System and method for controlling access to a user secret using a key recovery field

US 6,272,632 B1
Filed: 02/12/1998
Issued: 08/07/2001
Est. Priority Date: 02/21/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method for an encrypting system to control access to a user secret, the access being defined by one or more access rules, the method comprising the steps of:

(1) receiving an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and

(2) generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for data recovery is described. In one embodiment, an encrypting system encrypts a message or file using a secret key (KS) and attaches a key recovery field (KRF), including an access rule index (ARI) and KS, to the encrypted message or file. To access the encrypted message or file, a decrypting system must satisfactorily respond to a challenge issued by a key recovery center. The challenge is based on one or more access rules that are identified by the ARI included within the KRF.

Citations

30 Claims

1. A method for an encrypting system to control access to a user secret, the access being defined by one or more access rules, the method comprising the steps of:
- (1) receiving an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
  
  (2) generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index and an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said encrypted payload section.
  - 3. The method of claim 2, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index and an access rule index binding digest, said access rule index binding digest including a hash of information that includes at least a portion of said access rule index and at least a portion of said encrypted payload.
  - 4. The method of claim 2, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index, a key identifier, and an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said user secret in said encrypted payload section.
  - 5. The method of claim 4, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index, a key identifier, and an access rule index binding digest, said access rule index binding digest including a hash of information that includes at least a portion of said access rule index, at least a portion of said key identifier, and at least a portion of said encrypted payload.
  - 6. The method of claim 4, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index, a key identifier, a key recovery center identifier, and an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said user secret in said encrypted payload section.
  - 7. The method of claim 6, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index, a key identifier, a key recovery center identifier, and an access rule index binding digest, said access rule index binding digest including a hash of information that includes at least a portion of said access rule index, at least a portion of said key identifier, at least a portion of said key recovery center identifier, and at least a portion of said encrypted payload.
  - 8. The method of claim 7, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes said access rule index, a key identifier, a key recovery center identifier, and an access rule index binding digest, said access rule index binding digest of the form:
9. The method of claim 8, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said encrypted payload section includes said user secret and a verification digest, said verification digest securely binding said key recovery center identifier and said key identifier with said encrypted payload section.
10. The method of claim 1, wherein step (2) comprises the step of generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes an unprotected access rule index.

11. A system that enables an encrypting system to control access to a user secret, the access being defined by one or more access rules, the system comprising:
- means for receiving an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
  
  means for generating a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein said unencrypted header section further includes an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said encrypted payload section.
  - 13. The system of claim 12, wherein said access rule index binding digest includes a hash of information that includes at least a portion of said access rule index and at least a portion of said encrypted payload.
  - 14. The system of claim 12, wherein said unencrypted header section includes said access rule index, a key identifier, and an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said user secret in said encrypted payload section.
  - 15. The system of claim 14, wherein said access rule index binding digest includes a hash of information that includes at least a portion of said access rule index, at least a portion of said key identifier, and at least a portion of said encrypted payload.
  - 16. The system of claim 14, wherein said unencrypted header section includes said access rule index, a key identifier, a key recovery center identifier, and an access rule index binding digest.
  - 17. The system of claim 16, wherein said access rule index binding digest includes a hash of information that includes at least a portion of said access rule index, at least a portion of said key identifier, at least a portion of said key recovery center identifier, and at least a portion of said encrypted payload.
  - 18. The system of claim 17, wherein said access rule index binding digest is of the form:
19. The system of claim 18, wherein said encrypted payload section includes said user secret and a verification digest, said verification digest securely binding said key recovery center identifier and said key identifier with said encrypted payload section.
20. The system of claim 11, wherein said unencrypted header section includes an unprotected access rule index.

21. A computer program product for enabling a processor in a computer system to control access to a user secret, the access being defined by one or more access rules, said computer program product comprising:
- a computer usable medium having computer readable program code means embodied in said medium for causing a program to execute on the computer system, said computer readable program code means comprising;
  
  a first computer readable program code means for enabling the computer system to receive an access rule index from an access rule index source, said access rule index referencing one or more access rules to control access to a user secret; and
  
  a first computer readable program code means for enabling the computer system to generate a key recovery field that includes an unencrypted header section and an encrypted payload section, wherein said unencrypted header section includes at least said access rule index and said encrypted payload section includes at least said user secret.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21, wherein said unencrypted header section further includes an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said encrypted payload section.
  - 23. The computer program product of claim 22, wherein said access rule index binding digest includes a hash of information that includes at least a portion of said access rule index and at least a portion of said encrypted payload.
  - 24. The computer program product of claim 22, wherein said unencrypted header section includes said access rule index, a key identifier, and an access rule index binding digest, said access rule index binding digest securely binding said access rule index to said user secret in said encrypted payload section.
  - 25. The computer program product of claim 24, wherein said access rule index binding digest includes a hash of information that includes at least a portion of said access rule index, at least a portion of said key identifier, and at least a portion of said encrypted payload.
  - 26. The computer program product of claim 24, wherein said unencrypted header section includes said access rule index, a key identifier, a key recovery center identifier, and an access rule index binding digest.
  - 27. The computer program product of claim 26, wherein said access rule index binding digest includes a hash of information that includes at least a portion of said access rule index, at least a portion of said key identifier, at least a portion of said key recovery center identifier, and a t least a portion of said encrypted payload.
  - 28. The computer program product of claim 27, wherein said access rule index binding digest is of the form:
29. The computer program product of claim 28, wherein said encrypted payload section includes said user secret and a verification digest, said verification digest securely binding said key recovery center identifier and said key identifier with said encrypted payload section.
30. The computer program product of claim 21, wherein said unencrypted header section includes an unprotected access rule index.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Network Associates, Inc.
Inventors
Walker, Stephen T., Balenson, David M., Tajalli, Homayoon, Carman, David W.
Primary Examiner(s)
Swann, Tod
Assistant Examiner(s)
Callahan, Paul E.

Application Number

US09/022,677
Time in Patent Office

1,272 Days
Field of Search

713/200, 713/155, 713/160, 713/168, 713/170, 380/286, 380/277, 380/59
US Class Current

713/168
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 2221/2103   Challenge-response

H04L 63/06   for supporting key manageme...

H04L 9/0894   Escrow, recovery or storing...

System and method for controlling access to a user secret using a key recovery field

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for controlling access to a user secret using a key recovery field

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links