GB2401006A - Cryptographic method and apparatus - Google Patents

Cryptographic method and apparatus Download PDF

Info

Publication number
GB2401006A
GB2401006A GB0309157A GB0309157A GB2401006A GB 2401006 A GB2401006 A GB 2401006A GB 0309157 A GB0309157 A GB 0309157A GB 0309157 A GB0309157 A GB 0309157A GB 2401006 A GB2401006 A GB 2401006A
Authority
GB
United Kingdom
Prior art keywords
data
party
key
encryption key
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0309157A
Other versions
GB0309157D0 (en
Inventor
Liqun Chen
Martin Sadler
Keith Alexander Harrison
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Development Co LP filed Critical Hewlett Packard Development Co LP
Priority to GB0309157A priority Critical patent/GB2401006A/en
Priority to GB0311786A priority patent/GB2401009A/en
Publication of GB0309157D0 publication Critical patent/GB0309157D0/en
Priority to DE602004001273T priority patent/DE602004001273T2/en
Priority to EP04252330A priority patent/EP1471680B1/en
Priority to US10/831,549 priority patent/US7574596B2/en
Publication of GB2401006A publication Critical patent/GB2401006A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Algebra (AREA)
  • Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

First data to be sent by a first party (20) to a second party (30) is encrypted using an encryption key that comprises a hash value generated using second data and a secret, shared with a trusted party (40), that serves as identification of the first party (20). The second data comprises, for example, one or more conditions that serve as identifiers of the second party (30), and a hash-value element generated by hashing the first data. The encrypted first data and the encryption key is made available to the second party (20) which forwards the encryption key to the trusted party (40) with a request for the corresponding decryption key. The trusted party (40) carries out at least one check on the basis of data contained in the encryption key and, if this at least one check is satisfactory, provides a decryption key to the second party.

