WO1998033295A1 - Method and system for hierarchical key access and recovery - Google Patents

Method and system for hierarchical key access and recovery Download PDF

Info

Publication number
WO1998033295A1
WO1998033295A1 PCT/US1997/019286 US9719286W WO9833295A1 WO 1998033295 A1 WO1998033295 A1 WO 1998033295A1 US 9719286 W US9719286 W US 9719286W WO 9833295 A1 WO9833295 A1 WO 9833295A1
Authority
WO
WIPO (PCT)
Prior art keywords
kac
key
message
signature
kmc
Prior art date
Application number
PCT/US1997/019286
Other languages
French (fr)
Inventor
Ezzat A. Dabbish
Robert Lawrence Geiger
Larry Charles Puhl
Original Assignee
Motorola Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Motorola Inc. filed Critical Motorola Inc.
Priority to AU54256/98A priority Critical patent/AU5425698A/en
Priority to EP97948124A priority patent/EP0894379A1/en
Publication of WO1998033295A1 publication Critical patent/WO1998033295A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Definitions

  • This invention relates in general to the field of cryptography, in particular to key management and authentication, and more particularly to accessing and recovering encryption keys.
  • Government agencies may need access to encryption keys of users or organizations for court-authorized law enforcement purposes.
  • private businesses or individuals it is desirable for private businesses or individuals to maintain their encryption keys for their employees and customers and to allow for emergency key recovery and also to allow access by the government agencies only when such access is authorized by the courts.
  • access should be authorized only for as long as such a court order is valid, and only the government agency should have access to the actual key value. It is also desirable that when an encryption key is requested, that the user or device does not know it is being monitored by the government agency.
  • what is needed is a method that provides access by the government to an encryption key pursuant only to a valid court order. What is also needed is a method of providing access to an encryption key such that when encryption keys are provided to a government agency pursuant to a court order, only the agency has access to the actual key value. Furthermore, what is also needed is a method of providing access to an encryption key such that only authorized parties know the identity of the device or user being monitored. What is also needed is a method of providing access to an encryption key only for as long as a court order for such a key is valid. What is also needed is a method of providing access to an encryption key that provides an audit trail so that it can be verified that proper procedures have been followed during all steps of the key access process.
  • FIG. 1 illustrates a hierarchical key management system in accordance with a preferred embodiment of the present invention
  • FIG. 2 illustrates a transfer path for a key request in accordance with a preferred embodiment of the present invention
  • FIG. 3 illustrates a key transfer bounce diagram in accordance with a preferred embodiment of the present invention
  • FIGs. 4 and 5 illustrate a flow chart of a key access procedure in accordance with a preferred embodiment of the present invention.
  • the present invention provides, among other things, a method for approved encryption key access by appropriate legal entities.
  • the inventors take the position that citizens should be able to use the cryptography of their choice when and how they desire.
  • the inventors also recognize that law enforcement may require, with the proper and legally obtained court order, the ability to decrypt the citizens traffic and communications for the purpose of a valid investigation.
  • the invention described herein provides an approach for key access and recovery.
  • the issue of key recovery and access is a controversial one involving the concerns of citizens, companies, governments and law enforcement agencies around the world. In order for any approach for key access to be acceptable to these diverse interests, it should address some of the basic concerns discussed below.
  • the present invention provides for access to an encryption key when, for example, a court order, approved by a court has been obtained.
  • the present invention also provides, among other things, a method of providing access to an encryption key wherein manufacturers, operators or attackers are not able to decrypt a user's messages in any amount of time commensurate with the security level in use by the user.
  • the present invention also provides, in another preferred embodiment, a method of key access wherein user's messages are not able to be decrypted after a court order expires.
  • the present invention also provides, among other things, a method of providing key access where only authorized parties, such as the government and court, know the identity of the individual or device which key is being accessed (e.g., the person or device which will be wiretapped or monitored). Furthermore, the present invention provides, in a preferred embodiment, a method of providing access to an encryption key wherein manufacturers, operators, and attackers, in general, will not be able to determine who is being monitored. In accordance with these preferred embodiments of the present invention, the key management system helps maintain the rights and independence of state, local and foreign governments in regard to key access and key recovery.
  • a manufacturer does not have to maintain a large key database for products sold and furthermore does not have the added cost due to the maintenance of a substantial key recovery system.
  • operators do not have to maintain large databases in order to implement the protocols and procedures for key access and recovery described herein.
  • session key means a key used for the encryption of data or other information.
  • a session key is generally not permanent and may be changed with some reasonable regularity. Access to a session key allows a third party such as law enforcement to decrypt communications for a given finite period of time (i.e., as long as the session key is valid).
  • any key used to decrypt groups of files, data or information is considered a session key even though it is very long lived and may have no expiration period.
  • KMC key management centers
  • KAC Key arbitration centers
  • FIG. 1 illustrates a hierarchical key management system in accordance with the preferred embodiment of the present invention.
  • the hierarchy 10 of KACs includes international KAC 12 coupled with a KAC from participating countries.
  • KAC 14 is for the United States and KAC 22 is for France.
  • Each national KAC such as KAC 14 is coupled to a plurality of local or regional KACs such as KAC 16.
  • Local or regional KACs 16 may or may not be associated with any particular geographic region and may be associated with certain groups of companies or certain organizations. In the preferred embodiment, there may be one KAC associated with each state in the United States, but this is not a requirement.
  • Each KAC, local or regional 16 has several other lower level KACs below it arranged in a hierarchy.
  • KMC key management centers
  • Each KMC is coupled with one KAC. Accordingly, for each KMC there is only one path up through the hierarchy to the highest level KAC.
  • Any KAC coupled with a KMC is herein referred to as a terminal KAC for that particular KMC.
  • KAC 16 is the terminal KAC for KMC 18 and KMC 20.
  • KAC 16 may be a higher level KAC for lower KACs which are terminal KACs for other KMCs.
  • France KAC 22 may have its own hierarchy arranged below it with several intermediate KACs.
  • KAC 22 maybe coupled directly to a KMC.
  • Each country preferably has its own hierarchy arranged similarly to that shown in FIG. 1.
  • international KAC 12 holds no key and has no global authority other than to complete the tree hierarchy and to facilitate communication among the various country KACs.
  • KAC 12 may be an international arbitrator set up by treaty. In another embodiment, not shown in FIG. 1 , international KAC 12 may be part of a hierarchy of international KACs that operate similarly to the hierarchy of KACs in the United States example.
  • the hierarchical structure shown in FIG. 1 is designed with a free market approach in mind. Individuals, companies and system operators, which may be KMCs, can chose which key arbitration center with which to connect.
  • the KMCs are intended to be as simple as possible.
  • Each key management center for example, may provide and store current session keys for the users system or device. The system operator may contract with the third party for this KMC service if so desired.
