Securing E-mail communications and encrypted file storage using yaksha split private key asymmetric cryptography

US 5,748,735 A
Filed: 06/07/1996
Issued: 05/05/1998
Est. Priority Date: 07/18/1994
Status: Expired due to Term

First Claim

Patent Images

1. A method for securing stored files in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a security server, comprising the steps of:

identifying data for storage;

encrypting a symmetric crypto-key with the second private key portion of a first user crypto-key associated with a first user to form an encrypted key message;

obtaining the symmetric crypto-key by applying the first private key portion of the first user crypto-key to decrypt the encrypted key message;

encrypting said data with the symmetric crypto-key to form an encrypted file; and

storing the encrypted file and said encrypted key message.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for securing stored files in a system having a plurality of system users with each system user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion. Each public key portion is accessible to the plurality of system users. Each private key portion has a first private key portion known only to the associated user and a corresponding second private key portion known only to a security server. Data to be stored is identified. A symmetric crypto-key is encrypted with only the second private key portion of a first user crypto-key to form an encrypted key message, thereby restricting access to the symmetric crypto-key to only the first user. The symmetric crypto-key is obtained by the first user by applying the first private key portion of the first user crypto-key to decrypt the encrypted key message. The first user encrypts the data with the symmetric crypto-key to form an encrypted file, and stores the encrypted file and the encrypted key message.

332 Citations

24 Claims

1. A method for securing stored files in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a security server, comprising the steps of:
- identifying data for storage;
  
  encrypting a symmetric crypto-key with the second private key portion of a first user crypto-key associated with a first user to form an encrypted key message;
  
  obtaining the symmetric crypto-key by applying the first private key portion of the first user crypto-key to decrypt the encrypted key message;
  
  encrypting said data with the symmetric crypto-key to form an encrypted file; and
  
  storing the encrypted file and said encrypted key message.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, further comprising the steps of:
    - encrypting a first retrieve file request with the first private key portion of a second user crypto-key associated with a second user to form a first encrypted retrieve file request;
      
      encrypting the first encrypted retrieve file request with the second private key portion of the second user crypto-key to form a second encrypted retrieve file request; and
      
      obtaining the first retrieve file request by applying the public key portion of the second user crypto-key to decrypt the second encrypted retrieve file request;
      
      retrieving the encrypted file and the encrypted key message from storage responsive to said retrieve file request;
      
      obtaining the symmetric crypto-key by applying the first private key portion of the first user crypto-key to decrypt the retrieved encrypted key message; and
      
      obtaining the data by applying the symmetric crypto-key to decrypt the retrieved encrypted file.
  - 3. A method according to claim 2, further comprising the steps of obtaining the first retrieve file request by applying the second private key portion of the second user crypto-key to the first encrypted retrieve file request, and directing the data to the second user.
  - 4. A method according to claim 1, wherein said first user is a file server.
  - 5. A method according to claim 1, wherein each said key portion has a bit length and the bit length of each first private key portion is smaller than the bit length of the associated second private key portion.
  - 6. A method according to claim 1, wherein the bit length of each said first private key portion is between 56 and 72 bits.
  - 7. A method according to claim 1, wherein (i) each said private key portion is comprised of a private exponent and modulus N which is a product of a plurality of numbers within a set of large prime numbers, (ii) each said public key portion is comprised of a public exponent and the modulus N and (iii) the modulus N has a bit length and the bit length of each said private key portion is no larger than fifteen percent of the bit length of the modulus N but not less than 56 bits.

8. A system for securing stored files having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a security server, comprising:
- a security server configured to encrypt a symmetric crypto-key to form an encrypted key message;
  
  a file server, having an associated file server crypto-key, configured to encrypt data with the symmetric crypto-key to form an encrypted file; and
  
  storage media configured to store the encrypted file and said encrypted key message;
  
  wherein, (i) the security server is operable to encrypt the symmetric crypto-key with the second private key portion of the file server crypto-key to form the encrypted key message, and (ii) the file server is operable to obtain the symmetric crypto-key by applying the first private key portion of the file server crypto-key to decrypt the encrypted key message.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A system according to claim 8, further comprising:
    - a user processor configured to encrypt a first retrieve file request with the first private key portion of a user crypto-key to form a first encrypted retrieve file request;
      
