Method and system for hierarchical key access and recovery
Abstract
A key management system includes a hierarchy (10) of independent key arbitration centers (KAC) for providing access to a user's session keys through key management centers (KMC). When a court order is issued for a user's session keys, a message requesting the keys is transferred down through hierarchy until a terminal KAC (16,36) is reached. Each KAC in the hierarchy adds its ID and signs (116) the message, verifying prior signatures (114). The user's ID is encrypted with the terminal KAC's public key. The terminal KAC engages in a blind key access procedure (129) with the KMC (18,38) to receive the user's session key. The key is provided encrypted with the requesting party's or agency's public key. Accordingly, privacy is assured because only the KMC and the requesting agency have access to the actual key value, and only the terminal KAC and requesting agency have access to the user's ID. No other KACs in the hierarchy have access to the user ID or key value, and the KMC does not know which user's key has been provided.
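The sign-and-forward step described in the abstract and in claim 1, as an added example that is not part of the patent text. Assumptions: toy textbook RSA over small fixed primes stands in for a real signature scheme, the names `agency-A` and `KAC-1` and the message layout are hypothetical, and the organization signature covers only the original request because the KAC ID is added afterwards. Encryption of the user ID and the blind key access with the KMC are left out.

```python
import hashlib
import json

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two known primes (constructed, NOT secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    # Canonical JSON so signer and verifier hash identical bytes.
    blob = json.dumps(data, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data, n)

# Constructed key material (Mersenne primes) and a hypothetical public-key directory.
ORG_KEY = make_key(2**61 - 1, 2**89 - 1)
KAC1_KEY = make_key(2**107 - 1, 2**127 - 1)
PUBLIC = {"agency-A": ORG_KEY["n"], "KAC-1": KAC1_KEY["n"]}

def org_request(user, org):
    """Organization signs the message portion naming the user and itself."""
    request = {"user": user, "org": org}
    return {"request": request, "kac_path": [], "org_sig": sign(ORG_KEY, request)}

def first_kac_forward(msg, kac_id="KAC-1"):
    """First KAC: verify the organization, add its ID, then sign portion + org signature."""
    if not verify(PUBLIC[msg["request"]["org"]], msg["request"], msg["org_sig"]):
        raise ValueError("organization signature invalid")
    out = dict(msg, kac_path=msg["kac_path"] + [kac_id])
    signed = [out["request"], out["kac_path"], out["org_sig"]]
    out["kac1_sig"] = sign(KAC1_KEY, signed)
    return out

def second_kac_accepts(msg):
    """Second KAC: both signatures must verify before it asks the KMC for the key."""
    org_ok = verify(PUBLIC[msg["request"]["org"]], msg["request"], msg["org_sig"])
    signed = [msg["request"], msg["kac_path"], msg["org_sig"]]
    kac_ok = verify(PUBLIC[msg["kac_path"][-1]], signed, msg["kac1_sig"])
    return org_ok and kac_ok
```

Because the first KAC signs the organization signature together with the extended message portion, the second KAC can detect a change to either the request or the routing path.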
21 Claims
1. In a hierarchical key management system comprising a plurality of key arbitration centers (KAC) arranged in a hierarchy, a method for providing access to an encryption key of a user comprising the steps of:
receiving a signed message at a first KAC, said signed message comprising a message portion and an organization signature, said message portion identifying said user and an organization requesting said encryption key, said organization signature being said message portion digitally signed by said organization;
verifying said organization signature by said first KAC;
adding a first KAC ID to said message portion when said organization signature is valid;
after the adding step, signing by said first KAC, said message portion and said organization signature to generate a first KAC signature;
sending said first KAC signature, said organization signature and said message portion to a second KAC, said second KAC being at a next lower level in said hierarchy;
verifying, by said second KAC, said first KAC signature and said organization signature; and
said second KAC requesting said encryption key from a key management center (KMC) to receive said encryption key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. In a hierarchy of key arbitration centers (KACs), a method for providing session keys of a user comprising the steps of:
higher level KACs of said hierarchy routing a request for said session keys to lower level KACs, said KACs being arranged in a hierarchy of KACs; and
said lower level KACs of said hierarchy routing encrypted session keys to said higher level KACs,
wherein each KAC that performs the routing a request step, also performs the steps of signing said request with a private key of said KAC and routing said request to one of said lower level KACs, and
wherein each KAC receiving said request from a higher level KAC, also performing a step of verifying a signature of said higher level KAC.
Dependent claims: 13, 14, 15, 16
17. A hierarchical key management system comprising:
a plurality of key arbitration centers (KAC) arranged in a hierarchy for communicating with each other; and
a plurality of key management centers (KMC) for storing session keys of users, each KMC configured for communicating with one of said KACs,
wherein said KACs route requests for session keys to lower level KACs of said hierarchy, said KACs route encrypted versions of said session keys to designated higher level KACs of said hierarchy, and KACs at end nodes of said hierarchy request said session keys from said KMC.
Dependent claims: 18, 19
20. In a hierarchical key management system comprising a plurality of key arbitration centers (KAC) arranged in a hierarchy, a method for providing access to an encryption key of a user comprising the steps of:
receiving a signed message at a first KAC, said signed message requesting said encryption key;
verifying a signature of said signed message by said first KAC;
adding a first KAC ID to a message portion of said signed message;
signing said message portion by said first KAC, to generate a first KAC signature;
sending a second signed message to a second KAC in said hierarchy, said second signed message including said first KAC signature;
verifying, by said second KAC, said first KAC signature; and
said second KAC receiving said encryption key in response to the verifying step.
Dependent claims: 21
Specification