Information-centric security

US 20060050870A1
Filed: 07/29/2005
Published: 03/09/2006
Est. Priority Date: 07/29/2004
Status: Active Grant

First Claim

Patent Images

1. A system for encrypting a data encryption key, the system comprising:

a key encryption key generator configured to receive a public portion of a label, the label including an asymmetric key pair of the public portion and a private portion, the key encryption key generator being further configured to process the public portion of the label to obtain a key encryption key; and

a data encryption key encoder configured to receive the key encryption key from the key encryption key generator and to receive a data encryption key from a random number generator, the encoder being further configured to encrypt the data encryption key using the key encryption key to produce an encrypted data encryption key and to provide the encrypted data encryption key to an encryption device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for encrypting a data encryption key includes a key encryption key generator configured to receive a public portion of a label, the label including an asymmetric key pair of the public portion and a private portion, the key encryption key generator being further configured to process the public portion of the label to obtain a key encryption key, and a data encryption key encoder configured to receive the key encryption key from the key encryption key generator and to receive a data encryption key from a random number generator, the encoder being further configured to encrypt the data encryption key using the key encryption key to produce an encrypted data encryption key and to provide the encrypted data encryption key to an encryption device.

190 Citations

View as Search Results

25 Claims

1. A system for encrypting a data encryption key, the system comprising:
- a key encryption key generator configured to receive a public portion of a label, the label including an asymmetric key pair of the public portion and a private portion, the key encryption key generator being further configured to process the public portion of the label to obtain a key encryption key; and
  
  a data encryption key encoder configured to receive the key encryption key from the key encryption key generator and to receive a data encryption key from a random number generator, the encoder being further configured to encrypt the data encryption key using the key encryption key to produce an encrypted data encryption key and to provide the encrypted data encryption key to an encryption device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein the key encryption key generator is configured to receive public portions of a plurality of labels and to generate a corresponding key encryption key corresponding to each public label portion received and the encoder is configured to encrypt the data encryption key using each corresponding key encryption key received from the key encryption key generator to produce a plurality of encrypted data encryption keys.
  - 3. The system of claim 2 further comprising the encryption device, wherein the encryption device is configured to encrypt a plaintext message using the data encryption key to produce ciphertext, and is further configured to transmit the ciphertext in association with each of the plurality of encrypted data encryption keys.
  - 4. The system of claim 1 wherein the key encryption key generator is configured to multiply each public portion and an ephemeral private key to produce a multiplication result.
  - 5. The system of claim 4 wherein the key encryption key generator is further configured to combine the multiplication result and a unique identifier of the label associated with the public portion multiplied to generate the key encryption key.
  - 6. The system of claim 5 wherein the key encryption generator is configured to use a standard-based key derivation function to combine the multiplication result and the unique identifier.
  - 7. The system of claim 1 wherein the key encryption generator and the data encryption key encoder comprise software instructions configured to cause a computer to perform the recited functions.
  - 8. The system of claim 1 further comprising a parser configured to combine benign asymmetrically-split portions of the label to provide the public portion of the at least one label to the key encryption key generator.

9. A system for decrypting an encrypted data encryption key, the system comprising:
- a key encryption key generator configured to receive a private portion of a label, the label including an asymmetric key pair of a public portion and the private portion, the key encryption key generator being further configured to process the private portion of the label to obtain a key encryption key; and
  
  a data encryption key decoder configured to receive the key encryption key from the key encryption key generator and to receive an encrypted data encryption key associated with ciphertext, the decoder being further configured to decrypt the data encryption key using the key encryption key to produce an unencrypted data encryption key and to provide the unencrypted data encryption key to a decryption device.
- View Dependent Claims (10, 11)
- - 10. The system of claim 9 wherein the received ciphertext comprises multiple encryptions of a plaintext message, each encryption being associated with a different encryption of the data encryption key and wherein the decoder is configured to decrypt a selected one of the encrypted data encryption keys using the key encryption key received from the key encryption key generator, the selected one of the encrypted data encryption keys being the one that was encrypted using a public portion of a label corresponding to the private portion used by the key encryption key generator to generate the key encryption key.
  - 11. The system of claim 9 wherein the key encryption generator and the data encryption key decoder comprise software instructions configured to cause a computer to perform the recited functions.

