1. Field of the Invention
The present invention relates to a key recovery system in which an encrypted message obtained by encapsulating a data key serving as a data encryption/decryption key with a system key serving as a data encryption key is decrypted by using a master key serving as a data decryption key in accordance with a user's request, thereby decapsulating the data key.
2. Description of Related Art
A data encryption system for encrypting and decrypting data with numerical value data called a "key" has been known as a technique for ensuring security of data such as secret (confidential) information, etc. With the data encryption system, only a user having a decryption key is able to decrypt an encrypted message.
The data such as secret information, etc. have the following characteristics.
(1) A duty to maintain secrecy until a predetermined time is imposed under law, rule or agreement. That is, it is required to hold data for a predetermined term (for example, for several years) while keeping the data encrypted.
(2) It is rare to decrypt an encrypted message and use the decrypted message. That is, if data are temporarily encrypted and saved, the data are rarely accessed afterwards.
(3) It must be ensured that data can be decrypted as occasion demands.
In the data encryption system described above, when a decryption key is lost for some reason, it is actually impossible to decrypt the encrypted message. For example, when an encrypted message is held in a file or the like and after some days the data are required to be taken out, the data concerned cannot be restored to the original data if there is no decryption key. This is equivalent to the case where the data are lost. Loss of a decryption key is a realistic possibility. For example, a user may erroneously delete a file in which a decryption key is held, or in a company a person who manages a decryption key may be transferred to another office or resign from the company, so that the place at which the decryption key is held is unknown.
In the present situation, management of a key is usually entrusted to a person responsible for management of secret information. Therefore, it is expected that more and more problems will occur in management of keys as encryption of secret information becomes more widespread.
Accordingly, there has been proposed a key recovery system which enables accurate decryption of an encrypted message when a decryption key is lost, thereby backing up data such as secret information, etc.
In the following description, a system using a method to attach a tag to an encrypted message, which is called a "KRF (Key Recovery Field) system", will be described as a conventional key recovery system.
FIG. 7 is a schematic diagram showing the construction of a key recovery system to which the conventional KRF system is applied. This system is implemented among plural information processing devices (for example, personal computers) which are connected to one another through a network 54 such as a LAN or the like.
In FIG. 7, terminals 50a to 50c are information processing devices used by users of this system, and each terminal has a function of data encryption/decryption. This function is implemented through execution of data encryption/decryption program 504b loaded from a magnetic disk 502 onto a memory 504 through a disk controller 506 by a CPU 502. In FIG. 7, reference numeral 504a represents an operating system (OS), and reference numeral 505 represents a network controller for implementing communications through the network 54. Three terminals are illustrated in FIG. 7, but the number of terminals is not limited to any specific value.
When a person who wishes to decrypt an encrypted message loses the decryption key, he/she can recover the lost key with the assistance of a key recovery center 52, which is an information processing device having a function of recovering the decryption key concerned. This function is implemented through execution of a key recovery program 524b and a check program 524c loaded from a magnetic disk 522 into a memory 524 through a disk controller 526 by a CPU 523. In FIG. 7, reference numeral 524a represents an OS, and reference numeral 525 represents a network controller for implementing communications through the network 54.
In addition to the OS 524a, the key recovery program 524b and the check program 524c, a key recovery condition (RC: Recovery Condition) for judging whether a person who requests recovery of a lost decryption key has authorization to access the decryption key concerned is stored as a database in the magnetic disk 522.
It is now assumed that the user of each of the terminals 50a to 50c instructs his/her terminal to execute the data encryption/decryption program 504b thereof so that data m such as secret information or the like are encrypted with his/her private key and then saved as data in the magnetic disk 502 in FIG. 7.
According to the KRF system, the structure of the encrypted message is as follows.
        KRF           |  main body of encrypted message
  [RCI | KS]KRCpub    |  [KS]Userpub | [m]KS
Here, KRCpub represents a public key of the key recovery center 52. This public key is in paired relationship with a private key KRCpri of the key recovery center 52. Userpub represents a public key of the user of each terminal, and this is in paired relationship with a private key Userpri of the user concerned. The public key and the private key mean a public key and a private key on the basis of a public key encryption algorithm such as RSA (Rivest, Shamir, Adleman) or the like.
KS represents a common key based on a common key encryption algorithm such as DES (Data Encryption Standard) or the like. RCI represents a recovery condition index for specifying the RC, that is, the recovery condition of a person who can recover a key. As described above, the key recovery center 52 has a database of RC stored in the magnetic disk 522, and RCI is used when RC is looked up in the database.
Further, [a]b represents an encrypted message obtained by encrypting data a by using a key b. For example, [m]KS represents an encrypted message obtained by encrypting data m with a common key KS, and "|" means data coupling.
As described above, according to the KRF system, an encrypted message has a structure in which the data ([RCI | KS]KRCpub) is added as the KRF to the main body of the encrypted message ([KS]Userpub | [m]KS).
When a user wishes to decrypt an encrypted message [RCI | KS]KRCpub | [KS]Userpub | [m]KS to obtain the data m, the processing is usually carried out according to the following procedure by the data encryption/decryption program 504b.
(1) The common key KS is obtained by decrypting [KS]Userpub with the private key Userpri held by the user.
(2) The data m are obtained by decrypting [m]KS with the obtained common key KS.
The process of decrypting the encrypted message according to the above procedure is hereinafter referred to as "normal recovery".
On the other hand, when the user of the terminal cannot decrypt the encrypted message according to the procedure of the normal recovery because the private key Userpri is lost or the like, the encrypted message is decrypted by using the common key KS which is obtained in the key recovery center 52. This process is hereinafter referred to as "urgent recovery" as opposed to the normal recovery.
The processing flow of the urgent recovery will be described with reference to FIG. 8. FIG. 8 is a diagram showing the data flow of the urgent recovery of a key recovery system using the conventional KRF system.
(1) First, the terminal of the user transmits the KRF ([RCI | KS]KRCpub) added to the main body of the encrypted message through the network 54 to the key recovery center 52.
(2) Upon receiving the KRF, the key recovery center 52 executes the key recovery program 524b to decrypt the KRF with the private key KRCpri held therein, whereby the recovery condition index (RCI) and the common key KS are obtained.
(3) Subsequently, the key recovery center 52 executes the check program 524c to search the database 527 stored in the magnetic disk 522 for the key recovery condition RC (the key recovery condition RC1 in the case of FIG. 8) specified by the recovery condition index RCI (recovery condition index RCI1 in the case of FIG. 8) obtained in the above (2). Whether the user satisfies the retrieved key recovery condition (for example, name, affiliation, password, etc.), that is, whether the user has key recovery authorization, is interactively checked between the key recovery center 52 and the terminal of the user through the network 54.
(4) Subsequently, if the key recovery center 52 confirms that the user has key recovery authorization, it transmits the common key KS obtained in (2) through the network 54 to the terminal of the user concerned. On the other hand, if it is not confirmed that the user has key recovery authorization, the key recovery center 52 does not transmit the common key KS obtained in (2) to the terminal of the user concerned.
(5) Upon receiving the common key KS, the terminal of the user executes the data encryption/decryption program 504b to decrypt the encrypted message [m]KS stored in the magnetic disc 502 with the common key KS, thereby obtaining the data m.
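The KRF structure, the normal recovery and the urgent recovery described above can be traced in the following added example, which is not part of the original document. It assumes toy stand-ins: textbook RSA over constructed Mersenne primes in place of RSA, a SHA-256 keystream in place of DES, a constructed RC database, and the interactive check of step (3) reduced to comparing submitted claims; all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent

def keypair(p, q):
    """Textbook RSA key pair from two known primes (toy size, no padding)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def pk(key, value):
    """[value]key for a public key, or the inverse for the paired private key."""
    n, exp = key
    return pow(value, exp, n)

def sym(ks, data):
    """[data]KS: XOR with a SHA-256 counter keystream (stand-in for DES)."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(ks + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed keys (Mersenne primes) and a constructed RC database: RCI -> RC.
KRC_PUB, KRC_PRI = keypair(2**127 - 1, 2**107 - 1)
USER_PUB, USER_PRI = keypair(2**89 - 1, 2**61 - 1)
RC_DB = {1: {"name": "alice", "password": "constructed-secret"}}

def encrypt(m, rci):
    """Return (KRF, main body) = ([RCI | KS]KRCpub, ([KS]Userpub, [m]KS))."""
    ks = secrets.token_bytes(8)
    krf = pk(KRC_PUB, int.from_bytes(rci.to_bytes(4, "big") + ks, "big"))
    return krf, (pk(USER_PUB, int.from_bytes(ks, "big")), sym(ks, m))

def normal_recovery(body):
    """Normal recovery: unwrap KS with Userpri, then decrypt [m]KS."""
    wrapped_ks, ciphertext = body
    return sym(pk(USER_PRI, wrapped_ks).to_bytes(8, "big"), ciphertext)

def center_release_ks(krf, claims):
    """Center side: open the KRF with KRCpri, look up RC by RCI, check the requester."""
    blob = pk(KRC_PRI, krf).to_bytes(12, "big")
    rci, ks = int.from_bytes(blob[:4], "big"), blob[4:]
    rc = RC_DB.get(rci)
    return ks if rc is not None and rc == claims else None  # KS withheld on failure

def urgent_recovery(krf, body, claims):
    """Terminal side: send only the KRF, decrypt [m]KS if the center returns KS."""
    ks = center_release_ks(krf, claims)
    return None if ks is None else sym(ks, body[1])
```

Note that center_release_ks holds KS in the clear before the recovery condition is checked, which mirrors step (2) of the flow above.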
A commercial Key Escrow of Lipner, et al. is known as a publicly-known example of the key recovery system using the KRF system as described above, and it is disclosed in U.S. Pat. No. 5,557,765.