1. Field of the Invention
This invention relates to a cryptographic key recovery system and, more particularly, to a flexible key recovery system that is based on a framework.
2. Description of the Related Art
Copending US Patent Application of D. B. Johnson et al., Ser. No. 08/629,815, filed Apr. 10, 1996, entitled xe2x80x9cCryptographic Key Recovery Systemxe2x80x9d (xe2x80x9cJohnson et al. Ixe2x80x9d), assigned to the International Business Machines Corporation, is incorporated herein by reference. This cited patent application describes a key recovery system using multiple key recovery agents.
Copending application of D. B. Johnson et al., Ser. No. 08/681,679, filed Jul. 29, 1996, entitled xe2x80x9cInteroperable Cryptographic Key Recovery Systemxe2x80x9d (xe2x80x9cJohnson et al. IIxe2x80x9d), assigned to the International Business Machines Corporation, is incorporated herein by reference. This cited patent application describes another key recovery system.
1. Background
In recent times, cryptography has come into widespread use in meeting multiple security needs, such as confidentiality, integrity, authentication and non-repudiation [SCHN, MENE]. The use of cryptographic products for confidentiality creates the need for supporting conflicting requirements between users and their respective governments or enterprises. While users have a legitimate need to establish and maintain confidentiality of their data and communications, governments and enterprises have, at times, a legitimate need to intercept and recover such confidential data and communications under proper legal conditions. This conflict becomes especially apparent when users"" applications begin to use strong encryption techniques, which can either be too expensive or impossible to break within reasonable time.
Some governments such as the US, Canada, and France, impose controls on the export and foreign dissemination of cryptographic products on the premise that they are critical to national security and foreign policy interests. This is a major hindrance for manufacturers and vendors of cryptographic products since the market for their encryption products is severely restricted by such jurisdiction-based controls. To mitigate this, key recovery techniques have been proposed as a means to relax export controls on cryptographic products. Certain governments, such as the US, now have a stated policy that strong encryption based products can be licensed for general purpose export if they can be shown to incorporate an acceptable mechanism for key recovery. Adoption of such a policy enables cryptographic product vendors to develop a single international version of their product that contains strong encryption along with some technique for key recovery.
Key recovery mechanisms serve other useful purposes as well. They may be used by individuals to recover lost or corrupted keys; they may be used by enterprises to deter corporate insiders from using encryption to bypass the corporate security policy regarding the flow of proprietary information. Corporations may also use key recovery mechanisms to recover employee keys in certain situations, e.g. in the employees absence. Finally, the use of key recovery mechanisms in web based transactional scenarios can serve as an additional technique of non-repudiation and audit, that may be admissible in a court of law. Thus, there appear to be added incentivesxe2x80x94beyond those of satisfying the governments needsxe2x80x94for the incorporation as well as adoption of key-recovery mechanisms in local and distributed encryption based systems.
Several vendors, such as Hewlett Packard, Trusted Information Systems and others have or are developing exportable cryptographic systems based on key recovery techniques. Most currently available or proposed architectures for key-recovery-enabled cryptographic systems are somewhat restrictive and inflexible. The design of some of these products is based on restrictive assumptions such as all users need to be certified under a common public key infrastructure (PK). Others products are very inflexible since they bundle a specific key recovery mechanism with a specific key transport mechanism or a specific cryptographic engine. Others support a single proprietary key recovery mechanism, which may not be acceptable for export to certain jurisdictions that choose not to adopt or legislatively support that key recovery mechanism. To avoid these and possibly other limitations, we propose an architecture for key-recovery-enabled cryptographic systems that has the potential to support a wide variety of key recovery mechanisms and cryptographic mechanisms under a common uniform framework. The additional benefits of such a framework-based solution, is that it is not tied to any particular communications protocol or key transport mechanism, and can be adapted to conform to any jurisdiction-based, key-recovery policy.
1.1. Key Recovery Nomenclature
Denning and Branstad [DENN], present a taxonomy of key escrow systems. In this document, a different scheme of nomenclature was adopted in order to exhibit some of the finer nuances of key recovery schemes. The term key recovery encompasses mechanisms that allow authorized parties to retrieve the cryptographic keys used for data confidentiality, with the ultimate goal of recovery of encrypted data. The remainder of this section will discuss the various types of key recovery mechanisms, the phases of key recovery, and the policies with respect to key recovery.
1.1.1. Key Recovery Types
There are two classes of key recovery mechanisms based on the way keys are held to enable key recovery: key escrow and key encapsulation. Key escrow techniques are based on the paradigm that the government or a trusted party called an escrow agent, holds the actual user keys or portions thereof Key encapsulation techniques, on the other hand, are based on the paradigm that a cryptographically encapsulated form of the key is made available to parties that require key recovery; the encapsulation technique ensures that only certain trusted third parties called recovery agents can perform the unwrap operation to retrieve the key material buried inside. There may also be hybrid schemes that use some escrow mechanisms in addition to encapsulation mechanisms.
An orthogonal way to classify key recovery mechanisms is based on the nature of the key that is either escrowed or encapsulated. Some schemes rely on the escrow or encapsulation of long-term keys, such as private keys, while other schemes are based on the escrow or encapsulation of ephemeral keys such as bulk encryption keys. Since escrow schemes involve the actual archival of keys, they typically deal with long-term keys, in order to avoid the proliferation problem that arises when trying to archive the nyriad ephemeral keys. Key encapsulation techniques, on the other hand, usually operate on the ephemeral keys.
