Method and system for managing keys for encrypted data
First Claim
Patent Images
1. A method for managing encryption keys for data comprising the steps of:
- a) generating a session key;
b) encrypting the data using the session key, the encrypted data having a binary representation;
c) generating a key encryption key based on an initial vector, the initial vector being known only to a party encrypting the data and a party intended to decrypt the data;
d) encrypting the session key using the key encryption key, the encrypted session key having a binary representation;
e) generating a set of indices by a one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector; and
f) reformatting the binary representation of the encrypted data to generate an output set of binary data by interleaving the encrypted session key with the encrypted data by dividing the binary representation of the encrypted session key into segments and inserting the segments into the binary representation of the encrypted data at locations determined by the set of indices.
1 Assignment
0 Petitions
Accused Products
Abstract
A computer system and method manages encryption keys for data. The system and method generates a session key and encrypts given data with the session key. The system and method generates a key encryption key based on a secret initial vector, or password. The session key is encrypted using the key encryption key. The encrypted data and the encrypted session key are then interleaved according to a set of indices created by a one-way transform. The one-way transform takes as its input the initial vector, the length of the encrypted session key and the length of the encrypted data. The data is recovered by a party knowing the initial vector using the one-way transform to determine the location of the encrypted session key in the interleaved data. The session key is decrypted which allows the data to be decrypted.
170 Citations
22 Claims
-
1. A method for managing encryption keys for data comprising the steps of:
-
a) generating a session key;
b) encrypting the data using the session key, the encrypted data having a binary representation;
c) generating a key encryption key based on an initial vector, the initial vector being known only to a party encrypting the data and a party intended to decrypt the data;
d) encrypting the session key using the key encryption key, the encrypted session key having a binary representation;
e) generating a set of indices by a one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector; and
f) reformatting the binary representation of the encrypted data to generate an output set of binary data by interleaving the encrypted session key with the encrypted data by dividing the binary representation of the encrypted session key into segments and inserting the segments into the binary representation of the encrypted data at locations determined by the set of indices. - View Dependent Claims (2, 3, 4, 5, 12, 13, 14)
a) regenerating the set of indices by using the one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector;
b) rebuilding the encrypted session key by using the regenerated set of indices to extract the segments of the binary representation of the encrypted session key from the output set of binary data and assembling the segments to form the encrypted session key;
c) rebuilding the encrypted data by using the regenerated set of indices to extract the binary representation of the encrypted data from the output set of binary data;
d) regenerating the key encryption key, using the initial vector;
e) regenerating the session key by decrypting the rebuilt encrypted session key using the regenerated key encryption key; and
f) decrypting the rebuilt encrypted data using the regenerated session key.
-
-
3. The method of claim 1 in which the number of elements in the set of indices is equal to the number of 8-bit bytes in the binary representation of the encrypted session key, in which each element of the set of indices is an index into the binary representation of the encrypted data, and in which each segment of the encrypted session key is one byte long, whereby the step of interleaving the encrypted session key with the encrypted data comprises the bytes of the binary representation of the encrypted session key being inserted at the byte-location in the binary representation of the encrypted data determined by the indices.
-
4. The method of claim 1 comprising the further step of padding the output set of data with data representing the length of the binary representation of the encrypted data and with data representing the length of the binary representation of the encrypted session key.
-
5. A method for decrypting an output set of binary data, the output set of binary data being generated by the method of claim 1, the method for decrypting comprising the following steps:
-
a) regenerating the set of indices by using the one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector;
b) rebuilding the encrypted session key by using the regenerated set of indices to extract the segments of the binary representation of the encrypted session key from the output set of binary data and assembling the segments to form the encrypted session key;
c) rebuilding the encrypted data by using the regenerated set of indices to extract the binary representation of the encrypted data from the output set of binary data;
d) regenerating the key encryption key, using the initial vector;
e) regenerating the session key by decrypting the rebuilt encrypted session key using the regenerated key encryption key; and
f) decrypting the rebuilt encrypted data using the regenerated session key.
-
-
12. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method of claim 1.
-
13. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method of claim 2.
-
14. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method of claim 5.