Description

2401 006 Cryptographic Method and Apparatus
Field of the Invention
The present invention relates to cryptographic methods and apparatuses and, in particular, but not exclusively, to such methods and apparatuses that use Identifier-Based Encryption.
Background of the Invention
Identifier-Based Encryption (IBE) is an emerging cryptographic schema. In this schema (see Figure 1 of the accompanying drawings), a data provider 10 encrypts payload data 13 using an encryption key string 14 and public data 15 provided by a trusted authorityl2; the data provider 10 then provides the encrypted payload data <13> to a recipient 11 who decrypts it using a decryption key 16 provided by the trusted authority together with the latter's public data. The trusted authority's public data is derived by the authority using private data 17 and a one-way function 18. Important features of the IBE schema are that any kind of string (including a name, a role, etc.) can be used as an encryption key string 14, and that the generation of the decryption key 16 is effected by the trusted authority (process 19) using the encryption key string 14 and its private data 17, enabling the generation of the decryption key 16 to be postponed until needed for decryption.
A number of IBE algorithms are known, one of which is the "Quadratic Residuosity" (QR) method described in the paper: C. Cocks, "An identity based encryption scheme based on quadratic residues", Proceedings ofthe 8th IMA International Conference on Cryptography and Coding, LNCS 2260, pp 360-363, Springer-Verlag, 2001. A brief description of this form of IBE is given below.
In the QR method, the trusted authority's public data 15 comprises a value N that is a product of two random prime numbers p and q, where the values of p and q are the private data 17 ofthe trusted authority 12. The values of p and q should ideally be in the range of 25t and 25 [2 and should both satisfy the equation: p, q = 3 mod 4. However, p and q must not have the same value. Also provided is a hash function # which when applied to a string returns a value in the range O to N-l.
Each bit m of the user's payload data 13 is then encrypted as follows: The data provider 10 generates random numbers t+ (where t+ is an integer in the range [0, 2N]) until a value of t+ is found that satisfies the equationjacobi(t+,N)=m, where m has a value of -I or I depending on whether the corresponding bit of the user's data is O or I respectively. (As is well known, thejacobi function is such that where x2 --#mod N the Jacobi (#, N) = -1 if x does not exist, and = 1 if x does exist). The data provider 10 then computes the value: s+_ (t++#(encryption_keystring) /t+)modN where s+ corresponds to the encrypted value of the bit m concerned.
- Since #(encryption_keystring) may be non-square, the data provider additionally generates additional random numbers t (integers in the range [0, 2N)) until one is found that satisfies the equationjacob'(t,N)=m. The data provider 10 then computes the value: s -- (t -#(encryption_keystring) /t)modN as the encrypted value of the bit m concerned.
The encrypted values s+ and s for each bit m of the user's data are then made available to the intended recipient I 1, for example via e-mail or by being placed in a electronic public area; the identity ofthe trusted authority 12 and the encryption key string 14 will generally also be made available in the same way.
The encryption key string 14 is passed to the trusted authority 12 by any suitable means; for example, the recipient 11 may pass it to the trusted authority or some other route is used - indeed, the trusted authority may have initially provided the decryption key string. The trusted authority 12 determines the associated private key B by solving the equation: B2 _ #(encryption_keystring)modN ("positive" solution) If a value of B does not exist, then there is a value of B that is satisfied by the equation: B2 _ - #(encryption_keystring)modN ("negative" solution) As N is a product oftwo prime numbers p, q it would be extremely difficult for any one to calculate the decryption key B with only knowledge of the encryption key string and N. However, as the trusted authority 12 has knowledge of p and q (i.e. two prime numbers) it is relatively straightforward for the trusted authority 12 to calculate B. Any change to the encryption key string 14 will result in a decryption key 16 that will not decrypt the payload data 13 correctly. Therefore, the intended recipient 11 cannot alter the encryption key string before supplying it to the trusted authority 12.
The trusted authority 12 sends the decryption key to the data recipient 11 along with an indication of whether this is the "positive" or "negative" solution for B. If the 'positive" solution for the decryption key has been provided, the recipient 11 can now recover each bit m of the payload data 13 using: m = jacobi(s++2B,N) If the "negative" solution for the decryption key B has been provided, the recipient 11 recovers each bit m using: m=jacobi(s +2B,N) Other IBE algorithms are known such as the use of Well or Tate pairings - see, for example: D. Boneh, M. Franklin "Identity-based Encryption from the Well Pairing" in Advances in Crvptology - CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
One application of IBE encryption is to enable the data provider 10 to provide encrypted payload data over an unprotected communications path for receipt and decryption by a recipient 11 that meets certain conditions, namely condition 1 and condition 2. These conditions serve to identify the intended recipient and can therefore be considered as the recipient's identifiers. To ensure that only recipients that match the identifiers can read the payload data 13, the conditions are placed in the IBE encryption key string 14 and sent along with the encrypted payload data. Upon receipt, the data receiver 11 passes the encryption key string to the trusted authority 12 with a request for the corresponding IBE decryption key 16. The trusted authority 12 onlyprovides the decryption key (over a secure channel) if satisfied that the conditions 1 and 2 included in the encryption key are met by the requesting data receiver 11.
The foregoing example exhibits a number of potential drawbacks. More particularly, the conditions (the identifiers of the intended data receiver) are transmitted in clear which may be undesirable. Furthermore, there is no sender authentication check enabling the recipient to reliable know who sent the message, nor any integrity check for the payload data; of course, these latter drawback could be overcome by the use of digital signatures and public key certificates based on RSA asymmetric key cryptography but this involves substantial additional cryptographic processing by the data receiver and a public key infrastructure (PKI) for supporting the use of public key certificates.
It is an object of the present invention to obviate one or more of the following drawbacks with no or minimal additional cryptographic processing by the data receiver.
Summary of the Invention
According to one aspect of the present invention, there is provided a data encryption method comprising encrypting first data using both: - an encryption key comprising a hash value generated using second data and a secret, shared with a trusted party, that serves as identification of the first party; and - public data provided by the trusted party and derived thereby using private data.
