System and method for controlling access to a user secret using a key recovery field
First Claim
Patent Images
1. A method for an encrypting system to control access to a user secret, the access being defined by one or more access rules, the method comprising the steps of:
- (1) receiving an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
(2) generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret.
3 Assignments
0 Petitions
Accused Products
Abstract
A system and method for data recovery is described. In one embodiment, an encrypting system encrypts a message or file using a secret key (KS) and attaches a key recovery field (KRF), including an access rule index (ARI) and KS, to the encrypted message or file. To access the encrypted message or file, a decrypting system must satisfactorily respond to a challenge issued by a key recovery center. The challenge is based on one or more access rules that are identified by the ARI included within the KRF.
-
Citations
30 Claims
-
1. A method for an encrypting system to control access to a user secret, the access being defined by one or more access rules, the method comprising the steps of:
-
(1) receiving an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
(2) generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
H1 XOR H2 H1=HMAC [Key=Ka1] (HINFO||encrypted payload) H2=HMAC [Key=Ka2] (HINFO||encrypted payload) wherein HINFO includes at least a portion of said access rule index, at least a portion of said key identifier, and at least a portion of said key recovery center identifier.
-
-
9. The method of claim 8, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said encrypted payload section includes said user secret and a verification digest, said verification digest securely binding said key recovery center identifier and said key identifier with said encrypted payload section.
-
10. The method of claim 1, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes an unprotected access rule index.
-
11. A system that enables an encrypting system to control access to a user secret, the access being defined by one or more access rules, the system comprising:
-
means for receiving an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
means for generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
H1 XOR H2 H1=HMAC [Key=Ka1] (HINFO||encrypted payload) H2=HMAC [Key=Ka2] (HINFO||encrypted payload) wherein HINFO includes at least a portion of said access rule index, at least a portion of said key identifier, and at least a portion of said key recovery center identifier.
-
-
19. The system of claim 18, wherein said encrypted payload section includes said user secret and a verification digest, said verification digest securely binding said key recovery center identifier and said key identifier with said encrypted payload section.
-
20. The system of claim 11, wherein said unencrypted header section includes an unprotected access rule index.
-
21. A computer program product for enabling a processor in a computer system to control access to a user secret, the access being defined by one or more access rules, said computer program product comprising:
-
a computer usable medium having computer readable program code means embodied in said medium for causing a program to execute on the computer system, said computer readable program code means comprising;
a first computer readable program code means for enabling the computer system to receive an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
a first computer readable program code means for enabling the computer system to generate a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
H1 XOR H2 H1=HMAC [Key=Ka1] (HINFO||encrypted payload) H2=HMAC [Key=Ka2] (HINFO||encrypted payload) wherein HINFO includes at least a portion of said access rule index, at least a portion of said key identifier, and at least a portion of said key recovery center identifier.
-
-
29. The computer program product of claim 28, wherein said encrypted payload section includes said user secret and a verification digest, said verification digest securely binding said key recovery center identifier and said key identifier with said encrypted payload section.
-
30. The computer program product of claim 21, wherein said unencrypted header section includes an unprotected access rule index.
Specification