-
6. A method for managing encryption keys in a computer system environment having a client and a server, comprising the steps of:
-
a) authenticating communication between the client and the server;
b) securely communicating an initial vector to the client and the server;
c) defining a server application and a client application in the server, whereby the client application comprises computer code, for a set of data, for the following functions;
i) generating a session key;
ii) encrypting the set of data using the session key, the encrypted data having a binary representation;
iii) generating a key encryption key based on the initial vector;
iv) encrypting the session key using the key encryption key, the encrypted session key having a binary representation;
v) generating a set of indices by a one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector; and
vi) reformatting the binary representation of the encrypted data to generate an output set of binary data by interleaving the encrypted session key with the encrypted data by dividing the binary representation of the encrypted session key into segments and inserting the segments into the binary representation of the encrypted data at locations determined by the set of indices;
and whereby the client application comprises computer code for the following functions;
vii) regenerating the set of indices by using the one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector;
viii) rebuilding the encrypted session key by using the regenerated set of indices to extract the segments of the binary representation of the encrypted session key from the output set of binary data and assembling the segments to form the encrypted session key;
ix) rebuilding the encrypted data by using the regenerated set of indices to extract the binary representation of the encrypted data from the output set of binary data;
x) regenerating the key encryption key, using the initial vector;
xi) regenerating the session key by decrypting the rebuilt encrypted session key using the regenerated key encryption key; and
xii) decrypting the rebuilt encrypted data using the regenerated session key;
d) providing the client application to the client; and
e) communicating between the client and the server by sets of data which are encrypted by the functions of the client application and decrypted by the functions of the server application. - View Dependent Claims (15)
-
-
7. A method for managing encryption keys for a plurality of sets of data comprising the steps of:
-
a) initializing an initial vector; and
b) for each set of data;
i) generating an associated session key for the set of data using an encryption key generation algorithm whereby there is a low probability that more than two or more of the plurality of sets of data will share the same session key;
ii) encrypting the set of data using the associated session key, the encrypted set of data having a binary representation;
iii) generating a key encryption key for the associated session key, based on the initial vector;
iv) encrypting the associated session key using the key encryption key, the encrypted associated session key having a binary representation;
v) generating a set of indices for the set of data by a one-way transform mapping based on the length of the binary representation of the encrypted associated session key, the length of the binary representation of the encrypted set of data, and the initial vector; and
vi) reformatting the binary representation of the encrypted set of data to generate an output set of binary data by interleaving the encrypted associated session key with the encrypted set of data by dividing the binary representation of the encrypted associated session key into segments and inserting the segments into the binary representation of the encrypted set of data at locations determined by the set of indices. - View Dependent Claims (8, 9, 10, 11, 16, 17)
a) regenerating the set of indices for the set of data by using the one-way transform mapping based on the length of the binary representation of the encrypted associated session key, the length of the binary representation of the encrypted set of data, and the initial vector;
b) rebuilding the encrypted session key by using the regenerated set of indices for the set of data to extract the segments of the binary representation of the encrypted associated session key from the output set of binary data and assembling the segments to regenerate the encrypted session key;
c) rebuilding the encrypted data by using the regenerated set of indices for the set of data to extract the binary representation of the encrypted set of data from the output set of binary data;
d) regenerating the key encryption key for the associated session key, using the initial vector;
e) regenerating the associated session key by decrypting the rebuilt encrypted session key using the regenerated key encryption key; and
f) decrypting the rebuilt encrypted data using the regenerated session key.
-
-
9. The method of claim 7 in which the number of elements in the set of indices for each encrypted set of data is equal to the number of 8-bit bytes in the binary representation of the encrypted associated session key, in which each element of the set of indices is an index into the binary representation of the encrypted set of data, and in which each segment of the encrypted associated session key is one byte long, whereby the step of interleaving the encrypted associated session key with the encrypted set of data comprises the bytes of the binary representation of the encrypted associated session key being inserted at the byte-location in the binary representation of the encrypted set of data determined by the indices for the encrypted set of data.
-
10. The method of claim 7 in which the step of initializing the initial vector comprises the step of receiving a password from a user.
-
11. The method of claim 10 in which the step of initializing the initial vector further comprises the step of a deriving the initial vector from a function which takes as its input the password, a timestamp, and a message digest which is a hashed value of a subset of the plurality of the encrypted sets of data.
-
16. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method of claim 7.
-
17. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method of claim 8.