According to another aspect of the present invention, there is provided a data encryption method comprising encrypting first data using both: - an encryption key comprising: - a first component comprising the public key of a public/private key pair associated with the first party and the private key of which is available to the trusted party; - a second component comprising none, one or more non-confidential conditions serving as identifiers of an intended recipient of the first data; - a third component comprising a hash value generated using the private key of said public/private key pair and second data comprising said non- confidential conditions if any, one or more confidential conditions that also serve as identifiers of said intended recipient, and a hash-value element generated by hashing the first data; and - a fourth component formed by encrypting data comprising said confidential conditions if any, and said hash-value element generated by hashing the first data; and - public data provided by the trusted party and derived thereby using private data.
According to a further aspect of the present invention, there is provided a data transfer method comprising: - encrypting first data at a first party using an encryption method according to either of the preceding two paragraphs and sending the encrypted first data and the encryption key to a second party; - providing the encryption key from the second party to the trusted party; - at the trusted party, carrying out at least one check on the basis of data contained in the encryption key and, if said at least one check is satisfactory, providing a decryption key to the second party, this decryption key being generated by the trusted party using the encryption key and its private data.
By using an encryption key that comprises a hash value generated using second data and a secret shared by the first party and the trusted party, provided the trusted party also has access to the elements making up the second data, the trusted party can check that the second data is associated with the party identified by the shared secret. Preferably, the second data comprises a hash of the first data thereby enabling the trusted party to assure the second party about the origin of the message and provide it with the means for checking its integrity.
The present invention also envisages apparatus for carrying out the encryption method of the invention, and apparatus for carrying out the actions of the trusted party according to the data transfer method of the invention. The present invention further envisages a computer program product for conditioning programmable apparatus for carrying out the encryption method of the invention, and a computer program product for conditioning programmable apparatus for carrying out the actions of the trusted party according to the data transfer method of the invention. s
Brief Description of the Drawings
Embodiments of the invention will now be described, by way of nonlimiting example, with reference to the accompanying diagrammatic drawings, in which: Figure I is a diagram illustrating the operation of a prior art encryption schema known as Identifer-Based Encryption; Figure 2 is a diagram of a system embodying the present invention; and Figure 3 is a flow chart of a process carried out by a trusted authority of the Figure 2 system.
Best Mode of Carrying Out the Invention Figure 2 illustrates a system embodying the present invention, the system comprising a first computing entity 20 associated with a data provider party; a second computing entity 30 associated with a data receiver party; and a third computing entity 40 associated with a trusted authority. The computing entities 20, 30 and 40 are typically based around general purpose processors executing stored programs but may include dedicated cryptographic hardware modules. The computing entities 20,30 and 40 inter-communicate as needed (see arrows 50-53) via, for example, the internet or other network, though it is also possible that at least some of the entities actually reside on the same computing platform.
In the following, references to the data provider, data receiver and the trusted authority are generally used interchangeably with references to their respective computing entities 20,30 and 40.
In functional terms, the data-provider entity 20 comprises a communications module 24 for communicating with the entities 30 and 40, a control module 21 for controlling the general operation of the entity 20, and a cryptographic module 22 for executing certain cryptographic functions comprising a hash function and an IBE encryption function.
The data-receiver entity 30 comprises a communications module 34 for communicating with the entities 20 and 40, a control module 31 for controlling the general operation of the entity 30, and a cryptographic module 32 for executing certain cryptographic functions comprising a hash function (the same as that used by the entity 20) and an IBE decryption function.
The trusted authority entity 40 comprises a communications module 48 for communicating with the entities 20 and 30, a control module 41 for controlling the general operation of the entity 40, a cryptographic module 42 for executing certain cryptographic functions, a condition checking module 43, and a user registration module 44. The cryptographic module 42 is arranged to implement both a hash function (the same as that used by the entity 20) and an IBE decryption function; in addition, the module 42 includes a unit 45 for generating an IBE decryption key using both a supplied encryption key and private data securely held in local store 46.
The system employs Identifier-Based Encryption with the computing entities 20,30 and 40 having, in respect of IBE encryption/decryption, the roles of the data provider 10, data recipient 11 and trusted authority 12 ofthe Figure 1 IBE arrangement. The IBE algorithm used is, for example, the QR algorithm described above with respect to Figure 1 with the private data held in store 46 being random prime numbersp,q and the corresponding public data being number N. Consider the situation where the data provider 20 wishes to encrypt message data ("msg") for sending over an unprotected communications path for receipt and decryption by a recipient that meets certain conditions, namely Condition 1 and Condition 2. These Conditions l and 2 are unknown to the data receiver 30 and the data provider 20 wishes to keep Condition 2 confidential from the data receiver 30.
It is assumed that the data provider 20 has previously registered with the trusted authority and obtained (see arrow 50) a public / private key pair K20pUb',c / K20pnVac where K20pUb',c is simply a public identifier of provider 20 (such as a name) and K20pr,Vae is the IBE decryption key formed by the trusted authority using the K20pUb'c as an IBE encryption key and its private data p,q. The user registration module 44 is responsible at the time of registration for ensuring that the public key K20pUb',c is a correct identifier of the data provider 20; the module 44 is also arranged to keep a record of currently valid registered users.
