Ephemeral decryptability

US 6,363,480 B1
Filed: 09/14/1999
Issued: 03/26/2002
Est. Priority Date: 09/14/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of supporting data encryption, comprising:

indicating to a first party at least one expiration time, said indicating of said at least one expiration time performed by a second party;

providing, by said first party, at least one encryption key associated with said expiration time to said second party;

receiving data encrypted by said second party using said encryption key;

decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and

destroying, by said first party, said decryption key associated with said encryption key at said expiration time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a user to encrypt data in a way that ensures the data cannot be decrypted after a finite period. A number of ephemeral encryption keys are established by a first party, each of which will be destroyed at an associated time in the future (the “expiration time”). A second party selects or requests one of the ephemeral encryption keys for encrypting a message. The first party provides an ephemeral encryption key to the second party. Subsequently, the first party decrypts at least a portion of the message, using an ephemeral decryption key associated with the ephemeral encryption key provided to the second party. At the expiration time, the first party destroys all copies of at least the ephemeral decryption key, thus rendering any messages encrypted using the ephemeral encryption key permanently undecipherable. In an alternative embodiment, a number of ephemeral key servers provide a respective number of ephemeral encryption keys having associated expiration times. A party wishing to transmit an ephemeral message uses the provided ephemeral encryption keys to encrypt at least a portion of the message. The receiver of the message uses at least a subset of the ephemeral key servers to decrypt at least a portion of the encrypted message. At the expiration time(s), at least one of the ephemeral key servers permanently destroys at least one of the decryption keys associated with the provided ephemeral encryption keys.

Citations

66 Claims

1. A method of supporting data encryption, comprising:
- indicating to a first party at least one expiration time, said indicating of said at least one expiration time performed by a second party;
  
  providing, by said first party, at least one encryption key associated with said expiration time to said second party;
  
  receiving data encrypted by said second party using said encryption key;
  
  decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  destroying, by said first party, said decryption key associated with said encryption key at said expiration time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein said encryption key is a symmetric encryption key, and wherein said decryption key associated with said encryption key is the same as said encryption key.
  - 3. The method of claim 1, further comprising receiving an encryption key request from said second party, said encryption key request including a requested expiration time range.
  - 4. The method of claim 3, wherein said providing said at least one encryption key by said first party is responsive to said receiving said encryption key request from said second party, and wherein said associated expiration time is within said requested expiration time range.
  - 5. The method of claim 1, wherein said encryption key is a public key of an encryption key pair, said encryption key pair further including a private key, and wherein said decryption key is the same as said private key.
  - 6. The method of claim 5, wherein said encryption key pair is one of a plurality of encryption key pairs, each of said plurality of encryption key pairs including a public and a private key, each of said encryption key pairs associated with a respective expiration time.
  - 7. The method of claim 6, wherein said public keys and said expiration times of said plurality of encryption key pairs are accessible to said second party.
  - 8. The method of claim 7, further comprising selecting, by said second party, one of said encryption key pairs, said selected one of said encryption key pairs including a public key equal to said encryption key, and said selected one of said encryption key pairs having a respective expiration time equal to said expiration time associated with said encryption key.
  - 10. The method of claim 1 wherein said encrypted data includes at least a portion of a file.
  - 11. The method of claim 8 wherein said encrypted data includes indication of said selected one of said plurality of encryption key pairs.
  - 12. The method of claim 1 wherein said encrypted data includes a second encryption key.
  - 13. The method of claim 12, wherein said encrypted data further includes a message body encrypted, at least in part, using said second encryption key.
  - 14. The method of claim 13, wherein said second encryption key is a symmetric encryption key.
  - 15. The method of claim 8, wherein data encrypted with a public key of said selected one of said plurality of encryption key pairs includes a message body.
  - 16. The method of claim 8, wherein said data encrypted with a public key of said selected one of said plurality of encryption key pairs is previously encrypted using a second encryption key associated with said first party.
  - 17. The method of claim 1, wherein said encrypted data is received from said second party via a computer network.
  - 18. The method of claim 1, further comprising transferring, by said second party, said data encrypted using said encryption key to a third party.
  - 19. The method of claim 1, wherein at least a portion of said data encrypted by said second party using said encryption key is received by said first party from said second party.
  - 20. The method of claim 18, wherein at least a portion of said data encrypted by said second party using said encryption key is received by said first party from said third party.
  - 21. The method of claim 20, further comprising transferring, by said first party to said third party, a result of said decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key.
  - 22. The method of claim 21, further comprising providing, by said third party, an identity of said first party to said second party.
  - 23. The method of claim 22, wherein said identity of said first party is included within a list of ephemeral key servers provided to said second party by said third party.
  - 24. The method of claim 1, further comprising selecting said first party by said second party.

