The present invention relates generally to private communications, and more specifically to a system and method for providing ephemeral decryptability of documents, files, and/or messages.
In recent years, individuals and businesses have increasingly employed computer and telecommunications networks, such as the World Wide Web (WWW), to exchange messages. These networks typically include a number of intermediate systems between the source of a message and its destination, at which the message may be temporarily written to a memory and/or data storage device. Such intermediate systems, as well as the communications lines within the network itself, are often considered to be susceptible to actions of a malicious third party, which may result in messages being intercepted as they are carried through the network. For this reason, various types of data encryption have been used for private communications through such networks. Encryption algorithms are also sometimes used to support integrity checking and authentication of received messages. Integrity checking allows the message recipient to determine whether the message has been altered since it was generated, while authentication permits the recipient to verify the source of the message.
Specific encryption algorithms are usually thought of as being either "symmetric key" or "public key" systems. In symmetric key encryption, also sometimes referred to as "secret key" encryption, the two communicating parties use a shared, secret key to both encrypt and decrypt messages they exchange. The Data Encryption Standard (DES), published in 1977 by the National Bureau of Standards, and the International Data Encryption Algorithm (IDEA), developed by Xuejia Lai and James L. Massey, are examples of well known symmetric key encryption techniques. Public key encryption systems, in contrast to symmetric key systems, provide each party with two keys: a private key that is not revealed to anyone, and a public key made available to everyone. When the public key is used to encrypt a message, the resulting encoded message can only be decoded using the corresponding private key. Public key encryption systems also support the use of "digital signatures", which are used to authenticate the sender of a message. A digital signature is an encrypted digest associated with a particular message, which can be analyzed by a holder of a public key to verify that the message was generated by someone knowing the corresponding private key.
While encryption protects the encrypted data from being understood by someone not in possession of the decryption key, the longer such encrypted information is stored, the greater potential there may be for such a key to fall into the wrong hands. For example, key escrows are often maintained which keep records of past keys. Such records may be stored for convenience in order to recover encrypted data when a key has been lost, for law enforcement purposes, to permit the police to eavesdrop on conversations regarding criminal activities, or for business management to monitor the contents of employee communications. However, as a consequence of such long term storage, the keys may be discovered over time.
In existing systems, there are various events that may result in an encrypted message remaining stored beyond its usefulness to a receiving party. First, there is no guarantee that a receiver of an encrypted message will promptly delete it after it has been read. Additionally, electronic mail and other types of messages may be automatically "backed-up" to secondary storage, either at the destination system, or even within intermediate systems through which they traverse. The time period such back-up copies are stored is sometimes indeterminate, and outside control of the message originator. Thus, it is apparent that even under ordinary circumstances, an encrypted message may remain in existence well beyond its usefulness, and that such longevity may result in the privacy of the message being compromised.
Existing systems for secure communications, such as the Secure Sockets Layer (SSL) protocol, provide for authenticated, private, real-time communications. In the SSL protocol, a server system generates a short term public/private key pair, that is certified as authentic using a long term private key belonging to the server. The client uses the short term public key to encrypt a symmetric key for use during the session. The server periodically changes its short term private key, discarding any previous versions. This renders any records of previous sessions established using the former short term public key undecryptable. Such a system is sometimes referred to as providing "perfect forward secrecy". These existing systems, however, provide no mechanism for setting or determining a finite "lifetime", in terms of decryptability, for stored encrypted data or messages independent of a real-time communications session.
Accordingly it would be desirable to have a system for specifying a finite period after which stored encrypted data, such as electronic mail messages, cannot be decrypted. After such a "decryption lifetime" period expires, the encrypted data should become effectively unrecoverable. The system should provide the ability to specify such a decryptability lifetime on a per message, data unit, or file basis, independent of any particular real-time communications session.
A system and method for providing ephemeral decryptability is disclosed, which enables a user to encrypt data in a way that ensures that the data cannot be decrypted after a finite period. One or more ephemeral encryption keys are provided to a party wishing to encrypt a message to be passed to a destination party. The ephemeral key or keys are each associated with an expiration time. Prior to the expiration time, the party wishing to encrypt the message uses the ephemeral encryption key or keys to encrypt the message, and passes the encrypted message to the destination party. The destination party uses ephemeral decryption keys associated with the ephemeral encryption keys to decrypt the received message. The provider of the ephemeral encryption keys destroys at least the ephemeral decryption keys such that they cannot be recovered after their respective expiration times. In the case where ephemeral public/private key pairs are used, then the ephemeral encryption keys are the public keys, the ephemeral decryption keys are the private keys. In the case where ephemeral symmetric keys are used, then the ephemeral encryption key and its associated ephemeral decryption key are the same key. In the present disclosure, data that has been encrypted using any kind of ephemeral key may sometimes be referred to as "ephemeral data."
In a first illustrative embodiment, a first party establishes a number of ephemeral public/private key pairs, each of which will be destroyed at an associated time in the future (the "expiration time"), and makes them publicly available. A second party then selects one of the ephemeral public/private key pairs having an expiration time appropriate for its needs, and sends one or more messages to the first party encrypted using the public key from the selected ephemeral key pair. If the ephemeral keys are symmetric keys, the second party would request an ephemeral symmetric key from the first party, causing the first party to generate an ephemeral symmetric key and securely convey it to the second party. At the expiration time, the first party destroys all copies of the ephemeral decryption key, thus rendering any messages encrypted with the associated encryption key permanently undecipherable.
In a second illustrative embodiment, a number of third party entities offer an "ephemerizer service", and are accordingly referred to as "ephemeral key servers" or "ephemerizers". Each ephemerizer publishes a selection of ephemeral public/private key pairs, or generates ephemeral symmetric keys upon request. Each ephemeral key is associated with an expiration time. A party wishing to encrypt a message acquires one of the ephemerizer's ephemeral encryption keys with an appropriate expiration time. Alternatively, where none of the associated expiration times offered by the ephemerizer are appropriate for the message to be transmitted, the party wishing to encrypt that message may request an ephemeral key expiration time or range of expiration times, in which case the ephemerizer generates an ephemeral key having an appropriate expiration time and provides it to the requester. The requesting party first encrypts the data using an encryption key of the party which will receive the message, and then encrypts the resulting encrypted data again using the acquired ephemeral encryption key. An address of the ephemerizer, as well as an indication of the selected ephemeral encryption key, may also be included in the message. When the message is received, the receiver first locates the ephemerizer, and asks the ephemerizer to decrypt at least a portion of the message. The ephemerizer decrypts at least a portion of the message as requested and returns the result to the receiver. The receiver then completes decryption of the message as necessary. At the expiration time, the ephemerizer permanently destroys the selected ephemeral decryption key.
Ephemerizers are relied upon to be available to decrypt messages encrypted using the ephemeral encryption keys they provide, to recall the associated decryption keys until their associated expiration times, and to destroy such decryption keys by their associated expiration times. However, for various reasons, a given ephemerizer may fail to perform one or more of these tasks. Advantageously, multiple ephemerizers may be employed in the disclosed system to address the possibility of such failures. In order to address the problem of an ephemerizer failing to destroy an ephemeral decryption key by its expiration time, multiple ephemerizers may be used to perform multiple, successive encryptions of the data. With this approach, if any one of the multiple ephemerizers destroys its ephemeral decryption key, the data is no longer decryptable.
Another technique employing multiple ephemerizers addresses the problem of one or more ephemerizers becoming unavailable, or forgetting their ephemeral decryption keys prior to their associated expiration time. In this approach, a "K of N" scheme is employed by which the message is encoded using multiple ("N") ephemeral encryption keys, provided by N associated ephemerizers, such that the recipient of the encrypted message only needs a subset "K" of the associated ephemerizers to be available and having retained their decryption keys to decrypt the message. In this way, even if some subset, less than or equal to K−N of the ephemerizers from which the ephemeral encryption keys were obtained, becomes unavailable or forgets an associated decryption key, the message may still be decrypted by its recipient using the K functioning ephemerizers.
In general, ephemerizers may be selected based on a recommendation of either communicating party, or, where one party distrusts the other party to some degree, unilaterally. For example, the recipient may provide a list of ephemerizers which may be used by the encrypting party. Alternatively, the encrypting party may be permitted to select the ephemerizer or ephemerizers.
Thus there is provided a system in which data may be encrypted such that it cannot be decrypted after a finite period. The system advantageously permits selection of an appropriate decryptability lifetime for specific units of data, such as electronic mail messages. Further, where one or more third party ephemerizer systems are used to provide ephemeral keys to encrypt a message, such third party ephemerizers may be employed to destroy the ephemeral keys at their expiration times, without burdening the communicating parties with this responsibility.
As a further advantage, it is not necessary to encrypt an entire message using an ephemeral encryption key. Instead, the ephemeral key may simply be used to encrypt another key contained within the message header. In that case, the message body itself is encrypted such that it can be decrypted using the key contained in the message header. The receiver of the message need send only the message header to the appropriate ephemerizer system or systems for decryption, thus preserving communications bandwidth and improving throughput.
Another advantage of the disclosed system arises from the fact that any data sent to an ephemerizer system for decryption may be further encrypted, for example prior to encryption with any ephemeral key. In such an embodiment, the ephemerizer system or systems are not exposed to fully decrypted data ("plaintext"), and accordingly need not be completely trusted.
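The flow of the second embodiment, combined with the two advantages just described (only a header key is wrapped with the ephemeral key, and the ephemerizer never sees plaintext), as an added Python sketch that is not part of the original disclosure. It assumes ephemeral symmetric keys delivered to the sender over a secure channel; the `Ephemerizer` class, the function names, the integer timestamps and the toy SHA-256 keystream cipher (a stand-in for a real authenticated cipher) are all hypothetical.

```python
import hashlib, secrets

def _xor(key, nonce, data):  # toy SHA-256 counter keystream, stand-in for a real AEAD
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    nonce = secrets.token_bytes(16)
    return nonce + _xor(key, nonce, data)

def unseal(key, blob):
    return _xor(key, blob[:16], blob[16:])

class Ephemerizer:
    def __init__(self):
        self._keys = {}                      # key_id -> (key, expires_at)

    def issue(self, expires_at):
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[key_id] = (key, expires_at)
        return key_id, key                   # assumed delivered over a secure channel

    def purge(self, now):
        for kid in [k for k, (_, exp) in self._keys.items() if exp <= now]:
            del self._keys[kid]

    def unwrap(self, key_id, header, now):
        self.purge(now)
        key, _ = self._keys[key_id]          # KeyError once the key is destroyed
        return unseal(key, header)           # result is still recipient-encrypted

def send(body, recipient_key, eph_key):
    msg_key = secrets.token_bytes(32)
    inner = seal(recipient_key, msg_key)     # inner layer: recipient's key
    return seal(eph_key, inner), seal(msg_key, body)   # (header, encrypted body)

def receive(eph, key_id, header, body_ct, recipient_key, now):
    inner = eph.unwrap(key_id, header, now)  # only the header goes to the ephemerizer
    return unseal(unseal(recipient_key, inner), body_ct)

def demo():
    eph, rk = Ephemerizer(), secrets.token_bytes(32)
    key_id, eph_key = eph.issue(expires_at=1000)
    header, body_ct = send(b"constructed sample message", rk, eph_key)
    before = receive(eph, key_id, header, body_ct, rk, now=999)
    try:
        after = receive(eph, key_id, header, body_ct, rk, now=1000)
    except KeyError:
        after = None                         # key destroyed: undecryptable
    return before, after
```

Deleting the dictionary entry only models destruction; an ephemerizer that keeps the key in memory, storage or backups past the expiration time has not destroyed it.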