Interoperable cryptographic key recovery system

US 5,796,830 A
Filed: 07/29/1996
Issued: 08/18/1998
Est. Priority Date: 07/29/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method of providing, in a manner verifiable by a possessor of a cryptographic key, for the recovery of said key using a plurality of cooperating key recovery agents, comprising the steps of:

generating a plurality of shared key recovery values from which said key may be recovered, said key recovery values being generated as a function only of said key and public information;

encrypting said shared key recovery values under respective keys of said key recovery agents to generate encrypted recovery values; and

transmitting said encrypted recovery values over a communications channel to make said shared key recovery values available to said key recovery agents, whereby said shared key recovery values may be regenerated from said cryptographic key and said public information by a possessor of said key to verify said encrypted recovery values without requiring additional secret information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic key recovery system that is interoperable with existing systems for establishing keys between communicating parties. The sender uses a reversible key inversion function to generate key recovery values P, Q and (optionally) R as a function of a session key and public information, so that the session key may be regenerated from the key recovery values P, Q and (if generated) R. Key recovery values P and Q are encrypted using the respective public recovery keys of a pair of key recovery agents. The encrypted P and Q values are included along with other recovery information in a session header accompanying an encrypted message sent from the sender to the receiver. The key recovery agents may recover the P and Q values for a law enforcement agent by decrypting the encrypted P and Q values in the session header, using their respective private recovery keys corresponding to the public keys. The R value, if generated, is not made available to the key recovery agents, but is ascertained using standard cryptanalytic techniques in order to provide a nontrivial work factor for law enforcement agents. The receiver checks the session header of a received message to ensure that the sender has included valid recovery information. Only when the receiver has verified that the sender has included valid recovery information does the receiver decrypt the received message.

Citations

32 Claims

1. A method of providing, in a manner verifiable by a possessor of a cryptographic key, for the recovery of said key using a plurality of cooperating key recovery agents, comprising the steps of:
- generating a plurality of shared key recovery values from which said key may be recovered, said key recovery values being generated as a function only of said key and public information;
  
  encrypting said shared key recovery values under respective keys of said key recovery agents to generate encrypted recovery values; and
  
  transmitting said encrypted recovery values over a communications channel to make said shared key recovery values available to said key recovery agents, whereby said shared key recovery values may be regenerated from said cryptographic key and said public information by a possessor of said key to verify said encrypted recovery values without requiring additional secret information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1 in which a pair of communicating parties use said cryptographic key to intercommunicate.
  - 3. The method of claim 2 in which said cryptographic key is established by one of said parties and communicated to the other of said parties.
  - 4. The method of claim 1 in which said cryptographic key is established by both of said parties acting in concert.
  - 5. The method of claim 1 in which said cryptographic key is completely determined by said shared key recovery values.
  - 6. The method of claim 1 in which said generating step comprises the further step of:
    - generating a nonshared key recovery value as a function of said cryptographic key that is not shared with any key recovery agent, said key being completely determined by said shared key recovery values and said nonshared key recovery value.
  - 7. The method of claim 1 in which said generating step comprises the steps of:
    - generating a first input value as a first invertible function of said cryptographic key;
      
      concatenating at least a portion of said first input value with a second input value to generate a lengthened input value;
      
      generating an output value as a second invertible function of said lengthened input value; and
      
      partitioning said output value into subportions to create said shared key recovery values.
  - 8. The method of claim 7 in which said second input value is generated as a function of said cryptographic key.
  - 9. The method of claim 7 in which only a portion of said first input value is concatenated with said second input value to generate said lengthened input value, the remaining portion of said first input value being used to generate a nonshared key recovery value that is not made available to any key recovery agent.
  - 10. The method of claim 9 in which said second input value is generated as a function of said remaining portion of said input value.
  - 11. The method of claim 7 in which said first invertible function is a pseudorandom function.
  - 12. The method of claim 7 in which said first invertible function is such that each bit of said first input value depends on each bit of said cryptographic key.
  - 13. The method of claim 7 in which said second invertible function is a pseudorandom function.
  - 14. The method of claim 7 in which said second invertible function is such that each bit of said output value depends on each bit of said lengthened input value.
  - 15. The method of claim 7 in which all of said first input value is concatenated with said second input value to generate said lengthened input value.
  - 16. The method of claim 7 in which said first invertible function is a non-pseudorandom function.
  - 17. The method of claim 7 in which one of said subportions of said output value is a nonshared key recovery value that is not made available to any key recovery agent.
  - 18. The method of claim 1, further comprising the steps of:
    - regenerating said shared key recovery values from said key and said public information;
      
