This invention relates to cryptographic systems, and more particularly, to identity-based-encryption systems.
Cryptographic systems are used to provide secure communications services such as secure email services and secure content distribution services. In providing these services, various messages must be securely conveyed between different parts of the system. For example, in a secure email system, a secure email message must be conveyed from a sender to a recipient. In secure content distribution environments, a service provider may distribute media files to subscribers in the form of encrypted messages.
With symmetric key cryptographic systems, the sender of a message uses the same key to encrypt the message that the recipient of the message uses to decrypt the message. Symmetric-key systems require that each sender and recipient exchange a shared key in a secure manner.
With public-key cryptographic systems, two types of keys are used—public keys and private keys. Senders may encrypt messages using the public keys of the recipients. Each recipient has a private key that is used to decrypt the messages for that recipient.
One public-key cryptographic system that is in use is the RSA cryptographic system. Each user in this system has a unique public key and a unique private key. A sender may obtain the public key of a given recipient from a key server over the Internet. To ensure the authenticity of the public key and thereby defeat possible man-in-the-middle attacks, the public key may be provided to the sender with a certificate signed by a trusted certificate authority. The certificate may be used to verify that the public key belongs to the intended recipient of the sender's message. Public key encryption systems such as the RSA system that use this type of traditional approach are referred to herein as PKE cryptographic systems.
Identity-based-encryption (IBE) systems have also been proposed. As with PKE cryptographic systems, a sender in an IBE system may encrypt a message for a given recipient using the recipient's public key. The recipient may then decrypt the message using the recipient's corresponding private key. The recipient can obtain the private key from a private key generator associated with the recipient. Unlike PKE schemes, IBE schemes generally do not require the sender to look up the recipient's public key. Rather, a sender in an IBE system may generate a given recipient's IBE public key based on known rules. For example, a message recipient's email address or other identity-based information may be used as the recipient's public key, so that a sender may create the IBE public key of a recipient by simply determining the recipient's email address.
In addition to or instead of using identity-based information, more generally applicable policy-based information may be used to form the IBE public key. As an example, a one-week expiration period may be imposed on all encrypted messages. This expiration date policy may be used to form the IBE public key (e.g., by basing the IBE public key on a date stamp). As another example, a ratings policy might specify that only subscribers greater than a certain age may access the content of the message. The rating value associated with a given message may be used to form the IBE public key for that message. Recipients must satisfy the policy constraints set forth in the IBE public key before they can access the encrypted message content.
A given message recipient may have relationships with multiple private key generators and therefore may have multiple associated IBE public-private key pairs. Such a recipient may receive a number of messages from various senders each encrypted using a different one of the recipient's IBE public keys and each requiring a different one of the recipient's IBE private keys for decryption.
It may therefore be desirable for senders to provided recipients with information on which IBE public key was used to encrypt a given message. For example, senders can send both the encrypted message data and a copy of the IBE public key used to encrypt that message data to a recipient at the same time. The recipient can use the IBE public key that is received from the sender to determine which IBE private key to use in decrypting the message.
Sometimes, however, the IBE public key itself may contain sensitive information. For example, the IBE public key may reveal the rating that was associated with a particular IBE-encrypted movie the recipient received from a service provider or the IBE public key may reveal sensitive information regarding which portion of an organization the recipient is associated with or which sensitive projects the recipient is working on.
It is therefore an object of the present invention to provide improved ways in which message recipients can be provided with potentially sensitive IBE public key information for use in message decryption.