9. A method of supporting data encryption, comprising:
- providing, by a first party, at least one encryption key associated with an expiration time to a second party;
  
  receiving data encrypted by said second party using said encryption key, wherein said encrypted data includes at least a portion of an electronic mail message;
  
  decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  destroying, by said first party, said decryption key associated with said encryption key at said expiration time.

25. A computer program product including a computer readable medium, said computer readable medium having a data encryption computer program stored thereon, said data encryption computer program comprising:
- program code for indicating to a first party at least one expiration time, said indicating of said at least one expiration time by a second party;
  
  program code for providing, by said first party, at least one encryption key associated with an expiration time to said second party;
  
  program code for receiving data encrypted by said second party using said encryption key;
  
  program code for decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  program code for destroying, by said first party, said decryption key associated with said encryption at said expiration time.

26. A computer data signal embodied in a carrier wave, said computer data signal including a computer program for providing data encryption, said data encryption computer program comprising:
- program code for indicating to a first party at least one expiration time, said indicating of said at least one expiration time by a second party;
  
  program code for providing, by said first party, at least one encryption key associated with an expiration time to said second party;
  
  program code for receiving data encrypted by said second party using said encryption key;
  
  program code for decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  program code for destroying, by said first party, said decryption key associated with said encryption at said expiration time.

27. A method of encrypting data to be passed from a first party to a second party, comprising:
- indicating at least one expiration time, said indicating of said at least one expiration time by said first party;
  
  providing a plurality of encryption keys to said first party, each of said plurality of encryption keys associated with at least one of a plurality of encryption key servers, each of said plurality of encryption keys having an associated decryption key and an associated expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party;
  
  successively encrypting said data, by said first party, using each one of said plurality of encryption keys;
  
  decrypting, at least in part, said encrypted data, by at least a subset of said plurality of encryption key servers, using at least an associated subset of said decryption keys associated with said encryption keys; and
  
  destroying at least one of said plurality of encryption keys by at least an associated one of said plurality of encryption key servers.

28. A computer program product including a computer readable medium, said computer readable medium having a data encryption computer program stored thereon, said data encryption computer program comprising:
- program code for indicating at least one expiration time, said indicating of said at least one expiration time by said first party;
  
  program code for providing a plurality of encryption keys to said first party, each of said plurality of encryption keys associated with at least one of a plurality of encryption key servers, each of said plurality of encryption keys having an associated decryption key and an associated expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party;
  
  program code for encrypting said data, by said first party, using each one of said plurality of encryption keys;
  
  program code for decrypting, at least in part, said encrypted data, by at least a subset of said plurality of encryption key servers, using at least an associated subset of said decryption keys associated with said encryption keys; and
  
  program code for destroying at least one of said plurality of encryption keys by at least an associated one of said plurality of encryption key servers.

