WO2009034320A1 - Systems and methods relating to encryption and decryption - Google Patents

Publication number
WO2009034320A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
decryption
file
server
encrypted
Application number
PCT/GB2008/003070
Other languages
French (fr)
Inventor
Raman Madhavan
Original Assignee
Mediares Limited
Application filed by Mediares Limited
Publication of WO2009034320A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/101: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/1011: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities to devices

Definitions

  • the present invention relates to the encryption and decryption of files.
  • In order for a user to be able to decrypt a file, therefore, they must have a copy of the decryption key. If someone wishes to provide an encrypted file for a user that only that user can decrypt, they can provide the user with a unique decryption key, and then provide a file that can only be decrypted using that decryption key. A third party obtaining a copy of the encrypted file will be unable to decrypt the encrypted file, as they do not have the required decryption key. However, if a third party obtains a copy of the decryption key, they will also be able to decrypt the encrypted file. It would be desirable to be able to prevent such a situation occurring.
  • a decryption system for decrypting encrypted files, comprising: a user licence key; at least one piece of pre-determined device-specific information; wherein the decryption system is arranged to compare the at least one piece of pre-determined device-specific information with corresponding information present in the device on which the decryption is being performed, and is further arranged to decrypt an encrypted file using the user licence key only in the case that the at least one piece of pre-determined device-specific information and the corresponding information present in the device match.
  • As decryption can only occur when there is a match between the pre-determined device-specific information and the corresponding information present in the device, if a third party attempts to decrypt an encrypted file on a different device using the system, they will be unable to do so.
  • the at least one piece of pre-determined device-specific information may be the MAC address for a network adaptor.
  • the at least one piece of pre-determined device-specific information may be the serial number of a hard disk drive.
  • At least one piece of pre-determined device-specific information is encrypted using the user licence key. This prevents a third party from being able to easily obtain the pre-determined device-specific information, which they could for example use to adapt their own device so that it appeared to be the intended device.
  • the user licence key is transformed prior to being used to decrypt an encrypted file.
  • the transformation of the user licence key is dependent upon the duration between the user licence key being generated and the encrypted file being encrypted. This means that even if a third party obtains the user licence key itself, they will not be able to use it to decrypt a file without knowing when it was generated.
  • the transformation of the user licence key is further dependent upon a pre-selected mathematical operation.
  • the transformation of the user licence key is further dependent upon a pre-selected time period.
  • the decryption system further comprises details of the time when the user licence key was generated, of the pre-selected mathematical operation, and/or of the pre-selected time period.
  • the details of the time when the user licence key was generated, of the pre-selected mathematical operation, and/or of the pre-selected time period are encrypted using the user licence key. This makes it more difficult for a third party to be able to obtain those details.
  • encryption and decryption is performed using the RC4 (Rivest Cipher 4) algorithm.
  • encryption and decryption is performed using the AES (Advanced Encryption Standard) cipher algorithm.
  • the decryption system may be further arranged to request an encrypted file from a remote device.
  • the file may be requested to be encrypted using the user licence key.
  • the file may be requested to be encrypted using a different licence key.
  • the encrypted file is the encryption of a file sent by the decryption system to the remote device. This allows a user to have their own files encrypted by the remote device, either with their own user licence key or with a different licence key.
  • the decryption system may be further arranged to encrypt files using the user licence key. This allows a user to encrypt their own files using the user licence key on their own device.
  • a method of decrypting an encrypted file on a device comprising the steps of: obtaining at least one piece of pre-determined device-specific information; comparing the at least one piece of pre-determined device-specific information with corresponding information present in the device; in the case the at least one piece of device-specific information and the corresponding information present in the device match, decrypting the encrypted file using a previously stored user licence key.
  • a method of providing a decryption computer program product for use in a decryption system of the present invention comprising the steps of: receiving a request from a device for a copy of the decryption computer program product; receiving details from the device of an intended user of the decryption computer program product; obtaining a user licence key corresponding to the intended user; obtaining at least one piece of device-specific information present in the device; embedding the user licence key and at least one piece of device-specific information within a copy of the decryption computer program product; sending the copy of the decryption computer program product to the device.
  • This method provides a computer program product required to enable a user to use their current computer system as the system of the present invention described above.
  • a system for providing a decryption computer program product comprising a software server arranged to perform the method described immediately above.
  • the system further comprises a file server arranged to perform the method comprising the steps of: receiving a request from a device for an encrypted file; receiving details from the device of the intended user of the encrypted file; obtaining a user licence key corresponding to the intended user; encrypting the file using the user licence key; sending the encrypted file to the device.
  • This method allows a user to have files encrypted using their own user licence key and different licence keys.
  • the method of the file server further comprises the step of: receiving from the device the file to be encrypted.
  • the system may further comprise a licence server arranged to store and provide on request user licence keys corresponding to users.
  • the software server, file server and/or licence server may be web servers.
  • the software server, file server and/or licence server may be provided by a single web server.
  • the software server, file server and/or licence server may be network servers.
  • the software server, file server and/or licence server may be provided by a single network server.
  • Figure 1 shows a computer system suitable for the present invention;
  • Figure 2 is a flow chart showing the creation of a user licence key;
  • Figure 3 is a flow chart showing how decryption software is provided;
  • Figure 4 is a flow chart showing how encrypted files are provided;
  • Figure 5 is a flow chart showing how an encrypted file is decrypted by the decryption software;
  • Figure 6 is a flow chart showing how files provided by the user are encrypted;
  • Figure 7 shows the generation of a new user licence key.
  • Personal computers (PC) 2 and 3 are connected to the Internet 1, through which they are able to communicate with a licence server 4, software server 5 and a file server 6.
  • Figure 2 is a flow chart showing a first stage of the present invention, which occurs when a user first registers with the service.
  • a user using PC 2 sends a request to the licence server 4 notifying it that they wish to register with the service (step 101).
  • the licence server 4 then creates a unique user licence key for the user (step 102), as described below.
  • the licence server 4 then stores the details of the user and their licence key.
  • the user licence key could be generated using the user's personal details, location and date and time of registration. The generation of the user licence key is described in more detail below.
  • Figure 3 is a flow chart showing a second stage of the present invention, which occurs when a user who has already registered for the service (and so acquired a user licence key) wishes to install the software for decrypting files onto a machine.
  • the decryption software is being installed onto the second PC 3.
  • the user uses the PC 3 to send a request to the software server 5 for a copy of the decryption software (step 201).
  • the software server 5 then requests login and device information from the PC 3 (step 202).
  • the "login information" is for example a unique user name and password chosen by the user when they first registered for the service as described above.
  • By "device information" is meant some information relating to the PC 3 by which it can be uniquely identified, for example the Media Access Control (MAC) address (also known as physical address) of the network adapter by which the PC 3 is networked, which is a six-pair set of hexadecimal numbers of the form a1-2b-c3-d4-5e-f6.
  • a computer may have more than one network adapter, in which case one of those adaptors is selected to provide the MAC address, for example the adapter being used at that time for connection to the internet.
  • Another example of a suitable “device information” is the serial number of the hard disk drive of the PC 3.
  • the software server 5 then sends the login information to the licence server 4, so that it can confirm that the request has come from the user (step 203). If the login information matches that stored in the licence server 4, the licence server 4 sends the user licence key for the user (which was created when the user initially registered for the service) to the software server 5 (step 204). (The licence server 4 may also send some personal information provided by the user on registration to the service to the software server 5. The software server 5 can then send this information to the PC 2, and that information, or some part of it, is then displayed to the user. The user can then indicate that they recognise the personal information, so confirming that they have logged in correctly.)
  • (the software server 4 could ask the user to provide some of the personal details again, and then check if those newly provided details match those sent by the licence server 4. If the user does not provide confirmation and/or the correct personal details then the installation of the software is abandoned.)
  • the server then embeds the device information and the user licence key within a copy of the decryption software (step 205).
  • Before the device information is embedded it is first encrypted using the user licence key. This means that the device information cannot easily be extracted from the decryption software, which a third party may wish to do for reasons described below.
  • the decryption software is then sent to the PC 3 for installation thereon (step 206).
  • Figure 4 is a flow chart showing a third stage of the present invention, which occurs when a user downloads an encrypted file.
  • the file is being downloaded onto the PC 2.
  • the user uses the PC 2 to send a request to the file server 6 for a particular file (step 301).
  • This request could for example take the form of the purchase of a file, say a music file or text document.
  • the file server 6 then requests login information from the PC 2 (step 302).
  • the file server 6 then sends the login information to the licence server 4 (step 303). If the login information matches that stored in the licence server 4, the licence server 4 sends the user licence key for the user to the file server 6 (step 304).
  • the file server uses the licence key to encrypt the file, and sends the encrypted file to the PC 2 (step 305).
  • the encryption of files is described in more detail below.
  • Figure 5 is a flow chart showing a fourth stage of the present invention, which occurs when a user wishes to decrypt an encrypted file.
  • the user runs the decryption software, in this case on the PC 3, and selects the file they wish to decrypt (step 401).
  • the decryption software will have been provided using the method described above with reference to Figure 3.
  • the file the user wishes to decrypt will also be on the PC 3.
  • the file will have been provided using the method described above with reference to Figure 4.
  • the file could have been downloaded directly onto the PC 3, or could alternatively have been downloaded onto a different device (for example the first PC 2) and later copied to the PC 3.
  • the software compares the device information for the PC 3, for example the MAC address by which it is networked, with the device information that was embedded within it by the software server 5 (step 402).
  • the device information is of course decrypted using the user licence key embedded in the decryption software prior to the comparison.
  • the software uses the user licence key that was embedded within it by the software server 5 to decrypt the encrypted file (step 403).
  • the decryption of files is described in more detail below. The user is then able to access the decrypted file to use as required.
  • the software could comprise a document viewer, media playback software (for audio or video), or other software relevant for the format of the encrypted file.
  • the file that had been encrypted could be accessed by the software, without the entire decrypted file ever being available on the PC 3. This would prevent the decrypted file being easily copied even if a third party gained access to the PC 3 itself, for example if a user used the software to play an encrypted music file and then left the PC 3 unattended. It can now be seen why the device information is encrypted using the user licence key prior to being embedded in the decryption software.
  • If a third party obtained a copy of the decryption software and were able to extract the device information, they could potentially adapt the device information on a separate PC (for example by changing the MAC address of its network adaptor) to match the device information embedded in the decryption software.
  • the device information in the decryption software would then match the device information of the separate PC, incorrectly indicating that the decryption software was running on the PC 2, and so the decryption software could be used by the third party to decrypt files.
  • the software can also be used by the user to encrypt files. If a file is to be encrypted using the user licence key embedded within the decryption software, then the file is encrypted by the decryption software without any connection to the file server 6 or licence server 4 being required.
  • the user may wish to encrypt a file so that it can be decrypted by other users, who will have their own user licence keys, as shown in Figure 6.
  • the user uses the PC 2 to send a file to the file server 6, along with a request that it be encrypted (step 501).
  • the file server 6 requests encryption information from the PC 2 indicating the user for which the file should be encrypted (step 502).
  • the file server 6 then sends the encryption information to the licence server 4 (step 503).
  • the licence server 4 finds the required licence key as indicated by the encryption information, and sends that licence key to the file server 6 (step 504).
  • the file server uses the licence key to encrypt the file, and sends the encrypted file to the PC 2 (step 505).
  • the user can then distribute the encrypted file as required.
  • the computer system described above is an example only, and various other suitable systems could be used.
  • the system described comprises three separate web servers (a software server, a file server and a licence server), but a different number of servers could be used to perform the same operations - for example a single server could perform all the operations, or the licence server and software server could be combined.
  • all communication from the PCs 3 and 4 could be with the file server, which would then send and receive information to the licence server and software server as required.
  • the system could also for example operate over a local network, rather than over the Internet.
  • Figure 7 illustrates the generation of the user licence key, using personal details 1001 (for example name, address, date of birth) and registration details 1002 (for example IP address, date and time of registration).
  • a number of characters from the personal and registration details are selected, to give a series of characters 1003.
  • the letters are then randomly transposed (i.e. randomly re-ordered) to give a new series of characters 1004.
  • This series of characters is the user licence key, as stored on the licence server 4 and embedded in the decryption software.
  • Each user licence key should be unique to the particular user, and so if the licence key thus generated is already present in the licence server 4 then a new user licence key should be generated according to the above method to be used instead. (Assuming that new user licence key is itself unique.)
  • Although the licence key has been described as being generated by the above method, any method that produced a suitable licence key that is unique to the user could be used, as long as the same licence key is used for the encryption of all files that are to be decrypted by the user using the decryption software (which may in practice be installed by the user on more than one device).
  • the licence key could for example simply be a unique number randomly generated for the user upon registration.
  • Files are encrypted and decrypted using the well-known RC4 (Rivest Cipher 4) algorithm.
  • any other suitable encryption/decryption algorithm could be used, such as the AES (Advanced Encryption Standard) cipher algorithm (also known as the Rijndael cipher algorithm).
  • the key used for the RC4 algorithm is based on the user licence key. Before the user licence key is used for the RC4 algorithm a series of operations are performed upon it, as now described.
  • the device information is also encrypted using the user licence key prior to being embedded in the decryption software by the software server 5.
  • the RC4 algorithm is again used, however in that case the user licence key itself is used as the key, and it does not undergo any operations prior to being used.
  • the device information is of course also decrypted simply using the user licence key itself as key.
  • a value "c" is selected, which represents a mathematical operation from amongst a set of mathematical operations such as multiplication by a particular number, division by a particular number, or taking a power to a particular number, or a mixture of such operations.
  • a value "f" is also selected which represents a frequency such as once a millisecond, once an hour, daily, weekly etc.
  • the values "c" and "f", and also the date and time at which the user licence key was generated are stored on the licence server 4 along with the user licence key, and also embedded in the decryption software when it is provided by the software server 5.
  • the values c and f and the time tg are encrypted using the user licence key itself prior to embedding in the decryption software, similarly to the device information.
  • When a file is encrypted, either by the file server 6 or decryption software itself, the RC4 algorithm is used.
  • the operation c is then applied to the user licence key the number of times indicated by the frequency f and the time t, to give the key used by the RC4 algorithm when encrypting the file (called herein the "transformed user licence key").
  • Although the user licence key as generated above may not be a number, the mathematical operations described can easily be extended to operate on a string containing characters, for example by being applied to the binary representation of the string.
  • the time value tf is stored in the resulting encrypted file in an unencrypted form (for example in the "metadata" of the file).
  • the combination of the encrypted file and the value tf may itself be encrypted, using the original untransformed user licence key.
  • An example of the generation of the transformed user licence key is as follows. Suppose the value of the user licence key "u" is 21, and c is the operation whereby the value of u is increased by one, and the frequency f is once a day.
  • the decryption software has embedded within it the user licence key. Also embedded within are the values c, f and the time tg the user licence key was generated, all encrypted by the RC4 algorithm with the user licence key as key. The decryption software is therefore able to decrypt those values. The decryption software is also able to extract the value tf from the file to be decrypted, within which it is stored in unencrypted form. (Alternatively, if the combination of the encrypted file and the value tf has itself been encrypted, the encrypted combination is first decrypted using the original untransformed user licence key, thus providing the value tf and the file encrypted with the transformed user licence key.)
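
The install, encrypt and decrypt stages and the licence-key transformation described above, as an added example that is not code from the patent or its applicant. The operation table, the comma-separated parameter encoding, the reading of the key bytes as a big-endian integer, and all sample values (licence key, timestamps, file contents) are constructed assumptions.

```python
import hmac
from dataclasses import dataclass

DAY = 86_400  # frequency f = "once a day", expressed in seconds

# Assumed table: the value c selects one pre-agreed mathematical operation.
OPERATIONS = {
    0: lambda u: u + 1,  # "increase by one", as in the worked example
    1: lambda u: u * 3,  # constructed alternative
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream XOR); the same call encrypts and decrypts.
    RC4 is used because the text names it; RFC 7465 prohibits it in TLS."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def transform(u: int, c_id: int, f: int, tg: int, tf: int) -> int:
    """Apply operation c once per whole period f elapsed between tg and tf."""
    if tf < tg:
        raise ValueError("file time tf precedes key generation time tg")
    for _ in range((tf - tg) // f):
        u = OPERATIONS[c_id](u)
    return u


def transformed_key(licence_key: bytes, c_id: int, f: int, tg: int, tf: int) -> bytes:
    """Assumption: c acts on the key's binary representation read as an integer."""
    u = transform(int.from_bytes(licence_key, "big"), c_id, f, tg, tf)
    return u.to_bytes(max(1, (u.bit_length() + 7) // 8), "big")


@dataclass
class DecryptionSoftware:
    licence_key: bytes      # embedded as-is (step 205)
    enc_device_info: bytes  # device info, RC4-encrypted under the licence key
    enc_params: bytes       # c, f and tg, RC4-encrypted under the licence key


def build_software(licence_key, device_info, c_id, f, tg):
    """Software server: embed key, device info and parameters in a copy."""
    params = f"{c_id},{f},{tg}".encode()
    return DecryptionSoftware(
        licence_key,
        rc4(licence_key, device_info.encode()),
        rc4(licence_key, params),
    )


def encrypt_file(licence_key, c_id, f, tg, tf, plaintext):
    """File server: encrypt under the transformed key; tf stays unencrypted."""
    key = transformed_key(licence_key, c_id, f, tg, tf)
    return {"tf": tf, "body": rc4(key, plaintext)}


def decrypt_file(sw, local_device_info, enc_file):
    """Decryption software: steps 402 (compare) and 403 (decrypt)."""
    embedded = rc4(sw.licence_key, sw.enc_device_info)
    if not hmac.compare_digest(embedded, local_device_info.encode()):
        raise PermissionError("device information does not match")
    c_id, f, tg = (int(x) for x in rc4(sw.licence_key, sw.enc_params).decode().split(","))
    key = transformed_key(sw.licence_key, c_id, f, tg, enc_file["tf"])
    return rc4(key, enc_file["body"])


def demo():
    """Constructed scenario: key generated at tg, file encrypted three days later."""
    key, tg = b"nJ4oh7Sm", 1_200_000_000
    sw = build_software(key, "a1-2b-c3-d4-5e-f6", c_id=0, f=DAY, tg=tg)
    enc = encrypt_file(key, 0, DAY, tg, tg + 3 * DAY + 500, b"track 01")
    return sw, enc


if __name__ == "__main__":
    sw, enc = demo()
    print(decrypt_file(sw, "a1-2b-c3-d4-5e-f6", enc))
```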

Abstract

A decryption system for decrypting encrypted files, comprising a user licence key and at least one piece of pre-determined device-specific information. The decryption system is arranged to compare the at least one piece of pre-determined device-specific information with corresponding information present in the device on which the decryption is being performed. The decryption system is further arranged to decrypt an encrypted file using the user licence key only in the case that the at least one piece of pre-determined device-specific information and the corresponding information present in the device match.

Description

Systems and methods relating to encryption and decryption
The present invention relates to the encryption and decryption of files.
In known encryption and decryption systems, files are encrypted using encryption keys. The contents of a file cannot then be read unless the file is decrypted, which must be done using a decryption key. The decryption key will be related to, and often identical to, the encryption key.
In order for a user to be able to decrypt a file, therefore, they must have a copy of the decryption key. If someone wishes to provide an encrypted file for a user that only that user can decrypt, they can provide the user with a unique decryption key, and then provide a file that can only be decrypted using that decryption key. A third party obtaining a copy of the encrypted file will be unable to decrypt the encrypted file, as they do not have the required decryption key. However, if a third party obtains a copy of the decryption key, they will also be able to decrypt the encrypted file. It would be desirable to be able to prevent such a situation occurring.
In accordance with a first aspect of the present invention there is provided a decryption system for decrypting encrypted files, comprising: a user licence key; at least one piece of pre-determined device-specific information; wherein the decryption system is arranged to compare the at least one piece of pre-determined device-specific information with corresponding information present in the device on which the decryption is being performed, and is further arranged to decrypt an encrypted file using the user licence key only in the case that the at least one piece of pre-determined device-specific information and the corresponding information present in the device match. As decryption can only occur when there is a match between the pre-determined device-specific information and the corresponding information present in the device, if a third party attempts to decrypt an encrypted file on a different device using the system, they will be unable to do so.
The at least one piece of pre-determined device-specific information may be the MAC address for a network adaptor. Alternatively, the at least one piece of pre-determined device-specific information may be the serial number of a hard disk drive.
Preferably, at least one piece of pre-determined device-specific information is encrypted using the user licence key. This prevents a third party from being able to easily obtain the pre-determined device-specific information, which they could for example use to adapt their own device so that it appeared to be the intended device.
Advantageously, the user licence key is transformed prior to being used to decrypt an encrypted file. This provides an additional level of security. Advantageously, the transformation of the user licence key is dependent upon the duration between the user licence key being generated and the encrypted file being encrypted. This means that even if a third party obtains the user licence key itself, they will not be able to use it to decrypt a file without knowing when it was generated. Preferably, the transformation of the user licence key is further dependent upon a pre-selected mathematical operation. Preferably, the transformation of the user licence key is further dependent upon a pre-selected time period. Preferably, the decryption system further comprises details of the time when the user licence key was generated, of the pre-selected mathematical operation, and/or of the pre-selected time period. In this way the information needed to transform the user licence key as required is readily available. Advantageously, the details of the time when the user licence key was generated, of the pre-selected mathematical operation, and/or of the pre-selected time period are encrypted using the user licence key. This makes it more difficult for a third party to be able to obtain those details.
Preferably, encryption and decryption is performed using the RC4 (Rivest Cipher 4) algorithm. Alternatively, encryption and decryption is performed using the AES (Advanced Encryption Standard) cipher algorithm.
The decryption system may be further arranged to request an encrypted file from a remote device. The file may be requested to be encrypted using the user licence key. Alternatively, the file may be requested to be encrypted using a different licence key. This allows a first user to obtain a file which can be decrypted only by a different user. Advantageously, the encrypted file is the encryption of a file sent by the decryption system to the remote device. This allows a user to have their own files encrypted by the remote device, either with their own user licence key or with a different licence key. The decryption system may be further arranged to encrypt files using the user licence key. This allows a user to encrypt their own files using the user licence key on their own device.
In accordance with a second aspect of the present invention there is provided a method of decrypting an encrypted file on a device comprising the steps of: obtaining at least one piece of pre-determined device-specific information; comparing the at least one piece of pre-determined device-specific information with corresponding information present in the device; in the case the at least one piece of device-specific information and the corresponding information present in the device match, decrypting the encrypted file using a previously stored user licence key.
In accordance with a third aspect of the present invention there is provided a method of providing a decryption computer program product for use in a decryption system of the present invention as described above, comprising the steps of: receiving a request from a device for a copy of the decryption computer program product; receiving details from the device of an intended user of the decryption computer program product; obtaining a user licence key corresponding to the intended user; obtaining at least one piece of device-specific information present in the device; embedding the user licence key and at least one piece of device-specific information within a copy of the decryption computer program product; sending the copy of the decryption computer program product to the device.
This method provides a computer program product required to enable a user to use their current computer system as the system of the present invention described above.
In accordance with a fourth aspect of the present invention there is provided a system for providing a decryption computer program product comprising a software server arranged to perform the method described immediately above.
Advantageously, the system further comprises a file server arranged to perform the method comprising the steps of: receiving a request from a device for an encrypted file; receiving details from the device of the intended user of the encrypted file; obtaining a user licence key corresponding to the intended user; encrypting the file using the user licence key; sending the encrypted file to the device.
This method allows a user to have files encrypted using their own user licence key and different licence keys.
Advantageously, the method of the file server further comprises the step of: receiving from the device the file to be encrypted.
This allows a user to provide the file to be encrypted.
The system may further comprise a licence server arranged to store and provide on request user licence keys corresponding to users. The software server, file server and/or licence server may be web servers. The software server, file server and/or licence server may be provided by a single web server.
Alternatively, the software server, file server and/or licence server may be network servers. The software server, file server and/or licence server may be provided by a single network server.
There will now be described embodiments of the invention, with reference to the accompanying drawings of which:
Figure 1 shows a computer system suitable for the present invention;
Figure 2 is a flow chart showing the creation of a user licence key;
Figure 3 is a flow chart showing how decryption software is provided;
Figure 4 is a flow chart showing how encrypted files are provided;
Figure 5 is a flow chart showing how an encrypted file is decrypted by the decryption software;
Figure 6 is a flow chart showing how files provided by the user are encrypted;
Figure 7 shows the generation of a new user licence key.
A computer system suitable for the present invention is shown in Figure 1. Personal computers (PC) 2 and 3 are connected to the Internet 1, through which they are able to communicate with a licence server 4, software server 5 and a file server 6.
Figure 2 is a flow chart showing a first stage of the present invention, which occurs when a user first registers with the service. First, a user using PC 2 sends a request to the licence server 4 notifying it that they wish to register with the service (step 101). The licence server 4 then creates a unique user licence key for the user (step 102), as described below. The licence server 4 then stores the details of the user and their licence key.
The user licence key could be generated using the user's personal details, location and date and time of registration. The generation of the user licence key is described in more detail below.
Figure 3 is a flow chart showing a second stage of the present invention, which occurs when a user who has already registered for the service (and so acquired a user licence key) wishes to install the software for decrypting files onto a machine. In this case the decryption software is being installed onto the second PC 3. First, the user uses the PC 3 to send a request to the software server 5 for a copy of the decryption software (step 201). The software server 5 then requests login and device information from the PC 3 (step 202). The "login information" is for example a unique user name and password chosen by the user when they first registered for the service as described above. By "device information" is meant some information relating to the PC 3 by which it can be uniquely identified, for example the Media Access Control (MAC) address (also known as physical address) of the network adapter by which the PC 3 is networked, which is a six-pair set of hexadecimal numbers of the form a1-2b-c3-d4-5e-f6. (A computer may have more than one network adapter, in which case one of those adapters is selected to provide the MAC address, for example the adapter being used at that time for connection to the internet.) Another example of suitable "device information" is the serial number of the hard disk drive of the PC 3.
The software server 5 then sends the login information to the licence server 4, so that it can confirm that the request has come from the user (step 203). If the login information matches that stored in the licence server 4, the licence server 4 sends the user licence key for the user (which was created when the user initially registered for the service) to the software server 5 (step 204). (The licence server 4 may also send some personal information provided by the user on registration to the service to the software server 5. The software server 5 can then send this information to the PC 2, and that information, or some part of it, is then displayed to the user. The user can then indicate that they recognise the personal information, so confirming that they have logged in correctly.
Alternatively, or additionally, the software server 4 could ask the user to provide some of the personal details again, and then check if those newly provided details match those sent by the licence server 4. If the user does not provide confirmation and/or the correct personal details then the installation of the software is abandoned.)
The server then embeds the device information and the user licence key within a copy of the decryption software (step 205). Before the device information is embedded it is first encrypted using the user licence key. This means that the device information cannot easily be extracted from the decryption software, which a third party may wish to do for reasons described below. The decryption software is then sent to the PC 3 for installation thereon (step 206).
Figure 4 is a flow chart showing a third stage of the present invention, which occurs when a user downloads an encrypted file. In this case the file is being downloaded onto the PC 2. First, the user uses the PC 2 to send a request to the file server 6 for a particular file (step 301). This request could for example take the form of the purchase of a file, say a music file or text document. The file server 6 then requests login information from the PC 2 (step 302). The file server 6 then sends the login information to the licence server 4 (step 303). If the login information matches that stored in the licence server 4, the licence server 4 sends the user licence key for the user to the file server 6 (step 304). The file server then uses the licence key to encrypt the file, and sends the encrypted file to the PC 2 (step 305). The encryption of files is described in more detail below.
Figure 5 is a flow chart showing a fourth stage of the present invention, which occurs when a user wishes to decrypt an encrypted file. First, the user runs the decryption software, in this case on the PC 3, and selects the file they wish to decrypt (step 401). The decryption software will have been provided using the method described above with reference to Figure 3. The file the user wishes to decrypt will also be on the PC 3. The file will have been provided using the method described above with reference to Figure 4. The file could have been downloaded directly onto the PC 3, or could alternatively have been downloaded onto a different device (for example the first PC 2) and later copied to the PC 3.
The software then compares the device information for the PC 3, for example the MAC address by which it is networked, with the device information that was embedded within it by the software server 5 (step 402). (The device information is of course decrypted using the user licence key embedded in the decryption software prior to the comparison.) If the two pieces of information do not match then it is presumed that the decryption software is not running on the device for which it was registered, and so it presents an error message and stops execution. If, on the other hand, the pieces of information match then it is presumed that the decryption software is running on the correct device. The software then uses the user licence key that was embedded within it by the software server 5 to decrypt the encrypted file (step 403). The decryption of files is described in more detail below. The user is then able to access the decrypted file to use as required.
Instead of providing a decrypted file for the user to use as they wish, the software could comprise a document viewer, media playback software (for audio or video), or other software relevant for the format of the encrypted file. In that case the file that had been encrypted could be accessed by the software, without the entire decrypted file ever being available on the PC 3. This would prevent the decrypted file being easily copied even if a third party gained access to the PC 3 itself, for example if a user used the software to play an encrypted music file and then left the PC 3 unattended.
It can now be seen why the device information is encrypted using the user licence key prior to being embedded in the decryption software. If, for example, a third party obtained a copy of the decryption software and were able to extract the device information, they could potentially adapt the device information on a separate PC (for example by changing the MAC address of its network adaptor) to match the device information embedded in the decryption software. The device information in the decryption software would then match the device information of the separate PC, incorrectly indicating that the decryption software was running on the PC 2, and so the decryption software could be used by the third party to decrypt files.
As well as downloading encrypted files as described above with reference to Figure 4, the software can also be used by the user to encrypt files. If a file is to be encrypted using the user licence key embedded within the decryption software, then the file is encrypted by the decryption software without any connection to the file server 6 or licence server 4 being required.
Alternatively, the user may wish to encrypt a file so that it can be decrypted by other users, who will have their own user licence keys, as shown in Figure 6. First, the user uses the PC 2 to send a file to the file server 6, along with a request that it be encrypted (step 501). The file server 6 then requests encryption information from the PC 2 indicating the user for which the file should be encrypted (step 502). The file server 6 then sends the encryption information to the licence server 4 (step 503). The licence server 4 then finds the required licence key as indicated by the encryption information, and sends that licence key to the file server 6 (step 504). The file server then uses the licence key to encrypt the file, and sends the encrypted file to the PC 2 (step 505). The user can then distribute the encrypted file as required.
It will be understood that the computer system described above is an example only, and various other suitable systems could be used. For example, the system described comprises three separate web servers (a software server, a file server and a licence server), but a different number of servers could be used to perform the same operations - for example a single server could perform all the operations, or the licence server and software server could be combined. In another example, all communication from the PCs 3 and 4 could be with the file server, which would then send and receive information to the licence server and software server as required. The system could also for example operate over a local network, rather than over the Internet.
The generation of the user licence key and the encryption and decryption of files is now described in greater detail.
Figure 7 illustrates the generation of the user licence key, using personal details 1001 (for example name, address, date of birth) and registration details 1002 (for example IP address, date and time of registration). A number of characters from the personal and registration details are selected, to give a series of characters 1003. The letters are then randomly transposed (i.e. randomly re-ordered) to give a new series of characters 1004.
This series of characters is the user licence key, as stored on the licence server 4 and embedded in the decryption software. Each user licence key should be unique to the particular user, and so if the licence key thus generated is already present in the licence server 4 then a new user licence key should be generated according to the above method to be used instead. (Assuming that new user licence key is itself unique.)
Although the licence key has been described as being generated by the above method, any method that produced a suitable licence key that is unique to the user could be used, as long as the same licence key is used for the encryption of all files that are to be decrypted by the user using the decryption software (which may in practice be installed by the user on more than one device). The licence key could for example simply be a unique number randomly generated for the user upon registration.
Files are encrypted and decrypted using the well-known RC4 (Rivest Cipher 4) algorithm. However, any other suitable encryption/decryption algorithm could be used, such as the AES (Advanced Encryption Standard) cipher algorithm (also known as the Rijndael cipher algorithm). The key used for the RC4 algorithm is based on the user licence key. Before the user licence key is used for the RC4 algorithm a series of operations are performed upon it, as now described.
(As described above, the device information is also encrypted using the user licence key prior to being embedded in the decryption software by the software server 5. In this case the RC4 algorithm is again used, however in that case the user licence key itself is used as the key, and it does not undergo any operations prior to being used. The device information is of course also decrypted simply using the user licence key itself as key. Alternatively another algorithm, such as the AES algorithm, could be used to encrypt the device information; it could be the case that the device information and any files are encrypted using the same algorithm, or using different algorithms.)
When the user licence key is generated, a value "c" is selected, which represents a mathematical operation from amongst a set of mathematical operations such as multiplication by a particular number, division by a particular number, or taking a power to a particular number, or a mixture of such operations. A value "f" is also selected which represents a frequency such as once a millisecond, once an hour, daily, weekly etc. The values "c" and "f", and also the date and time at which the user licence key was generated (denoted "tg"), are stored on the licence server 4 along with the user licence key, and also embedded in the decryption software when it is provided by the software server 5. (The values c and f and the time tg are encrypted using the user licence key itself prior to embedding in the decryption software, similarly to the device information.)
When a file is encrypted, either by the file server 6 or decryption software itself, the RC4 algorithm is used. The key for the RC4 algorithm is generated as follows. First, the time "t" lapsed since the user licence key was generated is calculated. This time t is the difference between the time tg at which the licence key was generated and the current time "tf" (as indicated by the internal clock of the file server 6 or PC 2 on which the decryption software is running); in other words t = tf - tg. The operation c is then applied to the user licence key the number of times indicated by the frequency f and the time t, to give the key used by the RC4 algorithm when encrypting the file (called herein the "transformed user licence key"). (Although the user licence key as generated above may not be a number, the mathematical operations described can easily be extended to operate on a string containing characters, for example by being applied to the binary representation of the string.) The time value tf is stored in the resulting encrypted file in an unencrypted form (for example in the "metadata" of the file). Alternatively, the combination of the encrypted file and the value tf may itself be encrypted, using the original untransformed user licence key.
An example of the generation of the transformed user licence key is as follows. Suppose the value of the user licence key "u" is 21, and c is the operation whereby the value of u is increased by one, and the frequency f is once a day. If t is 6 days, in other words the current time tf is six days after the time tg the user licence key was generated, then the transformed user licence key would be u with c applied 6 times, in other words 21+1+1+1+1+1+1 = 27. Similarly, if c is the operation whereby u is cubed and the frequency f is every 3 days, with the same u and t the transformed user licence key will be u with c applied twice, in other words (21^3)^3 = 794280046581.
As can be seen, unless files are encrypted within the same time period (as given by the frequency f), the files will be encrypted using different keys, the keys being generated from the user licence key based on the time at which the file is encrypted.
When a file is decrypted, again the RC4 algorithm is used. The decryption software has embedded within it the user licence key. Also embedded within are the values c, f and the time tg the user licence key was generated, all encrypted by the RC4 algorithm with the user licence key as key. The decryption software is therefore able to decrypt those values. The decryption software is also able to extract the value tf from the file to be decrypted, within which it is stored in unencrypted form. (Alternatively, if the combination of the encrypted file and the value tf has itself been encrypted, the encrypted combination is first decrypted using the original untransformed user licence key, thus providing the value tf and the file encrypted with the transformed user licence key.)
The values of c, f, tg and tf can then be used as described above to obtain from the user licence key the transformed user licence key with which the file was encrypted. That key can then be used with the RC4 algorithm to decrypt the file.
It can be seen that if a third party obtains a user licence key, to be able to decrypt a file they must also gain details of the values c, f and tg. This makes it more difficult for third parties to decrypt files even if the user licence key is obtained.
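The device check of step 402 and the time-dependent key transformation of steps 305 and 403, worked through as an added Python example that is not code from the application or its applicant. The sealed record layout, the one-line tf header, the operation names in OPS and the sample licence key are assumptions made for illustration; RC4 is written out inline only because it is the cipher the description names.

```python
import hmac
from datetime import datetime, timedelta

# Operations that the value "c" can select; the names are assumptions.
OPS = {"add1": lambda u: u + 1, "cube": lambda u: u ** 3}
US = timedelta(microseconds=1)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as named on the page (prohibited in TLS by RFC 7465); one call encrypts or decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def transformed_key(u: int, c: str, f: timedelta, tg: datetime, tf: datetime) -> int:
    """Apply operation c to u once per whole period f contained in t = tf - tg."""
    if tf < tg:
        raise ValueError("tf is earlier than tg")
    for _ in range((tf - tg) // f):
        u = OPS[c](u)
    return u

def file_key(licence_key: bytes, c: str, f: timedelta, tg: datetime, tf: datetime) -> bytes:
    """RC4 key for a file encrypted at tf.

    The licence key string is treated as a big-endian integer (its binary
    representation). Every file encrypted in the same period f gets the same
    key, and repeated cubing soon exceeds RC4's 256-byte limit; the page does
    not say how such a value is reduced, so rc4() rejects it.
    """
    n = transformed_key(int.from_bytes(licence_key, "big"), c, f, tg, tf)
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def embed(licence_key: bytes, device: str, c: str, f: timedelta, tg: datetime) -> dict:
    """Step 205: seal device info, c, f and tg under the untransformed key."""
    record = "|".join([device.lower(), c, str(f // US), tg.isoformat()])
    return {"licence_key": licence_key, "sealed": rc4(licence_key, record.encode())}

def encrypt_file(licence_key: bytes, c, f, tg, tf, plaintext: bytes) -> bytes:
    """Step 305: tf goes in clear as a one-line header before the ciphertext."""
    body = rc4(file_key(licence_key, c, f, tg, tf), plaintext)
    return tf.isoformat().encode() + b"\n" + body

def decrypt_file(software: dict, local_device: str, blob: bytes) -> bytes:
    """Steps 402-403: device check first, then re-derive the file key from tf."""
    key = software["licence_key"]
    device, c, f_us, tg = rc4(key, software["sealed"]).decode().split("|")
    if not hmac.compare_digest(device.encode(), local_device.lower().encode()):
        raise PermissionError("not running on the registered device")
    header, body = blob.split(b"\n", 1)
    tf = datetime.fromisoformat(header.decode())
    f = timedelta(microseconds=int(f_us))
    return rc4(file_key(key, c, f, datetime.fromisoformat(tg), tf), body)

# Constructed sample values; only u = 21 and the MAC address form come from the page.
TG, DAY = datetime(2008, 1, 1), timedelta(days=1)
LICENCE_KEY, MAC = b"K7RQ2MZP", "a1-2b-c3-d4-5e-f6"

if __name__ == "__main__":
    print(transformed_key(21, "add1", DAY, TG, TG + 6 * DAY))
    print(transformed_key(21, "cube", 3 * DAY, TG, TG + 6 * DAY))
    software = embed(LICENCE_KEY, MAC, "add1", DAY, TG)
    blob = encrypt_file(LICENCE_KEY, "add1", DAY, TG,
                        TG + timedelta(days=6, hours=5), b"track 01")
    print(decrypt_file(software, MAC, blob))
    try:
        decrypt_file(software, "00-11-22-33-44-55", blob)
    except PermissionError as err:
        print("refused:", err)
```

Because tf travels in clear and the licence key, c, f and tg all sit inside the distributed software, the file key can be re-derived by anything that can read that software; the device comparison is the only gate in front of it.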

Claims

1. A decryption system for decrypting encrypted files, comprising: a user licence key; at least one piece of pre-determined device-specific information; wherein the decryption system is arranged to compare the at least one piece of pre-determined device-specific information with corresponding information present in the device on which the decryption is being performed, and is further arranged to decrypt an encrypted file using the user licence key only in the case that the at least one piece of pre-determined device-specific information and the corresponding information present in the device match.
2. A decryption system as claimed in claim 1, wherein the at least one piece of pre-determined device-specific information is the MAC address for a network adaptor.
3. A decryption system as claimed in claim 1, wherein the at least one piece of pre-determined device-specific information is the serial number of a hard disk drive.
4. A decryption system as claimed in any preceding claim, wherein at least one piece of pre-determined device-specific information is encrypted using the user licence key.
5. A decryption system as claimed in any preceding claim, wherein the user licence key is transformed prior to being used to decrypt an encrypted file.
6. A decryption system as claimed in claim 5, wherein the transformation of the user licence key is dependent upon the duration between the user licence key being generated and the encrypted file being encrypted.
7. A decryption system as claimed in claim 5 or 6, wherein the transformation of the user licence key is further dependent upon a pre-selected mathematical operation.
8. A decryption system as claimed in claim 5, 6 or 7, wherein the transformation of the user licence key is further dependent upon a pre-selected time period.
9. A decryption system as claimed in claim 7 or 8, further comprising details of the time when the user licence key was generated, of the pre-selected mathematical operation, and/or of the pre-selected time period.
10. A decryption system as claimed in claim 9, wherein the details of the time when the user licence key was generated, of the pre-selected mathematical operation, and/or of the pre-selected time period are encrypted using the user licence key.
11. A decryption system as claimed in any preceding claim, wherein encryption and decryption is performed using the RC4 (Rivest Cipher 4) algorithm.
12. A decryption system as claimed in any of claims 1 to 10, wherein encryption and decryption is performed using the AES (Advanced Encryption Standard) cipher algorithm.
13. A decryption system as claimed in any preceding claim, which is further arranged to request an encrypted file from a remote device.
14. A decryption system as claimed in claim 13, wherein the file is requested to be encrypted using the user licence key.
15. A decryption system as claimed in claim 13, wherein the file is requested to be encrypted using a different licence key.
16. A decryption system as claimed in any one of claims 13 to 15, wherein the encrypted file is the encryption of a file sent by the decryption system to the remote device.
17. A decryption system as claimed in any preceding claim, which is further arranged to encrypt files using the user licence key.
18. A method of decrypting an encrypted file on a device comprising the steps of: obtaining at least one piece of pre-determined device-specific information; comparing the at least one piece of pre-determined device-specific information with corresponding information present in the device; in the case the at least one piece of device-specific information and the corresponding information present in the device match, decrypting the encrypted file using a previously stored user licence key.
19. A method of providing a decryption computer program product for use in a decryption system as claimed in any of claims 1 to 17, comprising the steps of: receiving a request from a device for a copy of the decryption computer program product; receiving details from the device of an intended user of the decryption computer program product; obtaining a user licence key corresponding to the intended user; obtaining at least one piece of device-specific information present in the device; embedding the user licence key and at least one piece of device-specific information within a copy of the decryption computer program product; sending the copy of the decryption computer program product to the device.
20. A system for providing a decryption computer program product comprising a software server arranged to perform the method of claim 19.
21. A system as claimed in claim 20, further comprising a file server arranged to perform the method comprising the steps of: receiving a request from a device for an encrypted file; receiving details from the device of the intended user of the encrypted file; obtaining a user licence key corresponding to the intended user; encrypting the file using the user licence key; sending the encrypted file to the device.
22. A system as claimed in claim 21, wherein the method further comprises the step of: receiving from the device the file to be encrypted.
23. A system as claimed in any one of claims 20 to 22, further comprising a licence server arranged to store and provide on request user licence keys corresponding to users.
24. A system as claimed in any one of claims 20 to 23, wherein the software server, file server and/or licence server are web servers.
25. A system as claimed in any one of claims 20 to 23, wherein the software server, file server and/or licence server are provided by a single web server.
26. A system as claimed in any one of claims 20 to 23, wherein the software server, file server and/or licence server are network servers.
27. A system as claimed in any one of claims 20 to 23, wherein the software server, file server and/or licence server are provided by a single network server.
PCT/GB2008/003070 2007-09-10 2008-09-10 Systems and methods relating to encryption and decryption WO2009034320A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GBGB0717587.0A GB0717587D0 (en) 2007-09-10 2007-09-10 Systems and methods relating to encryption and decryption
GB0717587.0 2007-09-10

Publications (1)

Publication Number Publication Date
WO2009034320A1 true WO2009034320A1 (en) 2009-03-19

Family

ID=38640518

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2008/003070 WO2009034320A1 (en) 2007-09-10 2008-09-10 Systems and methods relating to encryption and decryption

Country Status (2)

Country Link
GB (1) GB0717587D0 (en)
WO (1) WO2009034320A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7886364B2 (en) * 2001-03-26 2011-02-08 Microsoft Corporation Encrypted key cache
US8112452B2 (en) 2001-03-26 2012-02-07 Microsoft Corporation Serverless distributed file system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998042098A1 (en) * 1997-03-14 1998-09-24 Cryptoworks, Inc. Digital product rights management technique
EP1434119A2 (en) * 2002-12-25 2004-06-30 Victor Company Of Japan, Limited License management method and license management system

Also Published As

Publication number Publication date
GB0717587D0 (en) 2007-10-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08788569; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08788569; Country of ref document: EP; Kind code of ref document: A1)