Method and apparatus for correcting improper encryption and/or for reducing memory storage

US 6,341,164 B1
Filed: 07/22/1998
Issued: 01/22/2002
Est. Priority Date: 07/22/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for facilitating an encryption process comprising the steps of:

receiving data containing header data wherein the header data includes a plurality of cryptographic key packages associated with multiple recipients;

parsing the header data to determine whether at least one of the plurality of cryptographic key packages corresponds to key identification data for a predetermined recipient; and

removing at least some cryptographic key packages not corresponding to the key identification data for the predetermined recipient.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and methods for facilitating an encryption process for use in systems employing cryptography based security, removes unnecessary data relating to encryption keys prior to storing the data after receipt of the encrypted information from a sender. Encrypted data, such as message data for multiple recipients, is analyzed to determine whether encryption related data for other recipients may be removed and/or whether a preferred encrypting process was used. In one embodiment, the apparatus and method also determines whether a non-preferred encryption process was used to encrypt encrypted data and re-encrypts the encrypted data with a different encryption process in response to detected non-preferred encryption key usage.

280 Citations

38 Claims

1. A method for facilitating an encryption process comprising the steps of:
- receiving data containing header data wherein the header data includes a plurality of cryptographic key packages associated with multiple recipients;
  
  parsing the header data to determine whether at least one of the plurality of cryptographic key packages corresponds to key identification data for a predetermined recipient; and
  
  removing at least some cryptographic key packages not corresponding to the key identification data for the predetermined recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein at least one cryptographic key package includes at least one symmetric encryption key wrapped with an asymmetric encryption key.
  - 3. The method of claim 1 wherein the data also contains message data and wherein the method further includes the step of re-storing the parsed header data with encrypted message data for future use wherein the re-stored parsed header data omits the removed cryptographic key packages.
  - 4. The method of claim 1 wherein the step of removing at least some cryptographic key packages includes removing all cryptographic key packages except the cryptographic key package corresponding to the predetermined recipient.
  - 5. The method of claim 2 including the step of re-encrypting the symmetric encryption key with a different asymmetric encryption key to generate a second and different cryptographic key package.
  - 6. The method of claim 5 including the step of parsing the header data to determine whether at least one of the plurality of cryptographic key packages includes identification data corresponding to digital signing data for a predetermined recipient.
  - 7. The method of claim 2 including the step of re-encrypting the symmetric encryption key using a different asymmetric encryption process than that used to originally wrap the symmetric encryption key.
  - 8. The method of claim 7 wherein the different asymmetric encryption process is from the group of:
    - elliptic curve, RSA, ElGamal and Diffie-Hellman encryption processes.
  - 9. The method of claim 2 including the steps of:
10. The method of claim 1 including the step of decrypting, compressing, and re-encrypting the message data prior to restoring the encrypted message.

11. A method for facilitating an encryption process comprising the steps of:
- receiving data containing header data wherein the header data includes a plurality of cryptographic key packages associated with multiple recipients;
  
  parsing the header data to determine whether at least one of the plurality of cryptographic key packages corresponds to key identification data for a predetermined recipient; and
  
  removing at least some cryptographic key packages not corresponding to the predetermined recipient to obtain a first remaining cryptographic key package corresponding to the predetermined recipient;
  
  decrypting an encryption symmetric key from the first remaining cryptographic key package to obtain a recipient encryption key;
  
  re-encrypting the recipient encryption key to generate a second cryptographic key package; and
  
  storing the second cryptographic key package for later use by the recipient.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11 wherein the step of re-encrypting the recipient encryption key includes using at least one of elliptic curve, RSA, ElGamal and Diffie-Hellman encryption processes as a different asymmetric encryption process to generate the second cryptographic key package.
  - 13. The method of claim 11 wherein the step of re-encrypting the recipient encryption key includes generating the second cryptographic key package by encrypting a message encryption key with a public encryption key from a public key certificate.

14. A method for facilitating an encryption process comprising the steps of:
- receiving data containing header data wherein the header data includes a plurality of cryptographic key packages associated with multiple recipients;
  
  re-encrypting the header data leaving only header data corresponding to the predetermined recipient; and
  
  storing the re-encrypted header data for later use by the recipient.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 wherein the step of re-encrypting includes upgrading recipient asymmetric key strength by re-encrypting a symmetric key from an associated recipient cryptographic key package with a different asymmetric key.
  - 16. The method of claim 14 including the step of re-encrypting message data with a different symmetric encryption process, involving at least one of a different symmetric encryption key and a different symmetric encryption algorithm.
  - 17. The method of claim 16 wherein the step of re-encrypting the message data includes:

