MEDIATED KEY EXCHANGE BETWEEN SOURCE AND TARGET OF COMMUNICATION

US 20060248336A1
Filed: 04/28/2005
Published: 11/02/2006
Est. Priority Date: 04/28/2005
Status: Active Grant

First Claim

Patent Images

1. A process for communicating a message securely between a sender-client and a receiver-client, the process comprising:

at the sender-client, providing a key server with a receiver string specifying one or more attributes of the receiver-client;

at said key server, obtaining a first private value (a) corresponding with a first public value (A), obtaining a second public value (B) of an authentication server corresponding with a second private value (b) of said authentication server, obtaining a message key, calculating a hash (h) of said receiver string, calculating an envelope decryption key (d), wherein d=gˆ

{B^ahmod p} mod q in which g is a generator of and p and q are prime numbers in a group in which calculation is performed, calculating an envelope encryption key (e), wherein e=g^dmod p, encrypting said message key with said envelope encryption key (e), thereby creating the envelope; and

providing said envelope to the sender-client;

at the sender-client, encrypting the message into a secure message with said message key, and providing said secure message and said envelope to the receiver-client;

at the receiver-client, accepting said secure message and said envelope, and asking said authentication server for said envelope decryption key (a);

at said authentication server, obtaining said first public value (A) of said key server, calculating said envelope decryption key (d), wherein d=gˆ

{A^bhmod p} mod q, and providing said envelope decryption key (d) to the receiver-client; and

at the receiver-client, decrypting said envelope with said envelope decryption key (d) into said message key, and decrypting said secure message with said message key into the message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for communicating a message securely between a sender and a receiver. The sender provides a key server with a string specifying the receiver. The key server obtains a message key and a particular envelope encryption key corresponding with a particular envelope decryption key, encrypts the message key with the envelope encryption key (creating the envelope), and provides the envelope to the sender-client. The sender-client encrypts the message with the message key and provides it and the envelope to the receiver. The receiver-client receives these and asks an authentication server for the envelope decryption key. The authentication server obtains the envelope decryption key and provides it to the receiver. The receiver then decrypts the envelope with the envelope decryption key, to get the message key, and decrypts the message.

29 Citations

View as Search Results

27 Claims

1. A process for communicating a message securely between a sender-client and a receiver-client, the process comprising:
- at the sender-client, providing a key server with a receiver string specifying one or more attributes of the receiver-client;
  
  at said key server, obtaining a first private value (a) corresponding with a first public value (A), obtaining a second public value (B) of an authentication server corresponding with a second private value (b) of said authentication server, obtaining a message key, calculating a hash (h) of said receiver string, calculating an envelope decryption key (d), wherein d=gˆ
  
  {B^ahmod p} mod q in which g is a generator of and p and q are prime numbers in a group in which calculation is performed, calculating an envelope encryption key (e), wherein e=g^dmod p, encrypting said message key with said envelope encryption key (e), thereby creating the envelope; and
  
  providing said envelope to the sender-client;
  
  at the sender-client, encrypting the message into a secure message with said message key, and providing said secure message and said envelope to the receiver-client;
  
  at the receiver-client, accepting said secure message and said envelope, and asking said authentication server for said envelope decryption key (a);
  
  at said authentication server, obtaining said first public value (A) of said key server, calculating said envelope decryption key (d), wherein d=gˆ
  
  {A^bhmod p} mod q, and providing said envelope decryption key (d) to the receiver-client; and
  
  at the receiver-client, decrypting said envelope with said envelope decryption key (d) into said message key, and decrypting said secure message with said message key into the message.

2. A process for making an envelope encryption key (e) that corresponds with an envelope decryption key (d), for communicating a message securely between a sender-client and a receiver-client, the process comprising:
- selecting a generator (g) of a group in which calculation is performed;
  
  selecting a prime number (p) in said group;
  
  calculating e=g^dmod p.
- View Dependent Claims (3, 4)
- - 3. The process of claim 2, further comprising:
    - obtaining a hash (h) of a receiver string specifying one or more attributes of the receiver-client; and
      
      calculating d=gˆ
      
      {B^ahmod p} mod q, wherein a private value (a) has been chosen and a public value (B) of a trusted party has been obtained and q is also a prime number in said group.
  - 4. An envelope encryption key (e) made by one of the processes of claims 2-3.

5. A process for making an envelope decryption key (d) that corresponds with an envelope encryption key (e), for communicating a message securely between a sender-client and a receiver-client, the process comprising:
- obtaining a hash (h) of a receiver string specifying one or more attributes of the receiver-client;
  
  obtaining a public value (A) of a party that created the envelope encryption key (e); and
  
  calculating d=gˆ
  
  {A^bhmod p} mod q, wherein b is a private value and g is a generator of and pand qare prime numbers in a group in which calculation is performed.
- View Dependent Claims (6)
- - 6. An envelope decryption key (d) made by one of the processes of claim 5.

7. A process for making an envelope for communicating a message securely between a sender-client and a receiver-client, the process comprising:
- obtaining a message key;
  
  obtaining an envelope encryption key (e) corresponding with an envelope decryption key (d), wherein e=g^dmod p in which g is a generator of and p is a prime number in a group in which calculation is performed; and
  
  encrypting said message key with said envelope encryption key (e), thereby creating the envelope.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The process of claim 7, wherein said obtaining said message key includes accepting said message key from the sender-client.
  - 9. The process of claim 7, wherein said obtaining said message key includes generating said message key.
  - 10. The process of claim 7, wherein said obtaining said envelope encryption key (e) includes recalling a previously stored instance of said envelope encryption key (e).
  - 11. The process of claim 7, further comprising:
    - choosing a private value (a);
      
      obtaining a public value (B) of a trusted party;
      
      obtaining a hash (h) of a receiver string specifying one or more attributes of the receiver-client; and
      
      calculating d=gˆ
      
      {B^ahmod p} mod q, wherein q is also a prime number in said group.
  - 12. An envelope made by one of the processes of claim 7-11.

