Public-key encryption system

US 7,412,059 B1
Filed: 11/27/2002
Issued: 08/12/2008
Est. Priority Date: 11/27/2002
Status: Active Grant

First Claim

Patent Images

1. A method for allowing a sender having user equipment to send a secure message to a receiver having user equipment over a communications network to which the user equipment of the sender is coupled and the user equipment of the receiver is coupled, wherein a key management service is coupled to the communications network that has an associated key-management-service public key and key-management-service private key, wherein the sender encrypts the message using a message key to produce a message-key-encrypted message, the method comprising:

at the sender, encrypting the message key and policy information using the key-management-service public key to generate a corresponding public-key-encrypted message key and public-key-encrypted policy information, wherein the policy information includes date-based constraints that restrict access to the message to a particular time;

providing the message-key-encrypted message, the public-key-encrypted message key, and the public-key-encrypted policy information that includes date-based constraints that restrict access to the message to a particular time to the receiver;

receiving the public-key-encrypted message key and public-key-encrypted policy information including the date-based constraints that restrict access to the message at the key management service from the receiver;

decrypting the encrypted policy information including the date-based constraints at the key management service using the key management service'"'"'s private key;

determining, at the key management service, whether policy constraints imposed by the policy information including the date-based constraints that restrict access to the message have been satisfied;

decrypting the public-key-encrypted message key at the key management service using the key management service'"'"'s private key; and

providing the resulting unencrypted version of the message key to the receiver if the policy constraints including the date-based constraints that restrict access to the message have been satisfied for the receiver to use in decrypting the message-key-encrypted message.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided that allows users to communicate securely. A key management service may generate a single public-key/private-key pair. A sender who desires to send a secure message to a receiver may encrypt the message using a message key. The sender may use the public key to encrypt the message key and policy information that dictates how the message may be accessed. The receiver may pass the public-key-encrypted message key and policy information to the key management service. The key management service decrypts this information using the private key. After the key management service uses the policy information to verify that the receiver is authorized to access the message, the key management service may provide the decrypted message key to the receiver. The receiver may use this unencrypted version of the message key to decrypt the message-key-encrypted message from the sender.

49 Citations

View as Search Results

22 Claims

1. A method for allowing a sender having user equipment to send a secure message to a receiver having user equipment over a communications network to which the user equipment of the sender is coupled and the user equipment of the receiver is coupled, wherein a key management service is coupled to the communications network that has an associated key-management-service public key and key-management-service private key, wherein the sender encrypts the message using a message key to produce a message-key-encrypted message, the method comprising:
- at the sender, encrypting the message key and policy information using the key-management-service public key to generate a corresponding public-key-encrypted message key and public-key-encrypted policy information, wherein the policy information includes date-based constraints that restrict access to the message to a particular time;
  
  providing the message-key-encrypted message, the public-key-encrypted message key, and the public-key-encrypted policy information that includes date-based constraints that restrict access to the message to a particular time to the receiver;
  
  receiving the public-key-encrypted message key and public-key-encrypted policy information including the date-based constraints that restrict access to the message at the key management service from the receiver;
  
  decrypting the encrypted policy information including the date-based constraints at the key management service using the key management service'"'"'s private key;
  
  determining, at the key management service, whether policy constraints imposed by the policy information including the date-based constraints that restrict access to the message have been satisfied;
  
  decrypting the public-key-encrypted message key at the key management service using the key management service'"'"'s private key; and
  
  providing the resulting unencrypted version of the message key to the receiver if the policy constraints including the date-based constraints that restrict access to the message have been satisfied for the receiver to use in decrypting the message-key-encrypted message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method defined in claim 1 further comprising using an RSA encryption algorithm to generate the key-management-service public key and the key-management-service private key.
  - 3. The method defined in claim 1 wherein there is only a single public key and a single corresponding private key generated by the key management service, the method comprising using an RSA encryption algorithm at the key management service to generate the single public key and the single private key.
  - 4. The method defined in claim 1 further comprising providing the sender with the key-management-service public key.
  - 5. The method defined in claim 1 further comprising providing the sender with the key-management-service public key by distributing the key-management-service public key in software installed on the sender'"'"'s equipment.
  - 6. The method defined in claim 1, wherein the message key comprises a symmetric message key and wherein the sender uses symmetric key encryption to encrypt the message for the receiver using the symmetric message key and uses the key management service'"'"'s public key and public key encryption to encrypt the symmetric message key to produce a public-key-encrypted symmetric message key, the method further comprising using an RSA algorithm at the key management service to decrypt the public-key-encrypted symmetric message key.
  - 7. The method defined in claim 1 wherein the policy information includes the identity of the receiver, the method further comprising authenticating the identity of the receiver at the key management service to determine whether or not the policy constraints have been satisfied.
  - 8. The method defined in claim 1 wherein the sender concatenates the policy information with the message key before encrypting the message key and policy information with the key-management-service public key.
  - 9. The method defined in claim 1 wherein the policy information includes constraints based on receiver identity information and access rights, the method further comprising using the key management service to ensure that constraints based on the receiver identity information and access rights have been satisfied by the receiver before providing the receiver with the decrypted message key.
  - 10. The method defined in claim 1 wherein the message key is a symmetric message key, wherein the sender encrypts the message using the symmetric message key according to the Triple-DES encryption standard, wherein the sender sends the encrypted message to the receiver using an email program, and wherein the policy information dictates that only a receiver of a certain clearance level may access the message, the method further comprising using an RSA algorithm to produce the public key and private key at the key management service.
  - 11. The method defined in claim 1 further comprising:
    - at the sender, obtaining the key-management-service public key from the key management service by accessing a database at the key management service.