18. A method for facilitating an encryption process comprising the steps of:
- receiving encrypted data;
  
  determining an encryption key used to encrypt the encrypted data to determine whether an improper encryption key was used to encrypt the encrypted data;
  
  re-wrapping the encrypted data with a different encryption process in response to a detected improper encryption key usage.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The method of claim 18 wherein the encrypted data includes header data containing at least one cryptographic key package having a wrapped message encryption key and key identification data associated with at least one recipient and used to encrypt message data.
  - 20. The method of claim 19 wherein key identification data is used to determine improper encryption key usage.
  - 21. The method of claim 18 wherein the step of determining an encryption key used to encrypt the encrypted data includes determining whether a digital signing key was used as an encryption key.
  - 22. The method of claim 20 wherein the step of re-wrapping the encrypted data with a different encryption process includes re-wrapping using a different encryption key or algorithm from the group of:
    - RSA, elliptic curve, ElGamal and Diffie-Hellman based encryption algorithms.
  - 23. The method of claim 21 wherein the step of re-wrapping the encrypted data with a different encryption process includes re-encrypting using a different encryption key.
  - 24. The method of claim 19 including the steps of:
25. The method of claim 18 where the encrypted data includes header data and message data, including the step of re-encrypting message data with a different symmetric key.
26. The method of claim 25 wherein the step of re-encrypting the message data includes:
- parsing the header data and extracting a specific recipient'"'"'s cryptographic key package;
  
  using a symmetric encryption key recovered from the cryptographic key package to decrypt message data;
  
  selecting a different symmetric encryption key;
  
  compressing the decrypted message data;
  
  re-encrypting the message data with the different symmetric encryption key; and
  
  re-wrapping the different symmetric encryption key with a public encryption key.

27. An apparatus for facilitating an encryption process comprising:
- means for receiving data containing header data wherein the header data includes a plurality of cryptographic key packages associated with multiple recipients;
  
  means, operatively coupled to the receiving means, for parsing the header data to determine whether at least one of the plurality of cryptographic key packages corresponds to key identification data for a predetermined recipient; and
  
  means, operatively coupled to the parsing means, for removing at least some cryptographic key packages not corresponding to the key identification data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The apparatus of claim 27 wherein at least one cryptographic key package includes at least one symmetric encryption key wrapped using an asymmetric encryption key.
  - 29. The apparatus of claim 27 wherein the data also contains message data and wherein the system includes means for re-storing the parsed header data with encrypted message data for future use.
  - 30. The apparatus of claim 27 wherein the means for removing at least some cryptographic key packages removes all cryptographic key packages except the cryptographic key package corresponding to the predetermined recipient.
  - 31. The apparatus of claim 27 including means for parsing the header data to determine whether at least one of the plurality of cryptographic key packages includes digital signing key data for a predetermined recipient.
  - 32. The apparatus of claim 28 including means for re-encrypting the symmetric encryption key with at least one of a different asymmetric encryption key and asymmetric encryption process to generate a second cryptographic key package.
  - 33. The apparatus of claim 32 wherein the means for removing includes means for retrieving a decryption key based on key identification data, decrypting a cryptographic key package to recover a symmetric encryption key, then re-encrypting the symmetric encryption key.
  - 34. The apparatus of claim 27 including means for compressing message data prior to restoring encrypted message data.

35. An apparatus for facilitating an encryption process comprising:
- means for receiving data containing header data wherein the header data includes a plurality of cryptographic key packages associated with multiple recipients;
  
  a re-encryptor, operatively responsive to the received data, that re-encrypts the header data with only header data corresponding to the predetermined recipient; and
  
  means for storing the re-encrypted header data for later use by the recipient.
- View Dependent Claims (36, 37, 38)
- - 36. The apparatus of claim 35 wherein the re-encryptor uses a preferred recipient asymmetric key by re-encrypting a symmetric key recovered from an associated recipient cryptographic key package with a different asymmetric key.
  - 37. The apparatus of claim 35 including a message data re-encryptor that operates by:
38. The apparatus of claim 35 including means for determining an encryption key used to encrypt the encrypted data to determine whether a non-preferred encryption key was used to encrypt the encrypted data and for re-wrapping the encrypted data with a different encryption process in response to a detected non-preferred encryption key usage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Technologies Limited
Inventors
Van Oorschot, Paul C., Dilkie, Lee
Primary Examiner(s)
Hayes, Gail
Assistant Examiner(s)
Seal, James

Application Number

US09/120,716
Time in Patent Office

1,280 Days
Field of Search

713/153, 380/278
US Class Current

380/278
CPC Class Codes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Method and apparatus for correcting improper encryption and/or for reducing memory storage

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

280 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for correcting improper encryption and/or for reducing memory storage

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

280 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links