12. A computer program product for encrypting/decrypting information, the computer program-product residing on a computer-readable medium and comprising computer-readable instructions configured to cause a computer to:
- receive a public portion of a label for key encryption and to receive a private portion of the label for key decryption, the label including an asymmetric key pair of the public and private portions;
  
  process the public portion and an ephemeral private key to obtain a key encryption key for information encryption and to process the private portion and an ephemeral public key to obtain the key encryption key for information decryption;
  
  for information encryption;
  
  receive a data encryption key from a random number generator;
  
  encrypt the data encryption key using the key encryption key to produce an encrypted data encryption key; and
  
  provide the encrypted data encryption key to an encryption device; and
  
  for information decryption;
  
  receive the key encryption key and an encrypted data encryption key associated with ciphertext;
  
  decrypt the data encryption key using the key encryption key to produce an unencrypted data encryption key; and
  
  provide the unencrypted data encryption key to a decryption device.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer program product of claim 12 wherein the instructions configured to cause the processor to process the public portion and an ephemeral private key to obtain the key encryption key for information encryption cause the processor to multiply the public portion and the ephemeral private key and to apply a standards-based key derivation function.
  - 14. The computer program product of claim 12 further comprising instructions configured to cause the computer to produce the public and private portions of the label by combining benign asymmetric portions of the public and private portions.
  - 15. The computer program product of claim 12 further comprising instructions configured to cause the computer to encrypt a plaintext message using the data encryption key to produce ciphertext, and to transmit the ciphertext in association with the encrypted data encryption key.
  - 16. The computer program product of claim 15 wherein the instructions configured to cause the computer to produce the encrypted data encryption key are configured to cause the computer to produce a plurality of encrypted data encryption keys each being produced using at least one of a plurality of received public portions of labels, and wherein the instructions configured to cause the computer to transmit the ciphertext in association with the encrypted data encryption key cause the computer to transmit the ciphertext in association with the plurality of encrypted data encryption keys.
  - 17. The computer program product of claim 12 wherein the received ciphertext comprises multiple encryptions of a plaintext message, each encryption being associated with a different encryption of the data encryption key, the instructions configured to cause the computer to decrypt the data encryption key being configured to cause the computer to decrypt a selected one of the encrypted data encryption keys using private portions of only cryptographic key pairs whose corresponding public portions were used to encrypt the selected one of the encrypted data encryption keys

18. A cryptographic system for providing cryptographic key management, the system comprising:
- a communications interface configured to communicate electronically with a plurality of clients;
  
  a memory configured to store at least one of a public and a private portion of a cryptographic key pair associated with different levels of access; and
  
  a key management module configured and connected to communicate with the interface and the memory and configured to;
  
  split public and private portions of encryption keys into asymmetric pieces;
  
  provide access by clients through the communication interface to public and private portions of keys if the clients satisfy at least one authentication mechanism associated with a first security level at least as high as a second security level associated with the portions of keys that the client desires to access; and
  
  encrypt a data encryption key that is for use in encrypting a plaintext message.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The system of claim 18 wherein the key management module is further configured to actively audit client interactions with the system and activity of the key management module.
  - 20. The system of claim 19 wherein the key management module is further configured to monitor and report authorized information accesses and unauthorized information access attempts by clients.
  - 21. The system of claim 19 wherein the key management module is configured to encrypt the data encryption key for each of a plurality of public key portions received associated with a plurality of encryption keys.
  - 22. The system of claim 19 wherein the key management module is further configured to assign roles to clients and to associate with the clients an indication of what information sensitivity level or levels each client is authorized to access.
  - 23. The system of claim 18 wherein the key management module is further configured to provide full tokens to members where the tokens enable the members to encrypt and decrypt information.
  - 24. The system of claim 23 wherein the key management module is configured to encrypt a full asymmetric key pair using a member'"'"'s write-only key and sign the encrypted key pair with a digital certificate to produce the full token.
  - 25. The system of claim 18 wherein the key management module is protected within a software application by an encapsulation technique against malicious code attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
James G. Lightburn
Original Assignee
Infoassure.Com., Inc.
Inventors
Kimmel, Gerald D., Domangue, Ersin L., Adamouski, Francis J.

Granted Patent

US 7,715,565 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/30
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/105   Multiple levels of security

H04L 9/088   Usage controlling of secret...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Information-centric security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

190 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Information-centric security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

190 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links