined digital certificate 3 illustrated in FIG. 1.

[0021] At 210, certificate generation can be initiated. The certificate initiation could be initiated, for example, by a certificate manager, such as the certificate manager 10 illustrated in FIG. 1. In such a situation, the certificate manager could be executing on a computer, such as a crypto processor. In the method 200, the combined certificate can be generated by employing techniques from ECC. However, other cryptographic techniques could additionally or alternatively be employed. In ECC, points along a curve E can define a finite field. In one example, Equation 1 can define the finite field employed for the method 200.

Equation 1 : y ² = x ³ + ax + b; wherein Q= {XQ,VQ}; and P and Q are points on the curve E.

[0022] Additionally, in ECC, the number of points on the curve E can be represented as a finite integer V. In such a situation, Equations 2 and 3 can represent a relationship between n, P and Q.

Equation 2: nP = P + P + P ... + P

Equation 3: Q = nP

[0023] At 220, N number of random numbers can be generated, for example, by a processing unit, such as the processing unit 8 illustrated in FIG. 1. Each of the N number of random numbers can be calculated as points on the curve E. For instance, in one example, the processing unit can generate a random number, r;, where i is an integer between 1 and N. The processing unit can employ elliptic curve point multiplication to calculate rj.G, where G is a number points on the curve E defined at a generator point G such that r;.G is a point on the curve E. At 230, the certificate manager can provide a random number r; to a corresponding certificate authority i, which certificate authority i could be implemented as one of the 1-N certificate authorities 12 illustrated in FIG. 1. In such a situation, the certificate authority i can have a private key and noted as CcAi and a public key denoted as QcAi- In such a situation, Equation 4 can depict the relationship between CcAi and QcAi- It is noted that Equation 4 denotes elliptic curve multiplication.

Equation 4: Q _CAi = c _CAi . G

[0024] In one example, for each subscriber A, each certificate authority i can assign a different identity number (e.g., a unique ID). In such a situation, each identity number could be implemented as the sum of each identity number attributed by each of the N number of certificate authorities Alternatively, a given one of the certificate authorities i can have on a unique identity number shared by the other certificate authorities i. At 240, certificate authority i can calculate ki.G, where ki is a random number within the interval [1, n-1]. At 250, the certificate authority i can employ Equation 5 to calculate Pi. It is noted that Equation 5 denotes elliptic curve addition.

Equation 5: Pj = rj. G + kj. G

[0025] At 260, certificate authority i can employ Equation 6 to calculate e;.

Equation 6: e _; = H(Pi ||ID)

wherein H is a one way hash function; P; is the resulting point of the elliptic curve addition given in Equation 5; and ID is a unique identifier for the computer.

[0026] At 270, the certificate authority i can employ Equation 7 or alternatively Equation

8 to calculate s;.

Equation 7: S _j = e _j . k _j - c _CAi (mod n)

Equation 8: s; = k; - ei.CcAi (mod n)

[0027] At 280, the certificate authority i can provide a digital certificate i and other data to the certificate manager, such that at least Pi, s; and e; are provided to the certificate manager. At 290, a determination can be made as to whether i is less than or equal to N. If the

determination is positive (e.g., YES), the method 200 can proceed to 300. If the determination is negative (e.g., NO), the method can proceed to 310 (FIG. 2B). At 300, the value of i can be increased by one and the method can return to 230.

[0028] At 310 of FIG. 2B, the certificate manager can calculate a private key for the associated computer, which private key can be denoted as "SKey." SKey can be stored, for example, in a secure memory of the computer. In examples where Equation 7 is employed to calculate s;, the certificate manager can employ Equation 9 to calculate SKey. Alternatively, in situations where Equation 8 is employed to calculate s;, the certificate manager can employ Equation 10 to calculate SKey.

Equation 9: SKey = \ ^ St + rfi (modn)

Equation 10: SKey

[0029] At 320, the certificate manager can determine public key data that can be employed (e.g., by a third party) to calculate a public key corresponding to SKey for the associated computer, which public key can be denoted as "PKey." In some examples, the public key data can include the Pi provided from each certificate authority i. In some examples, by employing Equations 11 and 12, the third party can employ the public key data to derive PKey. As shown in Equations 11 and 12, PKey can be based on QCA, which can be implemented as the sum of each QcAi received from the 1-N certificate authorities. In other examples, the third party can employ Equations 12 and 13 to compute PKey.

Equation 11 PKey =∑e _i P _i - Q ^■ ₍ CA

Equation 12 —∑i=i QcAi

Equation 13

[0030] At 330, the combined digital certificate can be generated. The combined digital certificate can identify each certificate authority i employed to generate the combined digital certificate. Moreover, in some examples, the combined digital certificate can include the public key data. By employing the method 200, no interaction between each of the certificate authorities i is needed. Furthermore, by employing ECC, a significant reduction of memory usage can be achieved in comparison to other encryption schemes.

