摘要 |
A single cryptographically enhanced product is capable of exposing various strengths of cryptography. When first installed, the product exposes only a low-level, exportable strength cryptography that may be used in both the U.S. or overseas with a general export license. Stronger cryptography is implemented in the product, but is not exposed to the user. To enable the stronger cryptography, the user must obtain an authorization certificate issued from a certifying authority. The authorization certificate contains an identity of the certifying authority and a token granted by the product's provider. The token contains capabilities to expose the stronger cryptography in the product and an encoded ID of the certifying authority, which binds the token to a specific certifying authority. The cryptographic product evaluates the authorization certificate and token to verify that the certificate is from the certifying authority, the token is from the product provider, and the token contains the hash digest of the certifying authority. The product also determines whether the certificate or token has been revoked or has expired. If everything checks out, the product uses the capabilities included in the token to expose the higher strength cryptography to the user; otherwise, the product denies the request for higher strength cryptography and continues to use only the low strength cryptography.
|