Cryptography – Key management – Key escrow or recovery
Reexamination Certificate
1998-11-02
2003-03-18
Barrón, Gilberto (Department: 2132)
C380S281000, C380S277000, C380S030000, C713S193000, C713S168000
active
06535607
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to a method and apparatus for providing interoperability between key recovery and non-key recovery systems. More particularly, the invention relates to a method and apparatus for ensuring, in a cryptographic communication system in which a sender transmits data encrypted under an encryption key to a receiver, the concomitant transmission of data sufficient to permit recovery of the encryption key by a key recovery entity.
2. Description of the Related Art
Data encryption systems are well known in the data processing art. In general, such systems operate by performing an encryption operation on a plaintext input block, using an encryption key, to produce a ciphertext output block. The receiver of an encrypted message performs a corresponding decryption operation, using a decryption key, to recover the plaintext block.
Encryption systems fall into two general categories. Symmetric (or private-key) encryption systems use the same secret key for both encrypting and decrypting messages. Perhaps the best-known symmetric encryption system is the Data Encryption Algorithm (DEA), implementing the Data Encryption Standard (DES) as described in the National Institute of Standards and Technology (NIST) publications “Data Encryption Standard (DES)”, FIPS PUB 46-2 (1980), and “DES Modes of Operation”, FIPS PUB 81 (1988). In the DES system, a 64-bit key is used to transform a plaintext message comprising one or more 64-bit plaintext blocks into a ciphertext message comprising a like number of 64-bit ciphertext blocks, or vice versa. Of the 64 key bits, 56 bits are independently specifiable, while the remaining 8 bits provide a parity check.
Asymmetric (or public-key) encryption systems, on the other hand, use different keys that are not feasibly derivable from one another for encryption and decryption. A person wishing to receive messages generates a pair of corresponding encryption and decryption keys. The encryption key is made public, while the corresponding decryption key is kept secret. Anyone wishing to communicate with the receiver may encrypt a message using the receiver's public key. Only the receiver may decrypt the message, however, since only he has the private key. Perhaps the best-known asymmetric encryption system is the RSA encryption system, named after its originators Rivest, Shamir and Adleman and described in B. Schneier, Applied Cryptography (1996), pages 466-474, incorporated herein by reference.
Asymmetric encryption systems are generally more computationally intensive than symmetric encryption systems, but have the advantage that they do not require a secure channel for the transmission of encryption keys. For this reason, asymmetric encryption systems are often used for the one-time transport of highly sensitive data such as symmetric encryption keys.
Data encryption systems of all types have attracted the attention of government intelligence agencies and law enforcement agencies, since the same cryptographic strength that prevents decryption by unauthorized third parties also prevents decryption by intelligence or law enforcement officials having a legitimate reason for wanting to access the plaintext data. Because of such concerns, governments have either prohibited the use or export of strong encryption systems or have conditioned their approval on the use of weakened keys that are susceptible to key-exhaustion attacks (i.e., systematically testing all possible keys until the right one is found). Such weak encryption systems have the obvious disadvantage that they are just as vulnerable to unauthorized third parties as they are to authorized government officials.
Various cryptographic key recovery systems have recently been proposed as a compromise between the demands of communicating parties for privacy in electronic communications and the demands of law enforcement agencies for access to such communications when necessary to uncover crimes or threats to national security. Generally, in such key recovery systems, all or part of the key used by the communicating parties is made available to one or more key recovery agents, either by actually giving key-related recovery information to the key recovery agents ahead of time (in which case the recovery information is said to be “escrowed”) or by providing sufficient information in the communication itself (as by encrypting the key portions) which the key recovery agents could obtain after the communication occurred. Key recovery agents would reveal the escrowed or regenerated key information to a requesting law enforcement agent only upon presentation of proper evidence of authority, such as a court order authorizing the interception. The use of multiple key recovery agents, all of which must cooperate to recover the key, minimizes the possibility that a law enforcement agent can improperly recover a key by using a corrupt key recovery agent or that a compromise in the physical security of a single key recovery agent will expose the key.
Key recovery systems serve the communicants' interest in privacy, since their encryption system retains its full strength against third parties and does not have to be weakened to comply with domestic restrictions on encryption or to meet export requirements. At the same time, key recovery systems serve the legitimate needs of law enforcement by permitting the interception of encrypted communications in circumstances where unencrypted communications have previously been intercepted (as where a court order has been obtained).
In addition to serving the needs of law enforcement, key recovery systems find application in purely private contexts. Thus, organizations may be concerned about employees using strong encryption of crucial files where keys are not recoverable. Loss of keys may result in loss of important stored data.
Key recovery systems of various types are described in U.S. Pat. Nos. 5,557,346 (Lipner et al.); 5,815,573 (Johnson et al.); and 5,796,830 (Johnson et al.), as well as in copending U.S. patent applications Ser. Nos. 08/725,102, filed Oct. 2, 1996 (Gennaro et al.); 08/775,348, filed Jan. 3, 1997 (Gennaro et al.); and 08/899,855, filed Jul. 24, 1997 (Chandersekaran et al.), all of which are incorporated herein by reference.
An important aspect of key recovery systems is the method used to ensure that correct recovery information is provided. If the recovery information provided is not correct, either through unintentional error, or deliberate attempt to corrupt, the functionality of the key recovery system can be thwarted. Ordinarily, in the absence of some earlier validation check, any deficiency in the key recovery information is only detected when key recovery is attempted by a key recovery entity, which is generally too late to cure the deficiency.
Validation can be provided in several ways, including direct checking by the participants, checking by the recovery agents, and checking by the recovery entity. Access to accurate key recovery information can also be ensured by redundant calculation and disclosure of the recovery information by more than one of the communicating parties.
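The two ideas above, recovery agents that must all cooperate and validation of recovery information before recovery is ever attempted, can be shown in a short sketch. This is an added example, not part of the patent text and not the mechanism of any of the cited patents; it assumes plain XOR secret splitting and a SHA-256 check value, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce

# Illustrative sketch only: names and the "kr-demo" label are hypothetical.
# Shares are shown in the clear; a real system would encrypt each one to
# its recovery agent.

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n_agents: int) -> list:
    """Split key into n XOR shares; every share is needed to rebuild it."""
    if n_agents < 2:
        raise ValueError("need at least two recovery agents")
    shares = [secrets.token_bytes(len(key)) for _ in range(n_agents - 1)]
    shares.append(reduce(xor, shares, key))  # key ^ s1 ^ ... ^ s(n-1)
    return shares

def check_value(key: bytes) -> bytes:
    """Value sent with the recovery information so errors are detectable."""
    return hashlib.sha256(b"kr-demo" + key).digest()

def validate(key: bytes, shares: list, check: bytes) -> bool:
    """Participant-side check at send time, before recovery is ever needed."""
    rebuilt = reduce(xor, shares)
    return (hmac.compare_digest(rebuilt, key)
            and hmac.compare_digest(check_value(rebuilt), check))

def recover(shares: list, check: bytes) -> bytes:
    """Recovery-entity side: combine the agents' shares and verify."""
    key = reduce(xor, shares)
    if not hmac.compare_digest(check_value(key), check):
        raise ValueError("recovery information incorrect or incomplete")
    return key

if __name__ == "__main__":
    session_key = secrets.token_bytes(16)          # constructed sample key
    shares = split_key(session_key, 3)
    check = check_value(session_key)
    print("valid at send time:", validate(session_key, shares, check))
    print("all agents cooperate:", recover(shares, check) == session_key)
    try:
        recover(shares[:2], check)                 # one agent withholds
    except ValueError as err:
        print("two of three agents:", err)
```

Any subset smaller than the full set of shares is statistically independent of the key, which is why a single corrupt or compromised agent learns nothing in this construction.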
In a network of interconnected computer systems, where some computer systems are key recovery enabled (KR-enabled)—i.e., are capable of generating key recovery information—and some are non-KR-enabled, it would be desirable to permit a KR-enabled computer to interoperate with both KR-enabled and non-KR-enabled computers only if key recovery is enforced.
FIG. 1 shows a cryptographic system 100 comprising a KR-enabled computer system 102 coupled to a non-KR-enabled computer system 104 via a communications channel 106. We assume the following model of trusted and untrusted components:
1. The KR-enabled system 102 has a key recovery subsystem 108 that provides key recovery and other cryptographic services to one or more application programs 110. KR subsystem 108 may be implemented as software, as hardware, or as some combination of the two.
2. The non-KR-enabled system 104 has a cryptograp
Chandersekaran Coimbatore S.
Gennaro Rosario
Gupta Sarbari
Matyas, Jr. Stephen M.
Safford David R.
Barrón Gilberto
International Business Machines - Corporation
Kinnaman, Jr. William A.
Zand Kambiz