13. A process for a sender-client to encrypt a message for a receiver-client, the process comprising:
- obtaining a message key;
  
  obtaining an envelope containing said message key encrypted with an envelope encryption key (e) corresponding with an envelope decryption key (a), wherein e=g^dmod p in which g is a generator of and p is a prime number in a group in which calculation is performed; and
  
  encrypting the message into a secure message with said message key.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The process of claim 13, wherein said obtaining said message key includes accepting said message key from a key server.
  - 15. The process of claim 13, wherein:
    - said obtaining said message key includes generating said message key; and
      
      said obtaining said envelope includes;
      
      providing said message key to a key server; and
      
      accepting said envelope from said key server.
  - 16. The process of claim 13, further comprising:
    - authenticating with an authentication server;
      
      accepting an assertion from said authentication server;
      
      providing said assertion to a key server; and
      
      accepting said envelope from said key server.
  - 17. The process of claim 13, wherein said envelope encryption key (e) also corresponds with a hash (h) of a receiver string specifying one or more attributes of the receiver-client.
  - 18. A secure message made by one of the processes of claim 13-17.

19. A process for a receiver-client to decrypt a message, the process comprising:
- obtaining a secure message including the message in encrypted form;
  
  obtaining an envelope including a message key to decrypt said secure message, wherein said envelope has been encrypted with an envelope encryption key (e) corresponding with an envelope decryption key (d);
  
  obtaining said envelope decryption key (d), wherein d=gˆ
  
  {A^bhmod p} mod q in which A is a public value of a first party that created e, b is a private value of a second party that is providing d, h is a hash of a receiver string specifying one or more attributes of the receiver-client, and g is a generator of and p and q are prime numbers in a group in which calculation is performed;
  
  decrypting said envelope with said envelope decryption key (d) into said message key; and
  
  decrypting said secure message with said message key into the message.
- View Dependent Claims (20, 21, 22)
- - 20. The process of claim 19, wherein said obtaining said envelope decryption key (d) includes authenticating with an authentication server and the process further comprises accepting said envelope decryption key (d) from said authentication server.
  - 21. The process of claim 20, further comprising caching said envelope decryption key (d) for future use.
  - 22. The process of claim 19, wherein said obtaining said envelope decryption key (d) includes recalling a previously obtained said envelope decryption key (d).

23. A computer program, embodied on a computer readable storage medium, for making an envelope encryption key (e) that corresponds with an envelope decryption key (d), for communicating a message securely between a sender-client and a receiver-client, the computer program comprising a code segment that calculates the envelope encryption key (e) such that e=g^dmod p in which g is a generator of and p is a prime number in a group in which calculation is performed.
- View Dependent Claims (24)
- - 24. The computer program of claim 23, further comprising:
    - a code segment that obtains a hash (h) of a receiver string specifying one or more attributes of the receiver-client; and
      
      a code segment that calculates d=gˆ
      
      {B^ahmod p} mod q, wherein a private value (a) has been chosen and a public value (B) of a trusted party has been obtained and q is also a prime number in said group.

25. A computer program, embodied on a computer readable storage medium, for making an envelope decryption key (d) that corresponds with an envelope encryption key (e), for communicating a message securely between a sender-client and a receiver-client, the computer program comprising:
- a code segment that obtains a hash (h) of a receiver string specifying one or more attributes of the receiver-client;
  
  a code segment that obtains a public value (A) of a party that created the envelope encryption key (e); and
  
  a code segment that calculates d=gˆ
  
  {A^bhmod p} mod q, wherein b is a private value and g is a generator of and p and q are prime numbers in a group in which calculation is performed.

26. A computer program, embodied on a computer readable storage medium, for making an envelope for communicating a message securely between a sender-client and a receiver-client, the computer program comprising:
- a code segment that obtains a message key;
  
  a code segment that obtains an envelope encryption key (e) corresponding with an envelope decryption key (d), wherein e=g^dmod p in which g is a generator of and p is a prime number in a group in which calculation is performed; and
  
  a code segment that encrypts said message key with said envelope encryption key (e), thereby creating the envelope.
- View Dependent Claims (27)
- - 27. The computer program of claim 26, further comprising:
    - choosing a private value (a);
      
      obtaining a public value (B) of a trusted party;
      
      obtaining a hash (h) of a receiver string specifying one or more attributes of the receiver-client; and
      
      calculating d=gˆ
      
      {B^ahmod p} mod q, wherein q is also a prime number in said group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Secure Data In Motion, Inc. (Proofpoint Incorporated)
Inventors
Moreh, Jahanshah, Bruns, Logan O'Sullivan

Granted Patent

US 7,594,116 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 9/0822 using key encryption key

H04L 9/3013 involving the discrete loga...

MEDIATED KEY EXCHANGE BETWEEN SOURCE AND TARGET OF COMMUNICATION

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

MEDIATED KEY EXCHANGE BETWEEN SOURCE AND TARGET OF COMMUNICATION

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others