WO1999004530A1 - File encryption with key recovery - Google Patents

File encryption with key recovery

Info

Publication number
WO1999004530A1
Authority
WO
Grant status
Application
Patent type
Prior art keywords
key
file
recovery
value
encrypted
Prior art date
Application number
PCT/US1998/014201
Other languages
French (fr)
Inventor
Lee K. Stanton
James F. Chen
Jieh-Shan Wang
Christopher T. Brook
Original Assignee
V-One Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

Tampering with a key recovery key used to provide access to an encrypted file by a key recovery agent is prevented by combining (160) the key recovery key with a hash of the encrypted file and a unique value (110) used to generate the key recovery key (120) and to decrypt the file, thus enabling recovery of the unique value (110) for use in decryption only if the key recovery key has not been tampered with.

Description

FILE ENCRYPTION WITH KEY RECOVERY

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to a file encryption method and system. The invention also relates to a file encryption method and system of the type which uses a strong encryption algorithm based either on a shared secret key or a public key/private key cryptosystem, but which provides for emergency access to the file by legal authorities. The invention further relates to a file encryption method and system in which a "key recovery key" accessible by a key recovery agent is prepended to the encrypted file, and in which tampering with the key recovery key will prevent decryption of the encrypted file.

2. Discussion of Related Art

Current encryption methods and systems, including both shared secret key and public/private key methods and systems, are sufficiently powerful that without the key required to unlock a given message or file, the message or file cannot be recovered, even by law enforcement and national security agencies. To prevent such encryption methods and systems from being used by international criminal or terrorist organizations, or by hostile nations, the U.S. Government has prohibited their export unless provision for emergency access by legal authorities is included.

One solution to the problem of including emergency access to strongly encrypted files is described in U.S. Patent Nos. 5,557,346 and 5,557,765, which are assigned to Trusted Information Systems (TIS). The solution described in these patents, which as disclosed is limited to symmetric or shared secret key based systems, is essentially to encrypt the shared secret key by means of a public key, the corresponding private key of which is held by an escrow or key recovery agent, and to prepend the encrypted secret key to the encrypted file. The effect of the public key encryption of the secret key is to form a "digital lockbox," containing a "spare secret key," as described in TIS promotional literature.

The use of a "digital lockbox" to store the "spare secret key" is only effective so long as the spare secret key contained therein has not been tampered with. As a result, the TIS method and system also includes provision for verifying the authenticity of a "law enforcement access field" (LEAF) containing the spare secret key and for terminating the decryption procedure if the LEAF is not authentic. However, because the secret key protected by the LEAF in the TIS system is a "spare," it is still possible for anyone with the original secret key and access to the encrypted file to decrypt the encrypted file by also tampering with the decryption software so as to simply bypass the step in the decryption process which terminates the decryption procedure when the LEAF is not authentic, even as the party attempting to gain access through the spare key is prevented from doing so. This appears to be a critical flaw in the TIS system, and is the principal problem addressed by the present invention.

There are of course ways to protect decryption software from tampering that would effectively overcome this flaw in the TIS system, allowing use of the basic procedure without compromising security, by encoding the software in tamper-resistant hardware. This was the premise behind the U.S. Government's "clipper initiative," for which the TIS system is promoted as a replacement. In the "clipper" system and method, the encryption and decryption algorithms are kept entirely secret, as are the encryption keys, even from the user, by building the algorithms and keys into an integrated circuit referred to as the "clipper chip." However, for reasons which are described in detail in the TIS patents, including the complete surrender of key control and the requirement that all users purchase the special hardware, the purely software-implemented TIS "digital lockbox" concept offers a far more viable solution to the problem of emergency access than does the clipper initiative. As a result, it would be desirable to overcome the vulnerability of the TIS system to tampering with the decryption software without resorting to a "clipper chip" type hardware solution.

As a result, a need exists for an alternative both to the clipper initiative and to the TIS system, and in particular one which not only detects tampering with the "spare key" through which emergency access to an encrypted file can be obtained, but which also positively prevents decrypting of the encrypted file when the "spare key" has been tampered with without the need to also protect the decryption software from tampering. In addition, it would be desirable to provide a "spare key" system that can be used with a private key/public key cryptosystem, in which the recipient's private key is held only by the recipient, and yet which also prevents decryption when the spare key has been tampered with.

The main flaw in the TIS system can best be understood in connection with Figs. 7 and 8, which schematically and in simplified fashion illustrate the TIS system, and in particular by Fig. 8, which illustrates the decryption portion of the method and system. Basically, the flaw results from the fact that if the results of a tamper detection scheme are ignored, which can be accomplished by modifying block 1 in Fig. 8, then decryption of the encrypted file, which occurs at block 2 in Fig. 8, can be carried out based solely on information already in the possession of the decrypter, namely the original secret key Ks. The TIS patents describe two embodiments, but both suffer from the same defect. On the encryption side, as shown in Fig. 7, after encrypting the message or data file 3 using the secret session key 4 to form EKs(F) at block 5, a LEAF verification string (LVS) is generated based on authentication information, program identifiers, and public keys 6 and encrypted at block 7 to form an encrypted LVS (ELVS) which is prepended to the encrypted data file at block 8 and can then be used to verify the LEAF. The LEAF is formed separately by encrypting the secret key at block 9 and adding verification information and further encryption at block 10.

As shown in Fig. 8, tamper detection is carried out beginning at block 11 by decrypting ELVS using the decrypter's copy of the secret key 12 to recover the authentication information, program identifiers, and public keys 13, which can then be combined with the public key encrypted secret key, generated at block 14, to reconstruct the LEAF (block 15). The reconstructed LEAF is compared with the original LEAF at block 16 and used to decide whether to terminate decryption (block 17) or proceed to recover the original file 18. As is evident from Fig. 8, if the output of the comparator 16, or the decision making step 2, are tampered with, then there is nothing to stop file decryption from being carried out at block 2 based on the secret key 11 which is already in the possession of the decrypting party. The difference between the two embodiments described in the TIS patents lies in the contents of blocks 6 and 13, and the exact manner in which the LVS, ELVS, and LEAF fields are generated or reconstructed at blocks 7, 10, 12, and 15. These details have to do with the manner in which the LEAF is authenticated in order to detect tampering, and do not affect blocks 1, 2, and 16-18 in Fig. 8. In one embodiment, the LVS is constructed by combining a unique program identifier, a public portion of a program unique public key, and a digital signature made up of a combination of the unique program identifier and program unique first public key signed by the key recovery agent. The LVS is encrypted by session key Ks, while the LEAF itself is formed by encrypting the first public key, combining the first public key with the unique program identifier and a program unique first public key, so that the receiver can verify the sender's identity by using the secret key to decrypt the ELVS, check the digital signature using the public portion of key recovery agent's private key, and then recreate the LEAF. 
In the second embodiment described in the TIS patents, the LEAF is generated by splitting the secret key and encrypting the split parts under multiple key recovery agent public keys, and the ELVS is formed by an encrypted concatenation of the secret key parts, with the concatenation again being recovered by decrypting the encrypted leaf verification string, used to reconstruct the LEAF for comparing with the original LEAF prepended to the encrypted file. In both embodiments, the result is a comparison between the reconstructed LEAF and the LEAF prepended to the encrypted file, based on information extracted from the prepended ELVS, the comparison being used to determine whether to proceed with the decryption. No matter how the LEAF is authenticated, if the results of the authentication are ignored, decryption can still be carried out.

Thus, while the procedure described in U.S. Patent Nos. 5,557,765 and 5,557,346 verifies the sender of a message and detects tampering with the LEAF, which corresponds generally to the key recovery key of the present invention, it does not affirmatively prevent the receiver from decrypting the message even if the key recovery key is not verified, because the LEAF is not necessary to the decryption process. Instead, the secret key Ks used to encrypt and decrypt the file is assumed to be possessed by both the sender and receiver or "negotiated" between the sender and receiver (col. 12, lines 47-49 and col. 13, lines 13-15), and by itself is all that is necessary to decrypt the encrypted file.

This ability to alter the LEAF as described above essentially negates the utility of the TIS method and system, since alteration of the LEAF under the TIS system would be undetectable by the key recovery agent until access to the encrypted file was required, at which point the encrypted message might already also be in the possession of a party with possession of the shared secret key, and it would be too late to prevent damage caused by opening the contents of the file to the decrypting party.

SUMMARY OF THE INVENTION

It is accordingly an objective of the invention to provide a file encryption system and method that permits access to the encrypted file by an investigating agency via a key recovery key, and therefore complies with U.S. export regulations, while preventing decryption of the encrypted file if the key recovery key has been tampered with.

It is also an objective of the claimed invention to provide a file encryption system and method of the type described above, in which file decryption is prevented if the key recovery key has been tampered with, thus allowing both detection of tampering and at the same time preventing access to the file by anyone if tampering has occurred, and which also makes it impossible to avoid the decryption prevention features by tampering with the decryption software.

It is a further objective of the invention to provide a file encryption system and method of the type described above, which can be applied to both symmetric (shared secret key) and asymmetric (public key/private key) cryptosystems.

It is yet another objective of the invention to provide a file encryption system and method of the type described above, in which tampering with the decryption software so as to avoid decryption-prevention features is prevented without the need to protect the decryption software by hardware.

In its broadest form, the invention achieves these objectives by basing file encryption and decryption on a unique value and by combining the unique value with the key recovery key in such a manner that the unique value cannot be recovered by the recipient of the file unless the key recovery key has not been tampered with.

In the case of a symmetric cryptosystem, the above objectives are achieved by basing file encryption and decryption on a session key formed from the shared secret key and a unique value, the unique value being generated during the encryption process and combined with the key recovery key so that decryption is only possible when the correct key recovery key is prepended to the file to be decrypted.

In the case of an asymmetric cryptosystem, the above objectives are also achieved by combining the unique value with the key recovery key, except that instead of generating a session key, the file is encrypted by the unique value and the combination of the unique value and the key recovery key is encrypted by a public key of the recipient for prepending to the encrypted file along with the key recovery key.

In a preferred embodiment of a symmetric version of the invention, the session key is a random number or other session specific value or string encrypted by the shared secret key, the key recovery key is the session key encrypted by the key recovery agent's public key, and the encrypted data file is stored with the key recovery key and a tamper-prevention string consisting of a combination of the original random number or other session specific value or string, the key recovery key and a hash of the encrypted data file. To recover the unique value necessary to regenerate the session key without unlocking the key recovery key, the decrypting party must combine the hash of the encrypted file and the key recovery key. If the key recovery key has been tampered with in any way, then the original random number cannot be recovered, no matter how the decryption software is altered.

On the other hand, in a preferred embodiment of the asymmetric version of the invention, the unique value, which could also be a random number or other session specific value or string, is used to encrypt the data file directly, is encrypted by the key recovery agent's public key to form the key recovery key, and is combined with the key recovery key and, optionally, other values such as the hash of the encrypted file, to form an altered unique value which is then encrypted using a public key of the recipient and prepended to the file. The altered unique value is protected because it can only be recovered using the private key of the recipient, while the original unique value necessary to decrypt the file can only be recovered if the key recovery key prepended to the file has not been tampered with.

As a result, according to the principles of the preferred embodiment of the invention, even though the file encryption method and system of the invention utilizes a shared secret key or private key under exclusive control of the user or users, the session key or unique value necessary to decrypt the encrypted file is not shared but rather can only be recovered by the decrypting party if the unique value is known by the decrypter, and the unique value can only be known to the decrypter if the key recovery key prepended to the file is correct. Moreover, the correct key recovery key cannot be recreated by the decrypter in order to reconstruct the original random number or session specific value or string because the key recovery key depends on the original session key or unique value.

Because the method and system of the invention cannot be defeated by collaboration or tampering with the key recovery key and decryption software, it will be understood that the method and system of the invention is equally applicable to encryption of communications between remote parties, and also to encryption of files for storage purposes, for example to protect data on an individual's hard disk, so that if the computer were stolen or data on a server were accessed, it could not be read and become available to others.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a flowchart illustrating the shared secret key based file encryption and key recovery key generating process, as well as the steps by which decryption of the encrypted file is made dependent on the authenticity of the key recovery key in order to prevent tampering, according to the method of a first preferred embodiment of the invention.

Fig. 2 is a flowchart illustrating a file decryption process according to the method of the first preferred embodiment of the invention.

Fig. 3 is a flowchart illustrating a public key/private key based file encryption and decryption process according to the method of a second preferred embodiment of the invention.

Fig. 4 is a schematic depiction of the file encryption process of the first preferred embodiment, and of a system for implementing the preferred encryption process.

Fig. 5 is a schematic depiction of the file decryption process of the first preferred embodiment, and of a system for implementing the preferred decryption process.

Fig. 6 is a schematic depiction of both the file encryption and decryption processes of the second preferred embodiment, and of a system for implementing the preferred processes.

Fig. 7 is a schematic depiction of the prior art TIS file encryption system and method.

Fig. 8 is a schematic depiction of the decryption portion of the prior art TIS file encryption system and method.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In its broadest form, the invention is a method and system in which file encryption and decryption are based on a unique value and the unique value is combined with a key recovery key in such a manner that the unique value cannot be recovered by the recipient of the file unless the key recovery key has not been tampered with.

The two principal embodiments of this broad concept are an application to a shared secret key based system, and an application to a public key/private key cryptosystem. The first embodiment is illustrated in Figures 1, 2, 4, and 5, and the second embodiment is illustrated in Figures 3 and 6.

In the method and system of the first preferred embodiment of the invention, a shared secret key is used to encrypt a session specific value to form a session key, the session key is used to encrypt a file and in turn is encrypted by the public key of a key recovery agent to form a key recovery key, and the session specific value is combined with the key recovery key and also prepended to the file so as to permit recovery of the session specific value, and therefore regeneration of the session key, if and only if the key recovery key has not been tampered with. Fig. 1 illustrates the steps by which a file is encrypted and the key recovery key (KRK) is generated according to the first preferred embodiment of the invention. As illustrated in Fig. 1, a random number is generated by the encrypting party (step 100) and the shared secret key Ks is used to encrypt the randomly generated number R, producing the session key or data encrypting key DEK = EKs(R) (step 110). The session key DEK is then encrypted by a public key of the key recovery agent to form the key recovery key (step 120) and the data file F is encrypted using the session key DEK to form the encrypted data file EDEK(F) (step 130), to which the key recovery key KRK is prepended (step 140).

These steps are similar to those disclosed in the above-cited TIS patents, except that the session key is not negotiated between parties but rather is generated by the encrypting party based on a shared secret key and a session specific value in the form of a random number.

While generating a session key in this manner is known in contexts unconnected with the key recovery problem or the method and system described in the TIS patents, in those contexts the random number is simply prepended to the encrypted file so that it can be used by the decrypting party to regenerate the session key based on the shared secret key already in possession of the decrypting party, whereas the present invention combines the random number, which is initially known only to the encrypting software, with a key recovery key, thereby preventing decryption of the encrypted file whenever the key recovery key has been tampered with.

The shared secret key Ks can be any value or string usable in an encryption and decryption process, and may be stored in, generated by, or negotiated by the encryption and decryption hardware and/or software in such a manner that it is known only to the party or parties wishing to encrypt the file and subsequently decrypt it. In addition, generation of the session key by encrypting the random number or other session specific value using the shared secret key can be accomplished by any suitable algorithm, such as the DES encryption algorithm, the encryption algorithm used to form the session key forming no part of the present invention.

In the case of a program that encrypts files for storage on a hard disk to protect against unauthorized access to the computer or theft of the computer or hard disk, the shared secret key Ks can easily be protected by storage on a smart card or other removable media which is inserted into a smart card reader for use in both file encryption and decryption, whereas in the case of remote communications the shared secret key can be stored with the respective encryption and decryption software so long as the software itself is secure.

It will therefore be appreciated by those skilled in the art that the illustrated encryption scheme could utilize any key-generating algorithm, and that the encrypted file could either be used to protect communications between computers, or to protect data on an individual's hard disk, so that if the computer were stolen or data on a server were accessed, the data could not be read and thus become available to others.

The specific steps in the encryption process during which decryption of the encrypted file is prevented if the key recovery key has been tampered with are also illustrated in Fig. 1. In this example, a portion of the encrypted file, such as the first 16 bytes, is hashed, for example by computing the MD5 hash value (step 150), and the resulting hash value is then combined with the session specific value R and the key recovery key KRK to obtain a modified value R' = R XOR (MD5(F1..16) XOR KRK) (step 160), which is prepended to the data file (step 170) in place of the R value that would, in conventional systems, be prepended to the file to permit recovery of the session key.

The procedure for accessing the file using the key recovery key is not illustrated but simply involves using the private key of the key recovery agent to decrypt the key recovery key KRK and thereby recover the encrypted session key DEK, which can then be used to directly decrypt the encrypted file. Because the session key DEK rather than the shared secret key Ks is recovered, the integrity of the shared secret key is protected, and knowledge by the key recovery agent of the random number is not necessary. On the other hand, as illustrated in Fig. 2, the owner of the shared secret key Ks does not have direct access to the session key DEK, and therefore must recover the session specific value or random number R in order to re-generate the session key and decrypt the encrypted file. This is accomplished by requiring, as a pre-requisite to decryption of the encrypted data file EDEK(F) following retrieval of the encrypted data file, the key recovery key, and the value R' (step 190), that the hash of a portion of the encrypted data file be performed (step 200) and that the result be combined with the key recovery key and the value R' using the same operation (step 210) as was performed during encryption, namely an exclusive OR operation on the key recovery key, the MD5 hash of the first 16 bytes of the encrypted file, and R', resulting in recovery of the original session specific value R. Once R is extracted from R', decryption of the file content can proceed in the known fashion by encrypting the session specific value R using the shared secret key Ks to obtain the session key DEK (step 220), and then decrypting the encrypted file using the session key DEK to recover the original file F (step 230).

The method illustrated in Figs. 1-2 can be further understood in connection with Figs. 4 and 5. As shown in Fig. 4, the respective encryption operations of generating the session key, the key recovery key, the MD5 hash, and the prepended value R', and encrypting the original file, are indicated by elements 300-340 respectively, while input, retrieval, or generation of the original random number R, shared secret key Ks, data file F, and public key of the key recovery agent are indicated by blocks 350-380, and the resulting file to be stored or transmitted is indicated by block 390, with elements 320 and 330 in particular being unique to the present invention.

On the decryption side of the preferred system and method, as shown in Fig. 5, are elements which generate an MD5 hash of a portion of the encrypted file (block 400), and extract R by performing an exclusive OR operation on the MD5 hash, the key recovery key, and the prepended value R' (block 410). Also included are a session key generator (block 420) identical to block 300 on the encryption side, which uses shared secret key input 430 and extracted value R to generate key DEK, and the file decryption block 440 for recovering the original data file, indicated in this figure by reference numeral 450. It will be apparent from an examination of Figs. 4 and 5 that all of the illustrated operations can be performed either by software on a general purpose computer or with the assistance of dedicated circuitry. The file represented by block 390 can be stored on or transmitted by any desired medium and, as indicated above, the shared secret key Ks can be stored with the encryption software or separately stored, as necessary, or can be negotiated with or obtained from a remote party using a variety of known methods. The public key of the key recovery agent must of course be obtained from the key recovery agent, but could either be pre-packaged with the encryption software or obtained and stored by other well-known methods.

Because the tamper-prevention procedure does not affect generation of the key recovery key KRK or encryption of the file using the session key DEK, the key recovery agent can still decrypt the file by recovering the data encryption key using the private key corresponding to the public key by which the session key was encrypted in the first place to form the key recovery key, which should make the method and system of the invention suitable for export.

The second preferred embodiment of the invention, illustrated in Figures 3 and 6, is essentially the same as the first preferred embodiment, except that the unique value modification and recovery aspects of the method and system of this embodiment, which prevent decryption if the key recovery key has been tampered with, are adapted for use with a public key/private key cryptosystem. This type of system and method has the advantage that the key necessary to decrypt the file is held only by the recipient, and need not be made available at any time either to the key recovery agent or the sender of the file.

The method of this embodiment begins with generation of a unique value, which as in the first preferred embodiment can be any random or session specific value or string. However, instead of using this value to generate a session key (step 1000), the unique value R is used as the encryption key for file F (step 1010), and the key recovery key KRK is generated by encrypting the unique value with the public key of the key recovery agent (step 1020).

The key recovery key of this embodiment can be used in exactly the same way as in the first embodiment, i.e., by prepending it to the encrypted file so that the key recovery agent can recover the unique value R using its private key and thereby decrypt the file. The recipient, on the other hand, is not given direct access to R, but rather to a modified value R' generated by first performing a hash of the encrypted file (step 1030), and then combining the hash with the unique value R and the key recovery key KRK using a one-way or irreversible function such as the exclusive OR function (step 1040). The altered value R' is then encrypted using the recipient's public key so that it can only be decrypted by a private key of the recipient (step 1050), and the key recovery key KRK and recipient's recovery key RRK are prepended to the file for transmission or storage with the encrypted file (step 1060).

When the encrypted file is retrieved or received by a party other than the key recovery agent (step 1080), the altered value R' is recovered by decrypting the recipient's recovery key using the private key of the recipient (step 1090), and R is then recovered from R' in the same manner as in the first preferred embodiment of the invention, namely by generating a hash of the encrypted file (step 1100), and combining R', the hash, and the key recovery key KRK using a one way function such as an exclusive OR function (step 1110). Once R has been recovered, the file can be decrypted using R as the decryption key (step 1120).

The method of the second preferred embodiment of the invention can be further understood in connection with Fig. 6. As shown therein, the respective encryption operations of generating the key recovery key KRK, the MD5 hash, value R', recipient's recovery key RRK, and encrypting the original file, are indicated by elements 1200-1240, respectively, while input, retrieval, or generation of the original unique value R, the public key of the key recovery agent, the public key of the recipient, the data file F, and the encrypted data file with prepended key recovery key and recipient's recovery key are indicated by blocks 1250-1290, respectively. On the decryption side of the system of this preferred embodiment of the invention are elements which decrypt the recipient's recovery key (block 1300) using the private key of the recipient (block 1310) to recover the altered value R', generate a hash of the encrypted data file (block 1320), recover the original unique value by combining the altered value R', the hash, and the key recovery key KRK (block 1330), and finally decrypt the encrypted data file using the unique value (block 1340).
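Both constructions described above, the shared secret key embodiment of Figs. 1, 2, 4 and 5 and the public key embodiment of Figs. 3 and 6, are carried through end to end below as an added illustration; this is not code from the patent or from V-One. The primitives are stand-ins chosen so that it runs with the standard library alone: the "strong" cipher is a SHA-256 counter-mode keystream rather than DES, public key encryption is textbook RSA over two Mersenne primes, and, because the text does not say how operands of different lengths are exclusive-ORed, the key recovery key is folded to 16 bytes before it is combined with R and the MD5 digest. The step numbers in the comments are those of the description; the function names, the folding and the one-bit tampering are assumptions of this example.

```python
"""Shared-key and public-key key-recovery constructions, modelled end to end.

Added example, not the patent's or V-One's code. Toy stand-ins (assumptions):
sym_encrypt is a SHA-256 keystream, rsa_* is textbook RSA on Mersenne primes,
and fold16 reduces KRK to 16 bytes so R, MD5(...) and KRK can be XORed."""
import hashlib
import secrets

LEN = 16  # bytes in R, DEK and an MD5 digest
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1
E = 65537  # coprime with (p-1)(q-1) for every pair of the primes above


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with SHA-256(key || block offset). It is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def rsa_keygen(p: int, q: int):
    """Textbook RSA (n, e), (n, d); n > 2**128 so a LEN-byte value fits in one block."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def rsa_encrypt(pub, m: bytes) -> bytes:
    n, e = pub
    return pow(int.from_bytes(m, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(priv, c: bytes) -> bytes:
    n, d = priv
    return pow(int.from_bytes(c, "big"), d, n).to_bytes(LEN, "big")


def xor(*parts: bytes) -> bytes:
    """Byte-wise XOR of equal-length byte strings."""
    out = bytes(parts[0])
    for part in parts[1:]:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out


def fold16(data: bytes) -> bytes:
    """XOR the 16-byte chunks of KRK together, so every byte of KRK influences R'."""
    chunks = [data[i:i + LEN].ljust(LEN, b"\0") for i in range(0, len(data), LEN)]
    return xor(*chunks)


# First embodiment: shared secret key Ks (Figs. 1, 2, 4, 5)
def encrypt_shared(F: bytes, Ks: bytes, kra_pub):
    R = secrets.token_bytes(LEN)             # step 100: session-specific random value
    DEK = sym_encrypt(Ks, R)                 # step 110: DEK = E_Ks(R)
    KRK = rsa_encrypt(kra_pub, DEK)          # step 120: KRK = DEK under the agent's public key
    EF = sym_encrypt(DEK, F)                 # step 130: E_DEK(F)
    h = hashlib.md5(EF[:16]).digest()        # step 150: hash of the first 16 bytes
    R_prime = xor(R, h, fold16(KRK))         # step 160: R' replaces R in the header
    return KRK, R_prime, EF                  # steps 140/170: KRK and R' prepended to EF


def decrypt_shared(KRK: bytes, R_prime: bytes, EF: bytes, Ks: bytes) -> bytes:
    h = hashlib.md5(EF[:16]).digest()        # step 200
    R = xor(R_prime, h, fold16(KRK))         # step 210: yields R only if KRK is intact
    DEK = sym_encrypt(Ks, R)                 # step 220: regenerate DEK = E_Ks(R)
    return sym_encrypt(DEK, EF)              # step 230


# Second embodiment: recipient public key (Figs. 3, 6)
def encrypt_public(F: bytes, kra_pub, rcpt_pub):
    R = secrets.token_bytes(LEN)             # step 1000: unique value
    EF = sym_encrypt(R, F)                   # step 1010: R is the file key itself
    KRK = rsa_encrypt(kra_pub, R)            # step 1020: KRK = R under the agent's public key
    h = hashlib.md5(EF).digest()             # step 1030: hash of the encrypted file
    R_prime = xor(R, h, fold16(KRK))         # step 1040
    RRK = rsa_encrypt(rcpt_pub, R_prime)     # step 1050: recipient's recovery key
    return KRK, RRK, EF                      # step 1060


def decrypt_public(KRK: bytes, RRK: bytes, EF: bytes, rcpt_priv) -> bytes:
    R_prime = rsa_decrypt(rcpt_priv, RRK)    # step 1090
    h = hashlib.md5(EF).digest()             # step 1100
    R = xor(R_prime, h, fold16(KRK))         # step 1110
    return sym_encrypt(R, EF)                # step 1120


def agent_recover(KRK: bytes, EF: bytes, kra_priv) -> bytes:
    """Key recovery agent path, the same in both embodiments: KRK holds the file key."""
    return sym_encrypt(rsa_decrypt(kra_priv, KRK), EF)


def tamper(KRK: bytes) -> bytes:
    return bytes([KRK[0] ^ 0x01]) + KRK[1:]  # constructed tampering: one flipped bit


def demo() -> dict:
    Ks = hashlib.sha256(b"constructed shared secret").digest()[:LEN]
    kra_pub, kra_priv = rsa_keygen(M89, M127)
    rcpt_pub, rcpt_priv = rsa_keygen(M61, M107)
    F = b"constructed plaintext: quarterly ledger, not for general release"
    KRK1, R1, EF1 = encrypt_shared(F, Ks, kra_pub)
    KRK2, RRK, EF2 = encrypt_public(F, kra_pub, rcpt_pub)
    return {
        "shared_ok": decrypt_shared(KRK1, R1, EF1, Ks) == F,
        "shared_agent_ok": agent_recover(KRK1, EF1, kra_priv) == F,
        "shared_tampered_fails": decrypt_shared(tamper(KRK1), R1, EF1, Ks) != F,
        "public_ok": decrypt_public(KRK2, RRK, EF2, rcpt_priv) == F,
        "public_agent_ok": agent_recover(KRK2, EF2, kra_priv) == F,
        "public_tampered_fails": decrypt_public(tamper(KRK2), RRK, EF2, rcpt_priv) != F,
    }
```

Running demo() returns True for every entry: the recipient and the key recovery agent both recover F, while one flipped bit in KRK leaves the recipient with a different R, hence a different DEK or file key, regardless of what the decryption software does with any verification result. The point the description makes is visible in the code: there is no comparison to bypass, because KRK is an operand of the computation that yields R rather than an input to a check.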

As with the first preferred embodiment of the invention, in the second preferred embodiment of the invention the unique value necessary to decrypt the encrypted file can only be obtained if the key recovery key KRK has not been altered, because of the manner in which the unique value is combined with the key recovery key. Although the two embodiments differ in the manner in which the unique value is related to the encryption and decryption keys, it will be appreciated by those skilled in the art that both embodiments share the underlying concept of combining, with the key recovery key, some unique value necessary both to generation of the key recovery key and to decryption of the encrypted file, so that the unique value can only be recovered by a recipient of the file if the key recovery key has not been altered. Having thus described various preferred embodiments of the invention, those skilled in the art will appreciate that variations and modifications of the preferred embodiments may be made without departing from the scope of the invention.

For example, in order to prevent possible misuse of the key recovery agent's private key, it is possible to use a "split shares" capability for the key recovery agent's private key, so that more than one person would need to collaborate in order to generate the private key necessary to obtain the data encryption key. The number of persons would be n out of m, where a subset n of the total group of persons, m, would need to put their pieces of the key together to recover the key recovery agent's private key. Secret sharing of this kind is well understood. Also, by way of example, while the specific embodiment described herein and illustrated in the drawings uses a random number as the session specific or unique value that can be uncovered only with a correct key recovery key, those skilled in the art will appreciate that the session specific value can take any form and is not limited to "random" numbers. Furthermore, the prepended combination of the session specific value and key recovery key can be generated by one-way or irreversible functions other than the illustrative exclusive OR function, with or without the MD5 hash, and can optionally be further encrypted or modified.
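One way to realise the n-of-m "split shares" protection of the key recovery agent's private key mentioned above, as an added example that is not from the patent: Shamir secret sharing over the prime field modulo 2^521 - 1. The secret is any integer below that prime, for instance the agent's RSA private exponent; the sample secret in the code is a constructed placeholder, and the field prime, share encoding and threshold values are this example's own choices.

```python
"""Added worked example (not from the patent): n-of-m splitting of the key
recovery agent's private key with Shamir secret sharing."""
from itertools import combinations
import secrets

# Field prime: the Mersenne prime 2**521 - 1. Any secret below it can be
# shared; an RSA private exponent of a few hundred bits fits comfortably.
P = 2**521 - 1


def split_secret(secret, n, m):
    """Split an integer secret into m shares so that any n of them recover it.
    A random polynomial f of degree n-1 with f(0) = secret is evaluated at
    x = 1..m; each custodian receives one point (x, f(x))."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation modulo P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares. All of them
    are used, so pass exactly the threshold number, with distinct x."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def check_all_subsets(secret, n, m):
    """Return True if every n-subset of the m shares recovers the secret and
    no (n-1)-subset does (for n > 1)."""
    shares = split_secret(secret, n, m)
    enough = all(recover_secret(list(c)) == secret
                 for c in combinations(shares, n))
    too_few = n == 1 or all(recover_secret(list(c)) != secret
                            for c in combinations(shares, n - 1))
    return enough and too_few


if __name__ == "__main__":
    # Constructed placeholder for the agent's private exponent d.
    sample_private_exponent = int.from_bytes(b"constructed sample private key", "big")
    shares = split_secret(sample_private_exponent, 3, 5)   # any 3 of 5 custodians
    print(recover_secret(shares[:3]) == sample_private_exponent)   # True
    print(recover_secret(shares[:2]) == sample_private_exponent)   # False
    print(check_all_subsets(sample_private_exponent, 3, 5))        # True
```

Each custodian holds one (x, y) pair; fewer than n pairs reveal nothing about f(0), so the agent's private key is never assembled unless the threshold of custodians cooperate. In practice the reconstruction should happen inside a hardware security module or equivalent so the reassembled key is used for the one recovery operation and not retained.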

It is accordingly intended that the invention not be limited by the above description or accompanying drawings, but that it be defined solely in accordance with the appended claims.

Claims

I claim:
1. A file encryption and decryption method which permits access to an encrypted file by a key recovery agent, comprising the steps of: encrypting a file to obtain an encrypted file; generating a key recovery key which depends on a unique value and provides access to the file by a key recovery agent; prepending the key recovery key to the encrypted file; combining the key recovery key and the unique value in such a manner that the unique value can only be recovered if the key recovery key has not been altered; prepending the combined key recovery key and unique value to the encrypted file; storing or transmitting the encrypted file; after retrieving or receiving the stored or transmitted encrypted file, using the key recovery key to recover the unique value; using the unique value to decrypt the encrypted file.
2. A file encryption and decryption method which permits access to an encrypted file by a key recovery agent, comprising the steps of: encrypting the file by: generating a session key; encrypting a file using the session key as a data encryption key; encrypting the session key using a public key of the key recovery agent to form a key recovery key; and decrypting the file by: again generating the session key; decrypting the file using the session key as a data decryption key, and further comprising the step of preventing decryption of the encrypted file if the key recovery key has been tampered with by making generation of the session key dependent on a session specific value used during encryption and modified by one-way combination with the key recovery key before prepending to the encrypted file so that the session specific value can only be recovered during decryption if the key recovery key prepended to the encrypted file has not been tampered with.
3. An encryption method which permits access to an encrypted file by a key recovery agent, comprising the steps of:
(a) using a secret key Ks to generate a session key DEK by encrypting a unique value R using the secret key to obtain the session key;
(b) using the public key of a key recovery agent to generate a key recovery key KRK by encrypting the session key using the public key of the key recovery agent;
(c) encrypting a file using the session key and prepending the key recovery key to the encrypted data file;
(d) modifying the unique value by using a one way function to combine the unique value and at least the key recovery key to obtain a modified value R', and
(e) prepending the modified value to the encrypted data file.
4. A method as claimed in claim 3, wherein step (d) comprises the step of combining the unique value and the key recovery key using an exclusive OR function to obtain the modified value R' = R XOR KRK.
5. A method as claimed in claim 4, wherein step (d) further comprises the step of combining R' with a hash of a portion of the encrypted data file.
6. A method as claimed in claim 5, wherein the hash of the encrypted data file is the MD5 hash value of the portion of the encrypted data file.
7. A method as claimed in claim 5, wherein the step of combining the value R' comprises the step of performing an exclusive OR function on R' and the hash value of the portion of the encrypted data file.
8. A method as claimed in claim 3, wherein step (d) further comprises the step of combining the one way function of the unique value and the key recovery key with a hash of a portion of the encrypted data file.
9. A method as claimed in claim 8, wherein the hash of the encrypted data file is the MD5 hash value of the encrypted data file.
10. A method as claimed in claim 8, wherein the step of combining the one way function of the unique value and the key recovery key comprises the step of performing an exclusive OR function on a result of said one way function and the hash value of the portion of the encrypted data file.
11. A method as claimed in claim 3, wherein the unique value R is a random number.
12. An encryption system which permits access to an encrypted file by a key recovery agent, comprising: session key generating means for generating a session key DEK by encrypting a unique value R using a secret key to obtain the session key; key recovery key generating means for generating a key recovery key KRK by encrypting the session key using a public key of the key recovery agent; file encryption means for encrypting a file using the session key and prepending the key recovery key to the encrypted data file; unique value modifying means for modifying the unique value by using a one way function to combine the unique value and at least the key recovery key to obtain a modified value R'; and means for prepending the modified value to the encrypted data file.
13. A system as claimed in claim 12, wherein the unique value modifying means comprises means for combining the unique value and the key recovery key using an exclusive OR function to obtain the modified value R' = R XOR KRK.
14. A system as claimed in claim 13, wherein the unique value modifying means further comprises means for combining R' with a hash of a portion of the encrypted data file.
15. A system as claimed in claim 14, wherein the hash of the encrypted data file is the MD5 hash value of the portion of the encrypted data file.
16. A system as claimed in claim 14, wherein the means for combining the value R' comprises means for performing an exclusive OR function on R' and the hash value of the portion of the encrypted data file.
17. A system as claimed in claim 12, wherein the unique value modifying means further comprises means for combining the one way function of the unique value and the key recovery key with a hash of a portion of the encrypted data file.
18. A system as claimed in claim 17, wherein the hash of the encrypted data file is the MD5 hash value of the encrypted data file.
19. A system as claimed in claim 17, wherein the means for combining the one way function of the unique value and the key recovery key comprises means for performing an exclusive OR function on a result of said one way function and the hash value of the portion of the encrypted data file.
20. A system as claimed in claim 12, wherein the unique value R is a random number.
21. An encryption method which permits access to an encrypted file by a key recovery agent, comprising the steps of:
(a) using a unique value R as a key to encrypt a file;
(b) using the public key of a key recovery agent to generate a key recovery key KRK by encrypting the unique value R by using the public key of the key recovery agent;
(c) modifying the unique value by using a one way function to combine the unique value and at least the key recovery key to obtain a modified value R';
(d) encrypting the modified unique value using a recipient's public key to obtain a recipient's recovery key RRK, and
(e) prepending the recipient's recovery key to the encrypted data file.
22. A method as claimed in claim 21, wherein step (d) comprises the step of combining the unique value and the key recovery key using an exclusive OR function to obtain the modified value R' = R XOR KRK.
23. A method as claimed in claim 22, wherein step (d) further comprises the step of combining R' with a hash of a portion of the encrypted data file.
24. A method as claimed in claim 23, wherein the hash of the encrypted data file is the MD5 hash value of the portion of the encrypted data file.
25. A method as claimed in claim 23, wherein the step of combining the value R' comprises the step of performing an exclusive OR function on R' and the hash value of the portion of the encrypted data file.
26. A method as claimed in claim 22, wherein step (d) further comprises the step of combining the one way function of the unique value and the key recovery key with a hash of a portion of the encrypted data file.
27. A method as claimed in claim 26, wherein the hash of the encrypted data file is the MD5 hash value of the encrypted data file.
28. A method as claimed in claim 27, wherein the step of combining the one way function of the unique value and the key recovery key comprises the step of performing an exclusive OR function on a result of said one way function and the hash value of the portion of the encrypted data file.
29. A method as claimed in claim 22, wherein the unique value R is a random number.
30. An encryption system which permits access to an encrypted file by a key recovery agent, comprising: means for encrypting a file using a unique value R as an encryption key; means for generating a key recovery key using a public key of a key recovery agent to encrypt the unique value R; means for modifying the unique value by using a one way function to combine the unique value and at least the key recovery key to obtain a modified value R'; means for encrypting the modified unique value using a recipient's public key to obtain a recipient's recovery key RRK; and means for prepending the key recovery key and the recipient's recovery key to the encrypted data file.
31. A system as claimed in claim 29, wherein the unique value modifying means comprises means for combining the unique value and the key recovery key using an exclusive OR function to obtain the modified value R' = R XOR KRK.
32. A system as claimed in claim 31, wherein the unique value modifying means further comprises means for combining R' with a hash of a portion of the encrypted data file.
33. A system as claimed in claim 32, wherein the hash of the encrypted data file is the MD5 hash value of the portion of the encrypted data file.
34. A system as claimed in claim 32, wherein the means for combining the value R' comprises means for performing an exclusive OR function on R' and the hash value of the portion of the encrypted data file.
35. A system as claimed in claim 30, wherein the unique value modifying means further comprises means for combining the one way function of the unique value and the key recovery key with a hash of a portion of the encrypted data file.
36. A system as claimed in claim 35, wherein the hash of the encrypted data file is the MD5 hash value of the encrypted data file.
37. A system as claimed in claim 35, wherein the means for combining the one way function of the unique value and the key recovery key comprises means for performing an exclusive OR function on a result of said one way function and the hash value of the portion of the encrypted data file.
38. A system as claimed in claim 30, wherein the unique value R is a random number.
PCT/US1998/014201 1997-07-15 1998-07-15 File encryption with key recovery WO1999004530A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US89294797 1997-07-15 1997-07-15
US08/892,947 1997-07-15

Publications (1)

Publication Number Publication Date
WO1999004530A1 (en) 1999-01-28

Family

ID=25400757

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/014201 WO1999004530A1 (en) 1997-07-15 1998-07-15 File encryption with key recovery

Country Status (1)

Country Link
WO (1) WO1999004530A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4484027A (en) * 1981-11-19 1984-11-20 Communications Satellite Corporation Security system for SSTV encryption
US5227613A (en) * 1989-01-24 1993-07-13 Matsushita Electric Industrial Co., Ltd. Secure encrypted data communication system having physically secure ic cards and session key generation based on card identifying information
US5481613A (en) * 1994-04-15 1996-01-02 Northern Telecom Limited Computer network cryptographic key distribution system
US5640454A (en) * 1994-08-11 1997-06-17 Trusted Information Systems, Inc. System and method for access field verification
US5796830A (en) * 1996-07-29 1998-08-18 International Business Machines Corporation Interoperable cryptographic key recovery system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001018807A2 (en) * 1999-09-03 2001-03-15 Koninklijke Philips Electronics N.V. Recovery of a master key from recorded published material
WO2001018807A3 (en) * 1999-09-03 2001-10-04 Koninkl Philips Electronics Nv Recovery of a master key from recorded published material
KR100748867B1 (en) 1999-09-03 2007-08-13 코닌클리케 필립스 일렉트로닉스 엔.브이. Recovery of a master key from recorded published material
US7305564B2 (en) 2002-12-19 2007-12-04 International Business Machines Corporation System and method to proactively detect software tampering
US7707429B2 (en) 2002-12-19 2010-04-27 International Business Machines Corporation System and method to proactively detect software tampering
EP1641176A1 (en) * 2004-09-27 2006-03-29 Axalto SA Escrowing services oriented encryption and decryption methods

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
NENP Non-entry into the national phase in:

Ref country code: KR

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: CA