WO2001022654A1 - Method of decrypting documents encrypted by a hybrid encryption method in the event of loss of the private cryptographic key (original title: Procede de decryptage de documents cryptes selon un procede de cryptage hybride en cas de perte de la cle cryptographique privee) - Google Patents
- Publication number
- WO2001022654A1 (PCT application PCT/EP2000/008746)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- session key
- user
- message recovery
- document
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
Definitions
- The cryptographic technique of encryption is increasingly used to secure both communication data and stored data. The data are encrypted under the control of a (symmetric) cryptographic key and can only be decrypted with that same key. Marketable products and software libraries are available for this.
- Hybrid encryption methods predominate today. The data are first encrypted with a fast symmetric algorithm under a randomly chosen session key k. The session key k itself is then encrypted with a public key method and the public key of the recipient (for communication) or of the PC user (for stored data). A header containing the encrypted session key and the other information needed for decryption (exact specification of the algorithms used, encoding, ...) is prepended to the data.
- To decrypt, the session key k is first recovered with the public key method and the private key of the recipient or user; the data themselves can then be decrypted with the symmetric method and the session key k.
- Key recovery means recovering the private key of the public key system that belongs to the public key used. Anyone who can carry out a key recovery procedure can decrypt all data whose session keys were encrypted with the public key in question. Key recovery methods are not the subject of this invention.
- Message recovery means restoring the cryptographic session key k that was used to encrypt one specific data record. A message recovery procedure therefore only yields access to that one data record, or to one document N structured as a data record.
- The method according to the invention is based on a method for message recovery. Message recovery methods are generally implemented either by additionally encrypting the session key with the (public, or secret symmetric) key of a recovery point and attaching it to the message (Dorothy E. Denning, "Resolving the Encryption Dilemma: The Case for Clipper", http://www.techreview.com/articles/july95/Denning.html), or by having a trusted server assign the session key to the two communication participants (see D. Fox, "The Royal Holloway System. A Key Recovery Protocol for Europe?", Datenschutz und Datensicherheit, issue 1/98). Both solutions were designed at the request of government agencies to permit government access to encrypted communications; the interests of users and practicality played no role.
- The object of the invention is a method for reconstructing the cryptographic session key k for sent or stored documents N.
- The mechanisms of this method are to remain under the control of the user who has lost his private key and can therefore no longer decrypt the document N.
- The method must be secure against misuse by third parties and must not offer "unauthorized third parties" any back door for reconstructing the session key k in order to access the encrypted document N.
- The solution should meet the following conditions: the method according to the invention for reconstructing the lost session key of sent or stored documents N is intended to let the user determine for himself how and under what circumstances the session key k is reconstructed.
- The principle of Diffie-Hellman key exchange is used.
- At least one center Z is included in the method; it acts as message recovery center Z in the reconstruction of the lost cryptographic key k. If more than one message recovery center is to be included, it makes sense to select independent centers. Independent centers are message recovery centers operated by different institutions, such as the Federal Office for Information Security (BSI) and the Chaos Computer Club.
- The principle of operation of the method according to the invention is described in more detail below for the case of one message recovery center Z.
- Publicly known general parameters are a publicly known mathematical group G and an element g of G of large multiplicative order. The discrete logarithm problem must be practically unsolvable in the group G.
- The method is based on the user prefixing each data record that he sends as document N, or that he stores, with a data record (header) containing information that enables reconstruction (recovery) of the lost session key k. At least one message recovery center Z, selected by the user as "trustworthy", is involved in the method.
- To generate the data record that precedes the actual encrypted document N as a header, the user proceeds as follows:
- The user generates the cryptographic session key k on the basis of the known Diffie-Hellman method. The publicly known components of the encryption method are the mathematical group G, which is also known to the message recovery center Z (for example the multiplicative group of the integers modulo a large prime number p), and a publicly known element g of the group G (for example a number 0 < g < p) of large multiplicative order. Other suitable mathematical structures can also be used for G, such as the multiplicative group of a finite field or the group of points of an elliptic curve. The element g and the group G must satisfy the additional condition that the discrete logarithm problem cannot be solved for their parameters.
- The message recovery center Z holds a secret number z; the corresponding value g^z is its public Diffie-Hellman value.
- The user first generates a random number r and, from the publicly known element g of the group G and his random number r, computes the number g^r. The session key k is derived from (g^z)^r, which the user can compute from the center's public value g^z and his random number r.
- The cryptographic session key k encrypted with the public key of the user/recipient, and the number g^r, are attached to every document N as a header.
- If the user or recipient has lost his private key or can no longer access it, he can no longer decrypt the document N. In this case he contacts the message recovery center Z and presents the encrypted document N, or only the number g^r (an element of the group G) from the header of the encrypted document N. The center computes (g^r)^z = (g^z)^r with its secret number z and returns it, so that the user can derive the session key k again and decrypt N.
- The security of the method according to the invention is increased for the user by including several message recovery centers Z1 to Zn.
- Each message recovery center Zi must use its secret number zi to reconstruct the session key k. In this variant, none of the centers Z1 to Zn is therefore able to reconstruct the session key k alone.
- Each center Z1 to Zn can only reconstruct a partial secret of the session key k. Only when all centers Z1 to Zn have transmitted their partial secrets to the user can he reconstruct k by combining all of them.
- With two centers Z1 and Z2 the user again generates a random number r and forms the session key as k = (g^z1)^r XOR (g^z2)^r, where XOR denotes bitwise addition modulo 2. Any other combination of the two values can be used instead of XOR. The user's document N is encrypted with this session key k.
- From the publicly known element g of the mathematical group G and his random number r the user computes the additional number g^r; it is attached to the document N as a header together with the session key k encrypted with the user's public key.
- If the user has lost his private key, he presents to the centers Z1 and Z2 the document N, or only the number g^r from the header of the document N.
- The message recovery centers Z1 and Z2 each compute a part of the lost key k from the number g^r and their own secret number z1 or z2: center Z1 computes the partial key (g^r)^z1 and center Z2 computes the partial key (g^r)^z2. From these two values the user recomputes the session key k.
- For each message recovery center Z1 to Zn, the contribution to the cryptographic session key k can be restricted to a suitable part (for example the last 128 bits) of the value (g^z)^r.
- Another advantage of the solution is that any number of message recovery centers can be included in the method according to the invention without this being apparent from the message format. In the extreme case, an attacker who has obtained a document N and has complete control over all n message recovery centers would have to try 2^n possibilities before finding the subset of centers that can reconstruct the session key k.
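The single-center procedure and its n-center XOR generalization above, worked through as an added example (this is not code from the patent). A RecoveryCenter holds z_i and publishes g^z_i; the user derives k from the published values and a fresh r, stores only g^r in the header, and after losing the private key asks every center for (g^r)^z_i and recombines. With n = 1 the same code is the single-center scheme. Assumptions not fixed by the text: SHA-256 of the group element as the "suitable part" of (g^z)^r, a SHA-256 counter keystream as the fast symmetric cipher, and the 1024-bit MODP group of RFC 2409 as G (too small for real use and chosen only to keep the constant short; a 2048-bit or larger group, or an elliptic curve, belongs in practice). The user's own public-key wrapping of k is omitted, since the scenario is that the private key is lost anyway.

```python
import hashlib
import secrets
from functools import reduce

# Group G: RFC 2409 "Second Oakley Group" (1024-bit MODP prime), generator 2.
# Shown for brevity; deprecated size for real deployments (assumption, see lead-in).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
ELEMENT_BYTES = (P.bit_length() + 7) // 8  # 128


def part_of(element: int) -> bytes:
    """The 'suitable part' of a group element (g^z)^r: here a 256-bit hash of it (assumption)."""
    return hashlib.sha256(element.to_bytes(ELEMENT_BYTES, "big")).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the fast symmetric algorithm: XOR with a SHA-256 counter keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out += xor_bytes(chunk, ks[: len(chunk)])
    return bytes(out)


class RecoveryCenter:
    """Message recovery center Z_i: secret z_i, public g^z_i, answers g^r with (g^r)^z_i."""

    def __init__(self) -> None:
        self.z = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.z, P)

    def recover_part(self, g_r: int) -> int:
        return pow(g_r, self.z, P)


def make_session_key(center_publics, r: int) -> bytes:
    """k = part((g^z1)^r) XOR ... XOR part((g^zn)^r), computed by the user from public values only."""
    return reduce(xor_bytes, (part_of(pow(gz, r, P)) for gz in center_publics))


def encrypt_document(plaintext: bytes, center_publics):
    """User side: fresh r, session key from the chosen centers, header carrying only g^r.
    The header looks the same for any number of centers (the patent's 2^n argument)."""
    r = secrets.randbelow(P - 2) + 1
    k = make_session_key(center_publics, r)
    header = {"g_r": pow(G, r, P)}  # real header also holds k wrapped under the user's public key
    return header, keystream_encrypt(k, plaintext)


def recover_session_key(header, centers) -> bytes:
    """Private key lost: present g^r to every chosen center, recombine the partial keys."""
    parts = [part_of(c.recover_part(header["g_r"])) for c in centers]
    return reduce(xor_bytes, parts)


def demo(n: int = 3):
    """Returns (recovery_ok, colluders_fail): n centers recover N; n-1 colluding centers do not get k."""
    centers = [RecoveryCenter() for _ in range(n)]
    document = b"constructed sample document N"  # constructed sample input
    header, ciphertext = encrypt_document(document, [c.public for c in centers])
    k = recover_session_key(header, centers)
    recovery_ok = keystream_encrypt(k, ciphertext) == document
    colluders_fail = n < 2 or recover_session_key(header, centers[:-1]) != k
    return recovery_ok, colluders_fail


if __name__ == "__main__":
    print(demo(3))  # (True, True)
```

The check in `demo` is the property the text relies on: the XOR of the partial keys of any proper subset of the centers is not k, so a center that is coerced alone learns nothing about the document, while the header never reveals how many centers the user chose.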
- In the threshold variant, the decisive step is again the generation of the session key. Alice proceeds as follows: Alice selects the parameters n and t, and n different centers Z1, ..., Zn. The n shares (i, s_i) uniquely define a polynomial f(x) of degree n-1 over a finite field of sufficient size (e.g. GF(2^64) or GF(2^128)). n-t+1 values must be stored in the message recovery field (MRF) of the header. It follows from this construction that an (n, n+(n-t)) threshold scheme is used.
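The threshold variant as an added example (not the patent's own code): s_i = H((g^z_i)^r) is the share of center Z_i, the n points (i, s_i) fix a polynomial f of degree n-1, and Alice stores extra points of f in the MRF next to g^r. Later, any t centers return (g^r)^z_i; together with the MRF points this gives n points, hence f, hence the session key. The block stores n-t extra points, the count at which t centers plus the MRF make up exactly n shares and the scheme is the (n, n+(n-t)) threshold scheme named above. Assumptions not fixed by the text: the shares live in the prime field GF(2^127 - 1) rather than GF(2^64) or GF(2^128), the key is k = H(f(0)), SHA-256 maps group elements into the field, and G is the 1024-bit MODP group of RFC 2409 (for brevity only).

```python
import hashlib
import secrets

# Group G for the Diffie-Hellman part: RFC 2409 1024-bit MODP prime, generator 2 (brevity only).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
# Finite field for the shares: GF(Q) with the Mersenne prime Q = 2^127 - 1 (assumption, see lead-in).
Q = (1 << 127) - 1


class RecoveryCenter:
    """Center Z_i with secret z_i and public g^z_i; answers g^r with (g^r)^z_i."""

    def __init__(self) -> None:
        self.z = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.z, P)

    def recover_part(self, g_r: int) -> int:
        return pow(g_r, self.z, P)


def share_from(element: int) -> int:
    """Map the group element (g^z_i)^r into GF(Q); the hash is the 'suitable part' (assumption)."""
    digest = hashlib.sha256(element.to_bytes(128, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def lagrange_eval(points, x: int) -> int:
    """Value at x of the unique polynomial over GF(Q) of degree len(points)-1 through the points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total


def session_key(f0: int) -> bytes:
    """k = H(f(0)); the text does not fix which value of f is the key (assumption)."""
    return hashlib.sha256(f0.to_bytes(16, "big")).digest()


def build_header(center_publics, t: int):
    """Alice: n shares (i, s_i), one per center, define f; n-t further points of f go into the MRF.
    Returns the header (g^r, MRF, t) and the session key used to encrypt the document."""
    n = len(center_publics)
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    r = secrets.randbelow(P - 2) + 1
    center_points = [(i, share_from(pow(gz, r, P))) for i, gz in enumerate(center_publics, start=1)]
    mrf = [(x, lagrange_eval(center_points, x)) for x in range(n + 1, 2 * n - t + 1)]
    header = {"g_r": pow(G, r, P), "mrf": mrf, "t": t}
    return header, session_key(lagrange_eval(center_points, 0))


def recover(header, responders) -> bytes:
    """Alice after losing her private key: responders is a list of (i, center) that answered.
    With t responders the MRF completes n points and f(0) is exact; with fewer it is a different polynomial."""
    points = [(i, share_from(c.recover_part(header["g_r"]))) for i, c in responders]
    points += header["mrf"]
    return session_key(lagrange_eval(points, 0))


def demo(n: int = 5, t: int = 3):
    centers = [RecoveryCenter() for _ in range(n)]
    header, k = build_header([c.public for c in centers], t)
    indexed = list(enumerate(centers, start=1))
    return {
        "k": k,
        "mrf_points": len(header["mrf"]),
        "subset_a": recover(header, indexed[:t]),                            # Z1, Z2, Z3
        "subset_b": recover(header, [indexed[1], indexed[3], indexed[4]]),  # Z2, Z4, Z5
        "too_few": recover(header, indexed[: t - 1]),                       # only t-1 centers answer
    }


if __name__ == "__main__":
    result = demo()
    print(result["subset_a"] == result["k"], result["subset_b"] == result["k"], result["too_few"] != result["k"])
```

Two different subsets of t centers give the same k, and t-1 centers plus the MRF interpolate a different polynomial, so the stored points by themselves lower the threshold only to t, not further. Since the MRF points are public, t must be chosen with the expectation that an attacker who controls t centers can reconstruct k.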
- E-mail messages can be encrypted with the methods outlined above, with the difference that the recipient's public key (the recipient is called Bob here) is used to encrypt the session key. Another important difference is that the message recovery centers chosen by Bob must be publicly known so that Alice can compute the session key correctly. The additional protection from an attacker not knowing which message recovery centers are used therefore does not apply here.
- The method could also be used for the encryption of IP packets. This would, however, only be necessary to implement a legally mandated interception capability, since encrypted IP packets are not stored anywhere for long.
- For IPsec, the IPsec standard [IPSec] would have to be extended by a new key agreement protocol in addition to OAKLEY. Should such an Internet interception regulation ever be enacted, the advantages of the proposed method would come into play: users could share access to the data they encrypt with a wide variety of organizations without sacrificing the performance that matters at the IP level.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Compression, Expansion, Code Conversion, And Decoders (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU76512/00A AU7651200A (en) | 1999-09-20 | 2000-09-07 | Method of decoding documents encoded by means of a hybrid encoding method in the event of the loss of the private cryptographic key |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE1999146127 DE19946127A1 (de) | 1999-09-20 | 1999-09-20 | Verfahren zur Entschlüsselung von mit einem hybriden Verschlüsselungsverfahren verschlüsselten Dokumenten nach Verlust des privaten kryptografischen Schlüssels |
DE19946127.9 | 1999-09-20 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001022654A1 (fr) | 2001-03-29 |
WO2001022654A8 WO2001022654A8 (fr) | 2001-07-05 |
Family
ID=7923367
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2000/008746 WO2001022654A1 (fr) | 1999-09-20 | 2000-09-07 | Procede de decryptage de documents cryptes selon un procede de cryptage hybride en cas de perte de la cle cryptographique privee |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU7651200A (fr) |
DE (1) | DE19946127A1 (fr) |
WO (1) | WO2001022654A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10134489B4 (de) * | 2001-06-27 | 2004-03-04 | Mediasec Technologies Gmbh | Asymmetrisches Kryptographieverfahren |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5920630A (en) * | 1997-02-25 | 1999-07-06 | United States Of America | Method of public key cryptography that includes key escrow |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5815573A (en) * | 1996-04-10 | 1998-09-29 | International Business Machines Corporation | Cryptographic key recovery system |
US5796830A (en) * | 1996-07-29 | 1998-08-18 | International Business Machines Corporation | Interoperable cryptographic key recovery system |
US5907618A (en) * | 1997-01-03 | 1999-05-25 | International Business Machines Corporation | Method and apparatus for verifiably providing key recovery information in a cryptographic system |
WO1998047260A2 (fr) * | 1997-04-11 | 1998-10-22 | Network Associates, Inc. | Recuperation de cle verifiable publiquement |
US6775382B1 (en) * | 1997-06-30 | 2004-08-10 | Sun Microsystems, Inc. | Method and apparatus for recovering encryption session keys |
1999
- 1999-09-20 DE DE1999146127 patent/DE19946127A1/de not_active Withdrawn
2000
- 2000-09-07 AU AU76512/00A patent/AU7651200A/en not_active Withdrawn
- 2000-09-07 WO PCT/EP2000/008746 patent/WO2001022654A1/fr not_active Application Discontinuation
Non-Patent Citations (3)
Title |
---|
BETH T ET AL: "TOWARDS ACCEPTABLE KEY ESCROW SYSTEMS", 2ND ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY,XX,XX, 2 November 1994 (1994-11-02), pages 51 - 58, XP000560695 * |
KOBLITZ N, MENEZES A J, YI-HONG WU, R J ZUCCHERATO: "Algebraic Aspects of Cryptography", 1999, SPRINGER VERLAG, BERLIN, GERMANY, ISBN: 3-540-63446-0, ISSN: 1431-1550, XP002160873 * |
MAHER D P: "CRYPTOBACKUP AND KEY ESCROW", COMMUNICATIONS OF THE ASSOCIATION FOR COMPUTING MACHINERY,US,ASSOCIATION FOR COMPUTING MACHINERY. NEW YORK, vol. 39, no. 3, 1 March 1996 (1996-03-01), pages 48 - 53, XP000584954, ISSN: 0001-0782 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2442253A1 (fr) * | 2010-10-12 | 2012-04-18 | Research In Motion Limited | Procédé pour la sécurisation d'informations dans un référentiel distant |
WO2012051076A3 (fr) * | 2010-10-12 | 2012-06-21 | Research In Motion Limited | Procédé permettant de mettre en sûreté des justificatifs d'identité dans un organe d'archivage éloigné |
US8756706B2 (en) | 2010-10-12 | 2014-06-17 | Blackberry Limited | Method for securing credentials in a remote repository |
US9455830B2 (en) | 2010-10-12 | 2016-09-27 | Blackberry Limited | Method for securing credentials in a remote repository |
WO2021165625A1 (fr) * | 2020-02-19 | 2021-08-26 | Orange | Procede de calcul d'une cle de session, procede de recuperation d'une telle cle de session |
Also Published As
Publication number | Publication date |
---|---|
DE19946127A1 (de) | 2001-04-12 |
AU7651200A (en) | 2001-04-24 |
WO2001022654A8 (fr) | 2001-07-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE69534192T2 (de) | Verfahren zur gemeinsamen Nutzung einer geheimen Information, zur Erzeugung einer digitalen Unterschrift und zur Ausführung einer Beglaubigung in einem Kommunikationssystem mit mehreren Informationsverarbeitungseinrichtungen und Kommunikationssystem zur Anwendung dieses Verfahrens | |
DE60215332T2 (de) | System und Verfahren zum Verabreiten eines gemeinsamen Geheimnisses | |
DE60036112T2 (de) | Serverunterstützte wiedergewinnung eines starken geheimnisses aus einem schwachen geheimnis | |
EP1793525B1 (fr) | Procédé pour changer la clé de groupe dans un groupe d'éléments de réseau dans un réseau | |
DE69929251T2 (de) | Verschlüsselungssystem mit einem schlüssel veränderlicher länge | |
DE69725659T2 (de) | Verfahren und Einrichtung zur Ablage eines in einem RSA-Kryptosystem benutzten Geheimschlüssels | |
DE69633590T2 (de) | Verfahren zur Unterschrift und zur Sitzungsschlüsselerzeugung | |
DE69233613T2 (de) | Kryptographisches Protokoll zur gesicherten Kommunikation | |
DE102009001718B4 (de) | Verfahren zur Bereitstellung von kryptografischen Schlüsselpaaren | |
DE602004004029T2 (de) | Verfahren zur Verteilung von Konferenzschlüsseln, gemäss einem identitätsbasierten Verschlüsselungssystem | |
WO1991014980A1 (fr) | Procede d'authentification d'un utilisateur utilisant une station de donnees | |
LU93024B1 (de) | Verfahren und Anordnung zum Aufbauen einer sicheren Kommunikation zwischen einer ersten Netzwerkeinrichtung (Initiator) und einer zweiten Netzwerkeinrichtung (Responder) | |
DE10129285A1 (de) | Verschlüsselungsverfahren mit beliebig wählbaren Enmalschlüsseln | |
DE60109805T2 (de) | Verfahren und system zur benützung eines ungesicherten krypto-beschleunigers | |
EP1298834A1 (fr) | Procédé et dispositif de chiffrement et de déchiffrement des données | |
DE102015103251B4 (de) | Verfahren und System zum Verwalten von Nutzerdaten eines Nutzerendgeräts | |
EP1116357B1 (fr) | Procede de generation sure repartie d'une cle de codage | |
WO2001022654A1 (fr) | Procede de decryptage de documents cryptes selon un procede de cryptage hybride en cas de perte de la cle cryptographique privee | |
EP1221223A1 (fr) | Procede destine a generer/regenerer une cle de codage pour un procede de cryptographie | |
EP3050244B1 (fr) | Production et utilisation de clés pseudonymes dans le cryptage hybride | |
EP1208669B1 (fr) | Procede permettant d'etablir une cle commune d'un groupe d'au moins trois abonnes | |
DE10046642A1 (de) | System und Verfahren zur Geheimcode-Emulation zwischen zwei Hardwaremodulen | |
WO2000022776A1 (fr) | Technique permettant d'etablir une cle commune entre un central telephonique et un groupe de participants | |
DE10114157A1 (de) | Verfahren zur rechnergestützten Erzeugung von öffentlichen Schlüsseln zur Verschlüsselung von Nachrichten und Vorrichtung zur Durchführung des Verfahrens | |
WO1995034968A1 (fr) | Dispositif de dechiffrement d'algorithmes de dechiffrement et procede pour le chiffrement et le dechiffrement au moyen d'un tel dispositif |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AU CA US |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
| WWE | Wipo information: entry into national phase | Ref document number: 2000965938; Country of ref document: EP |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| AK | Designated states | Kind code of ref document: C1; Designated state(s): AU CA US |
| AL | Designated countries for regional patents | Kind code of ref document: C1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
| CFP | Corrected version of a pamphlet front page | Free format text: REVISED TITLE RECEIVED BY THE INTERNATIONAL BUREAU AFTER COMPLETION OF THE TECHNICAL PREPARATIONS FOR INTERNATIONAL PUBLICATION |
| WWW | Wipo information: withdrawn in national office | Ref document number: 2000965938; Country of ref document: EP |
| WA | Withdrawal of international application | |