1. Field of the Invention
The present invention relates to a key recovery system for recovering a key to an encrypted sentence in an emergency when an operator on the user side is absent, when a user loses his or her private key, etc. in encrypting data using a key and storing the encrypted data as an encrypted sentence.
2. Description of the Related Art
There are two methods of realizing a key recovery system, that is, a method of previously depositing a key of each user; and a method of encrypting a data key using a system key. The present invention relates to a key recovery system according to the latter method.
When data is encrypted, each user encrypts, using a preliminarily obtained system key (hereinafter referred to as a public key), a key for use in encrypting data (hereinafter referred to as a data key), and stores the encrypted data, the encrypted data key, and a recovery condition as key recovery information.
The above described public key is obtained from at least one key recovery device (also referred to as a key recovery center).
When the user possesses a private key, the user decrypts encrypted data by decrypting using a private key a data key encrypted using the user's public key. If the user has lost the private key or the third party urgently needs to decrypt the encrypted data, key recovery information attached to the encrypted data is retrieved and is transmitted to the key recovery device in order to recover the data key through the key recovery device.
The key recovery device refers to the key recovery information, checks whether or not a recoverer who attempts recovery has a recovery right. If yes, the data key is recovered from the key recovery information, and is output to the recoverer.
In the conventional key recovery system, a key recovery device has a private key, and therefore can recover all encrypted sentences provided with the key recovery information encrypted using its public key. To avoid this, it is necessary to distribute the recovery ability of the key recovery device. Thus, a plurality of key recovery devices are provided, and key recovery information is generated from a plurality of public keys of the plurality of key recovery devices so that a key cannot be recovered without obtaining agreements of all key recovery devices.
FIG. 1 shows the SKR (secure key recovery) system of IBM as an example of the conventional technology. As shown in FIG. 1, the system includes a key recovery service provider 1. A recoverer device 2 is checked by the key recovery service provider 1 for authentication. If the key recovery service provider 1 has authenticated the recoverer device 2, then the key recovery service provider 1 transmits key recovery information to a key recovery device 3, each of the key recovery devices 3 recovers key information, and the key is returned to the recoverer device 2 through the key recovery service provider 1 based on the key information.
According to the conventional system shown in FIG. 1, a data key is recovered based on the authentication between the key recovery service provider 1 and the recoverer device 2. Therefore, if a sentence encrypter specifies a recovery condition for each key recovery device, the key recovery service provider 1 may not perform an authenticating process depending on a key recovery device due to a large overhead, resulting in an impossible key recovery.
If the key recovery service provider 1 illegally authenticates a recoverer, there is the problem that all encrypted sentences are recovered by the key recovery service provider 1.