1—Related Applications
The present invention relates to the field of asymmetrical encryption of confidential data. It relates more particularly to a method of recovering one or more expired decryption keys for decrypting data that was encrypted by means of an expired encryption key associated with that kind of expired decryption key.
2—Field of the Invention
In asymmetrical cryptography, for example cryptography using the RSA (Rivest, Shamir, Adleman) algorithm, which associates an encryption public key with a decryption private key, or a signature private key with a signature verification public key, the basic trusted object is the certificate. The certificate includes the following data: the public key to be certified, an identity of the holder of the public key, a validity period, a list of attributes corresponding to the rights of use of the key (for example, a message signature key), and a cryptographic signature of the foregoing data by an encryption key of a certification authority issuing the certificate. The certification authority, also known as a PKI (Public Key Infrastructure), is responsible in particular for generating certificates and the associated private keys.
Once generated, the certificates and the private keys are stored either in software form on a hard disk, where a private key may be encrypted under a password, or in a physical device, usually a secure microcontroller integrated into a microchip card or USB dongle. The invention relates more particularly to storing the certificate and the associated private key in a physical device, for better security. Decryption is effected (at least in part) directly in the physical device, so that the private key never leaves said physical device.
On the loss or deterioration of a private key, or in the event of normal renewal of a certificate/private key pair after a predetermined period of use, the user of the certificate and the private key revokes the certificate that has expired, and by association the private key also expires. The certification authority assigns the user a new certificate and a new private key. However, the user cannot use the new private key to decrypt data previously encrypted with the public key contained in the expired certificate.
In a first prior art implementation, the certification authority supplies the user with the expired private key.
In a first situation, the expired private key is supplied in software form, possibly encrypted using a password. This security is insufficiently reliable. The expired private key can be easily decrypted by a malicious person because the expired key is no longer stored in a secure physical device.
In a second situation, the expired private key is supplied in another physical device. Security is maintained to the detriment of practical and ergonomic aspects if the user has already renewed the private key and certificate several times and consequently is in possession of several physical devices.
In a third situation, the expired private key is supplied in another physical device which therefore contains a plurality of private keys that have successively expired in addition to the current private key and the current certificate. The storage capacity of the physical device is limited, however, and it cannot continue to receive private keys and certificates indefinitely.
In another prior art implementation, the certification authority returns the encrypted data to the user in clear form, either by decrypting it using a copy of the expired private key, or by means of a direct recovery mechanism that does not necessitate the use of said expired private key. It is then indispensable for the data to be encrypted again, but using the public key included in the new certificate. This operation is referred to as transcryption and must be applied to all the encrypted data. The user is therefore subject to the constraint of sending the certification authority all the encrypted data, without forgetting any. Furthermore, the user may have several types of data encrypted by means of different applications, such as e-mails and encrypted hard disk partitions. Encrypting and decrypting such data depends heavily on the data storage format, which can differ from one application to another. In this case, it is necessary to create a different transcryption application for each type of data, which is costly and complicated.
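The following Go program is an added illustration, not code from the patent, of the situation described in the background: data encrypted under the public key of a now-expired certificate cannot be decrypted with the renewed private key, and the prior-art transcryption step must decrypt with the expired key and re-encrypt under the renewed public key, one ciphertext at a time. The use of RSA-OAEP with SHA-256 and 2048-bit keys is an assumption; the text does not fix a particular scheme.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair stands in for the certification authority generating a
// certificate/private-key pair: the public half goes into the certificate,
// the private half stays in the physical device.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt protects data under the public key carried in a certificate
// (RSA-OAEP with SHA-256 is an assumption; the patent does not fix a scheme).
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt is the operation the physical device performs with its private key.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Transcrypt is the prior-art step: decrypt with the expired private key,
// then re-encrypt under the renewed certificate's public key. In the prior
// art this has to be repeated for every ciphertext and every data format.
func Transcrypt(expired *rsa.PrivateKey, renewedPub *rsa.PublicKey, ciphertext []byte) ([]byte, error) {
	pt, err := Decrypt(expired, ciphertext)
	if err != nil {
		return nil, err
	}
	return Encrypt(renewedPub, pt)
}

func main() {
	expired, _ := NewKeyPair() // generation 1, later revoked
	renewed, _ := NewKeyPair() // generation 2, issued on renewal
	ct, _ := Encrypt(&expired.PublicKey, []byte("constructed sample message"))
	// The renewed private key cannot decrypt data encrypted under the expired certificate.
	_, err := Decrypt(renewed, ct)
	fmt.Println("renewed key on old ciphertext:", err)
	ct2, _ := Transcrypt(expired, &renewed.PublicKey, ct)
	pt, _ := Decrypt(renewed, ct2)
	fmt.Println("after transcryption:", string(pt))
}
```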