  • the key management center may use any means to deliver these keys to the user or to the device.
  • all session keys are properly obtained from one of the KMCs at the bottom nodes in the hierarchy of FIG. 1.
  • each KMC engages in a blind access protocol with at least one KAC as described below.
  • a KMC may be located inside an individual communication device.
  • the nodes of the hierarchy, the KACs of FIG. 1 are preferably assigned a security level by the relevant authorities and each level is allowed connectivity to the system at that level. Any properly registered KAC that operates at the improper level will be invalidated.
  • public/private key technology is used for securing communications. Those with skill in the art will understand other methods of securing communications may also be used.
  • KACs ID and KACs signature is added to a message requesting an encryption key.
  • Each node at a given level of the tree preferably only accepts messages from one node above it and a configured subset of authorized nodes below it. Allowable message types are defined based on whether or not the message was received from a lower level or higher level KAC in the hierarchy. In this embodiment, messages from nodes at the same level are always rejected. Accordingly, each node desirably knows at least part of the tree structure.
  • FIG. 2 illustrates a transfer path for a key request in accordance with the preferred embodiment with the present invention.
  • an example government agency 32 i.e., the FBI
  • the FBI wishes to obtain a court order for session keys of an individual or device.
  • the FBI sends this request to the appropriate court 34.
  • the FBI receives the order from the court and the signed order is routed to the U.S. KAC 14 from the FBI.
  • the U.S. KAC 14 adds its signature and its ID to the order and forwards it to the next lower KAC until it eventually reaches the terminal KAC for that user or device.
  • Each KAC along the route preferably adds its ID and signature.
  • the terminal KAC (i.e., KAC 36) sends this order to key management center 38 which engages in a blind access protocol with KAC 36.
  • the session key is received at the terminal KAC 36.
  • KAC 36 forwards the session key back through the hierarchy until the session key reaches the agency 32. Further details are described below.
  • FIG. 3 is illustrates a key transfer bounce diagram in accordance with a preferred embodiment of the present invention.
  • M1 preferably includes the ID of the court, a unique serial number associated with the court order, a time stamp, a user type and a user ID, any of which may or may not be encrypted.
  • the message may also include other required authorizations.
  • the message preferably includes a validity period such as start and stop times associated with a court order, and a serial number unique to the court order which may or may not be encrypted.
  • the court signs this order with its signature and forwards this to the FBI.
  • the court's signature on the order allows the KACs verify the legitimacy of the order.
  • the message information sent by the court is illustrated as M1. This is discussed in further detail described below.
  • the FBI submits this signed order to the U.S. key management center which verifies the signature, adds its ID and signature, and forwards the message request to the New Jersey key arbitration center 36.
  • the message information added by the FBI is illustrated as M2 which includes the ID of the FBI, preferably a time stamp, and any extra information added by the FBI.
  • M3 includes the ID of the U.S. KAC, a time stamp the U.S. KAC and any extra information added by the U.S. KAC.
  • KMC 38 receives this message and verifies both the court and the U.S. key management center's signatures.
  • KAC 36 preferably engages in a blind access protocol with KMC 38.
  • the included message sent by KAC 36 to the KMC is illustrated as M4.
  • M4 preferably includes the ID of the KAC 36 (which is the terminal KAC for the user), a time stamp added by KAC 36 and any extra information added by KAC 36.
  • KMC 38 returns an encrypted encryption key to KAC 36.
  • the message information added by U.S. KAC 36 is illustrated in the figure as M5.
  • M5 preferably includes an encrypted user ID, the court order serial number, and a time stamp.
  • M5 may also include the ID of KAC 36.
  • the actual user/device ID is encrypted with the public key of the terminal KAC which engages in the blind access protocol with the relevant KMC. Accordingly, only this terminal KAC has access to the user/device ID which helps ensure privacy.
  • the terminal KMC as part of the blind access protocol, provides a set of encrypted user ID's and the associated encryption keys to the terminal KAC. The encryption keys are provided encrypted with the KMCs public key.
  • the terminal KAC selects the appropriate encryption key based on the user ID and sends the selected encryption key back to the KMC after encrypting it with the agency's public key.
  • the KMC then decrypts the results with its private key and sends it back the terminal KAC which transfers it through the hierarchy to the requesting agency.
  • a commutative encryption algorithm is desirable for this blind access protocol. Accordingly, because the public key of the agency requesting the key is used, the terminal KAC does not need to decrypt this key and accordingly this terminal KAC never knows the actual key value. Only the requesting agency will know this actual value, and only the agency and the terminal KAC knows the user ID for the requested session key.
  • a user's device has an internal KMC module installed therein when the user's device generates it own keys.
  • This module enables encryption upon registration with any KAC, (becoming the terminal KAC for that KMC) and desirably will respond to requests for session keys.
  • Devices that have more than one possible user and accordingly more than one session key manages these requests, preferably by engaging a blind access protocol.
  • KMC modules in particular user devices respond only to requests for keys from the KAC from which it has registered.
  • FIGs. 4 and 5 illustrate a flow chart of key access procedure 100 in accordance with a preferred embodiment of the present invention.
  • Procedure 100 may be performed by various equipment or parties in a key management hierarchy, such as the one described above.
  • Organizations operating such equipment may include, for example various courts and government agencies, KACs and KMCs.
  • an organization such as a government agency (e.g., the FBI) requests a court order for an encryption key(s) (e.g., session keys) that have been used or are currently being used by a user or device.
  • the request for the court order preferably includes a user or device ID 101 to identify the individual, and may include other information required by the court to issue a court order for session keys.
  • the request for the court order sent by the agency is a digitally signed message, signed by the requesting agency.
  • the message may or may not be encrypted, for example, with the court's public key.
  • the court may issue a court order for the encryption key.
  • the court order preferably is a message that includes such information 103 as, for example, the court's ID and a serial number associated with the court order, a time-stamp, the user's ID, an order validity period, and authority information.
  • the court signs its message, preferably with the court's private key 105, and sends the signed message (i.e., the message and signature) to the government agency that has requested the court order.
  • the message portion is preferably not encrypted.
  • the user's ID portion of the message may be encrypted, for example, with the agency's pubic key.
  • the agency performs optional tasks 108 and 110.
  • the agency verifies the signature of the court.
  • the agency verifies the court's signature with the court's public key 107.
  • the subsequent tasks of the procedure are performed.
  • the agency preferably encrypts the user ID information with the public key 111 of a KAC that is associated with the user's Key Management Center (KMC) (i.e., the terminal KAC for that user), and adds the encrypted user ID to the message.
  • KMC Key Management Center
  • the agency also preferably adds information identifying that KAC (e.g., the terminal KAC ID) as the terminal KAC to the message.
  • Task 109 may also include the task of initially decrypting the user's ID if it had been encrypted by the court.
  • the agency adds the agency's ID to the message and signs the message with the agency's private key before sending the signed message to the appropriate KAC in task 112.
