It is known in the art to use a symmetric key server for managing and distributing encryption keys. For example, in a secure email system, a sender of email may request that such a key server create and store an encryption key. The sender may then encrypt their email with the created key and send it to one or more recipients. A given recipient can then request the key from the key server, which determines the authenticity of the recipient. If the recipient is authorized to receive the key (as specified by the original sender), the key server then delivers the decryption key to the recipient, who can use it to decrypt the email. Note, in passing, that in a symmetric key system the encryption and decryption keys are the same.
Distributing symmetric keys via a key server has many positive attributes, including the following. The sender (or any authorized party) can determine when a recipient requested and received the decryption key. This “key advisement” can usefully form the basis of an audit system. The sender (or any authorized party) can also control access to the decryption key, specifying “not-before” and/or “not-after” release times for a key. In this way, the decryption key can be made available during a certain time window.
These positive attributes of the key server scheme are realized because a recipient must be on-line to request the key, that is, to communicate with the key server to obtain the key from it. However, this makes “offline decryption” impossible.
Offline decryption is therefore typically implemented via “key enveloping.” In this technique the sender encrypts the message with a random key (termed a “message key”) and then encrypts the message key with another key, which is called the “envelope key.” Currently, the following three methods are used for deriving envelope keys. The envelope key can be derived from a password that is known to the sender and all of the recipients. Alternatively, a public key of each recipient can be used as their respective envelope key, meaning that the sender must create one envelope per recipient. And, somewhat similar to the recipient's public key method, the public key(s) can be derived from an “identity string” for the recipient (such as their email address) using an Identity Based Encryption (IBE) algorithm. Note, in passing, that an asymmetric key system is one where different public and private keys for encryption and decryption are employed.
The first method noted above, enveloping a message key with another key that is derived from a password, is weak because the password is often susceptible to discovery by brute force or off-line dictionary attacks. Given that most passwords need to be memorized by human users, and given that passwords must consist of printable characters, the entropy of a key derived from a password is anywhere from 1.5 to 5 bits per character. Thus, the effective length of a key derived from a twelve-character password (which has 50% more characters than a typical password of eight characters) is anywhere from 18 to 60 bits. By today's standards, such a key is very weak and thus subject to attacks that often will succeed.
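The enveloping structure described above, together with the password-derived envelope key of the first method, as an added illustration that is not part of the original text: the message is encrypted once under a random message key, and that key is then wrapped once per recipient under each recipient's envelope key, so any one recipient can decrypt offline without contacting a key server. The symmetric primitives are built from HMAC-SHA256 (a PRF-counter-mode keystream plus an encrypt-then-MAC tag) purely so the example runs on the Python standard library; the function names, the sample salt, the passwords and the second recipient's out-of-band key are constructed for this example, and a deployment would substitute a standard authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import struct

# Added example of key enveloping; not code from the original document.
# Primitives are HMAC-SHA256 based so this runs on the standard library alone.

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """PRF-counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; raise on any tampering or wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def password_envelope_key(password, salt, iterations=200_000):
    """First method from the text: envelope key derived from a shared password.
    The iterated KDF slows guessing but cannot add entropy the password lacks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def envelope_encrypt(message, recipient_envelope_keys):
    """Encrypt once under a random message key; wrap that key once per recipient."""
    message_key = secrets.token_bytes(32)
    return {
        "body": seal(message_key, message),
        "envelopes": {rid: seal(ek, message_key) for rid, ek in recipient_envelope_keys.items()},
    }


def envelope_decrypt(package, recipient_id, envelope_key):
    """Offline decryption: unwrap this recipient's envelope, then open the body."""
    message_key = open_sealed(envelope_key, package["envelopes"][recipient_id])
    return open_sealed(message_key, package["body"])


def demo():
    """Constructed round trip: one password-derived and one out-of-band envelope key."""
    salt = b"constructed-salt"  # constructed sample value, not from the document
    keys = {
        "alice": password_envelope_key("constructed-password", salt),
        "bob": secrets.token_bytes(32),  # stands in for a key provisioned out of band
    }
    message = b"constructed sample message"
    package = envelope_encrypt(message, keys)
    return (
        envelope_decrypt(package, "alice", keys["alice"]) == message
        and envelope_decrypt(package, "bob", keys["bob"]) == message
    )
```

Note that the per-recipient envelope is the only thing that changes between the three methods the text lists: the body and message key are identical whether the envelope key comes from a password, a recipient's public key, or an IBE-derived key. The weakness of the first method is therefore confined to `password_envelope_key`: the 256-bit message key is strong, but an attacker who can guess the password recovers the envelope key and with it every message key wrapped under it.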
The second method noted above, that of enveloping a message key with the recipient's public key, is very strong. However, this imposes a number of burdensome requirements. For example, all of the recipients must have a public key, the public keys of all of the recipients must be available to the sender at the time of enveloping, and the private key of each recipient must be available at the place where the recipient desires to read the message. For instance, if a recipient stores his or her private key in a computer at work, he or she would not be able to decrypt the email at a home computer that does not also have a copy of that private key.
The third method noted above, enveloping a message key with the recipient's IBE public key, is very strong. However, this also imposes a number of burdensome requirements. For example, again, all of the recipients must assert their respective identity strings in order to receive the corresponding private key, and the system that generates the private keys (typically called a “private key generator”) is a high value “target.” If this server is compromised, an adversary can then decrypt all of the messages that were ever sent (or that will be sent until the system's parameters are actually changed).
In summary, a password-based scheme is easy to use but offers weak security. A public key system offers strong security but is very difficult to deploy and use. And an IBE system is secure and somewhat easy to use, but its compromise can have catastrophic results. For these reasons, as well as others, the current state-of-the-art schemes do not simultaneously satisfy the three requirements of security, ease-of-use, and low risk.