To encrypt the message data msg. the data provider 20 first forms an IBE encryption key KENC comprising: K20publc 10:: Condition 1 :: H(K20pr,Vae:: H(msg) :: nonce:: Condition 1:: Condition 2) :: E(K20pUb',c, N.; (H(msg) :: nonce:: Condition 2)) where: - :: means concatenation, - H(x) means the hash of data x using any suitable hash function such as SHA1, - E(k,n;y) means the IBE encryption of data y using encryption key k and the public data n of a trusted authority, and - a nonce is a one-time use random number selected by the data provider 20 and provided for freshness.
The process of forming the encryption key KENC is carried out by the cryptographic module 22 under the direction of the control module 21.
As can be seen, whilst Condition I is visible in the encryption KENC, the Condition 2 only appears in encrypted form. Furthermore, the encryption key KENC includes a hash of the message data msg. and a hashed quantity that includes both the data-provider's private key K20pr,Vae and the message data hash; as will be seen hereinafter, this enables the trusted authority 40 to check the origin of the encryption key KENC and the integrity of the message hash.
After the key KENC has been generated, the control module 21 causes the cryptographic module 22 to use the key and the trusted authority's public data N to encrypt the message data msg. The encrypted data and the encryption key KENC are then made available by the communications module 24 to the data receiver 30 (see arrow i 11 On receiving the encrypted message data and the encryption key KENC, the control module 31 of the data receiver 30 may, if it understands the structure of the encryption key, examine the identity K20pUb,c of the data provider 20 and the unencrypted Condition 1. If the data receiver determines that it wants to read the message data and that it meets Condition 1, or if the data receiver decides to proceed without checking Condition 1 (for example, because it does not know the structure ofthe encryption key), the control module 31 causes the encryption key KENC to be sent (arrow 52) to the trusted authority 40 with a request for the corresponding decryption key KDEC On receipt ofthe request from the data receiver 30 for the decryption key KDEc, the control module 41 of the trusted authority 40 oversees the processing represented by the flow chart of Figure 3. More particularly, the control module 41 first parses (step 61) the encryption key KENC provided with the request into its four constituent components (the four concatenated components listed above) - this typically being done on the basis of predetermined separators inserted between the concatenated components.
Next, the control module 41 passes the component formed by the data provider's public key K20pUbc to the module 44 in order to determine whether the data provider 20 is still a valid registered user ofthe services ofthe trusted authority40 (step 62). If this check fails, a negative response is returned to the requesting data receiver 30 (step 72) and processing terminates; otherwise processing proceeds. In fact, the trusted authority 40 may decide to skip this check and simply proceed directly to the following processing steps.
The next processing step (step 63) involves the control module 41 passing the Condition 1 component extracted from the encryption key KENC to the condition checking module 43 for it to determine whether the data receiver 30 satisfies this condition. Condition checking may involve the consultation of internal andlor external databases and/or the interrogation of the data receiver 30 (for which purpose the latter may be implemented on a trusted computing platform). If this check fails, a negative response is returned to the requesting data receiver 30 (step 72) and processing terminates; otherwise processing proceeds.
The following step (step 64) involves the control module 41 obtaining the data provider's private key K20pr'Vae Whilst this key could have been stored in the user registration module 44 and retrieved against the data provider's public key K20pub,c (as extracted from the encryption key KENC) , it is simpler to have the key generation unit 45 regenerate the K20pr, Vae using the data provider's public key K20pUb',c and the private data p, q held in storage 46.
Once the private key K20pr,vae has been obtained, it is used (step 65) to decrypt the encrypted component of the encryption key KENC in order to reveal: H(msg) :: nonce:: Condition 2 this expression thereafter being separated into its three constituent elements.
Next, the control module 41 passes the now-decrypted Condition 2 to the condition checking module 43 for it to determine whether the data receiver 30 satisfies this condition (step 66). If this check fails, a negative response is returned to the requesting data receiver (step 72) and processing terminates; otherwise processing proceeds.
Following the successful check of Condition 2, the control module 41 causes the hash: H(K20pr,Vae:: H(msg) :: nonce:: Condition 1:: Condition 2) to be recomputed (step 67) using the key K20pnvae obtained in step 64, the values of H(msg), the nonce and Condition 2 obtained by the decryption in step 65 of the encrypted data contained in KENC, and the Condition 1 obtained in step 61 from parsing KENC. This re-computed hash value is then compared (step 68) with the corresponding component contained in the encryption KENC. If these hash values are different then clearly something is wrong and a negative response is returned to the requesting data receiver 30 (step 72) and processing terminates.
However, if the hash values match, the trusted authority 40 accepts that the data provider is the entity associated with the private key K20pr,Vae and thus with the public key K20pUb',c; the trusted authority also accepts that the message hash H(msg) is reliable. The control module 41 now causes the key generation unit 45 to compute (step 69) the decryption key KDEC using the encryption key KF.NC and the private data p,q. Finally, the trusted authority returns (step 70) the decryption key KDEC together with H(msg) to the data receiver 30 (see arrow 53, Figure 2).
It will be appreciated that the ordering of the checking steps 62, 63, 66 and 68 relative to each other and to the other steps of the Figure 3 is not critical (subject to the items concerned having become available) save that the steps 62, 63, 66 and 68 need to be carried out before the decryption key KDEC is sent to the data receiver in step 70.
On receiving the decryption key KDEC the data receiver 30 uses it to decrypt the encrypted message data after which it computes the hash of the message and compares it with that received from the trusted authority 40 as a final check on the message integrity. The data receiver 30 now has the integrity-checked decrypted message and can be sure that the trusted authority 40 is happy that the data provider 20 is as identified by the public key K20pUb,c included in clear in the encryption key KENC.
In the foregoing process, the only additional burden placed on the data receiver 30 is the message integrity check involving forming a hash ofthe message and comparing it with the message hash supplied by the trusted authority 40; otherwise, the functioning of the data receiver 30 is exactly as for any basic IBE system with the data receiver 30 passing the encryption key KENC to the trusted authority 40 and receiving back the decryption key KDEC. If the data receiver is prepared to pass the encrypted message to the trusted authority, then even the message integrity check can be carried out by the trusted authority.
