This invention relates to messaging systems such as email messaging systems, and more particularly, to ways in which to send secure messages.
Cryptographic systems are used to provide secure communications services such as secure email services and secure web browsing.
With symmetric key cryptographic systems, the sender of a message uses the same key to encrypt the message that the recipient of the message uses to decrypt the message. Symmetric-key systems require that each sender and recipient exchange a shared key in a secure manner.
With public-key cryptographic systems, two types of keys are used—public keys and private keys. Senders may encrypt messages using the public keys of the recipients. Each recipient has a private key that is used to decrypt the messages for that recipient.
One public-key cryptographic system that is in use is the RSA cryptographic system. Each user in this system has a unique public key and a unique private key. A sender may obtain the public key of a given receiver from a key server over the Internet. To ensure the authenticity of the public key and thereby defeat possible man-in-the-middle attacks, the public key may be provided to the sender with a certificate signed by a trusted certificate authority. The certificate may be used to verify that the public key belongs to the intended recipient of the sender's message. Public key encryption systems based on this type of fairly traditional approach are referred to herein as PKE cryptographic systems.
Identity-based-encryption (IBE) arrangements have also been proposed. With IBE encryption systems, a message recipient's email address or other identity-based information may be used as the recipient's public key. With IBE encryption schemes, it is generally not necessary to look up a given recipient's public key as with PKE systems such as the RSA system. Rather, a sender may create the public key based on well-known rules. For example, a sender may create the public key by simply determining the recipient's email address.
Public parameter information and private keys are used to support IBE encryption and decryption operations. Each user has a unique private key based on the user's identity for decrypting messages, but the public parameter information that is used during the encryption and decryption processes may be shared by many users. These schemes are said to be “identity based,” because user-specific identity information such as a particular intended recipient's email address is used as one of the inputs to the IBE encryption algorithm. With one suitable arrangement, a user's email address or a user's email address concatenated with a date stamp may be used to identify each user.
When a recipient receives a PKE-encrypted or IBE-encrypted message, the recipient must generally use an appropriate decryption algorithm to decrypt the encrypted message and access its contents. If the recipient does not have the appropriate decryption software installed on their equipment, the recipient may download a plug-in module or otherwise obtain the necessary software for performing the decryption process. This can be difficult for the recipient to do, particularly if the recipient wishes to receive encrypted messages in an organization that places restrictions on user-installed software.