Identity-based-encryption system with district policy information

US 7,103,911 B2
Filed: 10/17/2003
Issued: 09/05/2006
Est. Priority Date: 10/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method for controlling communications in an identity-based encryption (IBE) system in which senders communicate with recipients over a communications network and in which recipients and IBE private key generators are organized in a plurality of districts, each district including a respective one of the IBE private key generators, wherein the IBE private key generator in each district generates IBE private keys for recipients that are associated with that district, wherein each district has IBE public parameter information that is used by senders in encrypting messages for recipients in that district, wherein each district has district policy information that includes IBE encryption protocol information, and wherein the recipients in each district use their IBE private keys in decrypting messages that are encrypted using respective IBE public keys, comprising:

when a sender desires to send a message to a recipient in a given district, obtaining the district policy information for the given district for the sender over the communications network, wherein the district policy information that is obtained for the given district includes IBE encryption protocol information for the given district that specifies an IBE public key format that is to be used in creating IBE public keys for the recipients in the given district;

at the sender, using the IBE public key format specified by the IBE encryption protocol information to construct an IBE public key for the recipient in the given district; and

at the sender, encrypting the message for the recipient using the IBE public parameter information associated with the given district and the IBE public key that has been constructed for the recipient according to the IBE public key format.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient over a communications network. IBE public key information may be used to encrypt messages and corresponding IBE private key information may be used to decrypt messages. The IBE private keys may be provided to message recipients by an IBE private key generator. The IBE private key generator and the recipients who obtain their IBE private keys from that generator form a district. District policy information may be provided by the IBE private key generator that specifies which encryption and communications protocols are used by the district. The district policy information may also specify which authentication protocols are used by the district and may set forth how content-based protocols are implemented. This information may be used by senders in sending messages to recipients.

99 Citations

View as Search Results

21 Claims

1. A method for controlling communications in an identity-based encryption (IBE) system in which senders communicate with recipients over a communications network and in which recipients and IBE private key generators are organized in a plurality of districts, each district including a respective one of the IBE private key generators, wherein the IBE private key generator in each district generates IBE private keys for recipients that are associated with that district, wherein each district has IBE public parameter information that is used by senders in encrypting messages for recipients in that district, wherein each district has district policy information that includes IBE encryption protocol information, and wherein the recipients in each district use their IBE private keys in decrypting messages that are encrypted using respective IBE public keys, comprising:
- when a sender desires to send a message to a recipient in a given district, obtaining the district policy information for the given district for the sender over the communications network, wherein the district policy information that is obtained for the given district includes IBE encryption protocol information for the given district that specifies an IBE public key format that is to be used in creating IBE public keys for the recipients in the given district;
  
  at the sender, using the IBE public key format specified by the IBE encryption protocol information to construct an IBE public key for the recipient in the given district; and
  
  at the sender, encrypting the message for the recipient using the IBE public parameter information associated with the given district and the IBE public key that has been constructed for the recipient according to the IBE public key format.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method defined in claim 1 further comprising using the district policy information to determine whether to send the message to the recipient.
  - 3. The method defined in claim 1 further comprising using the district policy information and client policy information to determine whether to send the message to the recipient.
  - 4. The method defined in claim 1 further comprising using the district policy information to determine how to send the message to the recipient.
  - 5. The method defined in claim 1 wherein the recipient has a username and wherein the IBE encryption protocol information includes IBE public key format information that specifies which portion of the recipient'"'"'s username is used to form the IBE public key, the method comprising using the IBE public key format information that specifies which portion of the recipient'"'"'s username is used to form the IBE public key at the sender to construct the IBE public key from the recipient'"'"'s username.
  - 6. The method defined in claim 1 wherein the district policy information for the given district includes communications protocol information that specifies which communications protocols are used by the given district, the method comprising using the communications protocol information at the sender to determine which communications protocols are being used by the given district.
  - 7. The method defined in claim 1 wherein the district policy information for the given district includes communications protocol information that specifies which communications protocols are used by the given district, the method comprising using the communications protocol information at the sender to determine which message format is being used by the given district.
  - 8. The method defined in claim 1 wherein the district policy information includes authentication protocol information that specifies what type of authentication is required before the IBE private key generator for the given district provides IBE private keys to recipients in the given district, the method comprising using the authentication protocol information at the sender in sending the message to the recipient.
  - 9. The method defined in claim 1 wherein the district policy information includes authentication protocol information that specifies what type of authentication is required before the IBE private key generator for the given district provides IBE private keys to recipients in the given district, the method comprising using the authentication protocol information at the sender to determine whether to send the message to the recipient.
  - 10. The method defined in claim 1 wherein the district policy information includes authentication protocol information that specifies what type of authentication is required before the IBE private key generator for the given district provides IBE private keys to recipients in the given district, the method comprising using the authentication protocol information at the sender to determine whether the recipient uses a smart card when being authenticated by the IBE private key generator.
  - 11. The method defined in claim 1 wherein the district policy information includes content-based protocol information that specifies how messages for recipients in the given district are to be handled based on their content, the method comprising using the content-based protocol information at the sender to determine whether to send the message to the recipient in the given district.
  - 12. The method defined in claim 1 wherein the given district comprises multiple subdistricts, each of the multiple subdistricts having its own respective subdistrict IBE private key generator, wherein the recipient is associated with at least one of the subdistricts, and wherein each subdistrict has associated subdistrict policy information, the method further comprising:
    - at the sender, obtaining the subdistrict policy information for each of the multiple subdistricts; and
      