      wherein, the security server encrypts the first encrypted retrieve file request with the second private key portion of the user crypto-key to form a second encrypted retrieve file request, andwherein, the file server (i) obtains the first retrieve file request by applying the public key portion of the user crypto-key to decrypt the second encrypted retrieve file request, (ii) directs the retrieval of the encrypted file and the encrypted key message from the storage media responsive to the retrieve file request, (iii) obtains the symmetric crypto-key by applying the first private key portion of the file server crypto-key to decrypt the retrieved encrypted key message, and (iv) obtains the data by applying the symmetric crypto-key to decrypt the retrieved encrypted file.
  - 10. A system according to claim 9, wherein said security server obtains the first retrieve file request by applying the second private key portion of the user crypto-key to the first encrypted retrieve file request, and the file server directs the data to the user processor.
  - 11. A system according to claim 8, wherein each said key portion has a bit length and the bit length of each first private key portion is smaller than the bit length of the associated second private key portion.
  - 12. A system according to claim 8, wherein the bit length of each said first private key portion is between 56 and 72 bits.
  - 13. A system according to claim 8, wherein (i) each said private key portion is comprised of a private exponent and modulus N which is a product of a plurality of numbers within a set of large prime numbers, (ii) each said public key portion is comprised of a public exponent and the modulus N and (iii) the modulus N has a bit length and the bit length of each said private key portion is no larger than fifteen percent of the bit length of the modulus N but not less than 56 bits.

14. An article of manufacture for securing stored files in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a security server, comprising:
- computer readable storage medium; and
  
  computer programming stored on said storage medium;
  
  wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to;
  
  decrypt a symmetric crypto-key encrypted with the second private key portion of a user crypto-key associated with a user of said computer by applying the first private key portion of the user crypto-key, to thereby obtain the symmetric crypto-key;
  
  encrypt data with the symmetric crypto-key to form an encrypted file; and
  
  store the encrypted file and the encrypted symmetric crypto-key.
- View Dependent Claims (15, 16)
- - 15. An article of manufacture according to claim 14, wherein said stored computer programming is configured to be readable from said computer readable storage medium by the computer to thereby cause said computer to operate so as to:
    - decrypt a retrieve file request encrypted with the first and the second private key portion of a second user crypto-key by applying the public key portion of said second user crypto-key to obtain the retrieve file request;
      
      retrieve the encrypted file and the encrypted symmetric crypto-key from storage responsive to said retrieve file request;
      
      decrypt the retrieved encrypted symmetric crypto-key by applying the first private key portion of the user crypto-key to obtain the symmetric crypto-key; and
      
      decrypt the retrieved encrypted file by applying the symmetric crypto-key to obtain the data.
  - 16. An article of manufacture according to claim 15, wherein said stored computer programming is configured to be readable from said computer readable storage medium by the computer to thereby cause said computer to operate so as to direct the data to the second user.

17. A programmed computer for securing stored files in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a security server, comprising:
- a processor for decrypting a symmetric crypto-key encrypted with the second private key portion of a user crypto-key by applying the first private key portion of the user crypto-key, to thereby obtain the symmetric crypto-key, and encrypting data with the symmetric crypto-key to form an encrypted file;
  
  storage media for storing the encrypted file and the encrypted symmetric crypto-key.
- View Dependent Claims (18)
- - 18. A programmed computer according to claim 17, wherein:
    - the processor is adapted to decrypt a retrieve file request encrypted with the first and the second private key portion of a second user crypto-key by applying the public key portion of said second user crypto-key to obtain the retrieve file request, to retrieve the encrypted file and the encrypted symmetric crypto-key from the storage media, to decrypt the retrieved encrypted symmetric crypto-key by applying the first private key portion of the user crypto-key to obtain the symmetric crypto-key, and to decrypt the retrieved encrypted file by applying the symmetric crypto-key to obtain the data;
      
      the storage media is adapted to store the first private key portion of the user crypto-key.

19. A method for session key distribution in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, the private key portion of a first user having a first private key portion known only to the first user and a corresponding second private key portion known only to a security server and the private key portion of a second user known only to the second user, comprising the steps of:
- encrypting a symmetric session key request with the first private key portion of the first user crypto-key to form a first encrypted message;
  
  decrypting the first encrypted message by applying the second private key portion of the first user crypto-key to thereby obtain the session key request;
  
  encrypting a symmetric session crypto-key with the second private key portion of the first user crypto-key to form a first encrypted key message;
  
  encrypting the symmetric session crypto-key with the public key portion of the second user crypto-key to form a second encrypted key message;
  
  decrypting the first encrypted key message by applying the first private key portion of the first user crypto-key to obtain the symmetric session crypto-key for the first user;
  
  decrypting the second encrypted key message by applying the private key portion of the second user crypto-key to obtain the symmetric session crypto-key for the second user;
  
  encrypting and decrypting communications between said first user and said second user with the symmetric crypto-key.
- View Dependent Claims (20)
- - 20. A method according to claim 19, wherein said (i) each said private key portion is comprised of a private exponent and modulus N which is a product of a plurality of numbers within a set of large prime numbers, (ii) each said public key portion is comprised of a public exponent and the modulus N and (iii) the modulus N has a bit length and the bit length of each said private key portion is no larger than fifteen percent of the bit length of the modulus N but not less than 56 bits.

