Identity-based encryption system for secure data distribution
First Claim
1. A method for using identity-based encryption (IBE) to distribute data to users in a system that has a content provider, a data packaging service, a policy enforcement service, a plurality of users at respective user devices, and a communications network, comprising:
providing a data structure from the content provider to the data packaging service over the communications network, wherein the data structure includes data to be encrypted and data attributes for that data;
at the data packaging service, using at least some of the data attributes from the content provider as policy information to form an identity-based-encryption public key that is not specific to a single user, wherein the data packaging service uses data type encryption policy information to select which of the data attributes are used when forming the identity-based-encryption public key;
at the data packaging service, encrypting the data using an identity-based encryption engine, wherein the identity-based encryption engine uses the identity-based-encryption public key and identity-based-encryption public parameter information as inputs when encrypting the data;
making the encrypted data available to the plurality of users at the user devices;
at a given one of the users, generating a key request for an identity-based-encryption private key corresponding to the identity-based-encryption public key, wherein the key request includes the policy information;
receiving the key request from the given user at the policy enforcement service;
at the policy enforcement service, using the policy information from the key request to determine which access policy applies to the given user and to determine which identity-based-encryption private key to generate in response to the key request;
using the policy information from the key request and information on at least one characteristic of the given user at the policy enforcement service to determine whether the given user is authorized to receive the requested identity-based-encryption private key; and
if the given user is authorized, using the policy enforcement service to transmit the requested identity-based-encryption private key to the user that corresponds to the identity-based-encryption public key.
Abstract
A system is provided that allows encrypted content to be distributed to users over a communications network. A policy enforcement service may use an identity-based encryption algorithm to generate public parameter information and private keys. Data content may be encrypted prior to distribution using an identity-based encryption engine. The encryption engine may use the public parameter information from the policy service and public key information to encrypt the data. The public key information may be based on policy information that specifies which types of users are allowed to access the data that is encrypted using that public key. A user may obtain a private key for unlocking particular encrypted data by providing a key request to the policy enforcement service that contains the public key. The policy enforcement service may enforce the policies given by the policy information and may provide private keys only to authorized users.
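The two policy-handling steps described above, as an added example that is not taken from the patent: the packaging service forms the non-user-specific public key from selected data attributes, and the policy enforcement service decides whether a key request may be answered. The attribute names, the JSON encoding of the key and the rule table are assumptions; the IBE encryption and private-key generation themselves are not shown.

```python
import json

# Assumed data-type encryption policy: which attributes enter the key per data type.
KEY_ATTRS = {"movie": ("rating", "region"), "report": ("classification",)}
MIN_AGE = {"G": 0, "PG-13": 13, "R": 17}

# Assumed access policies: one predicate per attribute, taking the attribute
# value from the key and the service's own record of the authenticated user.
RULES = {
    "rating": lambda v, u: u.get("age", 0) >= MIN_AGE.get(v, float("inf")),
    "region": lambda v, u: u.get("region") == v,
    "classification": lambda v, u: v in u.get("clearances", ()),
}

def form_public_key(data_type, attributes):
    """Packaging service: build the policy-based IBE public key string."""
    selected = {name: attributes[name] for name in KEY_ATTRS[data_type]}
    # Canonical encoding, so that the encryptor and the key service always
    # derive byte-identical key strings from the same policy information.
    return json.dumps({"type": data_type, "policy": selected},
                      sort_keys=True, separators=(",", ":"))

def authorize_key_request(public_key, user_record):
    """Policy enforcement service: True only if the private key may be issued.

    user_record must come from the service's authenticated user data,
    never from fields supplied in the request itself.
    """
    try:
        request = json.loads(public_key)
        data_type, policy = request["type"], request["policy"]
        # Reject keys that are not in canonical form or that carry missing or
        # extra attributes, so each policy maps to exactly one private key.
        if form_public_key(data_type, policy) != public_key:
            return False
        return all(RULES[name](value, user_record)
                   for name, value in policy.items())
    except (ValueError, KeyError, TypeError):
        return False  # malformed request: fail closed

if __name__ == "__main__":
    # Constructed sample data.
    pk = form_public_key("movie", {"rating": "R", "region": "US", "title": "x"})
    print(pk, authorize_key_request(pk, {"age": 30, "region": "US"}))
```

Only when the check returns True would the service generate and transmit the IBE private key for that exact key string.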
15 Claims