For a large class of key recovery (escrow as well as encapsulation) schemes, there are a set of key recovery fields that accompany an enciphered message or file. These key recovery fields may be used by the appropriate authorized parties to recover the decryption key and or the plaintext. Typically, the key recovery fields comprise information regarding the key escrow or recovery agent(s) that can perform the recovery operation; they also contain other pieces of information to enable recovery.
In a key escrow scheme for long-term private keys, the xe2x80x9cescrowedxe2x80x9d keys are used to recover the ephemeral data confidentiality keys. In such a scheme, the key recovery fields may comprise the identity of the escrow agent(s), identifying information for the escrowed key, and the bulk encryption key wrapped in the recipients public key (which is part of an escrowed key pair); thus the key recovery fields include the key exchange block in this case. In a key escrow scheme where bulk encryption keys are archived, the key recovery fields may comprise information to identity the escrow agent(s), and the escrowed key for that enciphered message.
In a typical key encapsulation scheme for ephemeral bulk encryption keys, the key recovery fields are distinct from the key exchange block, (if any.) The key recovery fields identify the recovery agent(s), and contain the bulk encryption key encapsulated using the public keys of the recovery agent(s).
The key recovery fields are generated by the party performing the data encryption, and associated with the enciphered data. To ensure the integrity of the key recovery fields, and its association with the encrypted data, it may be required for processing by the party performing the data decryption. The processing mechanism ensures that successful data decryption cannot occur unless the integrity of the key recovery fields are maintained at the receiving end. In schemes where the key recovery fields contain the key exchange block, decryption cannot occur at the receiving end unless the key recovery fields are processed to obtain the decryption key; thus the integrity of the key recovery fields are automatically verified. In schemes where the key recovery fields are separate from the key exchange block, additional processing has to happen to ensure that decryption of the ciphertext occurs only after the integrity of the key recovery fields are verified.
With escrow schemes for long terms private keys, a major advantage is that the cryptographic communication protocol needs minimal adaptation (since the key recovery fields and the key exchange block are one and the same in most cases); however, the serious disadvantages are the lack of privacy for individuals (since their private keys are held by a separate entity), and the lack of granularity with respect to the recoverable keys. Additionally, there is the burden that every individual has to obtain and use public keys through an approved public key infrastructure in order for the key recovery scheme to work.
The major advantage to key encapsulation schemes based on ephemeral keys are that there is much greater privacy for the individuals; they can generate and keep their own private keys. Each ephemeral key can be recovered independently, so there is maximal granularity with respect to the recoverable keys. A disadvantage is that the communication protocol between sending and receiving parties needs more elaborate adaptation to allow the flow of the encapsulated key (which is separate from the key exchange block.) Another disadvantage is that there is some performance penalty in key encapsulation for each ephemeral key; however, this may be minimized by caching techniques.
The Secure Key Management Framework (SKMF) defines an infrastructure for a complete set of cryptographic services augmented with key recovery enablement. There are three major layersxe2x80x94the application layer invokes the SKMF layer, while the SKMF layer invokes the service provider (SP) layer. The application layer code invokes the cryptographic API and key-recovery API supported by the SKMF. Multiple key recovery mechanisms and cryptographic mechanisms can be implemented as service providers that plug-in underneath the framework using the well-defined service provider interfaces provided by the framework. The SKMF implements the supported API calls by making appropriate invocations of the service provider modules using the SPIS. The primary functionality of the SKMF layer is to maintain state regarding the connections between the application layer code and the service providers underneath. Additionally, the SKMF mediates all interactions between applications and CSPs, and implements and enforces the applicable key recovery policy. Finally, the SKMF allows the seamless integration of the key recovery functions and the cryptographic functions provided by independent service provider modules.
The design of the SKMF starts with an existing cryptographic framework that meets certain abstract properties such as extensibility and modularity. Next, the cryptographic framework is extended laterally to include a key recovery module manager that supports a set of key recovery APIs (KR-APIs) for use by application layer code and a set of key recovery SPIs (KR-SPIs) to support plug-in key recovery service provider modules. The KR-APIs are used to set state and attribute information for use by the key recovery service providers, and to generate and validate the key recovery blocks for confidentiality protected sessions. The KR module manager also contains the static key recovery enablement policy table and an enforcement module that ensures that all cryptographic associations abide by the key recovery enablement policy.
The base cryptographic module manager is modified to accommodate the key recovery module manager. While the base cryptographic API is kept intact (in order to perturb existing applications as little as possible), the cryptographic module manager is modified to invoke the key recovery policy enforcement module. If key recovery enablement if required for a certain cryptographic operation, the key recovery enablement operations need to be invoked appropriately before the invocation of the cryptograph operation. As a result, a dependency is created between the key recovery enablement operation and certain cryptographic operations. Since key recovery enablement typically required additional parameters such as public keys of key recovery agents, authorization information for user, etc., these additional parameters need to be provided to the SKMF through some mechanisms. The KR-APIs can be used by the application layer code to set up he necessary parameters for key recovery enablement. These parameters are held as state information within the KR management module.
The KRSPs perform two fundamental operations with respect to key recovery enablement: key recovery block generation, and key recovery block processing. On the sending side of a cryptographic association, key recovery enablement implies that a key recovery block be generated and sent out to the receiving side. On the receiving side, key recovery enablement requires that the key recover block be processed before decryption can occur; processing ensures that the key recovery block was transmitted intact from the sender to the receiver.