Cryptography – Key management – Key escrow or recovery
Reexamination Certificate
1998-06-05
2001-05-22
Hayes, Gail (Department: 2131)
Cryptography
Key management
Key escrow or recovery
C380S278000, C380S028000, C380S029000, C713S171000
Reexamination Certificate
active
06236729
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to a security security-ensuring technique such as data encipherment in a computer network, and more particularly to a key recovery (or key deposition) method and system.
One technique for ensuring the security of data such as electronic mail communicated through a network includes a data ciphering system, called a public-key cryptographic scheme, in which data is ciphered using numeric data, called a public key, and the ciphered data, is deciphered using numeric data called a secret key, having a numerical value different from that of the public key.
In the public-key cryptographic scheme, however, when a secret key is lost for some reason or other, it becomes virturally impossible to decipher the data which is ciphered by the public key paired with the secret key. For example, where the ciphered data is preserved in a file or the like from which it is later taken out, the restoration of this data is impossible if there is no the secret key. This is equivalent to the loss of data. The loss of a secret key is an untenable situation. Absent measures for the relief of this situation, significant trouble, difficulty or inconvenience may be encountered.
Therefore, a key recovery (or deposition) system has been proposed in which an individual or organization confidential information is backed-up by enabling the decipherment of ciphered data in the case where a secret key has been lost due to a.
In this system, provisions against the case of loss of one's own secret key are made by depositing the secret key in a third party (or key-preserving facility or agent) which performs confidential management. For example, one's own secret key is divisionally deposited in a plurality of key-preserving facilities so that in the case where the secret key has been lost, the secret key can be recovered by performing operational processing, such, as exclusive logical sum, addition or the like, for the divisional key parts deposited in the plurality of key-preserving facilities.
The above-mentioned techniques have been disclosed by, for example, Masahiro Manpo and Eiji Okamoto, “Impacts of Network Cryptograph Clippers”, BIT, Vol. 28, No. 2, February 1996, and Silvio Micali, “Fair Cryptosystems”, MIT/LCS1TR-579.c, Laboratory for Computer Science, Massachusette Institute of Technology, August 1994.
In the above-described conventional key recovery system, however, a secret key as the one and only means for deciphering data ciphered by one's own public key must be deposited in a third party or key preserving facility other than oneself beforehand. In this case, the secret key must be deposited in the key-preserving facility in such a manner as to ensure the confidentiality. This requires considerable labor, time and/or cost. Particularly, in the case where the secret key is divisionally deposited in a plurality of key-preserving facilities, a considerable burder is imposed on the user.
SUMMARY OF THE INVENTION
An object of the present invention is to provide a key-recovery method and system capable of eliminating labor, time and/or costs in which a cipher text receiver as a user operates using the user's own secret key deposited with a third party such as a key preserving facility. Another object of the present invention is to provide a computer-readable medium in which a program performing such a method is stored. A further object of the present invention is to provide a key-recovery method and system in which the security and reliability of a secret key can be improved by applying threshold logic.
To that end, a first aspect of the present invention provides a key-recovery method in which data obtained by converting a public key and used as a parameter at the time of generation of a cipher text is generated without using a secret key paired with the public key. The method comprises, on the transmitting side, a first processing of generating a data value satisfying a predetermined relational expression by which data obtained by converting a first public key and used as a parameter at the time of generation of a cipher text can be determined directly or indirectly if data obtained by converting at least one second public key is decided between the data obtained by converting the first public key and the data obtained by converting the second public key, a second processing of applying the cipher text with the data value generated in the first processing, and comprising, on the receiving side possessing a secret key paired with the second key, a third processing of determining the data obtained by converting the second public key, the determination being made from the secret key paired with the second key, and a fourth processing of determining the data obtained by converting the first public key and used as the parameter at the time of generation of the cipher text, the determination being made by introducing, the data value applied to the cipher text in the second processing and the data determined in the third processing, into the relational expression used in the first processing.
The data obtained by converting the public key is, for example, data obtained by operating a generated random number and the public key.
In the first aspect of the present invention, the cipher text is applied with the data value satisfying the predetermined relational expression by which the data obtained by converting the first public key and used as the parameter at the time of generation of the cipher text can be determined directly or indirectly if the data obtained by converting the second public key is decided between the data obtained by converting the first public key and the data obtained by converting the second public key.
The data obtained by converting the second public key can be determined from the secret key paired with the second public key.
Therefore, the data obtained by converting the first public key and used as the parameter at the time of generation of the cipher text can be determined by a possessor of the secret key paired with the second public key from the data value satisfying the predetermined relational expression.
Accordingly, it is possible to decipher the cipher text without a secret key paired with the first public key. In other words, even if one's own secret key (or the secret key paired with the first public key) is not deposited in a third party or key preserving facility other than oneself, it becomes possible for a possessor of a secret key paired with the second public key to perform key recovery.
As mentioned earlier, in the conventional key recovery system, one's own secret key must be deposited in a key preserving facility other than oneself. In this case, it is necessary that the secret key should be deposited in the key preserving facility in such a manner that the confidentiality can be ensured. This requires much labor, time and/or cost. Particularly, in the case where the secret key is divisionally deposited in a plurality of key preserving facilities, a considerable burden is imposed on the user.
In the first aspect of the present invention, on the other hand, it is possible to eliminate such a labor, time and/or cost, thereby reducing the burden imposed on the user.
In the first aspect of the present invention, the secret key paired with the second public key may be held by a plurality of information processors in a plurality of parts so that it is resortable through a predetermined operation for those parts. In this case, it is preferable that at least one of the plurality of information processors restores the secret key by performing the predetermined operation for the secret key parts possessed by the plurality of information processors and uses the restored secret key to determine the data obtained by converting the second public key. Thereby, it becomes possible for the receiving side to acquire the data obtained on the transmitting side by converting the second public key.
According to a second aspect of the present invention, there is provided a key recovery method of recoverin
Kurumatani Hiroyuki
Takaragi Kazuo
Antonelli Terry Stout & Kraus LLP
Hayes Gail
Hitachi , Ltd.
Seal James
LandOfFree
Key recovery method and system does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Key recovery method and system, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Key recovery method and system will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2488066