The process described above with respect to Figures 2 and 3 not only provides the advantages of data-provider authentication carried out by the trusted authority 40, and a check on the integrity ofthe message hash, but also enables the data provider 20 to include a hidden condition (Condition 2 in the example) in the encryption key KENC only visible to the trusted authority 40 and not to the data receiver 30. Whilst the data provider 20 must, of course, know how to form the multi-component encryption key KENC, the data receiver 30 need know nothing of the structure of this key, it being relieved of this burden by the trusted authority 40. Placing all the provider authentication and message integrity components into the encryption key KFNc intimatelyties these components to the encrypted message data.
Many variants are possible to the above-described embodiment. For example, instead of the QR IBE method being used for the encrypting and decrypting the message data msg.
other, analogous, cryptographic methods can be used such as IBE methods based on Well or Tate pairings.
In the above-described embodiment, the dataprovider's public key K20pub', c is used in clear in the encryption key KENC to identify the data provider and to encrypt the encrypted component of the encryption key KENC, whilst the corresponding private key K20pr'Vae is used as an authenticator of the identity of the data provider by its inclusion in the hashed component of the encryption key KENC. Although in the above embodiment this public / private key pair K20pUb,C / K20pr'Vae is an IBE encryption/decryption key pair, this need not be the case and the public/private key pair could, for example, be an RSA public/private key pair. In this case, the private key used to authenticate the data provider 20 cannot be computed in step 64 and must be accessed by look up in a database kept by the user registration module 44 relating private key to the data-provider identifier, such as the public key, included in clear in the encryption key KENC. A potential drawback of using an RSA public/private key pair is that if the public key is used as the in-clear data-provider identifier included in the encryption key KENC, the realworld identity ofthe data provider may not be apparent to the data receiver and will generally need translation. In fact, the in- clear data-provider identifier included in the encryption key KENC need not be the public key of the public/private key pair (whether IBE or RSA based) but can be any valid identity for the data provider that is known and accepted by the trusted authority as corresponding to the private key it holds for the data provider 20.
It is also possible to use a symmetric key known only to the data provider and the trusted authority to form the encrypted component of the encryption key KENC and for inclusion in the hashed component in place of K20pr,vae. In this case, the in-clear identifier of the data provider that is included in the encryption key KENC would not, of course, be this key but would be an identifier known by the trusted authority as associated with the data provider and thus with the symmetric key concerned.
It may be noted that the key used for encrypting the encrypted component ofthe encryption key KENC need not be cryptographically related to the key used in the hashed component of KENC - all that is required is that the key used for encrypting the encrypted component of the encryption key KENC is confidential to the data provider 20 and the trusted authority 40 and is known by the latter to belong to the same party as the key used in the hashed component of the key KENC.
It may also be noted that where there are only a few users registered with the trusted authority, it would be possible to omit the first component K20pUb,c (or other in-clear identifier of the data provider 20) and simply arrange for the trusted authority 40 to try out the keys / key pairs of all registered users to see if the message came from a registered user.
If a key / key pair was found that both sensibly decrypted the encrypted component of KENC and gave rise to a computed hash matching the hashed component of KENC, the identity of the data provider can be considered as established and can be passed to the data receiver if the latter needed to know this identity.
As already indicated, the form of encryption key KENC described above with reference to Figures 2 and 3 serves at least three purposes besides encryption of the message data msg; more particularly, it provides for passing a condition in confidence to the trusted authority, for authentication of the data provider to the trusted authority, and for the transmission and checking of message integrity data (the message hash). However, where only one or two of these functions is required, the form of the encryption key KENC can be simplified.
Considering first the authentication of the data provider, this is achieved by including in the encryption key KENC a hash of a shared secret known to the data provider 20 and the trusted authority 40; in the illustrated embodiment this shared secret is the private key K20pr,Vae but, as discussed, could be an RSA private key of the data provider or a symmetric key, or indeed any shared secret. The presence in the encryption key of the Conditions I and 2 is not relevant to this data- provider authentication function so that the example encryption key KENC given above can be reduced to: K20publc :: H(K20pr,Vate:: H(msg) :: nonce) 5:: E(K2OpUbl,c, N.; (H(msg) :: nonce)) As already noted, where there are only a few users registered with the trusted authority, the first component K20pUb,c can be omitted. Furthermore, the nonce could be omitted from both the encrypted and hashed components of KENC provided freshness was not required.
However, retention of the message hash H(msg) in both the hashed component and the encrypted (or, alternatively, in the in-clear) component of KENCis necessary where it is desired to retain a link between the originator identity established for the encryption key KENC and a message encrypted with this key- removal ofthe message hash H(msg) would enable the encryption key KENC to be used by a third party for encrypting a message which might then appear to come from the data provider 20 in view of the latter's identity being embedded in the encryption key KENC. In fact, it is possible to envisage circumstances where the original ofthe encryption key KENc is of asignificance independent ofthe origin of a message encrypted with that key. For example, where the encryption key KENC includes one or more conditions in clear and/or in the encrypted component, then these may represent standard terms and conditions of a party which wishes to establish this fact independently of any message encrypted with the encryption key; in this case, the conditions (or a hash of the conditions) would need to be included in the hashed component of the encryption key to enable a check on their integrity. Where only non confidential conditions were involved, such as Condition 1, then the encryption key KENC K20publc :: Condition 1 :: H(K20pr,Vae:: nonce:: Condition 1) :: E(K20pUb,c, N; nonce) If the nonce is not required, then the encrypted component can be omitted. The condition or conditions included in such an encryption key can be replaced, or supplemented, by other data not intended to be an identifier of the data receiver 30 such as data about the data provider 20. This other data can, like the conditions, be included in clear andlor in the encrypted component and should also be included, directly or after hashing, in the hashed component if it is to be linked to the originator identity established for the encryption key KENC.