      encrypting said regenerated shared key recovery values under said encryption keys of said key recovery agents to generate comparison encrypted recovery values; and
      
      comparing said transmitted encrypted recovery values with said comparison encrypted recovery values to verify said transmitted encrypted recovery values.
  - 19. The apparatus of claim 18 in which said generating means further comprises:
    - means for generating a nonshared key recovery value as a function of said cryptographic key that is not shared with any key recovery agent, said key being completely determined by said shared key recovery values and said nonshared key recovery value.
  - 20. The apparatus of claim 18 in which said generating means comprises:
    - means for generating a first input value as a first invertible function of said cryptographic key;
      
      means for concatenating at least a portion of said first input value with a second input value to generate a lengthened input value;
      
      means for generating an output value as a second invertible function of said lengthened input value; and
      
      means for partitioning said output value into subportions to create said shared key recovery values.
  - 21. The method of claim 1 in which said keys of said key recovery agents are public encryption keys.
  - 22. The program storage of claim 21 in which said generating step comprises the further step of:
    - generating a nonshared key recovery value as a function of said cryptographic key that is not shared with any key recovery agent, said key being completely determined by said shared key recovery values and said nonshared key recovery value.
  - 23. The program storage device of claim 21 in which said generating step comprises the steps of:
    - generating a first input value as a first invertible function of said cryptographic key;
      
      concatenating at least a portion of said first input value with a second input value to generate a lengthened input value;
      
      generating an output value as a second invertible function of said lengthened input value; and
      
      partitioning said output value into subportions to create said shared key recovery values.
  - 24. The method of claim 7 in which said first input value comprises said key.
  - 25. The apparatus of claim 20 in which said first input value comprises said key.
  - 26. The program storage device of claim 23 in which said first input value comprises said key.

27. Apparatus for providing, in a manner verifiable by a possessor of a cryptographic key, for the recovery of said key using a plurality of cooperating key recovery agents, comprising:
- means for generating a plurality of shared key recovery values from which said key may be recovered, said key recovery values being generated as a function only of said key and public information;
  
  means for encrypting said shared key recovery values under respective keys of said key recovery agents to generate encrypted recovery values; and
  
  means for transmitting said encrypted recovery values over a communications channel to make said shared key recovery values available to said key recovery agents, whereby said shared key recovery values may be regenerated from said cryptographic key and said public information by a possessor of said key to verify said encrypted recovery values without requiring additional secret information.
- View Dependent Claims (28, 29)
- - 28. The apparatus of claim 27, further comprising:
    - means for regenerating said shared key recovery values from said key and said public information;
      
      means for encrypting said regenerated shared key recovery values under said encryption keys of said key recovery agents to generate comparison encrypted recovery values; and
      
      means for comparing said transmitted encrypted recovery values with said comparison encrypted recovery values to verify said transmitted encrypted recovery values.
  - 29. The apparatus of claim 27 in which said keys of said key recovery agents are public encryption keys.

30. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for providing, in a manner verifiable by a possessor of a cryptographic key, for the recovery of said key using a plurality of cooperating key recovery agents, said method steps comprising:
- generating a plurality of shared key recovery values from which said key may be recovered, said key recovery values being generated as a function only of said key and public information;
  
  encrypting said shared key recovery values under respective keys of said key recovery agents to generate encrypted recovery values; and
  
  transmitting said encrypted recovery values over a communications channel to make said shared key recovery values available to said key recovery agents, whereby said shared key recovery values may be regenerated from said cryptographic key and said public information by a possessor of said key to verify said encrypted recovery values without requiring additional secret information.
- View Dependent Claims (31, 32)
- - 31. The program storage device of claim 30, said method steps further comprising:
    - regenerating said shared key recovery values from said key and said public information;
      
      encrypting said regenerated shared key recovery values under said encryption keys of said key recovery agents to generate comparison encrypted recovery values; and
      
      comparing said transmitted encrypted recovery values with said comparison encrypted recovery values to verify said transmitted encrypted recovery values.
  - 32. The program storage device of claim 30 in which said keys of said key recovery agents are public encryption keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Yung, Marcel Mordechay, Zunic, Nevenko, Safford, David Robert, Matyas, Stephen Michael Jr., Karger, Paul Ashley, Kaufman, Charles William Jr., Johnson, Donald Byron
Primary Examiner(s)
Cain, David C.

Application Number

US08/681,679
Time in Patent Office

750 Days
Field of Search

380/21, 380/30, 380/49, 380/28, 380/23
US Class Current

380/286
CPC Class Codes

H04L 9/0894 Escrow, recovery or storing...

Interoperable cryptographic key recovery system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Interoperable cryptographic key recovery system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links