  • the agency forwards this message to the appropriate level KAC in the hierarchy.
  • the KAC may be the highest level KAC in the United States (i.e., the U.S. KAC).
  • the request that the agency sends to the KAC preferably includes the user's ID encrypted with the public key of terminal KAC associated with the user.
  • the signed message sent to the appropriate level KAC in task 112 is preferably is comprised of a message portion and a signature portion.
  • the signature portion is a digital signature based on the message portion, a hash algorithm and the private key of the sender.
  • the message portion preferably includes the message received from the court in task 108 along with the information added by the agency in tasks 109 and 110. Note that the message received from the court may include both a message portion and a signature portion when signed by the court in task 106.
  • the KAC verifies the signatures including the court's signature and the agency's signature. When the signatures are valid, the subsequent tasks of procedure 100 are performed. When any of the signatures are not valid, the KAC may notify the agency from which the message was received of the invalid signature(s).
  • the KAC adds it's ID to the message, and signs the message with it's private key 115.
  • the KAC desirably includes a time stamp within the message.
  • the message at this point in procedure 100 includes a message portion and the signature portion.
  • the signature portion is the digital signature of the KAC based on the message portion.
  • the message portion preferably includes the signed message received by the KAC in task 112, and also includes the information added by the KAC in task 116.
  • the signature portion is preferably based on the entire message portion.
  • the KAC identifies the terminal KAC associated with the user's KMC based in the information in the received message. The KAC then routes its signed message to the identified terminal KAC.
  • each KAC in the hierarchy has information on the configuration of the hierarchy so that the message may be routed to the terminal KAC identified in the message.
  • each KAC along the route preferably performs tasks 114 through 118, adding its ID and signature to the message.
  • the terminal KAC verifies the signature of the KAC from which the message was received, and preferably verifies the signatures of all higher level KACs in the hierarchy which were involved with routing the message requesting the session key.
  • the terminal KAC may also verify the court's signature and the agency's signature.
  • the signatures are valid, the subsequent tasks of procedure 100 are performed.
  • the terminal KAC preferably notifies the higher level KAC from which the message was received of the invalid signature. An invalid signature message is then preferably routed up through the hierarchy until the agency is notified.
  • the terminal KAC adds it's ID and other information to the message, and signs the message.
  • the terminal KAC identifies the KMC for the particular user. This, for example, is accomplished by reading the user ID within the message, and associating the user with a KMC associated with the terminal KAC.
  • the user ID is encrypted with the public key of the terminal KAC to help insure privacy.
  • task 123 is performed which includes the step of decrypting the user ID with the terminal KACs private key 124 to determine the user ID and the appropriate KMC.
  • only the terminal KAC has access to the user ID to help insure privacy. Users (either individuals or organizations with many users) preferably choose which terminal KAC to sign up with, and presumably will choose terminal KACs that are considered more trustworthy.
  • the terminal KAC sends the signed message it generated in task 122 requesting a key to the identified KMC.
  • the message that is sent to the KMC does not include a (clear text) user ID and accordingly, does not allow the KMC to determine which user's session key is being requested. In this way, the KMC does not know the identity of the device or individual user to be monitored by the agency.
  • the KMC provides the requested session key or keys to the terminal KAC.
  • the terminal KAC performs blind key access procedure 129 or a similar protocol with the KMC to receive the session key of the individual without the KMC knowing which session key is provided.
  • the KMC provides the session key to the terminal KAC already encrypted with the agency's public key 130. Accordingly, in this embodiment, the terminal KAC does not have access to the actual session key value. Only the requesting agency will know the actual key value. Furthermore, only the requesting agency and the terminal KAC know the user ID of the key.
  • a blind access protocol provides an encryption key to a requestor without the sender being able to identify which key has been requested.
  • a blind key access procedure is used in conjunction with tasks 126 and 128, the message that the terminal KAC sends to the KMC desirably does not include an unencrypted user ID.
  • a blind key access procedure may require that both the agency's key and the key used by the terminal KAC use a communitative encryption algorithm well known in the art.
  • the terminal KAC encrypts the session key received from the KMC with the agency's public key, before routing it up through the hierarchy.
  • the terminal KAC may now route the encrypted session key(s) up through the hierarchy and back to the agency requesting the session key.
  • the terminal KMC may add additional information to the message before routing the encrypted session key back up through the hierarchy of KACs to the agency. For example, in task 131 , the terminal KAC encrypts the user ID with the agency's public key, and in task 132, the terminal KAC may add the encrypted user ID, court order serial number, and other information to the message before routing the message to the next higher level KAC in the hierarchy in task 134. In one embodiment, the terminal KAC signs the message
  • the next higher level KAC verifies the terminal KACs signature, preferably adds its ID to the message and signs the message in task 136 before further routing the message to the next higher lever KAC in the hierarchy.
  • each KAC in the hierarchy involved in routing the encrypted session key back to the requesting agency performs task 136, until the highest level KAC sends the message to the requesting agency in task 138.
  • the KAC at the level associated the government agency e.g., FBI
  • the terminal KAC routes the session key directly to the agency.
  • the KMC keeps a record that includes the court orders and the validity period of the court orders. Because a KMC that engages in a blind access procedure to provide an encryption key does not know which user a court order applies to, when a court order expires, the KMC preferably issues all new session keys to users and expires or cancels previously issued session keys.
  • the terminal KAC upon expiration of a session key validity period during when the court order for the session key is valid, the terminal KAC requests the new session key for the user.
  • a blind key access procedure is also used so that user's who key is being requested is not identified by the KMC.
  • the KMC In response to a request for the session key, the KMC provides a portion of the session key to one terminal KAC, and another portion to another terminal KAC.
  • the KMC preferably provides one half the session key (e.g., k1 ) to one terminal KAC and the other half of the session key (e. g., k2) to the other terminal KAC.
  • the actual session key is a combination of K1 and K2, and is preferably the binary exclusive-OR of the key portions.
  • K1 and K2 each may simply represent part or half of the complete session key bits.
  • K1 and K2 may be separately generated and the complete session key may be a combination of the two individual keys.
  • the split key embodiment of the present invention is not limited to two session key portions, and is applicable to N session key portions where N may be several hundred. In these embodiments, each key portion is provided to a different terminal KAC, and preferably provided using a blind key access procedure.
  • one advantage to the present invention is that session keys may be obtained only when proper court authorization is obtained.
  • Another advantage to the present invention is that manufacturers, operators or attackers are not able to decrypt a user's messages in any amount of time commensurate with the security level in use by the user.
  • Another advantage to the present invention is that user's messages are not able to be decrypted after a court order expires.