Rather than using an un-keyed hash function such as SHAI, it is possible to use a keyed hash such as HMAC with the private key K20prvae (or other shared secret) being the hash key used for hashing the other element or concatenated elements ofthe hashed component.
In this case, the trusted authority would use the same keyed hash function in seeking to compute a hash value matching that in the encryption key KENC If the identity of the data provider is not an issue, then the encryption key KENC of the illustrated embodiment reduces to: K20publc 15:: Condition 1 :: H(H(msg) :: nonce:: Condition I:: Condition 2) :: E(K20pUb',c, N.; (H(msg) :: nonce:: Condition 2)) leaving only the elements forming the identifiers of the data receiver (Conditions I and 2) and those concerned with the message integrity (the in-clear component K20pub'c is retained to facilitate the trusted authority obtaining the key K20pr,vae for decrypting the encrypted component, though as already discussed, in appropriate circumstances the component K20pUb,c can be omitted). If only message integrity is of interest (for example, if there are no conditions), then the hashed component ofthis reduced form ofthe encryption key KENC can be removed leaving: K20publc :: E(K20pUb'c, N; (H(msg) :: nonce)) In fact, since K20pUb,c is public, encrypting the message hash does not serve much purpose as anyone wishing to provide a substitute message for that originally sent can also change the message hash and encrypt it accordingly. However, if the message hash, with or without the addition of a nonce, is encrypted using a private key (whether of a public/private key pair or a secret symmetric key) the message hash is protected from change and serves its purpose of providing a message integrity check for the original message. Rather than using the private key to encrypt the message hash, it can be used to form a keyed hash, such as HMAC, ofthe message. The trusted authority can be arranged to determine the correct private key to use for checking either by trial and error through a limited set of such keys, or by the inclusion in the encryption key KENC of a suitable indicator in clear.
Whether the message hash is included in a protected form or another form (such as in clear or encrypted with a public key) in the encryption key KENC, its inclusion permits detection of non malicious changes in the encrypted message such as may result from problems in the communications path. At its simplest, inclusion of the message hash, in clear or in a derived form, into the encryption key KENC provides a link between the encryption key and the message giving rise to the included hash value. Whilst this does have utilitywithout the addition of further data into the encryption key, it is primarily of interest for associating such further data included in the key KENC with the message, this further data being, for example, identity information of the data provider and/or data receiver as has already described.
As regards the inclusion in the encryption key KENC of conditions serving to identify the data receiver, it will be appreciated that the number of in-clear and encrypted conditions can be varied from that described above for the illustrated embodiment. Thus, there maybe none, one or more inclear conditions and none, one or more encrypted conditions, in any combination. Furthermore, where the conditions are already known to the data receiver 30, the conditions need not be included as such in the encryption key KENc but they should still included in the hashed component to enable the trusted authority to confirm that the conditions passed to it by the data receiver correspond to those intended by the data provider and included in the hashed component. In this case, for the illustrated embodiment, the encryption key KENC reduces to: K20publc :: H(K20pnVac:: H(msg) :: nonce:: Condition 1) 30:: E(K20pUb,c, N; (H(msg) :: nonce)) there being no Condition 2 as this example only involves conditions known to the data receiver. If the data- provider identity information and message hash data are not required and the nonce is omitted, the encryption key KENC further reduces to: H(Condition 1) This is of value because it ensures that the data receiver can only read the encrypted message data supplied by the data provider if it presents, and satisfies, the correct condition 1 to the trusted authority. The data receiver cannot alter the hash value to match a different condition as this would result in a decryption key KDF.C that would not serve to decrypt the received encrypted message data.
It may be noted that it is possible to achieve a similar result to that of the foregoing paragraph without using an IBE schema for the encryption and decryption keys KENC, KDEC Consider a situation where the trusted authority has a secret key KT which it uses to generate a secret key KP for the data provider 20 (the subscript "p" here standing for the data Provider): KP = HMAC(K], identifier of data provider) This enables the data provider 20 to generate a symmetric key KPR: KPR = HMAC(KP, identifier of data receiver) where the identifier of the data receiver is the Condition 1. The key KPR is then used with a symmetric encryption algorithm to encrypt the message data which the data provider then sends, along with its identifier, to the data receiver. In order for the data receiver to obtain the key KPR for decrypting the message data, it must provide its identifier (Condition 1) and that of the data provider to the trusted authority who can now compute the key KPR as it already knows KP or can re-compute it; assuming that the data receiver meets the Condition 1, the trusted authority then returns the key KPR to the data receiver to enable the latter to decrypt the encrypted message data. If the data receiver supplies a modified Condition 1, the resultant key will not decrypt the encrypted message data. By also sending a hash of the key KPR, the data provider can provide assurance to the trusted authority that KPR has been created by the data provider.
With regard to the above-described reduced forms of the encryption key KENC, it will be understood by persons skilled in the art that the Figure 3 process carried out by the trusted authority is appropriately modified to omit any unnecessary computation or checks and to effect any changes needed to take account of the changed form of the encryption key KENC It will also be understood by persons skilled in the art that where elements are concatenated before being operated upon by a hashing or encryption function, the order of concatenation can be varied from that described above provided that the ordering is used consistently (for example, the trusted authority 40,when computing the hash value in step 67 of Figure 3, must use the same ordering of the concatenated elements as used by the data provider 20 when generating the encryption key KENC).

