1. Field of the Invention
This invention relates to the field of communications systems, and in particular to the encryption of information for distribution to multiple recipients
2. Description of Related Art
Cryptographic systems are commonly used to encrypt sensitive or confidential information, and increasingly, to encrypt copy-protected material, such as copyright audio and video material. Generally, the content information is encrypted by a source device and communicated over a communications path to a destination device, where it is decrypted to recreate the original content material. The source device encrypts the material using an encryption key, and the destination device decrypts the material using a decryption key. A symmetric cryptographic system uses the same key to encrypt and decrypt the material; an asymmetric cryptographic system uses one of a pair of keys for encryption, and the other of the pair for decryption. Most cryptographic systems are based on the premise that the expected computation time, effort, and costs required to decrypt the message without a knowledge of the decryption key far exceeds the expected value that can be derived from such a decryption.
Often, a key-exchange method is employed to provide a set of encryption and decryption keys between a source and destination device. One such key-exchange system is the xe2x80x9cDiffie-Hellmanxe2x80x9d key-exchange algorithm, common in the art. FIG. 1 illustrates an example flow diagram for a key-exchange and subsequent encryption of content material using the Diffie-Hellman scheme. At 110, a source device, device S, transmits a large prime n, and a number g that is primitive mod n, as a message 111 to a destination device, device D, that receives n and g, at 115. Each device, at 120 and 125, generates a large random number, x and y, respectively. At 130, device S computes a number X that is equal to gx mod n; and, at 135, device D computes a number Y that is equal to gy mod n. Device S communicates X to device D, and device D communicates Y to device S, via messages 131, 136, respectively. The numbers X and Y are termed public keys and the numbers x and y are termed private keys. Note that the determination of x from a knowledge of g and X, and y from a knowledge of g and Y, is computationally infeasible, and thus, an eavesdropper to the exchange of g, n, and the public keys X and Y will not be able to determine the private keys x or y.
Upon receipt of the public key Y, the source device S computes a key K that is equal to Yx mod n, at 140, and the destination device D computes a key Kxe2x80x2 that is equal to Xy mod n, at 145. Note that both K and Kxe2x80x2 are equal to gxy mod n, and thus both the source S and destination D devices have the same key K, while an eavesdropper to the exchange of g, n, X, and Y will not know the key K, because the eavesdropper does not know x or y.
After effecting the key-exchange, the source device S encrypts the content material M 150 and communicates the encrypted material Ek(M) to destination device D, at 160, via communications path 161. Because device D""s key Kxe2x80x2 is identical to the key K that is used to encrypt the content material M 150, device D uses key Kxe2x80x2 to decrypt the received encrypted material Ek(M) to create a decrypted copy 150xe2x80x2 of the content material M 150, at 165. This encryption method is referred to as symmetric because both devices use the same key K, Kxe2x80x2 to encrypt and decrypt the content material M 150. An eavesdropper to the communications path 161, not having knowledge of the key K, is unable to decrypt the encrypted material Ek(M), and thus unable to create a copy of the content material M 150. Note that the source device S need not communicate its public key X to the destination device D until the key X is needed by the destination device D to create the decryption key K, and therefore the public key X is often included as an attached item to the content material. In this manner, a destination device need not maintain a record of each of the source devices with which it has exchanged keys. The destination device D creates the decryption key by raising the attached public key Xxe2x80x2 to the power of its private key y, and applies it to the received encrypted material. Xxe2x80x2 represents a public key of an arbitrary source device. Provided that the material was encrypted using the destination device""s public key Y and the source device""s private key xxe2x80x2 corresponding to the attached public key Xxe2x80x2, the determined decryption key, (Xxe2x80x2) y mod n at the destination device D will appropriately decrypt the material. The source device S can continue to encrypt other content material using the key K for communication to the destination device D, as required, without repeating the above key-exchange.
For device S to communicate encrypted information to another device, a similar key-exchange process is performed with the other device. Device S transmits its public key X, and receives a public key Z that is equal to gz mod n, where z is the private key of the other device. The new encryption/decryption key K is then computed by device S and the other device as gxz mod n, and this key is used to encrypt information from device S to the other device, and vice versa.
The source device S may keep a record of the appropriate key to use for communicating to each destination device, so that a key-exchange need not be repeated for each communication. It is also common practice to re-establish a new key between the source device and destination device at regular time intervals, to improve the security of the system. If the same content material is to be communicated from source device S to two destination devices, device S encrypts the content material using the key associated with the first destination device, then encrypts the content material using the key associated with the second destination device. If the content material is intended for three destination devices, three unique copies are required, and so on. This requirement of multiple copies for multiple destinations incurs a substantial overhead in terms of processing time and memory resources to encrypt the material, and additional communication time or bandwidth to communicate the information to each destination device.
It is an object of this invention to provide a common encryption of content material that can be decrypted by multiple devices, each device having a unique private key. It is a further object of this invention to provide a multiple device key-exchange that facilitates a common encryption of content material for decryption by each device. It is a further object of this invention to provide a multiple device key-exchange that facilitates a common encryption of content material for selective decryption by one or more of the devices. It is a further object of this invention to minimize the computation requirements at a destination node for a multiple device key exchange.
These objects and others are achieved by creating a session key for encrypting content material that is based on each of the public keys of a plurality of destination devices. A partial key is also created corresponding to each of the destination devices that relies upon a private key associated with each destination device to form a decryption key that is suitable for decrypting content material that is encrypted by the session key. The encrypted content material and the corresponding partial key are communicated to each destination device. Each destination device decrypts the encrypted content material using the decryption key that is formed from its private key and the received partial key. Including or excluding the public key of selected destination devices in the creation of the session key effects selective encryption.