      at the sender, using the subdistrict policy information for the multiple subdistricts in sending the message to the recipient.
  - 13. The method defined in claim 1 wherein the given district comprises multiple subdistricts, each of the multiple subdistricts having its own respective subdistrict IBE private key generator, wherein the recipient is associated with more than one of the subdistricts, and wherein each subdistrict has associated subdistrict policy information, the method further comprising:
    - at the sender, obtaining the subdistrict policy information for each of the multiple subdistricts; and
      
      at the sender, using the subdistrict policy information for the subdistricts with which the recipient is associated in determining which subdistrict to send the message to.
  - 14. The method defined in claim 1 wherein the given district comprises multiple subdistricts, each of the multiple subdistricts having its own respective subdistrict IBE private key generator, wherein the recipient is associated with more than one of the subdistricts, wherein the subdistricts use different techniques for authenticating recipients, wherein each subdistrict has associated subdistrict policy information that specifies the techniques used for authenticating their recipients, the method further comprising:
    - at the sender, obtaining the subdistrict policy information for each of the multiple subdistricts; and
      
      at the sender, using the subdistrict policy information for those subdistricts with which the recipient is associated in determining which of those subdistricts to send the message to based on which technique is used to authenticate the recipient at each of those subdistricts.
  - 15. The method defined in claim 1wherein the message has certain message content the method further comprising:
    - at the sender, determining whether to send the message to the recipient based on the message content and the district policy information.
  - 16. The method defined in claim 1 further comprising:
    - at the sender, using the district policy information to determine whether to display a notice for the sender.
  - 17. The method defined in claim 1 further comprising providing the district policy information to the sender in the form of a district policy information list containing an identifier for each list entry.
  - 18. The method defined in claim 1 further comprising providing the district policy information to the sender in the form of a district policy information list having list entries, wherein at least some of the list entries are digitally signed.

19. A method for controlling communications in an identity-based encryption (IBE) system in which senders communicate with recipients over a communications network and in which recipients and IBE private key generators are organized in a plurality of districts, each district including a respective one of the IBE private key generators, wherein the IBE private key generator in each district generates IBE private keys for recipients that are associated with that district, wherein each district has IBE public parameter information that is used by senders in encrypting messages for recipients in that district, wherein each district has district policy information that includes IBE encryption protocol information, and wherein the recipients in each district use their IBE private keys in decrypting messages that are encrypted using respective IBE public keys, comprising:
- when a sender desires to send a message to a recipient in a given district, obtaining the district policy information for the given district for the sender over the communications network, wherein the district policy information that is obtained for the given district includes authentication protocol information for the given district that specifies what type of authentication is required before the IBE private key generator for the district provides IBE private keys to recipients in the district;
  
  at the sender, using the authentication protocol information for the given district to determine whether to send the message to the recipient in the given district; and
  
  at the sender, if it is determined that the message is to be sent to the recipient in the given district, encrypting the message for the recipient using the IBE public parameter information associated with the given district and an IBE public key of the recipient and sending the message to the recipient.

20. A method for controlling communications in an identity-based encryption (IBE) system in which senders communicate with recipients over a communications network and in which recipients and IBE private key generators are organized in a plurality of districts, each district including a respective one of the IBE private key generators, wherein the IBE private key generator in each district generates IBE private keys for recipients that are associated with that district, wherein each district has IBE public parameter information that is used by senders in encrypting messages for recipients in that district, wherein each district has district policy information that includes IBE encryption protocol information, and wherein the recipients in each district use their IBE private keys in decrypting messages that are encrypted using respective IBE public keys, comprising:
- when a sender desires to send a message to a recipient in a given district, obtaining the district policy information for the given district for the sender over the communications network, wherein the district policy information that is obtained for the given district includes IBE message format information that specifies at least one IBE message format that is supported by the given district;
  
  at the sender, using the IBE message format specified by the IBE message format information to construct the message for the recipient in the given district; and
  
  at the sender, encrypting the message for the recipient using the IBE public parameter information associated with the given district and an IBE public key for the recipient and sending the message to the recipient.

21. A method for controlling communications in an identity-based encryption (IBE) system in which senders communicate with recipients over a communications network and in which recipients and IBE private key generators are organized in a plurality of districts, each district including a respective one of the IBE private key generators, wherein the IBE private key generator in each district generates IBE private keys for recipients that are associated with that district, wherein each district has IBE public parameter information that is used by senders in encrypting messages for recipients in that district, wherein each district has district policy information that includes IBE encryption protocol information, and wherein the recipients in each district use their IBE private keys in decrypting messages that are encrypted using respective IBE public keys, comprising:
- when a sender desires to send a message to a recipient in a given district, obtaining the district policy information for the given district for the sender over the communications network, wherein the district policy information that is obtained for the given district includes content-based protocol information for the given district that specifies how the given district handles messages depending on their content;
  
  at the sender, using the content-based protocol information for the given district to determine whether to send the message to the recipient in the given district; and
  
  at the sender, if it is determined that the message is to be sent to the recipient in the given district, encrypting the message for the recipient using the IBE public parameter information associated with the given district and an IBE public key of the recipient and sending the message to the recipient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
entIT Software LLC (Open Text Corporation)
Original Assignee
Voltage Security Incorporated (HP Inc.)
Inventors
Appenzeller, Guido, Pauker, Matthew J., Spies, Terence, Ryan, Lucas C.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US10/688,019
Publication Number

US 20050084100A1
Time in Patent Office

1,054 Days
Field of Search

726/14, 726/3, 713/150, 713/168, 713/170, 713/156, 713/175, 380/282, 380277-279
US Class Current

726/3
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 63/0442   wherein the sending and rec...

H04L 9/0847   involving identity based en...

H04L 9/088   Usage controlling of secret...

H04L 9/3073   involving pairings, e.g. id...

Identity-based-encryption system with district policy information

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Identity-based-encryption system with district policy information

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links