Abstract

A key management system includes a hierarchy (10) of independent key arbitration centers (KAC) for providing access to a user's session keys through key management centers (KMC). When a court order is issued for a user's session keys, a message requesting the keys is transferred down through hierarchy until a terminal KAC (16, 36) is reached. Each KAC in the hierarchy adds its ID and signs (116) the message, verifying prior signatures (114). The user's ID is encrypted with the terminal KAC's public key. The terminal KAC engages in a blind key access procedure (129) with the KMC (18, 38) to receive the user's session key. The key is provided encrypted with the requesting party's or agency's public key. Accordingly, privacy is assured because only the KMC and the requesting agency have access to the actual key value, and only the terminal KAC and requesting agency have access to the user's ID. No other KACs in the hierarchy have access to the user ID or key value, and the KMC does not know which user's key has been provided.

Description

METHOD AND SYSTEM FOR HIERARCHICAL KEY ACCESS AND RECOVERY
Field of the Invention
This invention relates in general to the field of cryptography, in particular to key management and authentication, and more particularly to accessing and recovering encryption keys.
Background of the Invention
Government agencies may need access to encryption keys of users or organizations for court-authorized law enforcement purposes. However, because of privacy and efficiency issues, it is desirable for private businesses or individuals to maintain their encryption keys for their employees and customers and to allow for emergency key recovery and also to allow access by the government agencies only when such access is authorized by the courts. Furthermore, such access should be authorized only for as long as such a court order is valid, and only the government agency should have access to the actual key value. It is also desirable that when an encryption key is requested, that the user or device does not know it is being monitored by the government agency.
Accordingly, what is needed is a method that provides access by the government to an encryption key pursuant only to a valid court order. What is also needed is a method of providing access to an encryption key such that when encryption keys are provided to a government agency pursuant to a court order, only the agency has access to the actual key value. Furthermore, what is also needed is a method of providing access to an encryption key such that only authorized parties know the identity of the device or user being monitored. What is also needed is a method of providing access to an encryption key only for as long as a court order for such a key is valid. What is also needed is a method of providing access to an encryption key that provides an audit trail so that it can be verified that proper procedures have been followed during all steps of the key access process.
More generally, there is a need for securely providing encryption keys to an authorized party pursuant to an authorized request without the user's knowledge.
Brief Description of the Drawings
The invention is pointed out with particularity in the appended claims. However, a more complete understanding of the present invention may be derived by referring to the detailed description and claims when considered in connection with the figures, wherein like reference numbers refer to similar items throughout the figures, and:
FIG. 1 illustrates a hierarchical key management system in accordance with a preferred embodiment of the present invention;
FIG. 2 illustrates a transfer path for a key request in accordance with a preferred embodiment of the present invention;
FIG. 3 illustrates a key transfer bounce diagram in accordance with a preferred embodiment of the present invention; and FIGs. 4 and 5 illustrate a flow chart of a key access procedure in accordance with a preferred embodiment of the present invention.
The exemplification set out herein illustrates a preferred embodiment of the invention in one form thereof, and such exemplification is not intended to be construed as limiting in any manner. Detailed Description of the Drawings
The present invention provides, among other things, a method for approved encryption key access by appropriate legal entities. The inventors take the position that citizens should be able to use the cryptography of their choice when and how they desire. The inventors also recognize that law enforcement may require, with the proper and legally obtained court order, the ability to decrypt the citizens traffic and communications for the purpose of a valid investigation. The invention described herein provides an approach for key access and recovery. The issue of key recovery and access is a controversial one involving the concerns of citizens, companies, governments and law enforcement agencies around the world. In order for any approach for key access to be acceptable to these diverse interests, it should address some of the basic concerns discussed below.
In a preferred embodiment, the present invention provides for access to an encryption key when, for example, a court order, approved by a court has been obtained. The present invention also provides, among other things, a method of providing access to an encryption key wherein manufacturers, operators or attackers are not able to decrypt a user's messages in any amount of time commensurate with the security level in use by the user. The present invention also provides, in another preferred embodiment, a method of key access wherein user's messages are not able to be decrypted after a court order expires.
The present invention also provides, among other things, a method of providing key access where only authorized parties, such as the government and court, know the identity of the individual or device which key is being accessed (e.g., the person or device which will be wiretapped or monitored). Furthermore, the present invention provides, in a preferred embodiment, a method of providing access to an encryption key wherein manufacturers, operators, and attackers, in general, will not be able to determine who is being monitored. In accordance with these preferred embodiments of the present invention, the key management system helps maintain the rights and independence of state, local and foreign governments in regard to key access and key recovery. In accordance with the one embodiment of the present invention, a manufacturer does not have to maintain a large key database for products sold and furthermore does not have the added cost due to the maintenance of a substantial key recovery system. In accordance with other preferred embodiments of the present invention, operators do not have to maintain large databases in order to implement the protocols and procedures for key access and recovery described herein.
The term session key as used herein, means a key used for the encryption of data or other information. A session key is generally not permanent and may be changed with some reasonable regularity. Access to a session key allows a third party such as law enforcement to decrypt communications for a given finite period of time (i.e., as long as the session key is valid). As used herein, any key used to decrypt groups of files, data or information is considered a session key even though it is very long lived and may have no expiration period.
The term key management centers (KMC) as used herein means an entity that generates, stores and/or manages a user's or organization's session keys. Key arbitration centers (KAC) as used herein, means an entity that handles the interactions for key recovery appropriate for its level in the hierarchy. This is discussed in more detail below. In general KACs are entities run by private or public concerns and which arbitrate the key access and key recovery processes.
FIG. 1 illustrates a hierarchical key management system in accordance with the preferred embodiment of the present invention. The hierarchy 10 of KACs includes international KAC 12 coupled with a KAC from participating countries. For example, KAC 14 is for the United States and KAC 22 is for France. Each national KAC such as KAC 14 is coupled to a plurality of local or regional KACs such as KAC 16. Local or regional KACs 16 may or may not be associated with any particular geographic region and may be associated with certain groups of companies or certain organizations. In the preferred embodiment, there may be one KAC associated with each state in the United States, but this is not a requirement. Each KAC, local or regional 16 has several other lower level KACs below it arranged in a hierarchy. At the lowest level nodes in this hierarchy of KACs are key management centers (KMC). Each KMC is coupled with one KAC. Accordingly, for each KMC there is only one path up through the hierarchy to the highest level KAC. Any KAC coupled with a KMC is herein referred to as a terminal KAC for that particular KMC. For the example shown in FIG. 1 , KAC 16 is the terminal KAC for KMC 18 and KMC 20. In the example shown in FIG. 1 KAC 16 may be a higher level KAC for lower KACs which are terminal KACs for other KMCs.
In the example shown in FIG. 1 , France KAC 22 may have its own hierarchy arranged below it with several intermediate KACs. Alternatively, KAC 22 maybe coupled directly to a KMC. Each country preferably has its own hierarchy arranged similarly to that shown in FIG. 1. In the embodiment shown in FIG. 1 , international KAC 12 holds no key and has no global authority other than to complete the tree hierarchy and to facilitate communication among the various country KACs.
In another embodiment, KAC 12 may be an international arbitrator set up by treaty. In another embodiment, not shown in FIG. 1 , international KAC 12 may be part of a hierarchy of international KACs that operate similarly to the hierarchy of KACs in the United States example.
The hierarchical structure shown in FIG. 1 is designed with a free market approach in mind. Individuals, companies and system operators, which may be KMCs, can chose which key arbitration center with which to connect. The KMCs are intended to be as simple as possible. Each key management center, for example, may provide and store current session keys for the users system or device. The system operator may contract with the third party for this KMC service if so desired. The key management center may use any means to deliver these keys to the user or to the device. In accordance with a preferred embodiment of the present invention, all session keys are properly obtained from one of the KMCs at the bottom nodes in the hierarchy of FIG. 1. In the preferred embodiments of the present invention, each KMC engages in a blind access protocol with at least one KAC as described below. Alternatively, a KMC may be located inside an individual communication device. When this is the situation, there is no need for a blind access protocol since only a single session key is usually stored at any time. The nodes of the hierarchy, the KACs of FIG. 1 are preferably assigned a security level by the relevant authorities and each level is allowed connectivity to the system at that level. Any properly registered KAC that operates at the improper level will be invalidated. In the embodiment described herein, public/private key technology is used for securing communications. Those with skill in the art will understand other methods of securing communications may also be used. As messages pass through each node of the tree an ID and a digital signature of each node (i.e., KACs ID and KACs signature) is added to a message requesting an encryption key. This provides, among other things, an audit trail for the request. Each node at a given level of the tree preferably only accepts messages from one node above it and a configured subset of authorized nodes below it. Allowable message types are defined based on whether or not the message was received from a lower level or higher level KAC in the hierarchy. In this embodiment, messages from nodes at the same level are always rejected. Accordingly, each node desirably knows at least part of the tree structure.
