The present invention is related to cryptography and more specifically to the recovery of encryption session keys.
Messages, such as those transmitted between computers, may be encrypted to prevent unintended recipients from reading them. Messages may be encrypted using a symmetric encryption algorithm and a session key, both described below. The message is decrypted using a decryption algorithm and the session key used to encrypt the message. When the same key is used to encrypt and decrypt the message, the process is known as symmetric encryption and decryption. The Data Encryption Standard (DES) is an example of such a symmetric encryption algorithm. DES is described in Schneier, Applied Cryptography, (2d. ed., John Wiley and Sons, 1996).
The sender of the message transforms the message into a scrambled message known as cypher text by applying the message and the session key as inputs to the encryption algorithm. The sender then transmits the cypher text to the recipient and provides the session key to the recipient over a separate, secure communication channel. The recipient transforms the cypher text back into the original message by applying the session key and the cypher text as inputs to the decryption algorithm, which reverses the scrambling performed by the encryption algorithm.
Where a secure communication channel is not available or it is not desirable to use a communication channel separate from the communication channel used to send the cypher text, asymmetric encryption may be used for sending the session key. Asymmetric encryption uses a separate process to encrypt the session key, so that it may be transmitted over any communication channel, such as the Internet.
With asymmetric encryption, a pair of keys is used to asymmetrically encrypt and decrypt a message. The pair of keys includes a public key and a private key. The public key may be made available to others and can be used to encrypt the session key using an asymmetric encryption algorithm. Unlike the session key of symmetric encryption, the public key cannot be used to decrypt that which has been encrypted with it. Instead, a mathematically-related private key is required to decrypt the cypher text encrypted with the corresponding public key. This technique allows the recipient to provide his or her public key to others for sending messages to him or her, without providing them access to other messages encrypted using the public key.
Because asymmetric encryption and decryption can take longer to perform than symmetric encryption and decryption, a combination of both techniques is used to encrypt and decrypt a message. To prevent the sender from using a session key that is easily guessed, such as the first name of the recipient, a session key generator may be used to generate a random session key of sufficient length. The message is encrypted using the relatively rapid symmetric encryption. The session key is encrypted asymmetrically using the recipient's public key.
The encrypted session key and the cypher text are transmitted to the recipient. The recipient uses his private key to decrypt the encrypted session key, and then uses the session key to decrypt the message. Because the message is typically longer than the session key, the relatively more time consuming asymmetric encryption and decryption are performed only on the session key with relatively rapid symmetric encryption performed on the message.
The pair of public and private keys is generated by a cryptographic module and provided to an individual, who shares the public key with others expected to send him or her cypher text, while maintaining the secrecy of his or her private key. Because deriving the private key from the public key is extremely difficult and time consuming, the recipient can even post his or her public key for the world to see.
In order to bind the public key and the identity of the owner, referred to herein as the "principal", a trusted party called a certificate authority ("CA") issues a certificate. The certificate provides evidence to third parties that a person owns the public key, so that no other party can claim ownership of the public key. In this manner, the public key is said to be "bound" to the owner.
The certificate authority can issue a certificate to any principal that wishes to bind his or her identity to the public key. In addition to the principal's public key, the certificate can include a certificate serial number; the principal's name; an organization name, which is often the principal's employer's name; an organizational unit name, often the division of the employer for whom the principal works; the locality, state and country of the principal's employer or residence; and a pair of dates between which the certificate is valid. In addition, the certificate can include the public key, the name or identifier of the certificate authority issuing the certificate, and an electronic signature that may be used to verify the authenticity and integrity of the certificate. When the keys are originally issued, the certificate authority issues the private key and the certificate.
To ensure security of the private key, only the owner of the private key has access to it. In the event that the recipient loses or forgets his private key, it is virtually impossible to decrypt messages encrypted using the recipient's public key. Some certificate authorities keep a copy of each private key in a vault or other form of key escrow. However, a breach of security would allow an intruder to steal the private key and decrypt any message sent to the recipient.
Therefore, there is a need for a method and system to allow individual messages to be decrypted only by the intended recipient of the message in the event that the intended recipient loses or forgets his private key without providing access to every message in the event of a breach of security, and with a minimum of disruption to the existing encryption procedures already in place.
In addition, the United States government presently has a policy of allowing more secure encryption and decryption software to be exported if a key recovery mechanism is provided to allow law enforcement agencies to decrypt specified encrypted messages. Therefore, there is a need for a method and system to allow such decryption of such specified messages without compromising the security of the other messages.
In addition to the asymmetric encryption of the session key, a method and apparatus encrypts the session key and the intended recipient's public key or other identifier using the public key of the recipient's certificate authority to create an encrypted key recovery field. The certificate authority stores the intended recipient's public key or other identifier and private information about the recipient, such as the recipient's mother's maiden name and social security number, in a database indexed using the public key. Should the recipient forget his private key or the password used to obtain it, he can send the encrypted key recovery field to the certificate authority, which can use its private key to decrypt the session key and the recipient's public key or other identifier. The public key is used to locate the private information about the recipient, which the certificate authority can use to verify the identity of the requesting person who sent the encrypted key recovery field. If the identity is sufficiently verified, the certificate authority can provide to the requesting person the session key it decrypted using its private key, which the requesting person can use to decrypt the message.
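The scheme above, as an added worked example that is not part of the specification: the sender wraps the session key once for the recipient and once more, together with an identifier of the recipient's public key, for the certificate authority (the key recovery field); the CA's recovery routine opens only that field, looks up the recipient's enrolment record by the identifier, checks the private verification data and releases the single session key. Textbook RSA over fixed Mersenne primes and an HMAC-SHA256 keystream stand in for the asymmetric and symmetric algorithms, and all names, key sizes, the 8-byte key identifier and the enrolment database layout are assumptions of this example, not the patent's.

```python
import hashlib, hmac, os
def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two given primes (toy: no padding, tiny sizes)."""
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def rsa_encrypt(pub, data):          # payload, as an integer, must be < modulus
    e, n = pub
    return pow(int.from_bytes(data, "big"), e, n)

def rsa_decrypt(priv, c, length):
    d, n = priv
    return pow(c, d, n).to_bytes(length, "big")

def stream_xor(key, data):
    """Stand-in for the symmetric cipher: HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def key_id(pub):
    """Recipient identifier carried in the KRF: 8-byte hash of the public key (assumed)."""
    return hashlib.sha256(repr(pub).encode()).digest()[:8]

def send(message, recipient_pub, ca_pub):
    """Sender: cipher text under a fresh session key, the key wrapped for the
    recipient, and (session key || recipient id) wrapped for the CA as the KRF."""
    sk = os.urandom(16)
    return {"ct": stream_xor(sk, message),
            "enc_sk": rsa_encrypt(recipient_pub, sk),
            "krf": rsa_encrypt(ca_pub, sk + key_id(recipient_pub))}

def receive(envelope, recipient_priv):
    """Normal path: the recipient unwraps the session key with its private key."""
    return stream_xor(rsa_decrypt(recipient_priv, envelope["enc_sk"], 16), envelope["ct"])

def ca_recover(ca_priv, enrolment_db, krf, claimed_secret):
    """Recovery path: open the KRF, find the recipient's enrolment record by key
    id, check the private verification data, release only this message's key."""
    payload = rsa_decrypt(ca_priv, krf, 24)
    sk, rid = payload[:16], payload[16:]
    expected = enrolment_db.get(rid)
    if expected is None or not hmac.compare_digest(expected, claimed_secret):
        return None
    return sk

# Toy key material from Mersenne primes (M89*M61 for the recipient, M127*M107 for the CA)
RECIPIENT_PUB, RECIPIENT_PRIV = rsa_keygen((1 << 89) - 1, (1 << 61) - 1)
CA_PUB, CA_PRIV = rsa_keygen((1 << 127) - 1, (1 << 107) - 1)
```

Each envelope carries its own key recovery field, so a recovered session key opens one message and never the recipient's private key or any other message.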
Because the information stored in the database may be provided by the principal to the certificate authority with the other information the principal provides for the certificate, the information stored in the database may be easily obtained. Because the key recovery field is added to the message, implementation does not interfere with existing encryption procedures. Because the certificate authority provides the session key for a single message, and only for those messages for which it receives a key recovery field, breaches of security will not allow an intruder to decrypt other messages. Law enforcement agencies with a court order can require the certificate authority to decrypt the key recovery field, allowing more secure technology to be exported without compromising the security of the messages.