Claims (27)

1. A data encryption method comprising encrypting first data using both: an encryption key comprising a hash value generated using second data and a secret, shared with a trusted party, that serves as identification of the first party; and - public data provided by the trusted party and derived thereby using private data.
2. A method according to claim 1, wherein said hash value is generated by hashing a concatenation of the shared secret and the second data.
3. A method according to claim 1, wherein said hash value is generated using a keyed hash function with the shared secret forming the key used by this function and the second data forms the data operated on by the keyed hash function.
4. A method according to any one of the preceding claims, wherein the shared secret comprises the private key, generated by the trusted party, of a public/private key pair associated with the first party.
5. A method according to any one of claims 1 to 3, wherein the shared secret comprises a symmetric key.
6. A method according to any one of the preceding claims, wherein the second data comprises a hash-value element generated by trashing the first data, this hash-value element being included in the encryption key either in clear or in encrypted form for recovery by the trusted party.
7. A method according to any one of the preceding claims, wherein the second data comprises at least one condition serving as an identifier of an intended recipient ofthe first data.
8. A method according to claim 7, wherein a said condition is included in clear in the encryption key.
9. A method according to claim 7 or claim 8, wherein a said condition is included in encrypted form in the encryption key for recovery by the trusted party.
10. A method according to any one of the preceding claims, wherein the second data comprises a nonce, this nonce being included in encrypted form in the encryption key for recovery by the trusted party.
11. A method according to any one of claims I to 5, wherein the encryption key further comprises encrypted third data for recovery by the trusted party, this third data comprising at least one element in common with the second data where said at least one element comprises one or more of the following elements: - a hash-value element generated by hashing the first data; - at least one confidential condition serving as an identifier of an intended recipient of the first data; - a nonce.
12. A method according to claim 11, wherein the third data is encrypted using the public key of a public / private key pair associated with the first party where the private key of the key pair is available to the trusted party.
13. A method according to any one of the preceding claims, wherein the encryption key further comprises an identifier of the first party in clear.
14. A method according to claim 11, wherein the identifier is the public key of a public / private key pair associated with the first party, the private key of which forms the said shared secret.
15. A data encryption method comprising encrypting first data using both: - an encryption key comprising: - a first component comprising the public key of a public/private key pair associated with the first party and the private key of which is available to the trusted party; - a second component comprising none, one or more non-confidential conditions serving as identifiers of an intended recipient of the first data; - a third component comprising a hash value generated using the private key of said public/private key pair and second data comprising said non- confidential conditions if any, one or more confidential conditions that also serve as identifiers of said intended recipient, and a hash-value element generated by hashing the first data; and - a fourth component formed by encrypting data comprising said confidential conditions if any, and said hash-value element generated by hashing the first data; and - public data provided by the trusted party and derived thereby using private data.
16. A method according to any one of the preceding claims, wherein the encryption process effected using said encryption key and the public data of the trusted party is an identifier-based cryptographic process utilising quadratic residuosity.
17. A method according to any one of claims I to 15, wherein the encryption process effected using said encryption key and the public data of the trusted party is an identifier based cryptographic process utilising Well or Tate pairings.
18. Apparatus for carrying out the encryption method of any one of claims 1 to 17.
19. A computer program product for conditioning programmable apparatus for carrying out the encryption method of any one of claims I to 17.
20. A data transfer method comprising: - encrypting first data at a first party using an encryption method according to any one of claims 1 to 17 and sending the encrypted first data and the encryption key to a second party; - providing the encryption key from the second party to the trusted party; - at the trusted party, carrying out at least one check on the basis of data contained in the encryption key and, if said at least one check is satisfactory, providing a decryption key to the second party, this decryption key being generated by the trusted party using the encryption key and its private data.
21. A method according to claim 20, wherein said at least one check comprises a check on the hash value contained in the encryption key, this check comprising: - extracting the constituent elements of said second data from the encryption key, including by effecting any required decryption, and re- forming the second data; - obtaining said shared secret by lookup in a data store or by regeneration; - using the re-formed second data and the obtained shared secret to compute a hash value; comparing the hash value computed by the trusted party with that contained in the encryption key; the check being satisfactory if the compared values match.
22. A method according to claim 20 or 21, wherein the encryption key includes at least one said condition, the trusted party extracting said at least one condition from the encryption key including by effecting any required decryption; said at least one check comprising a check that the or each said at least one condition is met by the second party.
23. A method according to claim 21, wherein the encryption key includes at least one said condition which also forms an element ofthe second data, the trusted party extracting said at least one condition from the encryption key including by effecting any required decryption; the trusted party, as well as carrying out the hash value check, also carrying out a said check to check that the or each said at least one condition is met by the second party.
24. A method according to claim 21, wherein the second data comprises at least one said condition that is not included as such in the encryption key, the second party passing the or each such condition to the trusted party, the trusted party carrying out the hash value check with the or each said condition supplied by the second party being used in re-forming the second data, and the trusted party carrying out a further said check to check that the or each said at least one condition is met by the second party.
25. A method according to any one of claims 20 to 24, wherein said encryption key includes the hash of the first data in encrypted form and wherein in the event said at least I O one check is satisfactory, the trusted party passes the decrypted hash ofthe first data to the second party along with the decryption key; the second party, after decrypting the first data, checking its integrity by calculating its hash and comparing this calculated value with that provided by the trusted party.
26. Trusted party apparatus for carrying out the trusted party actions of the method of any one of claims 20 to 25.
27. A computer program product for conditioning programmable apparatus for carrying out the trusted party actions of the method of any one of claims 20 to 25.
GB0309157A 2003-04-23 2003-04-23 Cryptographic method and apparatus Withdrawn GB2401006A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
GB0309157A GB2401006A (en) 2003-04-23 2003-04-23 Cryptographic method and apparatus
GB0311786A GB2401009A (en) 2003-04-23 2003-05-22 Identifier-based encryption
DE602004001273T DE602004001273T2 (en) 2003-04-23 2004-04-21 Method and device for identification-based encryption
EP04252330A EP1471680B1 (en) 2003-04-23 2004-04-21 Identifier-Based Encryption method and apparatus
US10/831,549 US7574596B2 (en) 2003-04-23 2004-04-22 Cryptographic method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0309157A GB2401006A (en) 2003-04-23 2003-04-23 Cryptographic method and apparatus