FIG. 2 illustrates a transfer path for a key request in accordance with the preferred embodiment with the present invention. In FIG. 2, an example government agency 32 (i.e., the FBI) wishes to obtain a court order for session keys of an individual or device. The FBI sends this request to the appropriate court 34. The FBI then receives the order from the court and the signed order is routed to the U.S. KAC 14 from the FBI. The U.S. KAC 14 adds its signature and its ID to the order and forwards it to the next lower KAC until it eventually reaches the terminal KAC for that user or device. Each KAC along the route preferably adds its ID and signature. The terminal KAC, (i.e., KAC 36) sends this order to key management center 38 which engages in a blind access protocol with KAC 36. The session key is received at the terminal KAC 36. KAC 36 forwards the session key back through the hierarchy until the session key reaches the agency 32. Further details are described below.
FIG. 3 is illustrates a key transfer bounce diagram in accordance with a preferred embodiment of the present invention. When a court issues a court order for an encryption key, the message sent from the court to the requesting agency 32 is illustrated as M1. M1 preferably includes the ID of the court, a unique serial number associated with the court order, a time stamp, a user type and a user ID, any of which may or may not be encrypted. The message may also include other required authorizations. The message preferably includes a validity period such as start and stop times associated with a court order, and a serial number unique to the court order which may or may not be encrypted. Preferably the court signs this order with its signature and forwards this to the FBI. Among other things, the court's signature on the order allows the KACs verify the legitimacy of the order. The message information sent by the court is illustrated as M1. This is discussed in further detail described below. The FBI submits this signed order to the U.S. key management center which verifies the signature, adds its ID and signature, and forwards the message request to the New Jersey key arbitration center 36.
The message information added by the FBI is illustrated as M2 which includes the ID of the FBI, preferably a time stamp, and any extra information added by the FBI. M3 includes the ID of the U.S. KAC, a time stamp the U.S. KAC and any extra information added by the U.S. KAC. KMC 38 receives this message and verifies both the court and the U.S. key management center's signatures. When the signatures are confirmed, KAC 36 preferably engages in a blind access protocol with KMC 38. The included message sent by KAC 36 to the KMC is illustrated as M4. M4 preferably includes the ID of the KAC 36 (which is the terminal KAC for the user), a time stamp added by KAC 36 and any extra information added by KAC 36. KMC 38 returns an encrypted encryption key to KAC 36. The message information added by U.S. KAC 36 is illustrated in the figure as M5. M5 preferably includes an encrypted user ID, the court order serial number, and a time stamp. M5 may also include the ID of KAC 36.
In the preferred embodiment the actual user/device ID is encrypted with the public key of the terminal KAC which engages in the blind access protocol with the relevant KMC. Accordingly, only this terminal KAC has access to the user/device ID which helps ensure privacy. As shown in FIG. 3, the terminal KMC, as part of the blind access protocol, provides a set of encrypted user ID's and the associated encryption keys to the terminal KAC. The encryption keys are provided encrypted with the KMCs public key. As part of the blind access protocol the terminal KAC selects the appropriate encryption key based on the user ID and sends the selected encryption key back to the KMC after encrypting it with the agency's public key. The KMC then decrypts the results with its private key and sends it back the terminal KAC which transfers it through the hierarchy to the requesting agency. Note that a commutative encryption algorithm is desirable for this blind access protocol. Accordingly, because the public key of the agency requesting the key is used, the terminal KAC does not need to decrypt this key and accordingly this terminal KAC never knows the actual key value. Only the requesting agency will know this actual value, and only the agency and the terminal KAC knows the user ID for the requested session key. In accordance with a preferred embodiment of the present invention, a user's device has an internal KMC module installed therein when the user's device generates it own keys. This module enables encryption upon registration with any KAC, (becoming the terminal KAC for that KMC) and desirably will respond to requests for session keys. Devices that have more than one possible user and accordingly more than one session key, manages these requests, preferably by engaging a blind access protocol. In the preferred embodiment, KMC modules in particular user devices respond only to requests for keys from the KAC from which it has registered.
FIGs. 4 and 5 illustrate a flow chart of key access procedure 100 in accordance with a preferred embodiment of the present invention. Procedure 100 may be performed by various equipment or parties in a key management hierarchy, such as the one described above. Organizations operating such equipment may include, for example various courts and government agencies, KACs and KMCs.
In task 102, an organization such as a government agency (e.g., the FBI) requests a court order for an encryption key(s) (e.g., session keys) that have been used or are currently being used by a user or device. The request for the court order preferably includes a user or device ID 101 to identify the individual, and may include other information required by the court to issue a court order for session keys. In the preferred embodiment, the request for the court order sent by the agency is a digitally signed message, signed by the requesting agency. The message may or may not be encrypted, for example, with the court's public key.
In task 104, after the court receives the request for the court order, the court may issue a court order for the encryption key. The court order preferably is a message that includes such information 103 as, for example, the court's ID and a serial number associated with the court order, a time-stamp, the user's ID, an order validity period, and authority information.
In task 106, the court signs its message, preferably with the court's private key 105, and sends the signed message (i.e., the message and signature) to the government agency that has requested the court order. The message portion is preferably not encrypted. However, the user's ID portion of the message may be encrypted, for example, with the agency's pubic key.
In one embodiment of the present invention, the agency performs optional tasks 108 and 110. When the message received from the court has been signed by the court, in task 108, the agency verifies the signature of the court. Preferably, the agency verifies the court's signature with the court's public key 107. In this embodiment, when the signature is valid, the subsequent tasks of the procedure are performed.
In task 109, after receiving the court order message from the court, the agency preferably encrypts the user ID information with the public key 111 of a KAC that is associated with the user's Key Management Center (KMC) (i.e., the terminal KAC for that user), and adds the encrypted user ID to the message. The agency also preferably adds information identifying that KAC (e.g., the terminal KAC ID) as the terminal KAC to the message. Task 109 may also include the task of initially decrypting the user's ID if it had been encrypted by the court.
In task 110, the agency adds the agency's ID to the message and signs the message with the agency's private key before sending the signed message to the appropriate KAC in task 112. In task 112, the agency forwards this message to the appropriate level KAC in the hierarchy. In the case of United States government agencies such as the FBI, the KAC may be the highest level KAC in the United States (i.e., the U.S. KAC). As discussed in task 109, the request that the agency sends to the KAC preferably includes the user's ID encrypted with the public key of terminal KAC associated with the user.
The signed message sent to the appropriate level KAC in task 112 is preferably is comprised of a message portion and a signature portion. The signature portion is a digital signature based on the message portion, a hash algorithm and the private key of the sender. The message portion preferably includes the message received from the court in task 108 along with the information added by the agency in tasks 109 and 110. Note that the message received from the court may include both a message portion and a signature portion when signed by the court in task 106.
In task 114, the KAC verifies the signatures including the court's signature and the agency's signature. When the signatures are valid, the subsequent tasks of procedure 100 are performed. When any of the signatures are not valid, the KAC may notify the agency from which the message was received of the invalid signature(s).
In task 116, the KAC adds it's ID to the message, and signs the message with it's private key 115. The KAC desirably includes a time stamp within the message. Similar to the message sent in task 112, the message at this point in procedure 100 includes a message portion and the signature portion. The signature portion is the digital signature of the KAC based on the message portion. The message portion preferably includes the signed message received by the KAC in task 112, and also includes the information added by the KAC in task 116. The signature portion is preferably based on the entire message portion.
In task 118, the KAC identifies the terminal KAC associated with the user's KMC based in the information in the received message. The KAC then routes its signed message to the identified terminal KAC.
In the preferred embodiment of the present invention comprised of a hierarchy of KACs, other (non-terminal) KACs may be coupled inbetween the first/initial KAC and the terminal KAC for that user. In this embodiment, the initial KAC routes the message to the next KAC lower in the hierarchy until the message reaches the terminal KAC. Preferably, each KAC in the hierarchy has information on the configuration of the hierarchy so that the message may be routed to the terminal KAC identified in the message. In this embodiment, each KAC along the route preferably performs tasks 114 through 118, adding its ID and signature to the message.
