The present invention relates generally to encryption and more particularly to public key management within a secure communication system.
As is known, to securely transmit data from one party to another in a secure communication system, the data is encrypted using an encryption key and an encryption algorithm. Such an encryption algorithm may be a symmetric-key algorithm such as the Data Encryption Standard (DES), in which case the encryption key is a corresponding symmetric key. A secure transmission begins when a sending party encrypts the data using the symmetric-key algorithm. Once the data is encrypted, it is transmitted to the receiving party over a transmission medium (e.g., the Internet, a telephone line, a Local Area Network, a Wide Area Network, or Ethernet (trademark)). Upon receipt, the receiving party decrypts the data using the same symmetric key, which must be transmitted to it, or derived by it, through some appropriately secure mechanism.
Encrypting data using public-key algorithms is somewhat more expensive than using a symmetric algorithm, but, with the symmetric algorithm, it is difficult to securely provide the symmetric key to both parties. Thus, to obtain the cost-saving benefits of symmetric-key encryption and the key distribution advantages of public/private key pairs, a wrapped session key is provided to the receiving party along with the data that is encrypted using the symmetric key. The wrapped session key is the symmetric key that has been encrypted using the public key (of a public/private key pair) of the receiving party. When the receiving party receives the encrypted message, it decrypts the wrapped session key using its private key to recapture the symmetric key. Having recaptured the symmetric key, it uses it to decrypt the message. Typically, symmetric keys are used for a relatively short duration (e.g., a communication, a set number of communications, an hour, a day, a few days), while encryption public keys are used for longer durations (e.g., a week, a month, or a year or more).
To further enhance the security of encrypted data transmissions in the secure communication system, the sending party provides its signature with the encrypted messages that it transmits. The signature of the sending party consists of a tag computed as a function of both the data being signed and the signature private key of the sender. The receiving party, using the corresponding signature verification public key of the sending party, can validate the signature. To ensure that the receiving party is using an authentic signature verification public key of the sending party, it obtains a signature public key certificate from a directory or a certification authority. The signature public key certificate includes the public key of the sending party and a signature of a certification authority. The signature of the certification authority is first verified by the receiving party using a trusted public key of the certification authority that the receiving party has stored. Once the signature of the certification authority is verified, the receiving party can trust any message that was signed by the certification authority. Thus, the signature public key certificate that the receiving party obtained is verified, and the signature public key of the sending party can be trusted to verify the signature of the sending party on the message.
In the above-described secure transmission, a critical factor in ensuring secure transmissions is providing the parties with trusted signature public keys of certification authorities. Without these, a party cannot validate a public key within a public key certificate and thus cannot trust the security of the message. One method to securely provide parties (i.e., clients) of the secure communication system with trusted public keys of certification authorities is to hard code the keys into the client software, or to pre-configure the software with the trusted public keys at the software manufacturer prior to distribution of the software.
While this provides a secure manner in which the clients obtain the signature public keys of the certification authorities, it does not provide a mechanism for easily changing a client's trusted public keys. In other words, a certification authority cannot modify a client's or a group of clients' trusted public keys on-line. An end-user, however, may modify which public keys its client software will trust. For example, in one of its browser products Netscape (trademark) provides a client with up to eighteen (18) public keys of certification authorities. The client may utilize these eighteen (18) certification authorities, or the end-user may manually delete a subset of them if desired. In many secure communication systems, system administrators do not want end-users to alter which certification authorities their client software can trust. Further, in many secure communication systems it is desirable to provide on-line updating and/or customized initialization of trusted certification authority public keys to clients, under the control of some organization other than the manufacturer of the client software product.
Another method for providing a single trusted certification authority public key to a client is to have the certification authority associated with the client provide the trusted public key to the client on-line. While this method overcomes the hard-coding limitations described above, it does not provide the flexibility of providing more than one trusted public key to a client. This limitation restricts the client to secure communications with other clients that have the same initially trusted certification authority public key. If a client attempts to communicate with a client having a different trusted public key, the communication cannot be trusted unless the certification authorities associated with the trusted public keys have a trusted path between them. If so, a certification authority chain is established, thereby allowing a client to trust a communication having a different trusted public key. As one could imagine, if the certification authority chain becomes relatively long, the efficiency of the secure communication system may suffer, or the complexity of verifying the validity of the chain itself becomes burdensome.
Therefore, a need exists for a method and apparatus for public key management that allows a client to obtain multiple trusted public keys of various certification authorities on-line, where the ability to change a client's trusted public keys is a privilege granted by the system (rather than the end-user) and the efficiency of the secure communication system does not suffer.