Chip cards are today used in diverse forms for encrypting and decrypting data. A field of application for chip cards is what is known as the electronic health card, which is intended to replace the health insurance card in Germany in future. The aim of this is to make data transmission between medical service providers, health insurance companies, pharmacies and patients less expensive in future, simplify it and to speed it up. This also includes allowing access to an electronic doctor's letter, an electronic patient record and an electronic prescription; inter alia, using the electronic health card.
It is therefore possible for medical data objects (MDOs), such as an electronic doctor's letter, an electronic patient record or an electronic prescription, to be stored on a central server in encrypted and digitally signed form. In this case, encryption is preferably performed using a symmetric key which is generated at random individually for each new medical data object in an electronic patient record, such as an electronic doctor's letter or an electronic prescription. The symmetric key itself, once created, is encrypted, for example with a public key from an asymmetric cryptographical key pair, and is stored on the central server together with the encrypted medical data objects. This public key used for encryption forms a cryptographic asymmetrical key pair together with a private key, which is stored on the electronic health card.
This ensures that access to the encrypted medical data objects is possible exclusively using the secret health card key. In the event of such access, the encrypted symmetric key is first of all decrypted using the secret health card key, and the decrypted symmetric key can then be used for further decryption of the medical data object. If creation of an MDO also involved a digital signature being generated with the secret health card key, it is subsequently possible to verify the integrity of the MDO and the authenticity of the MDO generator using the digital signature.
By way of example, DE 10 2004 051 269 B3 discloses a method for storing data and for querying data and also appropriate computer program products. A personalized chip card allows an electronic patient record to be stored on a data server. Using the chip card, it is possible for data, such as an MDO, in a patient record to be encrypted by a practice EDP system at a doctor's practice and to be transmitted to a data server in digitally signed form.
A further application for chip cards for patient data is known from DE 102 58 769 A1.
WO 00/72504 A1 describes a method for creating a cryptographic key pair comprising a public key and a private key. The private key can be restored or found out from the public key. This is done by virtue of a third party needing to authenticate itself prior to the private key being derived, so that there is no longer a need to store the private key separately from the public key.
EP 1105998 B1 describes a method for generating an asymmetric cryptographical key pair. Said method involves a starting value, which is input by a user, being used to generate a secret communication key. The secret communication key is used for communication with a previously ascertained asymmetric key pair comprising a secret key and a public key.
WO 2008/059475 A1 describes a method for generating a cryptographic key. The method allows secure interchange of data between a first and a second appliance. Both appliances have access to a secret (secret data record or piece of information which is not known to third parties). The second appliance has stored a cryptographical key which is derived in part from the secret. Using this key in a one-way function, the second appliance derives a text which can be used to find out the key again, the first appliance being capable of receiving the text and decrypting it using the secret which is known to the first appliance.
For the use of the electronic health card, the problem arises that in the event of a change of health insurance company and the associated issue of a new electronic health card with corresponding new asymmetric key pairs, for example, trouble-free access to an electronic patient record which has previously been encrypted using the old electronic health card is no longer possible. This means that the issue of a new electronic health card requires “recoding” of the old electronic patient record, which is intensive in terms of time and resources, particularly in the case of relatively large volumes of data.
A similar problem arises when an electronic health card is lost, and this even results in access to the electronic patient record no longer being possible at all on account of the cryptographic key pairs of the patient now no longer being available.
In order to counter loss of cryptographical key pairs, DE 101 34 489 B4 proposes an asymmetric cryptography method which uses recovery certificates and what are known as recovery cards: the secret key of a computer device is encrypted with keys from at least two different recovery computer devices, and an appropriate number of recovery certificates which contain the encrypted key are created. This allows the secret key to be recovered and used without it being available in plain text outside of the smartcard.
By contrast, the invention is based on the object of providing an improved method for generating cryptographical key pairs, an improved method for encrypting data and also improved computer program products and improved data processing systems.
The objects on which the invention is based are each achieved by means of the features of the independent patent claims. Preferred embodiments of the invention are specified in the dependent patent claims.
The invention provides a method for generating a second asymmetric cryptographical key pair and a first asymmetric cryptographical key pair, wherein a first private key forms the first asymmetric cryptographical key pair together with a first public key, wherein the method comprises the following steps:
reception of an arbitrarily selectable user identifier,
calculation of a second private key, wherein a random value and the user identifier are used in the calculation,
calculation of a second public key from the second private key using an asymmetric cryptographical key generation method, wherein the second private key and the second public key form the second asymmetric cryptographical key pair,
generation of a first cipher by encrypting the first private key with the second public key, and
storage of the first cipher.
The method is therefore made up of two essential components. The first is the feature that a second asymmetric cryptographical key pair is generated which allows access to the first private key by virtue of storage of the first cipher. In other words, the first private key can be reached in two ways: directly, using the first asymmetric cryptographical key pair, in which case the first private key is available in plain text; or alternatively by decrypting the cipher with the second private key from the second asymmetric cryptographical key pair in order to obtain the first private key. Preferably, data are encrypted using the first public key, as a result of which it is possible to access these data using two different asymmetric cryptographical key pairs. This principle can be extended to a multiplicity of different key pairs which are each referred back to the first asymmetric key pair by means of appropriate ciphers. A user is therefore capable of using different key pairs in his possession to access his data objects and to decrypt them, without the same data objects having to be stored more than once, encrypted with different cryptographical keys of the user. Furthermore, this allows the user to add further key pairs subsequently, these allowing the encrypted data objects to be accessed in the same way as with previously existing key pairs. This avoids recoding the encrypted data objects already stored in the information system.
The second feature of the present invention comprises the following steps:
1. Reception of an explicit user identification id and of an arbitrarily selectable user identifier pw associated with the user identification.
2. Mapping of the user identifier onto a value by a function g. The function g may be the identity function or a nontrivial function. From the point of view of security and confidentiality, g is preferably chosen as a collision-free one-way function, such as a cryptographical hash function.
3. Generation of a random value z.
4. Calculation of the second private key by applying a function f to g(user identifier) and z. By way of example, g(user identifier), i.e. the result of the application of the function g to the user identifier, and z are concatenated and the function f is applied to the result of this concatenation. By way of example, f may be a cryptographical hash function which is applied to the concatenation of the hash value of the user identifier and the random value z.
5. Calculation of the second public key from the second private key, wherein the second private and public keys form an asymmetric cryptographical key pair. By way of example, it is possible:
for the second public key, which is a point on the elliptic curve, to be calculated for elliptic curves by multiplying the second private key, which is an integer, by the base point from the domain parameters.
for the second public key (an integer) to be calculated for RSA such that it satisfies a congruence relationship, defined in the RSA method, with the second private key (likewise an integer).
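Worked example, added here and not part of the patent text: the five steps above carried out on the published secp256k1 curve, with g = SHA-256, f = SHA-256 over the concatenation g(pw) || z, a 256-bit random value z (at least as long as the curve order, as the description later requires), and the admissibility check 1 < d < n that the description discusses for elliptic curves, repeated with a fresh z on failure. The curve arithmetic is written out in plain integers so that it runs with the standard library only; the function and parameter names are this example's own.

```python
import hashlib
import os

# Domain parameters of secp256k1 (a published curve): field prime P, coefficients A and B,
# base point (GX, GY) and its order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def ec_add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Scalar multiplication k * point by double-and-add (step 5 for elliptic curves)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def g(pw):
    """Step 2: map the user identifier pw onto a value with a one-way function."""
    return hashlib.sha256(pw.encode("utf-8")).digest()


def f(b, z):
    """Step 4: second private key candidate = SHA-256(g(pw) || z) as an integer."""
    return int.from_bytes(hashlib.sha256(b + z).digest(), "big")


def admissible(d):
    """Admissibility check for elliptic curves: 1 < d < order of the curve."""
    return 1 < d < N


def derive_key_pair(pw, z_source=lambda: os.urandom(32)):
    """Steps 1-5 with retry: returns (z, second private key, second public key).
    z_source supplies the random value z (step 3); 32 bytes matches the 256-bit order."""
    b = g(pw)
    while True:
        z = z_source()
        d = f(b, z)
        if admissible(d):
            return z, d, ec_mul(d, (GX, GY))


if __name__ == "__main__":
    z, d, q = derive_key_pair("constructed-sample-password")
    print("z =", z.hex())
    print("second private key =", hex(d))
    print("second public key  =", tuple(hex(c) for c in q), "on curve:", on_curve(q))
```

Because the key pair is a pure function of (pw, z), the same inputs reproduce the same pair and a different z gives a different pair for the same password, which is what makes the tabular association between identifier and key unnecessary and keeps the pair unique per user.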
Embodiments of the invention have the advantage that in this case it is possible to generate asymmetric cryptographical key pairs, this being done using an arbitrarily selectable user identifier. The user identifier itself is used in the calculation algorithm for the second private and public keys.
It should be noted that “secret key” and “private key” are each notionally understood to mean the same key.
By way of example, the cited method steps allow a user to obtain access to an information system with data objects which have been encrypted using the first asymmetric cryptographical key pair, without the user needing to have this key pair available, for example on a chip card. By way of example, circumstances could require the user to obtain access to his data in an environment in which the requisite infrastructure for the operation of smartcards (card reader, etc.) is not available. The use of his self-selected user identifier nevertheless enables the user to generate his asymmetric cryptographical key pair even without a chip card, so as to obtain access to his encrypted data objects. In this case, the second cryptographical key pair can be deduced from a username/password combination, as a result of which the user is able to use a web interface, for example, to access the same data objects with the same scope of functions as when using a smartcard on which the first asymmetric cryptographical key pair is stored.
It should be pointed out that this method for generating an asymmetric cryptographical key pair differs from popular key generation methods in which, on the basis of today's prior art, it is merely possible to associate an arbitrarily selectable user identifier with an associated generated cryptographical key pair, but not to perform a functional calculation of key pairs using the arbitrarily selectable user identifier itself, which dispenses with the permanent storage of the association between the user identifier and the key.
These standard methods involve an arbitrarily selected user identifier or a depiction thereof being stored in a table and being explicitly associated with public or private keys, wherein merely administrative and/or legal regulations stipulate that unauthorized persons cannot access the private key. This practice compromises security to a significant degree: if an unauthorized person or else a government agency, on the basis of various monitoring laws, obtains access to the database which associates the passwords with the public and private keys, the person or organization is immediately able to access all the data objects of a person by accessing this single key-managing institution.
Hence, the method for generating an asymmetric cryptographical key pair has the further advantage that, in addition to the option of an arbitrarily selectable user identifier, it is not possible for a central entity to gain possession of the combination of user identifier (e.g. password) and key pairs, which ensures technical protection against seizure. The second private key can be calculated only with knowledge of a random value and the user identifier. Generation of the second public key likewise requires knowledge of the random value and the user identifier, the user identifier preferably being known exclusively and secretly to the relevant user. By way of example, it is therefore no longer possible to obtain access to cryptographical key pairs and hence to encrypted data by means of seizure or theft of central database servers without the active assistance of those persons who are in possession of their private, secret user identifiers.
A further advantage of the method according to the invention is that, even when the same user identifier is selected by different users, the use of the random value for generating the second private key makes it possible to ensure that the same key pair is never allocated to different users.
It should also be pointed out that embodiments of the method according to the invention for generating an asymmetric cryptographical key pair could be applied to arbitrary cryptosystems for generating asymmetric key pairs, such as the RSA, Rabin and Elgamal cryptosystems or cryptographical methods on elliptic curves. From the second private key, which has been obtained on the basis of the user identifier and the random value, the second public key is calculated, such a method being able to be used for this calculation.
In this regard, it may be necessary for the second private key to have one or more prescribed properties and/or to satisfy conditions which are checked in the course of an admissibility check. If the second private key is found to be inadmissible for a selected method, a new random value is generated in order to produce a new candidate for a second private key, which is then in turn subjected to an admissibility check. This is repeated until an admissible second private key has been found. This admissibility check may involve the use of restrictions which arise directly from the algorithm for performing an appropriate asymmetric cryptographical key generation method.
Furthermore, it is also possible for further restrictions to be used in the admissibility check which relate, by way of example to the entropy of the generated key or which arise from current knowledge regarding the attackability of the relevant key generation method. By way of example, for the RSA method there are a series of generally known and regularly complemented restrictions, compliance with which is demanded for key generation by authorities in order to minimize the attackability of the generated key pairs. By way of example, PKCS#1 (Public Key Cryptography Standards) specifies a series of cryptographical specifications for RSA which need to be complied with by public and private RSA key pairs. The standard PKCS#13, which is under development, will stipulate the requirements for key generation on elliptic curves.
One aspect of the invention is that the second private key is calculated using a function g, applied to the user identifier pw. In accordance with one embodiment, either the arbitrarily selectable user identifier as such is received and then converted using the function g, or the function value g(pw) is received directly.
Calculation of the second private key using the value b=g(pw) and the random value z has the advantage that relatively unsecure user identifiers can therefore be used to calculate input values which have a high degree of randomness and therefore effectively increase the security of the second private key further when it is calculated. By way of example, the cryptographical hash function SHA-256 is applied for g.
In accordance with a further embodiment of the invention, the second private key is calculated by applying a function f to the values b and z. By way of example, f may be defined as the application of the cryptographical hash function SHA-256 to the concatenation, that is to say consecutive attachment, of b and z.
Applying the function f to the random value z and the function value g(pw) ensures a high level of quality for the second private key. In other words, the second private key likewise has a high degree of randomness on account of the random selection of z, so that guessing the second private key is therefore rendered practically impossible.
In accordance with one embodiment of the invention, the key pair for a cryptosystem is calculated on elliptic curves. An elliptic curve is provided by the equation y^2 = x^3 + ax + b, where the parameters a and b, and also the coordinates of the points (x, y) on the curve, are integers from the range [0, n−1], where n is the order of the curve. The values a, b, n and also a selected curve point P form what are known as the domain parameters of the elliptic curve, which also need to be disclosed for the purpose of performing cryptographical methods using the second private and second public keys. The number of points which satisfy the equation for an elliptic curve is referred to as the order n of the curve. The second private key is a natural number, and the second public key, a point on the curve, is the result of multiplication of the second private key by the curve point P on the elliptic curve.
The use of a cryptosystem on elliptic curves has the following advantages:
the second private key may be an arbitrary natural number from the range [2, n−1]. This number is not tied to any further functional conditions; the aspect of its arbitrary nature will play a large part in due course.
cracking a cryptosystem on elliptic curves is very highly complex, much more so than in the case of RSA.
the keys are very short in comparison with RSA, and the calculations on the curve are relatively simple, which means that they can be implemented in a versatile and efficient manner.
the second public key can be calculated from the second private key again easily and at any time.
Using the functions f and g, the second private key can be calculated very efficiently from the user identifier and the random value. This allows mathematical functions to be used to associate the cryptographical key pair with the selected user identifier. On account of this functional relationship, it is not necessary in this case to have available a tabular association between key pair and an appropriate user identifier.
In accordance with a further embodiment of the invention, the method comprises the step of checking the admissibility of the second private key. In the course of the admissibility check, a check is performed to determine whether the second private key is greater than 1 and less than the order of the elliptic curve. If this check condition is satisfied, the random value and also the second private and the second public key are admissible. If the check condition is not satisfied, however, a new random value is selected which is used to recalculate the second private key and to re-perform the admissibility check on this key. This process is repeated until the admissibility check is passed.
The admissibility check can be extended by further check conditions, e.g. by the check that the second private key has a high degree of randomness. In this regard, it should be noted that cryptography usually involves the use of algebraic structures which contain only a finite number of elements. The reason for this is that in the case of a finite number of elements, many problems which are harmless in real numbers become difficult, as a result of which elliptic curves with a finite number of elements can be used effectively for cryptographical applications. For cryptographical applications, it is now important that the algebraic structure used is large enough, that is to say that the number of points on an elliptic curve, referred to as the order, is sufficiently large. In this context, it is necessary to consider that the generated second private key may be larger than the order of the elliptic curve. So as nevertheless to allow an association in this case, it is customary to divide the second private key modulo the order of the elliptic curve. However, this results in a high level of probability that the resulting number is in a lower value range from the range [2, r−1] (where r is the order of the elliptic curve) or is even 0 or 1, as a result of which this reduces the difficulty of finding out a point on the curve which is situated in this value range mathematically or by trial and error. Performance of the admissibility check therefore reliably avoids restricting the value range which contains the second private key, which means that the entropy of the second private key and hence the randomness thereof can therefore be ensured to a sufficient extent.
A further advantage of the admissibility check is that it can be used to ensure that compatibility of the second private key with appropriate program libraries for elliptic curves, as are available on the basis of the prior art, can be reliably guaranteed.
At this juncture, it should be pointed out that performance of the admissibility check is not absolutely necessary for performing the method using an elliptic curve function. Even without applying the admissibility check, it is possible in this case to generate key pairs which, however, sometimes—depending on the user identifier and the random value—cannot take account of very high security demands which might be required for cryptographical applications. In the case of elliptic curves, the admissibility check is a further step in order to ensure that the generated key pairs satisfy those very security demands.
In accordance with one embodiment of the invention, the bit length of the random value is greater than or equal to the bit length of the order of the elliptic curve. Furthermore, in accordance with one embodiment of the invention, the random value is selected such that the value of the generated second private key is smaller than the order of the elliptic curve. Both criteria likewise have, as already discussed for the admissibility check, the same effect, namely that a high level of entropy for the second private key can therefore be ensured. Hence, in other words, the security of the second private key and hence the security of the encryption method are increased significantly.
In accordance with one embodiment of the invention, the key pair is calculated for an RSA cryptosystem. An RSA cryptosystem is provided by a number n, which is the product of two prime numbers p and q (n = p·q), the number d, which satisfies the condition HCF(d, (p−1)·(q−1)) = 1, and the number e, which satisfies the condition e·d ≡ 1 mod (p−1)·(q−1) (“HCF” stands for highest common factor). Following the selection of d and the calculation of e, the values p, q and (p−1)·(q−1) need to be deleted. Which of the two numbers e and d is the public key and which is the private key can, in principle, be selected freely in the case of RSA; in this invention, the functions f and g calculate the second private key d from the user identifier pw and the random value z. The extended Euclidean algorithm is then used to calculate the second public key e from the second private key d.
The advantages of the RSA method are the facts that the method continues to be very secure with keys selected to be of appropriate length and that it is in widespread use. However, RSA also has the drawbacks that it is slow in operation on account of the requisite long key length, and modern factorization algorithms give rise to the fear that RSA will be cracked in the not too distant future.
For RSA too, the functions f and g allow the second private key to be calculated from the user identifier and the random value. Hence, it is also possible for RSA to allocate a cryptographical key pair to the selected user identifier using mathematical functions. On account of this functional relationship, it is not necessary to have available a tabular association between key pair and an appropriate user identifier for RSA either.
In accordance with a further aspect of the invention, the method comprises the step of checking the admissibility of the second private RSA key. The admissibility check involves a check to determine whether the second private key d satisfies the conditions: d is in the range [2, (p−1)·(q−1)−2] and HCF(d, (p−1)·(q−1)) = 1.
The admissibility check may contain further conditions based on current knowledge. When these check conditions are satisfied, the random value and the second private and second public keys are admissible. If the check condition is not satisfied, however, a new random value z is selected which is used to recalculate the second private key and to re-perform the admissibility check on this key. This process is repeated until the admissibility check is passed.
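Worked example, added here and not part of the patent text: the RSA variant of the method with g = SHA-256, a candidate d derived from g(pw) and z, the admissibility check on d just described (range and HCF condition, with a fresh z on failure) and the public key e computed as the modular inverse of d, which is what the extended Euclidean algorithm yields. Two choices here are this example's own and not taken from the description: f is SHA-256 expanded in counter mode to the bit length of (p−1)·(q−1), because a bare 256-bit hash could never land inside the range for a realistically sized modulus and a very short d is a known RSA weakness; and p and q are constructed Mersenne primes so that the example runs on the standard library alone, which makes them unacceptable as real RSA parameters.

```python
import hashlib
import math
import os

# Constructed toy parameters: two Mersenne primes. Special-form primes are NOT
# acceptable for real RSA keys; they only keep this example self-contained.
P = 2 ** 521 - 1
Q = 2 ** 607 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)          # (p-1)*(q-1); must be deleted after key generation
PHI_BITS = PHI.bit_length()


def g(pw):
    """Map the user identifier pw onto a value with a one-way function (SHA-256)."""
    return hashlib.sha256(pw.encode("utf-8")).digest()


def f(b, z):
    """Candidate d: SHA-256(b || z || counter) blocks concatenated and masked to
    PHI_BITS bits (this expansion is the example's own choice of f)."""
    out = b""
    counter = 0
    while len(out) * 8 < PHI_BITS:
        out += hashlib.sha256(b + z + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") & ((1 << PHI_BITS) - 1)


def admissible(d):
    """RSA admissibility check: 2 <= d <= (p-1)(q-1)-2 and HCF(d, (p-1)(q-1)) = 1."""
    return 2 <= d <= PHI - 2 and math.gcd(d, PHI) == 1


def derive_rsa_key_pair(pw, z_source=lambda: os.urandom(32)):
    """Returns (z, second private key d, second public key e, attempts).
    An even or otherwise inadmissible d is rejected and a new z is drawn."""
    b = g(pw)
    attempts = 0
    while True:
        z = z_source()
        attempts += 1
        d = f(b, z)
        if admissible(d):
            e = pow(d, -1, PHI)     # inverse of d modulo (p-1)(q-1), i.e. extended Euclid
            return z, d, e, attempts


if __name__ == "__main__":
    z, d, e, attempts = derive_rsa_key_pair("constructed-sample-password")
    print("attempts until admissible:", attempts)
    m = 123456789
    print("round trip ok:", pow(pow(m, e, N), d, N) == m)
```

The retry loop is the admissibility check in action: roughly every second candidate is even and therefore shares the factor 2 with (p−1)·(q−1), so `attempts` is frequently greater than 1 even though the range condition almost never fails for a candidate of the right bit length.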
In accordance with a further embodiment of the invention, the random value is retrieved from a database, wherein the random value is explicitly associated with the user identification. By way of example, the first performance of the method for generating the asymmetric key pair involves a random value being generated once by a trustworthy station, e.g. a certification station, which random value needs to be accessible to the appropriate user for cryptographical processes if the second private key is admissible. By storing the random value in a database, associated with the explicit user identification, it is possible, by way of example, for a computer program which executes the method for generating asymmetric key pairs to retrieve the random value via a secure communication link using the user identification and to use it to generate the relevant second private key and possibly also the second public key.
Preferably, the random value is stored in the database in encrypted form. To this end, in accordance with one embodiment of the invention, symmetric encryption, e.g. using AES-256, can be used. The use of an encrypted random value has the advantage that it prevents dictionary attacks aimed at recovering the second private key by trial.
In accordance with a further embodiment of the invention, the method also comprises the step of reception of a third private key, wherein the third private key forms a third asymmetric cryptographical key pair together with a third public key, and reception of a second cipher. In addition, the method comprises the decryption of the second cipher with the third private key to obtain the first private key.
These steps are necessary when the first private key is not available in plain text, so as to generate the first cipher by encrypting the first private key with the second public key. This could be the case when the user identifier/random value principle is intended to be implemented for a user but the user does not have an appropriate chip card on which the first asymmetric cryptographical key pair is stored, so that the first cipher could be generated therefrom directly. In this case, it is assumed that a further, third asymmetric cryptographical key pair is available which has previously been used to generate an appropriate second cipher for the first private key. If this second cipher is now decrypted with the third private key, this results in the first private key, which can then be used for the password-protected generation of the first cipher.
In accordance with a further embodiment of the invention, the third private key is received from a portable data storage medium. It is therefore assumed in this case that the third private key is stored on an appropriate chip card. However, it is also possible for the third private key likewise to be derived by applying the password principle described above.
In accordance with a further embodiment of the invention, the method also comprises the step of authentication to the database on which the ciphers are stored, wherein the second cipher is received from the database following successful authentication.
This gives rise to multiple advantages: firstly, it is possible to ensure that only authorized persons are able to retrieve ciphers from the database in order to use them to calculate the first private key. By way of example, provision can be made in this case for exclusively authorized medical service providers to be able to access the ciphers in the case of encryption and decryption processes for medical data objects. If the data processing system of such a medical service provider is regarded as a trustworthy station, this station is capable of performing decryption processes for data objects using the first private key, to which end the first private key may be available in plain text in the main memory in the relevant data processing system. In this context, it is assumed that there is no misuse of the first private key in this case.
The concept of multiple key pairs in connection with ciphers which are stored on the database can therefore be extended flexibly by further criteria. By way of example, it is possible for a cipher to have an extended validity on the basis of time interval, an extended validity on the basis of number of uses or an extended validity on the basis of the nature of use:
validity on the basis of time interval: the server in the information system stores the time interval within which a key pair is valid. If a user attempts to use an “expired” key pair Ki, i.e. opens a session on the information system in which he authenticates himself with that key pair, the information system denies him this.
validity on the basis of number of uses: the server in the information system stores how often a key pair can be used as a maximum and how often it has already been used (i.e. how often a session has been opened using the key pair during authentication). If the number of uses of a key pair Ki which have already taken place has reached the maximum, the information system denies fresh use of Ki; the session is thus not set up.
validity on the basis of the nature of use: the server in the information system stores, for each key pair, which operations are admissible in a session which has been opened using the key pair during authentication. If the user attempts to perform an operation which is not admissible for the current session, the information system denies this.
In all these cases, it is assumed, as already described above, that the encryption and decryption processes for data and also the decryption processes for ciphers take place in a trustworthy station which does not store the cipher decrypted in a previous session, i.e. the first private key, in unauthorized fashion so as to be no longer reliant on use and access to further ciphers in future.
In accordance with a further embodiment of the invention, the method also comprises the step of generation of a fourth asymmetric cryptographical key pair, wherein a fourth private key forms the fourth asymmetric cryptographical key pair together with a fourth public key, wherein the method comprises the steps of reception of the fourth public key, generation of a fourth cipher by encrypting the first private key with the fourth public key, and storage of the fourth cipher. Preferably, these method steps are performed on a portable data storage medium, such as the portable data storage medium which contains the first asymmetric cryptographical key pair, which ensures that the first private key does not leave the portable data storage medium, such as a chip card.
It should be noted that asymmetric cryptographical key pairs can be stored generally on portable data storage media. Such portable data storage media may be chip cards, USB sticks, flash drives, and portable hard disks. It is also possible to use portable data storage media with a processor, such as processor chip cards, i.e. what are known as smartcards, which are capable of performing decryption processes for ciphers themselves.
In accordance with a further embodiment of the invention, the method also comprises the step of reception of a key pair identifier associated with the asymmetric cryptographical key pair in the trustworthy station, wherein the cipher is retrieved using the key pair identifier. By way of example, the cipher is retrieved from a database. Alternatively, it is possible, by way of example, for the asymmetric key pair to be stored on a portable data storage medium, such as a chip card, together with the cipher.
In accordance with a further embodiment of the invention, the method comprises the step of a signature check on the data object encrypted with the first public key, wherein the signature check comprises the steps of reading a signature associated with the data object and verification of the signature for the data object, wherein the verification is performed with the second public key.
Performing an additional signature check in the event of the data object having previously been signed has the advantage that this can be used to verify that the data object has not been modified without authorization since the original encryption process.
In accordance with a further embodiment of the invention, the data object is encrypted with a symmetric data object key, wherein the symmetric data object key is encrypted with the first public key, wherein the decryption of the encrypted data object in this case comprises the further step of decryption of the encrypted symmetric data object key with the decrypted first private key and decryption of the encrypted data object with the decrypted symmetric key.
In accordance with a further embodiment of the invention, the random value is retrieved from a database via a secure communication link. In this case, it is possible for the database from which the cipher is retrieved and from which the random value is retrieved to be identical.
In accordance with a further embodiment of the invention, the random value is stored in the database in encrypted form.
In accordance with a further embodiment of the invention, the data object is a medical data object.
In a further aspect, the invention relates to a computer program product having instructions which can be executed by a processor for the purpose of performing the method according to the invention.
In accordance with one embodiment of the invention, the computer program products are provided as applets or browser plug-ins. It is likewise possible to provide the computer program products as independent applications for a data processing system. The use of an applet or a browser plug-in has the advantage that existing data processing systems do not need to be converted for the purpose of performing the method for key generation and consequently also for performing cryptographical operations such as encryption, decryption and the creation and verification of digital signatures: in this case, it merely suffices to load an applet, for example via the Internet, which can perform the described operations securely.
In a further aspect, the invention relates to a data processing system for generating a second asymmetric cryptographical key pair using an arbitrarily selectable user identifier.
In a further aspect, the invention relates to a method for decrypting data, wherein the data are encrypted with a first public key, wherein the method first of all comprises the step of reception of a first cipher, wherein the first cipher comprises a first private key encrypted with a second public key, wherein the first private key forms an asymmetric cryptographical key pair together with the first public key. This is followed by the reception of a user identifier and of a random value, wherein the random value is associated with the user identifier. By way of example, the user identifier can be provided by virtue of a keyboard input on a data processing system by a user. Next, a second private key is calculated, wherein the random value and the user identifier are used in the calculation, wherein the second private key and the second public key form a second asymmetric cryptographical key pair. The first cipher is then decrypted with the second private key to obtain the first private key. Finally, the data are decrypted with the first private key.
A user therefore has two selection options available for how the user wishes to decrypt his data encrypted with the first public key. In one option, the user is able to use his first private key, if he has it available, directly to decrypt the data. By way of example, it is conceivable in this case for the first private key to be stored on a chip card belonging to the user, so that the user can perform data decryption using his chip card. An alternative available to the user is that he uses his user identifier to calculate a second private key, then retrieves a cipher associated with the second private key from an appropriate database and decrypts it so as to obtain the first private key, in order then in turn to perform a decryption process for his data. As already mentioned above, the latter alternative is advantageous particularly when an appropriate infrastructure for reading chip cards is not available. In this case, there is nevertheless the assurance that a user is able to access his encrypted data.
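The decryption path of the method described above, carried through in code as an added illustration that is not the patent's own code. The patent fixes no concrete algorithm, so the example assumes an ElGamal-style scheme over a small toy group, a SHA-256 based derivation of the second private key from user identifier and random value, and constructed sample values throughout.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only: P is the Mersenne prime 2**127 - 1
# and G a fixed base; production code would use a standardized group or curve.
P = 2**127 - 1
G = 5

def derive_second_private_key(user_id: str, random_value: bytes) -> int:
    """Second private key calculated from user identifier and random value (assumed: SHA-256 reduced into the exponent range)."""
    digest = hashlib.sha256(b"2nd-key|" + random_value + b"|" + user_id.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1

def public_key(private_key: int) -> int:
    return pow(G, private_key, P)

def _keystream(shared: int, length: int) -> bytes:
    """Expand the shared group element into a one-time keystream (counter mode over SHA-256)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(shared.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt_to(pub: int, plaintext: bytes) -> tuple:
    """ElGamal-style encryption: fresh ephemeral exponent, plaintext XORed with keystream from the shared secret."""
    k = secrets.randbelow(P - 2) + 1
    shared = pow(pub, k, P)
    return pow(G, k, P), bytes(a ^ b for a, b in zip(plaintext, _keystream(shared, len(plaintext))))

def decrypt_with(priv: int, cipher: tuple) -> bytes:
    c1, c2 = cipher
    shared = pow(c1, priv, P)
    return bytes(a ^ b for a, b in zip(c2, _keystream(shared, len(c2))))

def recover_data_object(user_id: str, random_value: bytes, first_cipher: tuple, encrypted_mdo: tuple) -> bytes:
    """Steps of the method: derive second private key, unwrap first private key from the cipher, decrypt the data."""
    second_priv = derive_second_private_key(user_id, random_value)
    first_priv = int.from_bytes(decrypt_with(second_priv, first_cipher), "big")
    return decrypt_with(first_priv, encrypted_mdo)

def demo() -> bytes:
    # Constructed sample values: first key pair (as held on the chip card), user identifier, random value.
    first_priv = secrets.randbelow(P - 2) + 1
    mdo = b"MDO: electronic prescription, constructed sample"
    encrypted_mdo = encrypt_to(public_key(first_priv), mdo)                  # data encrypted with first public key
    user_id, random_value = "patient-4711", bytes(range(16))
    second_pub = public_key(derive_second_private_key(user_id, random_value))
    first_cipher = encrypt_to(second_pub, first_priv.to_bytes(16, "big"))   # first private key wrapped for the database
    return recover_data_object(user_id, random_value, first_cipher, encrypted_mdo)
```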
In a further aspect, the invention relates to a computer program product having instructions which can be executed by a processor for the purpose of performing the decryption method.
In a further aspect, the invention relates to a data processing system for decrypting data.
Preferably, the data processing system is a data processing system at a trustworthy station. This may be a certification station or a trust centre, for example. Alternatively, it is also possible to provide an appropriate piece of, preferably portable, hardware which, as a trustworthy station, comprises the data processing system. In a further alternative, the trustworthy station may be the client itself which performs the cryptographical operations. Finally, it is also possible for the data processing system to be a data processing system which runs on a separate, protected hardware module. In this case, it is possible for a trusted platform module (TPM) to be used, for example.
Embodiments of the invention are advantageous from different aspects: the invention allows the generation of an inverted tree which relates the key pairs to one another. This allows a lost key pair to be replaced by another key pair from the tree. In addition, this allows a very high degree of flexibility for adjusting and/or retrieving data objects. In particular, it is possible to access the data objects even when the owner of the keys currently does not have a computer or, on account of his physical constitution, for example, is unable to use a computer. In this regard, the owner is able to give his password to the doctor, for example, verbally, and the doctor then effects the access. In particular, this does not require the owner, i.e. the patient, to present or enable a chip card for this purpose.
It is of particular further advantage that a plurality of the key pairs can be used simultaneously, wherein a data object which has been encrypted with one of the key pairs can be decrypted with any of the other key pairs.
It is of particular further advantage that one or more of the key pairs can be provided with attributes which specify the opportunity for use of the relevant key pair, for example in respect of the validity period, the number of uses and/or the purpose of use.