12. A method comprising:
- providing a key management service having a key-management-service public key and key-management-service private key;
  
  encrypting, at a sender, a message using a message key to produce a message-key-encrypted message;
  
  encrypting, at the sender, the message key and policy information using the key-management-service public key to generate a corresponding public-key-encrypted message key and public-key-encrypted policy information, wherein the policy information includes date-based constraints that restrict access to the message to a particular time;
  
  providing, to the receiver, the message-key-encrypted message, the public-key-encrypted message key, and the public-key-encrypted policy information that includes the date-based constraints that restrict access to the message;
  
  receiving, at the key management service, the public-key-encrypted message key and the public-key-encrypted policy information that includes the date-based constraints that restrict access to the message from the receiver;
  
  decrypting, at the key management service, the encrypted policy information that includes the date-based constraints that restrict access to the message using the key management service'"'"'s private key;
  
  decrypting, at the key management service, the public-key-encrypted message key using the key management service'"'"'s private key; and
  
  if policy constraints associated with the policy information including the date-based constraints that restrict access to the message have been satisfied, providing the resulting unencrypted version of the message key to the receiver to use in decrypting the message-key-encrypted message.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method defined in claim 12 further comprising using an RSA encryption algorithm to generate the key-management-service public key and the key-management-service private key.
  - 14. The method defined in claim 12 wherein there is only a single public key and a single corresponding private key generated by the key management service, the method comprising using an RSA encryption algorithm at the key management service to generate the single public key and the single private key.
  - 15. The method defined in claim 12 further comprising providing the sender with the key-management-service public key.
  - 16. The method defined in claim 12 further comprising providing the sender with the key-management-service public key by distributing the key-management-service public key in software installed on the sender'"'"'s equipment.
  - 17. The method defined in claim 12, wherein the message key comprises a symmetric message key and wherein the sender uses symmetric key encryption to encrypt the message for the receiver using the symmetric message key and uses the key management service'"'"'s public key and public key encryption to encrypt the symmetric message key to produce a public-key-encrypted symmetric message key, the method further comprising using an RSA algorithm at the key management service to decrypt the public-key-encrypted symmetric message key.
  - 18. The method defined in claim 12 wherein the policy information includes the identity of the receiver, the method further comprising authenticating the identity of the receiver at the key management service to determine whether or not the policy constraints have been satisfied.
  - 19. The method defined in claim 12 wherein the sender concatenates the policy information that includes the date-based constraints that restrict access to the message with the message key before encrypting the message key and policy information with the key-management-service public key, the method further comprising using the key management service to consider whether the date-based constraints specified by the policy information have been satisfied.
  - 20. The method defined in claim 12 wherein the policy information includes constraints based on receiver identity information and access rights, the method further comprising using the key management service to ensure that the constraints based on receiver identity information and access rights have been satisfied by the receiver before providing the receiver with the decrypted message key.
  - 21. The method defined in claim 12 wherein the message key is a symmetric message key, wherein the sender encrypts the message using the symmetric message key according to the Triple-DES encryption standard, wherein the sender sends the encrypted message to the receiver using an email program, and wherein the policy information that includes the date-based constraints dictates that only a receiver of a certain clearance level may access the message, the method further comprising using an RSA algorithm to produce the public key and private key at the key management service.
  - 22. The method defined in claim 12 further comprising:
    - at the sender, obtaining the key-management-service public key from the key management service by accessing a database at the key management service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Voltage Security Incorporated (HP Inc.)
Inventors
Appenzeller, Guido, Kacker, Rishi R, Pauker, Matthew J
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Hoffman; Brandon S

Application Number

US10/307,007
Time in Patent Office

2,085 Days
Field of Search

726/1, 380/277
US Class Current

380/277
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 51/00   User-to-user messaging in p...

H04L 63/0442   wherein the sending and rec...

H04L 63/20   for managing network securi...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

Public-key encryption system

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Public-key encryption system

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links