In task 120, the terminal KAC verifies the signature of the KAC from which the message was received, and preferably verifies the signatures of all higher level KACs in the hierarchy which were involved with routing the message requesting the session key. The terminal KAC may also verify the court's signature and the agency's signature. When the signatures are valid, the subsequent tasks of procedure 100 are performed. When any of the signatures are invalid, the terminal KAC preferably notifies the higher level KAC from which the message was received of the invalid signature. An invalid signature message is then preferably routed up through the hierarchy until the agency is notified.
Similarly to task 116, in task 122, the terminal KAC adds it's ID and other information to the message, and signs the message.
In task 125, the terminal KAC identifies the KMC for the particular user. This, for example, is accomplished by reading the user ID within the message, and associating the user with a KMC associated with the terminal KAC. In the preferred embodiment of the present invention, the user ID is encrypted with the public key of the terminal KAC to help insure privacy. In this embodiment, task 123 is performed which includes the step of decrypting the user ID with the terminal KACs private key 124 to determine the user ID and the appropriate KMC. In the preferred embodiment, only the terminal KAC has access to the user ID to help insure privacy. Users (either individuals or organizations with many users) preferably choose which terminal KAC to sign up with, and presumably will choose terminal KACs that are considered more trustworthy.
In task 126, the terminal KAC sends the signed message it generated in task 122 requesting a key to the identified KMC. Note that in the preferred embodiment, the message that is sent to the KMC does not include a (clear text) user ID and accordingly, does not allow the KMC to determine which user's session key is being requested. In this way, the KMC does not know the identity of the device or individual user to be monitored by the agency.
In task 128, the KMC provides the requested session key or keys to the terminal KAC. Preferably, the terminal KAC performs blind key access procedure 129 or a similar protocol with the KMC to receive the session key of the individual without the KMC knowing which session key is provided. As part of procedure 129, in the preferred embodiment, the KMC provides the session key to the terminal KAC already encrypted with the agency's public key 130. Accordingly, in this embodiment, the terminal KAC does not have access to the actual session key value. Only the requesting agency will know the actual key value. Furthermore, only the requesting agency and the terminal KAC know the user ID of the key.
An example of a suitable blind key access procedure is described in United States Patent, Number 5,564,106, entitled "Method for Providing Blind Access to an Encryption Key", issued October 8, 1996, which is hereby incorporated by reference. In general, a blind access protocol provides an encryption key to a requestor without the sender being able to identify which key has been requested. When a blind key access procedure is used in conjunction with tasks 126 and 128, the message that the terminal KAC sends to the KMC desirably does not include an unencrypted user ID. A blind key access procedure may require that both the agency's key and the key used by the terminal KAC use a communitative encryption algorithm well known in the art. In another embodiment that does not fully implement a blind key access protocol, the terminal KAC encrypts the session key received from the KMC with the agency's public key, before routing it up through the hierarchy. The terminal KAC may now route the encrypted session key(s) up through the hierarchy and back to the agency requesting the session key. The terminal KMC may add additional information to the message before routing the encrypted session key back up through the hierarchy of KACs to the agency. For example, in task 131 , the terminal KAC encrypts the user ID with the agency's public key, and in task 132, the terminal KAC may add the encrypted user ID, court order serial number, and other information to the message before routing the message to the next higher level KAC in the hierarchy in task 134. In one embodiment, the terminal KAC signs the message
(with the terminal KACs private key) before routing the message to the next higher level KAC in the hierarchy in task 134. In this embodiment, the next higher level KAC verifies the terminal KACs signature, preferably adds its ID to the message and signs the message in task 136 before further routing the message to the next higher lever KAC in the hierarchy. Preferably, each KAC in the hierarchy involved in routing the encrypted session key back to the requesting agency performs task 136, until the highest level KAC sends the message to the requesting agency in task 138. In the example discussed herein, the KAC at the level associated the government agency (e.g., FBI) is the U.S. KAC. In another embodiment of the present invention, the terminal KAC routes the session key directly to the agency. In this embodiment, the session key may or may not be encrypted with the agency's public key, and may depend on whether or not the session key was received encrypted from the KMC. In task 140, the agency receives the session key, verifies the signatures of the lower KACs, and decrypts the user's session key or keys using the agency's private key. Now the agency has access to the user's session key value and may use the session key in accordance with the court order, and preferably, only until such court order expires.
In a preferred embodiment of the present invention, a court order issued by a court has a time stamp and a validity period associated with the order. In this embodiment, when the terminal KAC receives the request for the session key (i.e., task 118), the terminal KAC records this validity period of the court order, and stores this information with the user ID. Furthermore, in this embodiment of the present invention, a session key received from the KMC in task 128 includes a validity period for the session key. When the validity period for the session key expires, the session key is no longer valid and the user obtains a new session key. The terminal KAC also stores the session key validity period associated with the user ID.
In one preferred embodiment, the KMC keeps a record that includes the court orders and the validity period of the court orders. Because a KMC that engages in a blind access procedure to provide an encryption key does not know which user a court order applies to, when a court order expires, the KMC preferably issues all new session keys to users and expires or cancels previously issued session keys.
In another preferred embodiment of the present invention, the terminal KAC keeps a record that includes the court orders and the validity period of the court orders. When a court order expires, the terminal KAC notifies the KMC that a particular court order has expired. Accordingly, the KMC then issues new session keys to users and expires or cancels the previously issued session keys.
In other embodiments of the present invention, upon expiration of a session key validity period during when the court order for the session key is valid, the terminal KAC requests the new session key for the user. Preferably, a blind key access procedure is also used so that user's who key is being requested is not identified by the KMC.
In other embodiments of the present inventions, the KACs and KMCs in the hierarchy include time stamps within their messages. In these embodiments, each subsequent KAC sending and receiving a message compares the time stamp of the prior KAC to determine if more than a predetermined amount of time has passed. When more that the predetermined amount of time has passed, the KAC receiving the message deems the message invalid, and preferably notifies the requesting agency. In an alternative embodiment of the present invention, referred to as a split key embodiment, a KMC is associated with at least two distinct and separate terminal KACs. In this embodiment, requests for session keys are submitted to each terminal KAC associated with the user's KMC, in a similar manner to that described above. In response to a request for the session key, the KMC provides a portion of the session key to one terminal KAC, and another portion to another terminal KAC. When there are two terminal KACs, the KMC preferably provides one half the session key (e.g., k1 ) to one terminal KAC and the other half of the session key (e. g., k2) to the other terminal KAC. The actual session key is a combination of K1 and K2, and is preferably the binary exclusive-OR of the key portions. However, other combinations of split keys may also be used. For example, K1 and K2 each may simply represent part or half of the complete session key bits. Alternatively, K1 and K2 may be separately generated and the complete session key may be a combination of the two individual keys. The split key embodiment of the present invention is not limited to two session key portions, and is applicable to N session key portions where N may be several hundred. In these embodiments, each key portion is provided to a different terminal KAC, and preferably provided using a blind key access procedure.
When the requesting agency receives the key portions, it combines the session key portions as appropriate to arrive at the complete session key. An advantage to this embodiment is that no terminal KAC has access to the whole session key. Spreading key information over N locations further enhances privacy and reduce the possibility of unauthorized key access.
Thus, a method for encryption key access and key recovery has been described which overcomes specific problems and accomplishes certain advantages relative to typical methods and systems. The improvements over known technology are significant. For example one advantage to the present invention, as described in a preferred embodiment, is that session keys may be obtained only when proper court authorization is obtained. Another advantage to the present invention, as described in a preferred embodiment, is that manufacturers, operators or attackers are not able to decrypt a user's messages in any amount of time commensurate with the security level in use by the user. Another advantage to the present invention, as described in a preferred embodiment, is that user's messages are not able to be decrypted after a court order expires. Another advantage to the present invention, as described in a preferred embodiment, is that only authorized parties, such as the government and court, know the identity of the individual or device which key is being accessed (e.g., the person or device which will be wiretapped or monitored). Another advantage to the present invention, as described in a preferred embodiment, is that manufacturers, operators, and attackers, in general, will not be able to determine who is being monitored. The foregoing description of the specific embodiments will so fully reveal the general nature of the invention that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and therefore such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Accordingly, the invention is intended to embrace all such alternatives, modifications, equivalents and variations as fall within the spirit and broad scope of the appended claims.