Publications (2)

Publication Number Publication Date
GB0309157D0 GB0309157D0 (en) 2003-05-28
GB2401006A true GB2401006A (en) 2004-10-27

Family

ID=9957116

Family Applications (2)

Application Number Title Priority Date Filing Date
GB0309157A Withdrawn GB2401006A (en) 2003-04-23 2003-04-23 Cryptographic method and apparatus
GB0311786A Withdrawn GB2401009A (en) 2003-04-23 2003-05-22 Identifier-based encryption

Family Applications After (1)

Application Number Title Priority Date Filing Date
GB0311786A Withdrawn GB2401009A (en) 2003-04-23 2003-05-22 Identifier-based encryption

Country Status (1)

Country Link
GB (2) GB2401006A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7895666B1 (en) * 2006-09-01 2011-02-22 Hewlett-Packard Development Company, L.P. Data structure representation using hash-based directed acyclic graphs and related method
US11232093B2 (en) * 2012-03-02 2022-01-25 Pure Storage, Inc. Slice migration in a dispersed storage network

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2457491A (en) * 2008-02-15 2009-08-19 Listertalent Ltd Identifying a remote network user having a password

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020164026A1 (en) * 1999-02-11 2002-11-07 Antti Huima An authentication method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1425874B1 (en) * 2001-08-13 2010-04-21 Board Of Trustees Of The Leland Stanford Junior University Systems and methods for identity-based encryption and related cryptographic techniques
GB0216690D0 (en) * 2002-07-18 2002-08-28 Hewlett Packard Co Method and appatatus for encrypting data
GB0221639D0 (en) * 2002-09-17 2002-10-30 Hewlett Packard Co Method and apparatus for printing

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020164026A1 (en) * 1999-02-11 2002-11-07 Antti Huima An authentication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
THE HP TIME VAULT SERVICE - http://www.hpl.hp.com/research/tsl/external%20publications/tech%20reports/HPL-2002-243.pdf *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7895666B1 (en) * 2006-09-01 2011-02-22 Hewlett-Packard Development Company, L.P. Data structure representation using hash-based directed acyclic graphs and related method
US11232093B2 (en) * 2012-03-02 2022-01-25 Pure Storage, Inc. Slice migration in a dispersed storage network
US11934380B2 (en) 2012-03-02 2024-03-19 Pure Storage, Inc. Migrating slices in a storage network

Also Published As

Publication number Publication date
GB0311786D0 (en) 2003-06-25
GB0309157D0 (en) 2003-05-28
GB2401009A (en) 2004-10-27

Similar Documents

Publication Publication Date Title
US7574596B2 (en) Cryptographic method and apparatus
US10903991B1 (en) Systems and methods for generating signatures
US20050005106A1 (en) Cryptographic method and apparatus
US7657037B2 (en) Apparatus and method for identity-based encryption within a conventional public-key infrastructure
US6868160B1 (en) System and method for providing secure sharing of electronic data
US6058188A (en) Method and apparatus for interoperable validation of key recovery information in a cryptographic system
EP1969762B1 (en) Certify and split system and method for replacing cryptographic keys
US7634085B1 (en) Identity-based-encryption system with partial attribute matching
Boyen et al. Identity-based cryptography standard (IBCS)# 1: Supersingular curve implementations of the BF and BB1 cryptosystems
EP1710952B1 (en) Cryptographic Applications of the Cartier Pairing
WO2018236908A1 (en) Secure communications providing forward secrecy
US7986778B2 (en) Cryptographic method and apparatus
EP2359524B1 (en) Method and apparatus for pseudonym generation and authentication
US20100031051A1 (en) Protocol And Method For Client-Server Mutual Authentication Using Event-Based OTP
US20040165728A1 (en) Limiting service provision to group members
EP2807773A1 (en) System and method for securing private keys issued from distributed private key generator (d-pkg) nodes
CN110113150B (en) Encryption method and system based on non-certificate environment and capable of repudiation authentication
CN114448641A (en) Privacy encryption method, electronic equipment, storage medium and chip
US7382877B2 (en) RSA cryptographic method and system
US20050021973A1 (en) Cryptographic method and apparatus
Rasmussen et al. Weak and strong deniable authenticated encryption: on their relationship and applications
GB2401006A (en) Cryptographic method and apparatus
KR100453113B1 (en) Method for producing and certificating id-based digital signature from decisional diffie-hellman groups
GB2401008A (en) Identifier based encryption
Hassouna et al. A New Level 3 Trust Hierarchal Certificateless Public Key Cryptography Scheme in the Random Oracle Model.

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)