Creation and distribution of cryptographic envelope
First Claim
1. A method of creating a cryptographic envelope, which can be distributed arbitrarily to a plurality of users, said envelope being a digital document which is an aggregation of information parts, said method comprising:
a. encrypting one of said information parts with a part encryption key to produce an encrypted part, which is included in said envelope;
b. encrypting said part encryption key with a first public key to produce an encrypted part encryption key, which is included in said envelope;
c. creating a list of parts that are included in said envelope, each entry in said list comprising a part name and a secure hash of said named part, said list also being included in said envelope; and
d. signing said list with a first secret key to produce a signature, which is included in said envelope, wherein the integrity of said list can be checked using a second public key associated with said first secret key to verify said signature, and wherein the integrity of any one part of said envelope can be checked by computing a second secure hash of said one part and comparing said second hash with its corresponding hash in said list, and wherein the information content of said encrypted part is protected from disclosure and can only be recovered with said part encryption key, and wherein said part encryption key can be recovered by decryption of said encrypted part encryption key using a second secret key corresponding to said first public key.
1 Assignment
0 Petitions
Abstract
A method and apparatus to create, distribute, sell and control access to digital documents using secure cryptographic envelopes. An envelope is an aggregation of information parts, where each part to be protected is encrypted with a corresponding part encryption key. These encrypted information parts, along with the other information parts, become part of the envelope. Each part encryption key is also encrypted with a public key, and these encrypted part encryption keys are also included in the envelope. The envelope also includes a list of parts, where each entry in the list has a part name and a secure hash of the named part. The list is then signed with a secret key to generate a signature, which is also included in the envelope. The signature can be verified using a second public key associated with that secret key, and the integrity of any information part in the envelope can be checked by computing a second hash and comparing it with the corresponding hash in the list of parts. Also, the information content of any encrypted part can only be recovered by knowledge of a second secret key corresponding to the public key that was used to encrypt the part encryption keys.
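The envelope construction the abstract describes, worked through as an added Go example (this is not code from the patent or from any product implementing it). It assumes concrete primitives the patent leaves open: AES-256-GCM for the part encryption, RSA-OAEP for wrapping each part key, Ed25519 for signing the list, SHA-256 as the secure hash, and a JSON encoding of the list. The wrapped part key is shipped as an extra part named `<name>.key` so that it, too, falls under the signed list. Standard library only; the sample document in `main` is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// Envelope holds every shipped part (clear or encrypted, plus a "<name>.key" part
// carrying each RSA-wrapped part key), the list of (name, hash) entries, and a signature over it.
type Envelope struct {
	Parts     map[string][]byte
	PartList  []byte // JSON array of listEntry: the signed "list of parts"
	Signature []byte // Ed25519 signature over PartList
}

type listEntry struct {
	Name string `json:"name"`
	Hash []byte `json:"sha256"`
}

// CreateEnvelope encrypts each part named in protect with a fresh AES-256-GCM key,
// wraps that key with RSA-OAEP under wrapPub, hashes every shipped part into the
// list, and signs the list with signPriv.
func CreateEnvelope(parts map[string][]byte, protect []string, wrapPub *rsa.PublicKey, signPriv ed25519.PrivateKey) (*Envelope, error) {
	env := &Envelope{Parts: map[string][]byte{}}
	for name, data := range parts {
		env.Parts[name] = data
	}
	for _, name := range protect {
		buf := make([]byte, 32+12) // part encryption key || GCM nonce
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		key, nonce := buf[:32], buf[32:]
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
		// shipped form is nonce || ciphertext; the part name is bound as associated data
		env.Parts[name] = append(append([]byte{}, nonce...), aead.Seal(nil, nonce, parts[name], []byte(name))...)
		if env.Parts[name+".key"], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, wrapPub, key, []byte(name)); err != nil {
			return nil, err
		}
	}
	list := make([]listEntry, 0, len(env.Parts))
	for n, data := range env.Parts {
		h := sha256.Sum256(data)
		list = append(list, listEntry{Name: n, Hash: h[:]})
	}
	sort.Slice(list, func(i, j int) bool { return list[i].Name < list[j].Name }) // deterministic bytes to sign
	encoded, err := json.Marshal(list)
	if err != nil {
		return nil, err
	}
	env.PartList, env.Signature = encoded, ed25519.Sign(signPriv, encoded)
	return env, nil
}

// VerifyEnvelope checks the signature on the list, then each shipped part against
// its listed hash, so an added, removed or altered part is reported.
func VerifyEnvelope(env *Envelope, signPub ed25519.PublicKey) error {
	if !ed25519.Verify(signPub, env.PartList, env.Signature) {
		return fmt.Errorf("list signature invalid")
	}
	var list []listEntry
	if err := json.Unmarshal(env.PartList, &list); err != nil {
		return err
	}
	if len(list) != len(env.Parts) {
		return fmt.Errorf("%d parts shipped but %d listed", len(env.Parts), len(list))
	}
	for _, e := range list {
		data, ok := env.Parts[e.Name]
		if h := sha256.Sum256(data); !ok || string(h[:]) != string(e.Hash) {
			return fmt.Errorf("part %q missing or altered", e.Name)
		}
	}
	return nil
}

func main() {
	wrapKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	parts := map[string][]byte{"abstract.txt": []byte("free preview"), "chapter1.txt": []byte("paid content")} // constructed sample
	env, err := CreateEnvelope(parts, []string{"chapter1.txt"}, &wrapKey.PublicKey, signPriv)
	if err == nil {
		err = VerifyEnvelope(env, signPub)
	}
	fmt.Println("create and verify:", err)
}
```

`VerifyEnvelope` deliberately compares the number of shipped parts with the number of listed entries: the signature binds only what is in the list, so without that check a part added after signing would pass. The list bytes are sorted before signing so that the same envelope always produces the same signed input, and the part name is bound into both the GCM associated data and the OAEP label, which stops a wrapped key or ciphertext from being moved to a differently named part.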
846 Citations
8 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims 2, 3, 4, 5 and 6 are not shown on this page.
7. A method of providing access to content data in a cryptographic envelope, said method comprising:
a. transmitting a request from a user to a server, said request being a request to access a part of said cryptographic envelope, said request comprising at least an encrypted part encryption key which is a public key encryption of a key used to encrypt said part;
b. transmitting a response, in response to said request, from said server to said user, said response being a transformation of said encrypted part encryption key, said transformation being generated by: decrypting said encrypted part encryption key using a secret key associated with said public key, and encrypting said part encryption key using a second public key; and
c. decrypting said transformed key using said secret key into said part encryption key, wherein said selected part is decrypted into clear text using said part encryption key, thereby providing access to said user.
8. In a communications network having a server with electronic access to a plurality of terminals, a method of authorizing access to selected content data, said cryptographic envelope being created by:
a. creating a cryptographic envelope, which can be distributed arbitrarily to a plurality of users, said envelope being a digital document which is an aggregation of information parts, said method comprising: (i) associating a part encryption key for each of said parts to be protected, wherein one of said parts contains said selected content data; (ii) encrypting each of said parts to be protected with its associated part encryption key; (iii) encrypting each said part encryption key with a public key to form an encrypted part encryption key for each of said part encryption keys; (iv) creating a list of parts, each entry in said list containing a part name for one of said parts, a secure hash for said one part, and (v) signing said list with a secret key to produce a signature, wherein said cryptographic envelope is the aggregation of: said signature, said list, said encrypted part encryption keys, said encrypted parts, and those of said information parts which have not been encrypted; and
b. when a user in possession of a copy of said cryptographic envelope desires to access said selected content data, said access being given by: (i) transmitting a request from said user to a server, said request being a request to access a part of said cryptographic envelope, wherein latter said part contains said selected content data, said request comprising at least an encrypted part encryption key which is a public key encryption of an encryption key used to encrypt latter said part; (ii) transmitting a response, in response to said request, from said server to said user, said response comprising a transformation of said encrypted part encryption key in said request, said transformation being generated by: decrypting said encrypted part encryption key in said request using a secret key associated with said public key of step b (1), encrypting said part encryption key in said request using a second public key; and decrypting said transformed key using said secret key associated with said second public key into said part encryption key in said request, wherein said selected part is decrypted into clear text using said part encryption key in said request, thereby providing access to said user.
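The request/response exchange of claim 7 and of step b in claim 8, as an added Go example (not code from the patent or from any implementation of it). Assumptions beyond the claim text: RSA-OAEP with the part name as the OAEP label, for both the envelope's wrapping key and the user's key; AES-256-GCM for the part itself, shipped as nonce || ciphertext; and hypothetical `Server`, `User` and `AccessRequest` types. The protected part is constructed inside `RunExchange`, standing in for one taken out of a real envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds the secret key matching the public key under which the envelope's
// part keys were wrapped; it never needs the envelope itself.
type Server struct{ Key *rsa.PrivateKey }

// User holds a personal key pair; the server re-wraps a part key to its public half.
type User struct{ Key *rsa.PrivateKey }

// AccessRequest carries the wrapped part key copied out of the envelope and the
// public key the server should re-wrap it to.
type AccessRequest struct {
	PartName   string
	WrappedKey []byte
	UserPub    *rsa.PublicKey
}

// HandleRequest is the server side of the exchange: unwrap with the server's
// secret key, re-wrap under the user's public key. Because this answers with a
// usable key for any wrapped key it accepts, the authorisation decision (licence,
// payment, which parts this user may open) belongs here, before the unwrap;
// this example assumes that decision has already been taken.
func (s *Server) HandleRequest(req AccessRequest) ([]byte, error) {
	partKey, err := rsa.DecryptOAEP(sha256.New(), nil, s.Key, req.WrappedKey, []byte(req.PartName))
	if err != nil {
		return nil, fmt.Errorf("wrapped key rejected: %w", err)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, req.UserPub, partKey, []byte(req.PartName))
}

// Recover is the user side: the transformed key opens only with the user's secret key.
func (u *User) Recover(partName string, transformed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, u.Key, transformed, []byte(partName))
}

// DecryptPart opens a part shipped as nonce || AES-256-GCM ciphertext, with the
// part name bound as associated data.
func DecryptPart(partKey, shipped []byte, partName string) ([]byte, error) {
	block, err := aes.NewCipher(partKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	if len(shipped) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, shipped[:ns], shipped[ns:], []byte(partName))
}

// RunExchange builds one constructed protected part the way the publisher would
// (fresh part key, wrapped to the server's public key), then runs the request,
// transformation and recovery steps and returns the clear text the user obtains.
func RunExchange(content []byte, serverKey, userKey *rsa.PrivateKey) ([]byte, error) {
	const name = "chapter1.txt"
	buf := make([]byte, 32+12) // part encryption key || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	partKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(partKey)
	aead, _ := cipher.NewGCM(block)
	shipped := append(append([]byte{}, nonce...), aead.Seal(nil, nonce, content, []byte(name))...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, partKey, []byte(name))
	if err != nil {
		return nil, err
	}
	// the user sends only the wrapped key, never the part; the server answers
	// with the same key re-wrapped so that only this user can open it
	server, user := &Server{Key: serverKey}, &User{Key: userKey}
	transformed, err := server.HandleRequest(AccessRequest{PartName: name, WrappedKey: wrapped, UserPub: &userKey.PublicKey})
	if err != nil {
		return nil, err
	}
	recovered, err := user.Recover(name, transformed)
	if err != nil {
		return nil, err
	}
	return DecryptPart(recovered, shipped, name)
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	text, err := RunExchange([]byte("paid content"), serverKey, userKey) // constructed sample part
	fmt.Printf("%q %v\n", text, err)
}
```

Two properties of the exchange are worth noting. The server never receives the part, only the wrapped key, and its reply can be opened only with the requesting user's secret key, so an intercepted response is of no use to anyone else. The flip side is that the server is an unwrapping oracle for every key wrapped under its public key: whatever access policy the operator applies (in the patent, a sale) has to be enforced in `HandleRequest` before the unwrap, and the server should record which wrapped key it transformed for which user public key so that later disputes can be traced.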