Identity-based encryption system for secure data distribution

US 7,003,117 B2
Filed: 02/05/2003
Issued: 02/21/2006
Est. Priority Date: 02/05/2003
Status: Expired due to Term

First Claim

Patent Images

1. A method for using identity-based encryption (IBE) to distribute data to users in a system that has a content provider, a data packaging service, a policy enforcement service, a plurality of users at respective user devices, and a communications network, comprising:

providing a data structure from the content provider to the data packaging service over the communications network, wherein the data structure includes data to be encrypted and data attributes for that data;

at the data packaging service, using at least some of the data attributes from the content provider as policy information to form an identity-based-encryption public key that is not specific to a single user, wherein the data packaging service uses data type encryption policy information to select which of the data attributes are used when forming the identity-based-encryption public key;

at the data packaging service, encrypting the data using an identity-based encryption engine, wherein the identity-based encryption engine uses the identity-based-encryption public key and identity-based-encryption public parameter information as inputs when encrypting the data;

making the encrypted data available to the plurality of users at the user devices;

at a given one of the users, generating a key request for an identity-based-encryption private key corresponding to the identity-based-encryption public key, wherein the key request includes the policy information;

receiving the key request from the given user at the policy enforcement service;

at the policy enforcement service, using the policy information from the key request to determine which access policy applies to the given user and to determine which identity-based-encryption private key to generate in response to the key request;

using the policy information from the key request and information on at least one characteristic of the given user at the policy enforcement service to determine whether the given user is authorized to receive the requested identity-based-encryption private key; and

if the given user is authorized, using the policy enforcement service to transmit the requested identity-based-encryption private key to the user that corresponds to the identity-based-encryption public key.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided that allows encrypted content to be distributed to users over a communications network. A policy enforcement service may use an identity-based encryption algorithm to generate public parameter information and private keys. Data content may be encrypted prior to distribution using an identity-based encryption engine. The encryption engine may use the public parameter information from the policy service and public key information to encrypt the data. The public key information may be based on policy information that specifies which types of users are allowed to access the data that is encrypted using that public key. A user may obtain a private key for unlocking particular encrypted data by providing a key request to the policy enforcement service that contains the public key. The policy enforcement service may enforce the policies given by the policy information and may provide private keys only to authorized users.

204 Citations

15 Claims

1. A method for using identity-based encryption (IBE) to distribute data to users in a system that has a content provider, a data packaging service, a policy enforcement service, a plurality of users at respective user devices, and a communications network, comprising:
- providing a data structure from the content provider to the data packaging service over the communications network, wherein the data structure includes data to be encrypted and data attributes for that data;
  
  at the data packaging service, using at least some of the data attributes from the content provider as policy information to form an identity-based-encryption public key that is not specific to a single user, wherein the data packaging service uses data type encryption policy information to select which of the data attributes are used when forming the identity-based-encryption public key;
  
  at the data packaging service, encrypting the data using an identity-based encryption engine, wherein the identity-based encryption engine uses the identity-based-encryption public key and identity-based-encryption public parameter information as inputs when encrypting the data;
  
  making the encrypted data available to the plurality of users at the user devices;
  
  at a given one of the users, generating a key request for an identity-based-encryption private key corresponding to the identity-based-encryption public key, wherein the key request includes the policy information;
  
  receiving the key request from the given user at the policy enforcement service;
  
  at the policy enforcement service, using the policy information from the key request to determine which access policy applies to the given user and to determine which identity-based-encryption private key to generate in response to the key request;
  
  using the policy information from the key request and information on at least one characteristic of the given user at the policy enforcement service to determine whether the given user is authorized to receive the requested identity-based-encryption private key; and
  
  if the given user is authorized, using the policy enforcement service to transmit the requested identity-based-encryption private key to the user that corresponds to the identity-based-encryption public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method defined in claim 1 further comprising using the private key and a decryption engine at the user device of the given user to decrypt the encrypted data so that the given user may access the content of the encrypted data.
  - 3. The method defined in claim 1 wherein the policy information includes rating information, the method further comprising using the rating information in determining whether the given user is authorized to receive the requested private key.
  - 4. The method defined in claim 1 wherein the policy information includes rating information selected from the group consisting of:
    - a G rating, a PG rating, a PG-13 rating, an R rating, and an X rating.
  - 5. The method defined in claim 1 wherein a media player is implemented on the user device of the given user, the method further comprising generating the key request using the media player.
  - 6. The method defined in claim 1 further comprising using the identity-based encryption engine to automatically encrypt the data based on data type encryption policy information that is in an XML format.
  - 7. The method defined in claim 6, wherein the data is in an XML format, the method further comprising using the identity-based encryption engine to automatically encrypt the XML-format data based on the XML-format data type encryption policy information.
  - 8. The method defined in claim 1 wherein the public key comprises an XML-format public key and wherein using the policy information of the public key and information on at least one characteristic of the given user at the policy enforcement service to determine whether the given user is authorized to receive the requested identity-based-encryption private key further comprises using the XML-format public key in determining whether the given user is authorized to receive the private key corresponding to the public key.
  - 9. The method defined in claim 1 wherein the data comprises a song, the method further comprising distributing the song to users using a peer-to-peer arrangement in which one user electronically transmits the song to another before the data is decrypted.
  - 10. The method defined in claim 1 further comprising distributing the encrypted data from one user to another in a peer-to-peer arrangement before decrypting the encrypted data.
  - 11. The method defined in claim 1 further comprising encrypting the data directly using an identity-based encryption algorithm without using symmetric key encryption to encrypt content in the data.
  - 12. The method defined in claim 1 further comprising encrypting the data using a two-step process in which content in the data is encrypted using symmetric key and the symmetric key is encrypted using an identity-based encryption algorithm.
  - 13. The method defined in claim 1 further comprising transmitting the public key from the data packaging service to the users over the communications network.
  - 14. The method defined in claim 1 further comprising using global policy information at the policy enforcement service in determining whether the given user is authorized to receive the requested private key.
  - 15. The method defined in claim 1 wherein the information on the characteristic of the given user includes information on the given user'"'"'s age, the method further comprising using the policy information from the key request and the information on the user'"'"'s age at the policy enforcement service to determine whether the given user is authorized to receive the private key corresponding to the public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Voltage Security Incorporated (HP Inc.)
Inventors
Kacker, Rishi R., Appenzeller, Guido, Pauker, Matthew J., Spies, Terence
Primary Examiner(s)
Song, Hosuk
Assistant Examiner(s)
Dada, Beemnet W.

Application Number

US10/361,192
Publication Number

US 20040151308A1
Time in Patent Office

1,112 Days
Field of Search

713/164, 713/166, 713/167, 705/1, 705/51, 705/50, 705/59, 705/71, 707/9, 707/10, 380/30, 380/282, 380/278, 726/1
US Class Current

380/277
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/603   Digital right managament [DRM]

H04L 2209/68   Special signature format, e...

H04L 2463/101   applying security measures ...

H04L 63/0442   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/101   Access control lists [ACL]

H04L 9/3073   involving pairings, e.g. id...

Identity-based encryption system for secure data distribution

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

204 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Identity-based encryption system for secure data distribution

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links