29. A computer data signal embodied in a carrier wave, said computer data signal including a computer program for providing data encryption, said data encryption computer program comprising:
- program code for indicating at least one expiration time, said indicating of said at least one expiration time by said first party;
  
  program code for providing a plurality of encryption keys to said first party, each of said plurality of encryption keys associated with at least one of a plurality of encryption key servers, each of said plurality of encryption keys having an associated decryption key and an associated expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party;
  
  program code for encrypting said data, by said first party, using each one of said plurality of encryption keys;
  
  program code for decrypting, at least in part, said encrypted data, by at least a subset of said plurality of encryption key servers, using at least an associated subset of said decryption keys associated with said encryption keys; and
  
  program code for destroying at least one of said plurality of encryption keys by at least an associated one of said plurality of encryption key servers.

30. A method of encrypting data to be passed from a first party to a second party, comprising:
- indicating at least one expiration time, said indicating of said at least one expiration time by said first party;
  
  providing a plurality of N encryption keys to said first party, each of said plurality of N encryption keys associated with a respective one of a plurality of N encryption key servers, each of said plurality of N encryption keys having an associated decryption key and an associated expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party;
  
  encrypting said data, by said first party, using each one of said plurality of N encryption keys, said encryption performed such that at least K of said associated decryption keys are required to decrypt said data, where K is less than N;
  
  decrypting said encrypted data using less than N, but at least K of said plurality of N encryption key servers, using at least K of said associated decryption keys; and
  
  destroying said associated decryption keys by said plurality of N encryption servers at said associated expiration time.

31. A method of encrypting data to be passed from a first party to a second party, comprising:
- indicating at least one expiration time, said indicating of said at least one expiration time by said first party;
  
  encrypting said data in a plurality of encryption stages, using a respective set of one or more encryption key servers at each one or said plurality of encryption stages, wherein each encryption key server provides an encryption key associated with a decryption key and an expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party, and wherein said data is encrypted in at least one of said plurality of encryption stages such that less than all of the associated decryption keys of the encryption key servers in the respective encryption key server set are necessary to decrypt said data at that one of said plurality of encryption stages;
  
  decrypting, at least in part, said encrypted data, using less than all of said encryption key servers in said encryption key server set associated with said at least one of said plurality of encryption stages; and
  
  destroying said associated decryption keys by said encryption key servers at said associated expiration time.

32. A method of supporting data encryption, comprising:
- receiving an indication of an expiration time from a remote system;
  
  providing, to said remote system, at least one encryption key associated with an expiration time, wherein said associated expiration time is equal to said expiration time received from said remote system;
  
  receiving data encrypted using said encryption key;
  
  decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  destroying said decryption key associated with said encryption at said expiration time.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 41, 42, 43, 44)
- - 33. The method of claim 32, wherein said encryption key is a symmetric encryption key, and wherein said decryption key associated with said encryption key is the same as said encryption key.
  - 34. The method of claim 32, further comprising receiving an encryption key request, said encryption key request including a requested expiration time range.
  - 35. The method of claim 34, wherein said providing said at least one encryption key is responsive to said receiving said encryption key request, and wherein said associated expiration time is within said requested expiration time range.
  - 36. The method of claim 32, wherein said encryption key is a public key of an encryption key pair, said encryption key pair further including a private key, and wherein said decryption key is the same as said private key.
  - 37. The method of claim 36, wherein said encryption key pair is one of a plurality of encryption key pairs, each of said plurality of encryption key pairs including a public and a private key, each of said encryption key pairs associated with a respective expiration time.
  - 38. The method of claim 37, wherein said public keys and said expiration times of said plurality of encryption key pairs are publicly accessible.
  - 41. The method of claim 32 wherein said encrypted data includes a second encryption key.
  - 42. The method of claim 41, wherein said encrypted data further includes a message body encrypted, at least in part, using said second encryption key.
  - 43. The method of claim 42, wherein said second encryption key is a symmetric encryption key.
  - 44. The method of claim 32, wherein said encrypted data is received via a computer network.

39. A method of supporting data encryption, comprising:
- providing at least one encryption key associated with an expiration time;
  
  receiving data encrypted using said encryption key, wherein said encrypted data includes at least a portion of an electronic mail message;
  
  decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  destroying said decryption key associated with said encryption at said expiration time.