-
18. A computer system for managing encryption keys for data comprising:
-
a) means for generating a session key;
b) means for encrypting the data using the session key, the encrypted data having a binary representation;
c) means for generating a key encryption key based on an initial vector, the initial vector being known only to a party encrypting the data and a party intended to decrypt the data;
d) means for encrypting the session key using the key encryption key, the encrypted session key having a binary representation;
e) means for generating a set of indices by a one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector; and
f) means for reformatting the binary representation of the encrypted data to generate an output set of binary data by interleaving the encrypted session key with the encrypted data by dividing the binary representation of the encrypted session key into segments and inserting the segments into the binary representation of the encrypted data at locations determined by the set of indices. - View Dependent Claims (19, 20, 21)
a) means for regenerating the set of indices by using the one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector;
b) means for rebuilding the encrypted session key by using the regenerated set of indices to extract the segments of the binary representation of the encrypted session key from the output set of binary data and assembling the segments to form the encrypted session key;
c) means for rebuilding the encrypted data by using the regenerated set of indices to extract the binary representation of the encrypted data from the output set of binary data;
d) means for regenerating the key encryption key, using the initial vector;
e) means for regenerating the session key by decrypting the rebuilt encrypted session key using the regenerated key encryption key; and
f) means for decrypting the rebuilt encrypted data using the regenerated session key.
-
-
20. The system of claim 18 in which the number of elements in the set of indices is equal to the number of 8-bit bytes in the binary representation of the encrypted session key, in which each element of the set of indices is an index into the binary representation of the encrypted data, and in which each segment of the encrypted session key is one byte long, whereby the means for interleaving the encrypted session key with the encrypted data comprises means for inserting the bytes of the binary representation of the encrypted session key at the byte-location in the binary representation of the encrypted data determined by the indices.
-
21. The system of claim 18 further comprising means for padding the output set of data with data representing the length of the binary representation of the encrypted data and with data representing the length of the binary representation of the encrypted session key.
-
22. A computer program product for managing encryption keys in a computer system environment having a client and a server, comprising a computer usable medium having computer readable code means embodied in said medium to perform steps comprising:
-
a) authenticating communication between the client and the server;
b) securely communicating an initial vector to the client and the server;
c) defining a server application and a client application in the server, whereby the client application comprises computer code, for a set of data, for the following functions;
i) generating a session key;
ii) encrypting the set of data using the session key, the encrypted data having a binary representation;
iii) generating a key encryption key based on the initial vector;
iv) encrypting the session key using the key encryption key, the encrypted session key having a binary representation;
v) generating a set of indices by a one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector; and
vi) reformatting the binary representation of the encrypted data to generate an output set of binary data by interleaving the encrypted session key with the encrypted data by dividing the binary representation of the encrypted session key into segments and inserting the segments into the binary representation of the encrypted data at locations determined by the set of indices;
and whereby the client application comprises computer code for the following functions;
vii) regenerating the set of indices by using the one-way transform mapping based on the length of the binary representation of the encrypted session key, the length of the binary representation of the encrypted data, and the initial vector;
viii) rebuilding the encrypted session key by using the regenerated set of indices to extract the segments of the binary representation of the encrypted session key from the output set of binary data and assembling the segments to form the encrypted session key;
ix) rebuilding the encrypted data by using the regenerated set of indices to extract the binary representation of the encrypted data from the output set of binary data;
x) regenerating the key encryption key, using the initial vector;
xi) regenerating the session key by decrypting the rebuilt encrypted session key using the regenerated key encryption key; and
xii) decrypting the rebuilt encrypted data using the regenerated session key;
d) providing the client application to the client; and
e) communicating between the client and the server by sets of data which are encrypted by the functions of the client application and decrypted by the functions of the server application.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsWeidong, Kou
-
Primary Examiner(s)Barron, Gilberto
-
Assistant Examiner(s)STULBERGER, CAS P
-
Application NumberUS09/532,246Time in Patent Office1,700 DaysField of Search380/277, 380/278, 380/281US Class Current380/277CPC Class CodesH04L 2209/043 of tables, e.g. lookup, sub...H04L 2209/20 Manipulating the length of ...H04L 9/0822 using key encryption keyH04L 9/088 Usage controlling of secret...