Claims

CLAIMSWhat is claimed is:
1. In a hierarchical key management system comprising a plurality of key arbitration centers (KAC) arranged in a hierarchy, a method for providing access to an encryption key of a user comprising the steps of: receiving a signed message at a first KAC, said signed message comprising a message portion and an organization signature, said message portion identifying said user and an organization requesting said encryption key, said organization signature being said message portion digitally signed by said organization; verifying said organization signature by said first KAC; adding a first KAC ID to said message portion when said organization signature is valid; after the adding step, signing by said first KAC, said message portion and said organization signature to generate a first KAC signature; sending said first KAC signature, said organization signature and said message portion to a second KAC, said second KAC being at a next lower level in said hierarchy; verifying, by said second KAC, said first KAC signature and said organization signature; and said second KAC requesting said encryption key from a key management center (KMC) to receive said encryption key.
2. A method as claimed in claim 1 wherein the requesting step includes the step of said second KAC engaging in a blind key access protocol with said KMC to receive said encryption key, and wherein the receiving step, the message portion is digitally signed with a private key of said organization, and wherein the receiving step includes the step of receiving as part of said message portion, a user identifier (UID) encrypted with a public key of said second KAC, said second KAC being a terminal KAC for said user, and wherein said message portion also includes a destination
ID identifying said second KAC as said terminal KAC.
3. A method as claimed in claim 2 wherein said signed message includes a request for said encryption key, and wherein said receiving step includes the step of receiving said message portion, said message portion including a validity period for said request, said method further comprising the step of said terminal KAC checking that said request is valid based on said validity period, said second KAC performing said engaging step during said validity period, and wherein the engaging step includes the steps of: receiving a session key associated with said user from said KMC; and receiving a validity time associated with said session key, and wherein the method further comprises the step of said second KAC, upon expiration of the validity time of the session key, requesting subsequent session keys for said user from said KMC during said validity period of said request, said second KAC routing said subsequent session keys to said organization.
4. A method as claimed in claim 3 further comprising the steps of: encrypting said subsequent session keys with a public key of said organization; and sending a signed message to said first KAC, said signed message including said encrypted subsequent session keys, said signed message being signed with a private key of said second KAC.
5. A method as claimed in claim 3 further comprising the steps of: determining by said KMC when said validity period for said request has expired; and said KMC issuing new session keys in response to the determining step.
6. A method as claimed in claim 3 further comprising the step of said second KAC, prior to the engaging step, verifying that said first KAC is authorized to communicate with said second KAC, the verifying by said second KAC step including the step of determining that said first KAC is at a next higher level in said hierarchy, wherein said request includes a court order and wherein the receiving a signed message step, said organization is a court that has issued said court order to a government agency to obtain said encryption key, and wherein said message includes information identifying said court and an authority for said court order; and the method includes the steps of: identifying said terminal KAC based on said destination ID; said first KAC adding a time-stamp to said message portion; and said second KAC performing the engaging step only within a predetermined period of time of said time-stamp.
7. A hierarchical key management system comprising: a plurality of key arbitration centers (KAC) arranged in a hierarchy for communicating with each other; and a plurality of key management centers (KMC) for storing session keys of users, each KMC configured for communicating with one of said KACs, wherein said KACs route requests for session keys to lower level KACs of said hierarchy, said KACs route encrypted versions of said session keys to designated higher level KACs of said hierarchy, and and KACs at end nodes of said hierarchy request said session keys from said KMC.
8. A system as claimed in claim 7 wherein each KAC that routes one of said requests, also signs said request with a private key of said KAC and routes said request to one of said lower level KACs, and wherein each KAC receiving said request from a higher level KAC, also verifies a signature of said higher level KAC, wherein one of said lower level KAC engages in a blind access protocol with a key management center (KMC) to receive said session keys of said user, and said lower level KAC receives said session key encrypted with a public key of an organization requesting said session key.
9. A system as claimed in claim 8 wherein said higher level KACs add an ID of said each higher level KAC prior to routing said request.
10. In a hierarchical key management system comprising a plurality of key arbitration centers (KAC) arranged in a hierarchy, a method for providing access to an encryption key of a user comprising the steps of: receiving a signed message at a first KAC, said signed message requesting said encryption key; verifying a signature of said signed message by said first
KAC; adding a first KAC ID to a message portion of said signed message; signing said message portion by said first KAC, to generate a first KAC signature; sending a second signed message to a second KAC in said hierarchy, said second signed message including said first KAC signature; verifying, by said second KAC, said first KAC signature; and said second KAC receiving said encryption key in response to the verifying step, wherein: the receiving step further comprises the step of receiving said signed message, wherein said signed message comprises a message portion and an organization signature, said message portion identifying said user an organization requesting said encryption key, said organization signature being said message portion signed with a private key of said organization; wherein the adding step is performed when said organization signature is valid; wherein the signing step is performed after the adding step, and includes the step of signing by said first KAC, said message portion and said organization signature to generate said first KAC signature; wherein said second signed message includes said first KAC signature, said organization signature and said message portion, said second KAC being a next lower KAC in said hierarchy, wherein the verifying said first KAC signature step includes the step of verifying said organization signature, and wherein said second KAC receiving step includes the step of engaging in a blind key access protocol with a key management center (KMC) to receive said encryption key.
PCT/US1997/019286 1997-01-23 1997-10-28 Method and system for hierarchical key access and recovery WO1998033295A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU54256/98A AU5425698A (en) 1997-01-23 1997-10-28 Method and system for hierarchical key access and recovery
EP97948124A EP0894379A1 (en) 1997-01-23 1997-10-28 Method and system for hierarchical key access and recovery

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08/788,068 US5917911A (en) 1997-01-23 1997-01-23 Method and system for hierarchical key access and recovery
US08/788,068 1997-01-23

Publications (1)

Publication Number Publication Date
WO1998033295A1 true WO1998033295A1 (en) 1998-07-30

Family

ID=25143353

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1997/019286 WO1998033295A1 (en) 1997-01-23 1997-10-28 Method and system for hierarchical key access and recovery

Country Status (4)

Country Link
US (1) US5917911A (en)
EP (1) EP0894379A1 (en)
AU (1) AU5425698A (en)
WO (1) WO1998033295A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618120A (en) * 2015-03-04 2015-05-13 青岛微智慧信息有限公司 Digital signature method for escrowing private key of mobile terminal
CN115065533A (en) * 2022-06-14 2022-09-16 东北大学 Information encryption method and system based on key layering