[0031] FIGS. 3A and 3B illustrate an example flowchart of another example of a method

400 that could be employed to generate a combined digital certificate, such as the combined digital certificate 3 illustrated in FIG. 1.

[0032] At 410, certificate generation can be initiated. The certificate initiation could be initiated, for example, by a certificate manager, such as the certificate manager 10 illustrated in FIG. 1. In such a situation, the certificate manager could be executing on a computer, such as a crypto processor. In the method 400, the combined digital certificate can be generated by employing techniques from ECC. However, other cryptographic techniques could be additionally or alternatively employed. In one example, Equation 1 can be employed to define a finite field for the method 400. In such an example, an elliptical curve E can have a finite number of points 'n'. Moreover, as noted in Equation 1, points P and Q can be points on the curve E. Further, Equations 2 and 3 can define a relationship between n, P and Q.

[0033] At 420, a random number can be generated, for example, by a processing unit, such as the processing unit 8 illustrated in FIG. 1. The random number can be calculated as a point on the curve E. For instance, in one example, the processing unit can generate a random number, r. The processing unit can employ elliptic curve point multiplication to calculate r.G, where G is a number of points on the curve E defined at a generator point G such that r.G is a point on the curve E. At 430, the certificate manager can provide the random number r.G to a certificate authority 1 , which certificate authority i could be implemented as the certificate authority 1 illustrated in FIG. 1. In such a situation, the certificate authority 1 can have a private key, which private key can be referred to as CCAI and a public key denoted as QCAI- In such a situation, Equation 4 can depict the relationship between CCAI and QCAI- At 440, certificate authority 1 can calculate ki.G, where ki is a random number within the interval [1, n-1]. At 450, the certificate authority 1 can employ Equation 5 to calculate Pi. At 460, certificate authority 1 can employ Equation 14 to calculate Si . Equation 14: ^s i ⁼ ki + c _CA1 mod n

[0034] At 470, the certificate authority 1 can provide the certificate manager with data that includes at least si. At 475, certificate authority 1 can be authenticated by a certificate authority 2. Such an authentication can ensure that data provided from certificate authority 1 did in fact originate from certificate authority 1 and not from an unauthorized source (e.g., a hacker). At 480, the certificate authority 1 can provide the certificate authority 2 with Pi and Si . At 490 (FIG. 3B), the certificate authority 2 can calculate k ₂ .G, where k ₂ is a random number within the interval [1, n-1]. At 500, the certificate authority 2 can employ Equation 15 to calculate P. It is noted that Equation 15 employs elliptical point multiplication.

Equation 15: P = k ₂ . G + Pi

[0035] At 510, the certificate authority 2 can employ Equation 16 to calculate e.

Equation 16: e = H(P||ID)

wherein H is a one-way hash function; and ID is a unique identifier for the computer.

[0036] At 520, the certificate authority 2 can calculate s ₂ . In some examples, the certificate authority 2 can employ Equation 17 to calculate s ₂ .

Equation 17: s ₂ = e(k ₂ + c _CA2 )mod n

[0037] At 530, the certificate authority can provide the certificate manager with a digital certificate that includes at least P (Equation 15). Additionally, the certificate authority can provide the certificate manager with s ₂ . At 540, the processing unit can calculate a private key for the computer, which private key can be denoted as "SKey." In examples where Equation 17 is employed to calculate s ₂ , the processing unit can employ Equation 18 to calculate SKey. Equation 18 : SKey = + r) + s ₂ mod n

[0038] At 550, the certificate manager and/or the processing unit can determine public key data that can be employed to generate a public key for the associated computer, which public key can be denoted as "PKey." The public key data can include the P received from certificate authority 2. In this manner, a third party can employ the public key data to calculate PKey. For instance, in examples where Equation 18 is employed to calculate SKey, the third party can employ Equations 19 and 20 to calculate PKey.

Equation 19: QCA = QCA _I + QcA2

Equation 20: PKey = e(P + Q _CA )

[0039] At 560, the certificate manager can generate and store the combined digital certificate. In some examples, the combined digital certificate can include the public key data. By employing the method 400, a reduction of the memory can be achieve since only one value for P needs to be stored at the computer. Moreover, additional memory saving can be achieved by employing ECC. Still further, the method allows an increase in security since the combined digital certificate is based on public keys QCA _I , and QCA _I of two different certificate authorities.