40. A method of supporting data encryption, comprising:
- providing at least one encryption key associated with an expiration time;
  
  receiving data encrypted using said encryption key, wherein said encrypted data includes at least a portion of a file;
  
  decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  destroying said decryption key associated with said encryption at said expiration time.

45. A method of supporting data encryption between a first party and a remote second party, comprising:
- indicating, by said first party to said second party, at least one expiration time;
  
  obtaining, from said second party, an encryption key associated with an expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party, said expiration time indicating a time at which a decryption key associated with said encryption key will be destroyed;
  
  encrypting data using said encryption key; and
  
  transmitting said encrypted data to said second party prior to said expiration time.
- View Dependent Claims (46, 47, 48, 49, 50, 55, 56, 57, 60)
- - 46. The method of claim 45, wherein said encryption key is a symmetric encryption key, and wherein said decryption key associated with said encryption key is the same as said encryption key.
  - 47. The method of claim 45, said obtaining further comprising transmitting an encryption key request to said second party, said encryption key request including a requested expiration time range.
  - 48. The method of claim 47, wherein said associated expiration time is within said requested expiration time range.
  - 49. The method of claim 45, wherein said encryption key is a public key of an encryption key pair, said encryption key pair further including a private key, and wherein said decryption key is the same as said private key.
  - 50. The method of claim 49, wherein said encryption key pair is one of a plurality of encryption key pairs, each of said plurality of encryption key pairs including a public and a private key, each of said encryption key pairs associated with a respective expiration time.
  - 55. The method of claim 45 wherein said encrypted data includes a second encryption key.
  - 56. The method of claim 55, wherein said encrypted data further includes a message body encrypted, at least in part, using said second encryption key.
  - 57. The method of claim 56, wherein said second encryption key is a symmetric encryption key.
  - 60. The method of claim 45, wherein said encrypted data is transmitted to said second party via a computer network.

51. A method of supporting data encryption comprising:
- obtaining an encryption key associated with an expiration time, said expiration time indicating a time at which a decryption key associated with said encryption key will be destroyed, wherein said encryption key is a public key of an encryption key pair, said encryption key pair further including a private key, and wherein said decryption key is the same as said private key wherein said encryption key pair is one of a plurality of encryption key pairs, each of said plurality of encryption key pairs including a public and a private key, each of said encryption key pairs associated with a respective expiration time, and wherein said obtaining further comprises selecting one of said encryption key pairs, said selected one of said encryption key pairs including a public key equal to said encryption key, and said selected one of said encryption key pairs having a respective expiration time equal to said expiration time associated with said encryption key;
  
  encrypting data using said encryption key; and
  
  transmitting said encrypted data to a second party prior to said expiration time.
- View Dependent Claims (54, 58, 59)
- - 54. The method of claim 51 wherein said encrypted data includes indication of said selected one of said plurality of encryption key pairs.
  - 58. The method of claim 51, wherein data encrypted with a public key of said selected one of said plurality of encryption key pairs includes a message body.
  - 59. The method of claim 51, wherein said data encrypted with a public key of said selected one of said plurality of encryption key pairs is previously encrypted using a second encryption key associated with said first party.

52. A method of supporting data encryption comprising:
- obtaining an encryption key associated with an expiration time, said expiration time indicating a time at which a decryption key associated with said encryption key will be destroyed;
  
  encrypting data using said encryption key wherein said encrypted data includes at least a portion of an electronic mail message; and
  
  transmitting said encrypted data to a second party prior to said expiration time.

53. A method of supporting data encryption comprising:
- obtaining an encryption key associated with an expiration time, said expiration time indicating a time at which a decryption key associated with said encryption key will be destroyed;
  
  encrypting data using said encryption key wherein said encrypted data includes at least a portion of an electronic mail message; and
  
  transmitting said encrypted data to a second party prior to said expiration time.