21. A system for session key distribution having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, the private key portion of a first user having a first private key portion known only to the first user and a corresponding second private key portion known only to a security server and the private key portion of a second user known only to the second user, comprising:
- a security server configured to encrypt a symmetric session crypto-key with the second private key portion of the first user crypto-key to form a first encrypted key message and to encrypt the symmetric session crypto-key with the public key portion of the second user crypto-key to form a second encrypted key message, and having an associated storage medium for storing the second private key portion of the first user crypto-key and the public key portion of the second user crypto-key;
  
  a first user processor configured to decrypt the first encrypted key message by applying the first private key portion of the first user crypto-key to obtain the symmetric crypto-key, and to encrypt communications to and decrypt communications from the second user with the symmetric crypto-key;
  
  a second user processor configured to decrypt the second encrypted key message by applying the private key portion of the second user crypto-key to obtain the symmetric crypto-key, and to encrypt communications to and decrypt communications from the first user with the symmetric crypto-key.
- View Dependent Claims (22)
- - 22. A system according to claim 21, wherein (i) each said private key portion is comprised of a private exponent and modulus N which is a product of a plurality of numbers within a set of large prime numbers, (ii) each said public key portion is comprised of a public exponent and the modulus N and (iii) the modulus N has a bit length and the bit length of each said private key portion is no larger than fifteen percent of the bit length of the modulus N but not less than 56 bits.

23. An article of manufacture for session key distribution in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, the private key portion of a first user having a first private key portion known only to the first user and a corresponding second private key portion known only to a security server and the private key portion of a second user known only to the second user, comprising:
- computer readable storage medium; and
  
  computer programming stored on said storage medium;
  
  wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to;
  
  decrypt a first message encrypted with the first private key portion of the first user crypto-key by applying the second private key portion of the first user crypto-key to thereby obtain a session key request;
  
  encrypt a symmetric crypto-key with the second private key portion of the first user crypto-key to form a first encrypted key message; and
  
  encrypt the symmetric crypto-key with the public key portion of the second user crypto-key to form a second encrypted key message;
  
  wherein, the symmetric crypto-key is obtainable by the first user by applying the first private key portion of the first user crypto-key to the first encrypted key message and by the second user by applying the private key portion of the second user crypto-key to the second encrypted key message so that the symmetric crypto-key is available to encrypt and decrypt communications between said first and said second users.

24. A programmed computer for session key distribution in a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, the private key portion of a first user having a first private key portion known only to the first user and a corresponding second private key portion known only to a security server and the private key portion of a second user known only to the second user, comprising:
- a processor for decrypting a first message encrypted with the first private key portion of the first user crypto-key by applying the second private key portion of the first user crypto-key to thereby obtain a session key request, for generating a symmetric crypto-key, for encrypting the symmetric crypto-key with the second private key portion of the first user crypto-key to form a first encrypted key message, and for encrypting the symmetric crypto-key with the public key portion of the second user crypto-key to form a second encrypted key message; and
  
  storage media for storing the second private key portion of the first user crypto-key and the public key portion of the second user crypto-key. wherein, the symmetric crypto-key is obtainable by the first user by applying the first private key portion of the first user crypto-key to the first encrypted key message and by the second user by applying the private key portion of the second user crypto-key to the second encrypted key message so that the symmetric crypto-key is available to encrypt and decrypt communications between said first and said second users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Bell Atlantic Network Services, Inc. (Verizon Communications Inc.)
Inventors
Ganesan, Ravi
Primary Examiner(s)
Barron, Jr., Gilberto

Application Number

US08/663,019
Time in Patent Office

697 Days
Field of Search

380/21, 380/30
US Class Current

713/165
CPC Class Codes

H04L 9/083 involving central third par...

H04L 9/0894 Escrow, recovery or storing...

Securing E-mail communications and encrypted file storage using yaksha split private key asymmetric cryptography

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

332 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Securing E-mail communications and encrypted file storage using yaksha split private key asymmetric cryptography

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

332 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links