The present invention relates to a key recovery process used for strong encryption of a message sent by an entity, which message is either to be stored locally or transmitted to another entity, the reading of a message requiring a decryption key supplied to at least one trusted third party for key recovery, while the message comprises a compulsory control field which itself comprises a key recovery field for allowing a trusted third party to supply the decryption information that enables the encrypted message to be read.
First of all, it is noted that it is conventionally accepted that an encryption is considered to be strong when its decryption cannot be achieved within a reasonable amount of time without using the key.
Generally, the constant progress in the computerization field results in an increasingly immediate need when it comes to the protection of information. At present, computer security is an integral part of the thorny problems to be solved in this field. Thus, among other things, a problem arises when it is desirable to use encryption techniques to effectively protect sensitive information. In effect, in many countries, the dissemination of encrypted information through public networks is subject to authorization on a case-by-case basis, whereas the need to use such techniques is genuinely felt. The current tendency of international governmental authorities, however, is to authorize anyone to use strong encryption. In exchange for this authorization, the national authorities intend to retain the right of inspection, that is to have the capability to decrypt such communications.
With this type of technique, the stored or transmitted message can only be decrypted when the decryption key used is known. The specific object or technical problem in this case is to make the decryption key known to a predetermined key recovery authority, an authority hereinafter called a "trusted third party" for key recovery. Two techniques are generally used for this purpose.
The first technique consists of depositing a long-term decryption key which will be used to decrypt the working keys or decryption keys. Decryption hardware or software (hereinafter, for the sake of simplification and conciseness, indicated by "decryption hardware/software") then in turn uses this key to decrypt the decryption keys of a message, and thus any person wishing to decrypt the message must possess the copy of this key. This technique has proven effective and practical, for example within a single country, but has serious drawbacks relative to security when the communication is international and/or when an authority of one of the countries in question wishes to eavesdrop on and understand a message sent in one of the countries in question by a person under suspicion. In effect, one country's trusted third party for key recovery is obligated to request that another country's trusted third party for key recovery, or the person possessing the copy of the key, supply it, in order to be able to decrypt the message. In the case where the latter agrees, which is a first restriction, on one hand the eavesdropping is "granted" to the other country's trusted third party for key recovery when this type of intervention is supposed to be discreet and even confidential, and on the other hand, a significant time loss is inevitably caused in obtaining the copy of the key, which is completely inopportune since the message must be understood quickly when it is desirable to act fast with regard to the suspected person before the latter can escape or disappear. Therefore, this technique has substantial limitations for use at an international level due to the counterpart required by the international governmental authorities in authorizing this type of communication, unless the governments involved subscribe to reciprocity agreements, which in this field is not always, in fact rarely, desirable.
The second technique consists not of leaving a long-term decryption key but of allowing the trusted third party for key recovery to decrypt the decryption key, and hence the encryption key of the message, whether this key is an asymmetric key or a symmetric key. For this purpose, two supplementary fields are added into the message, hereinafter called a compensation field and a compulsory control field, which itself comprises, among other information, at least one field intended for the recovery of the key by an authorized key keeper, hereinafter called a "trusted third party" for key recovery. Thus, in the particular case where a saved encrypted message is stored locally, for example on a disk, only one trusted third party for key recovery is involved, and therefore only one key recovery field is necessary. On the other hand, in the more general case of the transmission of a message between two users, or more generally between two communicating entities, two key recovery fields are necessary, since two trusted third parties for key recovery are involved, that of the country of the sender of the message and that of the country of the recipient of the message. Thus, an international conversation between two interlocutors of country A and country B, respectively, can be eavesdropped on, if this eavesdropping is authorized, by the appropriate intercepting authorities of country A and country B, respectively, without ever being subject to eavesdropping by the authorities of any other country. Consequently, when an eavesdropping is legally authorized, the first key recovery field of the compulsory control field allows eavesdropping by the approved authority of country A, while the second key recovery field allows eavesdropping by the approved authority of country B.
These two approved authorities can either be national authorities based in the countries where the communicating entities are physically located, or national authorities of the same nationality as that of the communicating entities. In fact, in order to allow the decryption, one of these two key recovery fields present in the message is first delivered to a trusted third party for key recovery, then the decryption key is delivered by this trusted third party to the national authority, thus allowing it to decrypt the message in its entirety. Currently, it is expected for each country to approve a certain number of trusted third parties for key recovery who are nationals, each of whom is preferably specific to one field, and thus it is the trusted third party approved by a governmental authority that controls and allows the decryption and not the governmental authority directly. A technique of this type is described in the brochure entitled "Commercial Key Escrow (CKE, a trademark of Trusted Information Systems, Inc.): The Path to Global Information Security." This second technique, however, also has a certain number of drawbacks. A first serious drawback is inherent in the fact that it is impossible to notice, in any simple way, that an attempted fraud has been perpetrated by modifying the compulsory control field or modifying the decryption hardware/software. Moreover, this technique does not make it possible to supply in advance daily decryption keys that are usable within, and only within, a predetermined time period, which is a second notable drawback relative to security. Finally, another drawback exists in the fact that the communicating entities are not identified, which does not make it possible to easily distinguish between legal or illegal eavesdropping.
The object of the present invention is to eliminate the various drawbacks of the different known techniques of the prior art, and to propose a key recovery process that is effective and easy to use, which makes it possible to detect any modification, however minimal, of the compulsory control field, and which allows the provision, even in advance, of daily decryption keys usable only within a predetermined time period.
FIGS. 1 and 2 illustrate the steps of the key recovery process used for strong encryption of a message (M) according to the present invention. Message (M) is sent by a sending entity (SE) (step 100), wherein the message is either to be stored locally or transmitted to a receiving entity (RE) (step 200). The reading of the message (step 600) requires a decryption key (DK) which can be reconstructed by at least one trusted third party (TTP) for key recovery (step 500). Each trusted third party for key recovery is assigned an identifier (Id) and a public key (PK) (step 400). The process of key recovery further includes the steps of forming the message with a compensation field (CF) and a compulsory control field (CCF) (step 130), wherein the compulsory control field (CCF) includes a compulsory field comprising at least one key recovery field (KRF) for allowing the at least one trusted third party to supply the decryption key (DK) that enables the encrypted message (M) to be read (step 110). The compulsory control field (CCF) further comprises, in unencrypted form, a current date (D), an agreement number (AN) for encryption hardware/software and a dialogue key (DiK) encrypted under a daily intermediate key (IK) (step 120).
For this purpose, the key recovery process used for strong encryption of messages (M) mentioned in the preamble is remarkable in that the compulsory control field (CCF) also comprises, in unencrypted form, the current date (D) and the agreement number (AN) of the decryption hardware/software, as well as a dialogue key (DiK) encrypted under a daily intermediate key (IK), which intermediate key (IK) is a key calculated from certain elements of the compulsory control field (CCF) according to a formula that is explained below.
As used herein, the term "strong" relates to ciphering, and "strong encryption" means each message is encrypted in a way which tenaciously protects against fraud.
Thus, according to the concept of the invention and as a result of the technique used, which will be described below, the modification, subsequent to its generation, of the compulsory control field (CCF) correctly generated by the sender renders decryption by the recipient impossible. In fact, an alteration of certain data of the compulsory control field (CCF) for the purpose of preventing the recovery of the decryption key (DK) of the message (M) by any of the trusted third parties makes it impossible to decrypt the message (M). Moreover, the agreement number (AN) of the decryption hardware/software allows the national authority authorizing the trusted third parties (TTP) for key recovery to be given the decryption keys (DK), first of all, to identify the hardware/software to be used for decrypting the message (M). Finally, the current date (D) makes it possible to ensure that the message (M) to be decrypted is transmitted within the correct time period, an incorrect date being detected automatically and immediately without even having to involve the trusted third party (TTP) for key recovery, but also and above all, it is the very foundation of the technique, making it possible to provide decryption keys (DK) in advance as explained below.
According to another characteristic specific to the present invention, the key recovery process is remarkable in that each key recovery field (KRF) first comprises, in unencrypted form, the identifier (Id) of the appropriate trusted third party for key recovery, as a function of the application type, followed by a dialogue key encrypted under the public key of this trusted third party, and lastly, encrypted under the public key (PK) of this trusted third party (TTP), the serial number of the approved hardware/software, a working key and the period of validity of this working key.
In addition, according to a variant, each key recovery field also comprises in the above-mentioned last field the identifier of the user entity or the manager of this hardware/software, also encrypted under the public key of the appropriate trusted third party for key recovery. As a result of this identifier, advantageously and as explained below, the trusted third party for key recovery can directly know the identity of the user entity or the manager without referring to either the hardware/software vendor or its representative or a user entity registration authority.
Finally, in a characteristic way, the working key in combination with, among other things, the date, is used to calculate the daily intermediate key, while this intermediate key is used to encrypt the dialogue key.
Thus, the choice of the trusted third party for key recovery is left to the application, and is therefore a dynamic choice which is a function of the application type or of the context, that is, specific to a field. In this way, the approved hardware/software can "know" the choice and consequently the name of the appropriate trusted third parties for key recovery, a name which can be determined from the context of the application or user data, from the source and destination countries or even from elements of the hierarchical structure of the names. This same principle of dynamic choice ensures that the trusted third party cannot know this choice in advance. The identifier of the trusted third party for key recovery allows the national authority authorizing the trusted third parties to be given the decryption keys to identify the trusted third party for key recovery chosen. In order to verify that the compulsory control field created by the sender has been constituted so as to effectively render the decryption key of the message accessible to the various trusted third parties, the recipient's hardware/software recalculates part of this compulsory control field, that is, it re-encrypts the dialogue key, which it also obtains by means of the key exchange protocol specific to the application, under the public key of each trusted third party and verifies that it obtains an identical result. If this is not the case, it refrains from decrypting the message.
This process, however, does not prevent a recipient's accordingly modified hardware/software from bypassing this control and not refraining from decryption. Thus, as explained below, one of the novelties of the invention resides in the fact that the modification, during their transfer, of the correctly generated compulsory control and compensation fields, no matter what receiving hardware/software is used (compliant or modified), prevents the recipient from decrypting the message.
Normally, the standard key recovery systems are limited to directly encrypting the decryption key of the message under the key of each trusted third party. Consequently, it is necessary to consult a trusted third party in order to decrypt each individual decryption key. Thus, as will be explained below, another novelty of the invention resides in the fact that it makes it possible to supply the decryption authorities in advance with daily intermediate keys, which prevents the decryption authorities from having to use the services of a trusted third party in order to decrypt each message. In order to allow the authorities to receive in advance the data that make it possible to reconstruct the decryption keys, the process, unlike the known techniques, combines the direct method for recovering the dialogue key by means of the public encryption key of the trusted third party with a second method for recovering the dialogue key using a four-level key hierarchy wherein firstly, the working key, the serial number of the approved hardware/software, the period of validity of this working key, and possibly, depending on the variant presented above, the identifier of the user or the manager of this hardware/software are encrypted under the public key of each trusted third party for key recovery, after which the working key, specifically in combination with the date, is used to calculate the daily intermediate key, then the daily intermediate key is used to encrypt a dialogue key. Since the working key is encrypted under the public key of the trusted third party for key recovery, it can be decrypted by this trusted third party and by this entity alone; furthermore, this working key cannot be used directly, but only indirectly, to decrypt the message.
Consequently, in a characteristic way, the approved decryption hardware/software will calculate the daily intermediate key by means of a one-way function (also called a xe2x80x9cone-way hash functionxe2x80x9d by one skilled in the art) from the working key, and from the compulsory control field, that is, the current date, the agreement number and two key recovery fields. The two communicating entities normally exchange a decryption key according to a protocol of their own. Depending on the method used, the key exchanged is not considered to be this decryption key, but to be precisely the above-mentioned dialogue key. This dialogue key is therefore also directly accessible to the designated trusted third parties, because it is encrypted directly under their public key, but also because this dialogue key is also encrypted under a daily intermediate key. The two communicating entities calculate the decryption key from a one-way function using as parameters the dialogue key and the result of a collision-proof one-way function calculated on all of the components of the compulsory control field, the result then being combined with the compensation field by means of an exclusive OR.
Each of the trusted third parties performs the calculation of the decryption key in the same way, and is therefore capable of calculating the decryption key. The compensation field makes it possible to use a decryption key of any value, which can be the "private key" type for an asymmetric algorithm or the "secret key" type for a symmetric algorithm. In effect, the sender of the message adjusts the value of the key by means of the compensation field, since the result of the one-way function using as parameters the dialogue key and the result of a collision-proof one-way function calculated on all of the components of the compulsory control field cannot be predicted. Thus, due to the fact that the decryption key is a function of the compulsory control field and the compensation field, used jointly by the communicating entities and the trusted third parties, and that as indicated above, any alteration of the compulsory control field constituted normally at the source by the sender makes it impossible to decrypt the message, the object, and this is fundamental, being to render the decryption key false for the recipient of the message as a result of any modification. In effect, a modification, however minimal, of any of the fields of the compulsory control field has the result of modifying the decryption key, thus preventing the decryption and therefore the comprehension of the semantics of the message. It is important to note that the present process makes it possible to choose, for each message, a different and completely random decryption key.
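The key hierarchy and compensation-field construction described above, as an added worked example that is not the patent's own code: the patent names only generic one-way and collision-proof one-way functions and an unspecified cipher for the dialogue key, so SHA-256, HMAC-SHA256 and a hash-keystream XOR are assumptions here, and the two key recovery fields are opaque constructed placeholders standing in for the public-key-encrypted contents.

```python
import hashlib
import hmac

# Added example, not from the patent. Assumed primitives: SHA-256 as the
# collision-proof one-way function, HMAC-SHA256 as the one-way function that
# derives the daily intermediate key, and XOR with a hash-derived keystream as
# a stand-in for the unspecified cipher that encrypts DiK under IK.

def h(*parts):
    """Collision-proof one-way function over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def daily_intermediate_key(wk, date, an, krf1, krf2):
    """IK = one-way function of the working key WK and the clear CCF
    components (date, agreement number, the two KRFs). Only a TTP, which can
    decrypt WK, can compute it, and it changes with the date."""
    return hmac.new(wk, b"".join([date, an, krf1, krf2]), hashlib.sha256).digest()

def build_ccf(date, an, krf1, krf2, dik, wk):
    """Compulsory control field: D and AN in clear, two KRFs, and the dialogue
    key DiK encrypted under the daily intermediate key IK."""
    ik = daily_intermediate_key(wk, date, an, krf1, krf2)
    return {"D": date, "AN": an, "KRF1": krf1, "KRF2": krf2, "E_IK(DiK)": xor(dik, h(ik))}

def ccf_bytes(ccf):
    return b"".join(ccf[k] for k in ("D", "AN", "KRF1", "KRF2", "E_IK(DiK)"))

def derive_dk(dik, ccf, cf):
    """DK = F(DiK, H(CCF)) XOR CF, computed identically by sender, recipient
    and trusted third parties; any change to CCF changes DK."""
    return xor(h(dik, h(ccf_bytes(ccf))), cf)

def compensation_field(dik, ccf, chosen_dk):
    """The sender picks any DK (here a random per-message key) and solves for
    the compensation field CF so that derive_dk() yields exactly that DK."""
    return xor(h(dik, h(ccf_bytes(ccf))), chosen_dk)

def authority_recovers_dk(ik, ccf, cf):
    """An authority holding the day's IK (handed over in advance by the TTP)
    decrypts DiK from the CCF and recomputes DK without consulting the TTP."""
    dik = xor(ccf["E_IK(DiK)"], h(ik))
    return derive_dk(dik, ccf, cf)

def demo(tamper=False):
    """Returns (sender's chosen DK, recipient's DK, authority's DK)."""
    wk, dik = b"W" * 32, b"d" * 32                      # constructed sample keys
    date, an = b"20240601", b"AN-0042"                  # constructed D and AN
    krf1, krf2 = b"TTP-A:" + b"\x01" * 16, b"TTP-B:" + b"\x02" * 16  # placeholders
    chosen_dk = bytes(range(32))                        # constructed "random" DK
    ccf = build_ccf(date, an, krf1, krf2, dik, wk)
    cf = compensation_field(dik, ccf, chosen_dk)
    if tamper:
        ccf = dict(ccf, AN=b"AN-9999")                  # one CCF field altered in transit
    recipient_dk = derive_dk(dik, ccf, cf)
    ik = daily_intermediate_key(wk, date, an, krf1, krf2)  # TTP derives IK from WK
    return chosen_dk, recipient_dk, authority_recovers_dk(ik, ccf, cf)
```

With an intact CCF all three parties derive the same DK; with any altered field, even the recipient holding the genuine dialogue key derives a different DK and cannot read the message.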