61. A system for supporting data encryption, comprising:
- means for indicating to a first party at least one expiration time, wherein said indicating is by a remote second party;
  
  means for providing, by said first party, at least one encryption key associated with an expiration time to said second party, wherein said associated expiration time is equal to said indicated expiration time;
  
  means for receiving data encrypted by said second party using said encryption key;
  
  means for decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  means for destroying, by said first party, said decryption key associated with said encryption at said expiration time.

62. A system for encrypting data to be passed from a first party to a remote second party, comprising:
- means for indicating to said second party at least one expiration time, said indicating of said at least one expiration time by said first party, wherein said indicating is by said first party;
  
  means for providing a plurality of encryption keys to said first party, each of said plurality of encryption keys associated with at least one of a plurality of encryption key servers, each of said plurality of encryption keys having an associated decryption key and an associated expiration time, wherein said associated expiration time is equal to said indicated expiration time;
  
  means for successively encrypting said data, by said first party, using each one of said plurality of encryption keys;
  
  means for decrypting, at least in part, said encrypted data, by at least a subset of said plurality of encryption key servers, using at least an associated subset of said decryption keys associated with said encryption keys; and
  
  means for destroying at least one of said plurality of encryption keys by at least an associated one of said plurality of encryption key servers.

63. A system for encrypting data to be passed from a first party to a second party, comprising:
- means for indicating to said second party at least one expiration time, wherein said indicating is by said first party;
  
  means for providing a plurality of N encryption keys to said first party, each of said plurality of N encryption keys associated with a respective one of a plurality of N encryption key servers, each of said plurality of N encryption keys having an associated decryption key and an associated expiration time, wherein said associated expiration time is equal to said expiration time indicated by said first party;
  
  means for encrypting said data, by said first party, using each one of said plurality of N encryption keys, said encryption performed such that at least K of said associated decryption keys are required to decrypt said data, where K is less than N;
  
  means for decrypting said encrypted data using less than N, but at least K of said plurality of N encryption key servers, using at least K of said associated decryption keys; and
  
  means for destroying said associated decryption keys by said plurality of N encryption servers at said associated expiration time.

64. A system for encrypting data to be passed from a first party to a second party, comprising:
- means for indicating at least one expiration time, wherein said indicating is by said first party;
  
  means for encrypting said data in a plurality of encryption stages, using a respective set of one or more encryption key servers at each one or said plurality of encryption stages, wherein each encryption key server provides an encryption key associated with a decryption key and an expiration time, wherein said associated expiration is equal to said expiration time indicated by said first party, and wherein said data is encrypted in at least one of said plurality of encryption stages such that less than all of the associated decryption keys of the encryption key servers in the respective encryption key server set are necessary to decrypt said data at that one of said plurality of encryption stages;
  
  means for decrypting, at least in part, said encrypted data, using less than all of said encryption key servers in said encryption key server set associated with said at least one of said plurality of encryption stages; and
  
  means for destroying said associated decryption keys by said encryption key servers at said associated expiration time.

65. A system for supporting data encryption, comprising:
- means for indicating to a second party at least one expiration time;
  
  means for obtaining, from said second party, an encryption key associated with an expiration time, said expiration time indicating a time at which a decryption key associated with said encryption key will be destroyed;
  
  means for encrypting data using said encryption key; and
  
  means for transmitting said encrypted data to said second party prior to said expiration time.

66. A system for supporting data encryption, comprising:
- means for receiving an indication from a remote system of at least one expiration time;
  
  means for providing at least one encryption key associated with said expiration time;
  
  means for receiving data encrypted using said encryption key;
  
  means for decrypting, at least in part, said encrypted data using a decryption key associated with said encryption key; and
  
  means for destroying said decryption key associated with said encryption at said expiration time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Perlman, Radia J.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/395,581
Time in Patent Office

924 Days
Field of Search

713/164, 713/165, 713/166, 713/168, 713/200, 713/201
US Class Current

713/164
CPC Class Codes

H04L 9/083 involving central third par...

H04L 9/088 Usage controlling of secret...

Ephemeral decryptability

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Ephemeral decryptability

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links