Sohail A Malik, 566700 Metropolitan Center Dr APT 104, Springfield, VA 22150

6396929, May 28, 2002

Dec 31, 1998

09/224892

Sekar Chandersekaran - Potomac MD
Sohail Malik - Gaithersburg MD
Michael Muresan - Gaithersburg MD
Narayanan Vasudevan - Gaithersburg MD

International Business Machines Corporation - Armonk NY

H04L 930

380286, 713181, 380 30

An apparatus, method, and computer program product for high-availability multi-agent cryptographic key recovery. The present invention defines a key recovery block that specifies allowable subsets of the total set of key recovery agents that can participate in a key recovery. For each subset, key recovery information is computed and stored after the subset is specified. This key recovery information is only useable by that subset because it is computed using that subset of public keys of the agents. When key recovery is initiated, a trusted processor (a key recovery coordinator) validates the contents of the key recovery block and it uses and is allowed to use any of the subsets of the agents to process the key recovery request. Since many subsets could be specified, the likelihood of key recovery failure is greatly diminished.

6715077, Mar 30, 2004

Mar 22, 2000

09/533073

Narayanan Vasudevan - Gaithersburg MD
Sohail Malik - Gaithersburg MD

International Business Machines Corporation - Armonk NY

G06F 1100

713191, 713189, 713200

An Improved CDSA system (CDSA-I) includes a standard CDSA framework coupled via an Application Program Interface to an application requiring cryptographic support. During manufacture, a cryptographic control privilege is incorporated into the application, as part of an exemption mechanism, which exemption may or may not be enforced by the CDSA framework. For maximum cryptographic strength, an application must be signed by a private key controlled by the CDSA framework vendor. Inside the CDSA framework, the corresponding public key is used to verify at runtime those applications that were appropriately signed. The CDSA framework is coupled via a Service Provider Interface (SPI) to a plurality of pluggable modules for performing cryptographic operations, storing signed digital certificates for applications, and trust policies relating to cryptographic strengths. The framework is initialized to provide the cryptographic support for the application. The application requests a a crypto context representing the algorithm ID, key and key length from the CDSA framework at runtime to be used in subsequent API calls to the CDSA framework.

6877092, Apr 5, 2005

Nov 4, 2002

10/287172

Sekar Chandersekaran - Potomac MD, US
Sohail Malik - Gaithersburg MD, US
Michael Muresan - Gaithersburg MD, US
Narayanan Vasudevan - Gaithersburg MD, US

International Business Machines Corporation - Armonk NY

H04L009/12
H04L009/00

713151, 380286

An apparatus, method, and computer program product for achieving interoperability between cryptographic key recovery enabled and unaware systems. The method includes the steps of encrypting data using a cryptography key to generate ciphertext; generating a key recovery block containing key recovery information for the ciphertext; determining whether a receiver for the ciphertext is key recovery unaware; and sending the key recovery block to a key recovery client when it is determined that the receiver is key recovery unaware. In a preferred embodiment, the ciphertext is sent to the receiver only after receiving confirmation from the key recovery client of the receipt of the key recovery block. Also in a preferred embodiment, the key recovery block is sent as part of an Internet Message Control Protocol (ICMP) message.

7096505, Aug 22, 2006

Feb 27, 2004

10/788855

Narayanan Vasudevan - Gaithersburg MD, US
Sohail Malik - Gaithersburg MD, US

International Business Machines Corporation - Armonk NY

G06F 11/00
G06F 17/60

726 30, 726 22, 726 19, 726 18, 380279, 380286, 380 45

A technique for cryptographic strength selection for at least one application is provided, in accordance with a framework for providing cryptographic support of the at least one application. Data encryption is performed at a first cryptographic strength when the at least one application is privileged to perform encryption at a first cryptographic strength. Data encryption is performed at a second cryptographic strength when the at least one application is not privileged to perform encryption at the first cryptographic strength. The first cryptographic strength is stronger than the second cryptographic strength.

6181795, Jan 30, 2001

Feb 27, 1998

9/031793

Sekar Chandersekaran - Potomac MD
Narayanan Vasudevan - Gaithersburg MD
Sohail Malik - Gaithersburg MD
Michael Muresan - Gaithersburg MD

International Business Machines Corporation - Armonk NY

H04L 900

380280

A method, system, and computer program are disclosed to transport an encrypted key across multiple, diverse systems which provides the relevant and necessary information to guarantee a successful decryption of the key. The method prepares an ASN. 1 encoding file at the sender which contains the key. The receiver performs the method to decode the ASN. 1 encoded file. In this manner, only the data and the contents of the portable key need to be sent to guarantee successful decryption at the receiver.

6061454, May 9, 2000

Jun 27, 1997

8/884134

Sohail malik - Gaithersburg MD
Michael Muresan - Gaithersburg MD

International Business Machines Corp. - Armonk NY

H04L 908
H04L 900
H04L 906

380278

A method is disclosed for communicating a key recovery block from a sender to a non-enabled receiver, without the danger of throwing the receiver into an indeterminant state, and without modifying the receiver. The method uses an unmodified communications protocol that has a standard method to receive and acknowledge arbitrary data. The sender sends a message using the standard method for arbitrary data, and includes in the message the key recovery block. The receiver responds with a standard acknowledgment message. The method thereby enables an entity coupled to the link, to monitor the key recovery block, even though the receiver is not enabled to process it.