Families Citing this family (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6628987B1 (en) * 2000-09-26 2003-09-30 Medtronic, Inc. Method and system for sensing cardiac contractions during vagal stimulation-induced cardiopalegia
JP3656688B2 (en) * 1997-03-31 2005-06-08 栄司 岡本 Cryptographic data recovery method and key registration system
US6606387B1 (en) * 1998-03-20 2003-08-12 Trusted Security Solutions, Inc. Secure establishment of cryptographic keys
US6724895B1 (en) * 1998-06-18 2004-04-20 Supersensor (Proprietary) Limited Electronic identification system and method with source authenticity verification
ATE360866T1 (en) * 1998-07-02 2007-05-15 Cryptography Res Inc LEAK-RESISTANT UPDATING OF AN INDEXED CRYPTOGRAPHIC KEY
WO2000025466A1 (en) * 1998-10-23 2000-05-04 L-3 Communications Corporation Apparatus and methods for managing key material in heterogeneous cryptographic assets
US7499551B1 (en) * 1999-05-14 2009-03-03 Dell Products L.P. Public key infrastructure utilizing master key encryption
US6907127B1 (en) * 1999-06-18 2005-06-14 Digital Video Express, L.P. Hierarchical key management encoding and decoding
US7213048B1 (en) 2000-04-05 2007-05-01 Microsoft Corporation Context aware computing devices and methods
US7076255B2 (en) * 2000-04-05 2006-07-11 Microsoft Corporation Context-aware and location-aware cellular phones and methods
US6750883B1 (en) 2000-04-05 2004-06-15 Microsoft Corporation Identity-based context aware computing systems and methods
US6327535B1 (en) * 2000-04-05 2001-12-04 Microsoft Corporation Location beaconing methods and systems
US7421486B1 (en) 2000-04-05 2008-09-02 Microsoft Corporation Context translation methods and systems
US7743074B1 (en) 2000-04-05 2010-06-22 Microsoft Corporation Context aware systems and methods utilizing hierarchical tree structures
US7096029B1 (en) 2000-04-05 2006-08-22 Microsoft Corporation Context aware computing devices having a common interface and related methods
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
US6895091B1 (en) * 2000-07-07 2005-05-17 Verizon Corporate Services Group Inc. Systems and methods for encryption key archival and auditing in a quantum-cryptographic communications network
US6944679B2 (en) * 2000-12-22 2005-09-13 Microsoft Corp. Context-aware systems and methods, location-aware systems and methods, context-aware vehicles and methods of operating the same, and location-aware vehicles and methods of operating the same
US7072956B2 (en) * 2000-12-22 2006-07-04 Microsoft Corporation Methods and systems for context-aware policy determination and enforcement
US7493565B2 (en) 2000-12-22 2009-02-17 Microsoft Corporation Environment-interactive context-aware devices and methods
KR100406754B1 (en) * 2001-04-11 2003-11-21 한국정보보호진흥원 Forward-secure commercial key escrow system and escrowing method thereof
US7451110B2 (en) * 2001-05-18 2008-11-11 Network Resonance, Inc. System, method and computer program product for providing an efficient trading market
US7464154B2 (en) * 2001-05-18 2008-12-09 Network Resonance, Inc. System, method and computer program product for analyzing data from network-based structured message stream
US7124299B2 (en) * 2001-05-18 2006-10-17 Claymore Systems, Inc. System, method and computer program product for auditing XML messages in a network-based message stream
US7936693B2 (en) * 2001-05-18 2011-05-03 Network Resonance, Inc. System, method and computer program product for providing an IP datalink multiplexer
US8929552B2 (en) * 2001-06-01 2015-01-06 No Magic, Inc. Electronic information and cryptographic key management system
US7137000B2 (en) 2001-08-24 2006-11-14 Zih Corp. Method and apparatus for article authentication
US6874089B2 (en) * 2002-02-25 2005-03-29 Network Resonance, Inc. System, method and computer program product for guaranteeing electronic transactions
US7769997B2 (en) * 2002-02-25 2010-08-03 Network Resonance, Inc. System, method and computer program product for guaranteeing electronic transactions
GB0215524D0 (en) * 2002-07-05 2002-08-14 Hewlett Packard Co Method and apparatus for generating a cryptographic key
GB0215590D0 (en) * 2002-07-05 2002-08-14 Hewlett Packard Co Method and apparatus for generating a cryptographic key
KR100924773B1 (en) * 2002-09-16 2009-11-03 삼성전자주식회사 Method for encrypting and decrypting metadata and method for managing metadata and system thereof
US20060085454A1 (en) * 2004-10-06 2006-04-20 Blegen John L Systems and methods to relate multiple unit level datasets without retention of unit identifiable information
KR100640058B1 (en) * 2004-11-23 2006-11-01 삼성전자주식회사 Method of managing a key of user for broadcast encryption
US7890634B2 (en) * 2005-03-18 2011-02-15 Microsoft Corporation Scalable session management
US7509116B2 (en) * 2005-03-30 2009-03-24 Genx Mobile Incorporated Selective data exchange with a remotely configurable mobile unit
US7860244B2 (en) * 2006-12-18 2010-12-28 Sap Ag Secure computation of private values
US9203613B2 (en) 2011-09-29 2015-12-01 Amazon Technologies, Inc. Techniques for client constructed sessions
CN103842984B (en) * 2011-09-29 2017-05-17 亚马逊技术股份有限公司 Parameter based key derivation
WO2016118523A1 (en) 2015-01-19 2016-07-28 InAuth, Inc. Systems and methods for trusted path secure communication
BR102016001279B1 (en) * 2016-01-20 2024-02-27 Scopus Soluções Em Ti Ltd METHOD FOR PROTECTING THE SECRECY OF THE IDENTIFICATION OF THE SENDER OF MESSAGES TRANSMITTED BY PROMISCUOUS CHANNELS
US10116440B1 (en) 2016-08-09 2018-10-30 Amazon Technologies, Inc. Cryptographic key management for imported cryptographic keys
CN109167759B (en) * 2018-08-09 2021-03-30 中国联合网络通信集团有限公司 Mobile phone number acquisition method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0586022A1 (en) * 1989-03-07 1994-03-09 Addison M. Fischer Improved public key/signature cryptosystem with enhanced digital signature certification field
US5564106A (en) * 1995-03-09 1996-10-08 Motorola, Inc. Method for providing blind access to an encryption key

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4969188A (en) * 1987-02-17 1990-11-06 Gretag Aktiengesellschaft Process and apparatus for the protection of secret elements in a network of encrypting devices with open key management
US4888801A (en) * 1988-05-02 1989-12-19 Motorola, Inc. Hierarchical key management system
GB8819767D0 (en) * 1988-08-19 1989-07-05 Ncr Co Public key diversification method
US5179591A (en) * 1991-10-16 1993-01-12 Motorola, Inc. Method for algorithm independent cryptographic key management
US5341426A (en) * 1992-12-15 1994-08-23 Motorola, Inc. Cryptographic key management apparatus and method
US5335281A (en) * 1992-12-15 1994-08-02 Motorola, Inc. Network controller and method
US5369702A (en) * 1993-10-18 1994-11-29 Tecsec Incorporated Distributed cryptographic object method
NZ329891A (en) * 1994-01-13 2000-01-28 Certco Llc Method of upgrading firmware of trusted device using embedded key
US5420927B1 (en) * 1994-02-01 1997-02-04 Silvio Micali Method for certifying public keys in a digital signature scheme

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0586022A1 (en) * 1989-03-07 1994-03-09 Addison M. Fischer Improved public key/signature cryptosystem with enhanced digital signature certification field
US5564106A (en) * 1995-03-09 1996-10-08 Motorola, Inc. Method for providing blind access to an encryption key

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
K.SIUDA: "Technische Massnahmen für die sichere Informationsübertragung in zukünftigen Fernmeldenetzen (ISDN)", BULL.SEV/VSE 77., 11 January 1986 (1986-01-11), BERN(CH), pages 5 - 11, XP002063183 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618120A (en) * 2015-03-04 2015-05-13 青岛微智慧信息有限公司 Digital signature method for escrowing private key of mobile terminal
CN115065533A (en) * 2022-06-14 2022-09-16 东北大学 Information encryption method and system based on key layering

Also Published As

Publication number Publication date
EP0894379A1 (en) 1999-02-03
US5917911A (en) 1999-06-29
AU5425698A (en) 1998-08-18

Similar Documents

Publication Publication Date Title
US5917911A (en) Method and system for hierarchical key access and recovery
CN108768988B (en) Block chain access control method, block chain access control equipment and computer readable storage medium
US7020778B1 (en) Method for issuing an electronic identity
US6192130B1 (en) Information security subscriber trust authority transfer system with private key history transfer
Kent Privacy enhancement for internet electronic mail: Part II: Certificate-based key management
US5745574A (en) Security infrastructure for electronic transactions
US6377810B1 (en) Method of operation of mobile wireless communication system with location information
CN110046521A (en) Decentralization method for secret protection
Fumy et al. Principles of key management
US7685421B2 (en) System and method for initializing operation for an information security operation
CN107196966A (en) The identity identifying method and system of multi-party trust based on block chain
EP2553894B1 (en) Certificate authority
CN100342684C (en) Securing arbitrary communication services
CN110059503A (en) The retrospective leakage-preventing method of social information
EP2404427B1 (en) Method and apparatus for securing network communications
JPH05103094A (en) Method and apparatus for mutually certifying users in communication system
CN112565294B (en) Identity authentication method based on block chain electronic signature
CN109858259A (en) The data protection of community health service alliance and sharing method based on HyperLedger Fabric
MXPA02008919A (en) Automatic identity protection system with remote third party monitoring.
KR100582546B1 (en) Method for sending and receiving using encryption/decryption key
CN113392430B (en) Digital resource management method and system based on intelligent contract authentication
CN100596066C (en) Entity identification method based on H323 system
Condell A security model for the information mesh
GB2413744A (en) Limiting access to personal (e.g. location) information of a service user by a service provider
CN117692152A (en) Signature verification network-based signature method, signature verification method and certificate issuing method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AT AU AZ BA BB BG BR BY CA CH CN CU CZ CZ DE DE DK DK EE EE ES FI FI GB GE GH HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT UA UG UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

WWE Wipo information: entry into national phase

Ref document number: 1997948124

Country of ref document: EP

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWP Wipo information: published in national office

Ref document number: 1997948124

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref country code: CA

WWW Wipo information: withdrawn in national office

Ref document number: 1997948124

Country of ref document: EP