This invention relates to cryptographic systems, and more particularly, to subscription management services for secure messaging systems.
It is often desirable to encrypt sensitive electronic communications such as email messages. With symmetric key cryptographic arrangements, the sender of a message uses the same key to encrypt the message that the recipient of the message uses to decrypt the message. Symmetric key systems therefore require that each sender and recipient exchange a shared key in a secure manner before they can communicate, which becomes impractical as the number of communicating parties grows.
With public key cryptographic systems, two types of keys are used—public keys and private keys. Senders may encrypt messages using the public keys of recipients. Each recipient has a private key that is used to decrypt the messages for that recipient.
To ensure the authenticity of the public keys in traditional public key systems and thereby defeat possible man-in-the-middle attacks, in which an attacker substitutes its own public key for that of the intended recipient, public keys may be provided to senders with a certificate signed by a trusted certificate authority. The certificate may be used to verify that the public key belongs to the intended recipient of the sender's message, provided that the sender checks the certificate's signature, validity period, and revocation status. Public key encryption systems that use this type of traditional approach are said to use the public key infrastructure (PKI) and are referred to as PKI cryptographic systems.
Identity-based-encryption (IBE) public key cryptographic systems have also been proposed. As with PKI cryptographic systems, a sender in an IBE system may encrypt a message for a given recipient using the recipient's public key. The recipient may then decrypt the message using the recipient's corresponding private key. The recipient can obtain the private key from a private key generator associated with the recipient, typically after authenticating to the private key generator to prove that the recipient holds the identity in question. The private key generator holds a master secret from which the private keys of all recipients are derived, so its security is critical to the system.
Unlike PKI schemes, IBE schemes generally do not require the sender to look up the recipient's public key or verify a certificate. Rather, a sender in an IBE system may generate a given recipient's IBE public key based on known rules, using only the recipient's identity and the public system parameters of the private key generator, which the sender need obtain only once. For example, a message recipient's email address or other identity-based information may be used as the recipient's public key, so that a sender may create the IBE public key of a recipient by simply determining the recipient's email address. Because the public key can be formed before the recipient has ever contacted the private key generator, a sender can encrypt to a recipient who has not yet enrolled in the system.
The operation of a cryptographic system requires ongoing maintenance. In some situations, the responsibility for the operation of a cryptographic system may rest with a single organization. The organization can perform setup operations such as the distribution and installation of encryption and decryption software. During operation of the system, the organization may use a key server to distribute keys to authorized users within the organization. This type of arrangement may work satisfactorily for closed environments in which all communications take place between users within the organization.
However, in more open environments users are not all associated with the same organization. A sender associated with one organization may desire to send an encrypted email to a recipient in another organization, who in turn desires to forward the message to a recipient in a third organization. In such an environment no single key server or administrator has authority over all of the parties. Issues such as software installation, key distribution, billing, and support need to be addressed if secure communications are to be successful in this type of environment.