This invention relates to cryptographic systems, and more particularly, to identity-based-encryption systems.
Cryptographic systems are used to provide secure communications services such as secure email services and secure content distribution services. In providing these services, various messages must be securely conveyed between different parts of the system. For example, in a secure email system, a secure email message must be conveyed from a sender to a recipient. In secure content distribution environments, a service provider may distribute media files to subscribers in the form of encrypted messages.
With symmetric key cryptographic systems, the sender of a message uses the same key to encrypt the message that the recipient of the message uses to decrypt the message. Symmetric-key systems require that each sender and recipient exchange a shared key in a secure manner.
With public-key cryptographic systems, two types of keys are used—public keys and private keys. Senders may encrypt messages using the public keys of the recipients. Each recipient has a private key that is used to decrypt the messages for that recipient.
One public-key cryptographic system that is in use is the RSA cryptographic system. Each user in this system has a unique public key and a unique private key. A sender may obtain the public key of a given recipient from a key server over the Internet. To ensure the authenticity of the public key and thereby defeat possible man-in-the-middle attacks, the public key may be provided to the sender with a certificate signed by a trusted certificate authority. The certificate may be used to verify that the public key belongs to the intended recipient of the sender's message. Public key encryption systems such as the RSA system that use this type of traditional approach are referred to herein as PKE cryptographic systems.
Identity-based-encryption (IBE) systems have also been proposed. As with PKE cryptographic systems, a sender in an IBE system may encrypt a message for a given recipient using the recipient's public key. The recipient may then decrypt the message using the recipient's corresponding private key. The recipient can obtain the private key from a private key generator associated with the recipient.
Unlike PKE schemes, IBE schemes generally do not require the sender to look up the recipient's public key. Rather, a sender in an IBE system may generate a given recipient's IBE public key based on known rules. For example, a message recipient's email address or other identity-based information may be used as the recipient's public key, so that a sender may create the IBE public key of a recipient by simply determining the recipient's email address.
In addition to or instead of using identity-based information, more generally applicable policy-based information may be used to form the IBE public key. As an example, a one-week expiration period may be imposed on all encrypted messages. This expiration date policy may be used to form the IBE public key (e.g., by basing the IBE public key on a date stamp). As another example, a ratings policy might specify that only subscribers greater than a certain age may access the content of the message. The rating value associated with a given message may be used to form the IBE public key for that message. Recipients must satisfy the policy constraints set forth in the IBE public key before they can access the encrypted message content.
Although senders of IBE-encrypted messages need not look up a recipient's public key as with PKE schemes, senders must obtain so-called IBE public parameter information that is associated with the recipient's IBE private key generator. The IBE public parameter information is used as an ancillary input to the sender's IBE encryption algorithm and works in conjunction with the IBE public key of the recipient to ensure that the message is encrypted properly.
To create the IBE public parameter information and IBE private keys of its associated recipients, an IBE private key generator must use secret information (called the “master secret s”). The security of the encrypted messages associated with this IBE private key generator rests on the ability of the IBE private key generator to maintain the secrecy of the master secret. Message security also depends on the measures taken by the IBE private key generator to authenticate a recipient before providing that recipient with an IBE private key. To maintain control over these aspects of system security, some organizations may want to maintain their own IBE private key generators.
In an environment with multiple IBE private key generators, the operators of the different IBE private key generators may not want to operate their systems identically. For example, one IBE private key generator may want to authenticate its users with a higher level of authentication than another IBE private key generator. Different IBE private key generators may also want to support different communications protocols or have other customized settings.
It is therefore an object of the present invention to provide ways in which to support IBE communications in an environment in which different IBE private key generators and other parties in the system have different operating needs.