[0040] FIG. 4 illustrates another example of a system 600 for generating and managing a combined digital certificate 602. The system 600 can include a host computer 604 with a crypto processor 606 stored thereon. The crypto processor 606 could be implemented, in a manner similar to the computer 4 illustrated in FIG. 1. For instance, the crypto processor 606 could be implemented as a dedicated computer on a chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, thereby providing the crypto processor 606 with a degree of tamper resistance. In one example, the crypto processor 606 could be implemented as a trusted platform module (TPM). The host computer 604 can include a memory 607 (e.g., a non-transitory computer readable medium, such as RAM, flash memory, a hard drive or the like) for storing machine-readable instructions. The host computer 604 can also include a processing unit 608 to access the memory 607 and execute the machine -readable instructions. The processing unit 608 can include a processor core. In some examples, the host computer 604 could be implemented as a smart phone, a desktop computer, a laptop computer, a server or the like.

[0041] The host computer 604 can communicate with N number of certificate authorities

610 via a network 612. The network 612 could be implemented, for example, as the Internet, a private network or a combination thereof. In FIG. 4, the components of certificate authority 1 are shown in detail. It is to be understood that 2-N certificate authorities 610 could be implemented in a similar manner. Certificate authority 1 can be implemented as a computer, such as a trusted issuer of digital certificates.

[0042] Certificate authority 1 can include a memory 614 for storing machine-readable instructions. The memory 614 could be implemented, for example, as RAM, flash memory, a hard drive or the like. The certificate authority 1 can also include a processing unit 618 for accessing the memory 614 and executing machine readable instructions. The memory 614 can include a private key, CCAI 620 for the certificate authority 1. The certificate authority 1 can also include a public key, QCAI 622 for the certificate authority 1.

[0043] The memory 607 of the host computer 604 can include a certificate manager 616 that can initiate generation of the combined digital certificate 602. Initiation of the generation of the combined digital certificate 602 can be in response to user input. In response to initiation of the generation of the combined digital certificate 602, the certificate manager 616 can request that the crypto processor 606 generate one or more random numbers, such as described with respect to FIGS. 2A, 2B, 3A and 3B.

[0044] As described with respect to the methods 200 or 400 illustrated in FIGS. 2A, 2B,

3A and 3B, in response to initiation of the generation of the combined digital certificate 602, the certificate manager 616 can receive at least K digital certificates 624 from 1-N certificate authorities 610, where K is an integer greater than or equal to one, as well as data from each of the 1-N certificate authorities 610 (e.g., Si ...s _n ). The certificate manager 616 can provide the crypto processor 606 with data (e.g., certificate data) to generate a private key (SKey) 626 and public key data 628 for generating a corresponding public key (PKey) 629 for the crypto processor 606 based on data provided from the 1-N certificate authorities 610 (e.g., Si ...s _n and Pi ...P _n ). Additionally, the crypto processor 606 can employ the data provided by the certificate manager 616 to generate the combined certificate 602 In some examples, the combined certificate 602 can include the public key data 628. The combined certificate 602 can include, for example, an identification of each of the N number of certificate authorities 610 on which the combined digital certificate 602 is based.

[0045] At some point in time, the host computer 604 can employ the combined certificate to digitally sign a document 630. In such a situation, the certificate manager 616 can provide the document 630 to the crypto processor 606 along with a request for the digital signature 632. In one example, the crypto processor 606 can employ a digest algorithm to create a digest comprised of a portion of the document 630. The crypto processor 606 can employ the SKey 626 to sign the digest of the document 630, which signed digest can be the digital signature 632.

[0046] A third-party 634 (e.g., a computer system) can request the document 630. The document 630, the combined certificate 602 along with the digital signature 632 and a public key (Qc _A i) of a given certificate authority 610 of the N number of certificate authorities 610 can be provided to the third-party 634. The combined certificate can also include the digest algorithm employed for calculating the digest of the document 630. Additionally, the third party 634 can generate PKey 629 based on the public key data 628.

[0047] The third-party 634 can communicate with the given certificate authority 610 to validate the public key (Qc _A i) of the given certificate authority 610. In this manner, the third- party 634 can trust that PKey 629 was generated based on the private key (cc _A i) of the given certificate authority 610. Additionally, the third-party 634 can employ the digest algorithm to regenerate the digest of the document 630. The third-party 634 can verify the digital signature 632 with the PKey 629 included in the combined digital certificate 602, which can result in a verified digest. The third party 634 can compare the regenerated digital digest with the verified digest to ensure that the document 630 was signed by the crypto processor 606 and that the document 630 had not changed since the digital signature 632 for the document 630 was generated.

[0048] Those skilled in the art to which the invention relates will appreciate that modifications may be made to the described examples, and also that many other embodiments are possible, within the scope of the claimed invention.