Multiple password documents

US 7,814,317 B1
Filed: 10/19/2004
Issued: 10/12/2010
Est. Priority Date: 10/19/2004
Status: Active Grant

First Claim

Patent Images

1. An apparatus to encrypt a payload, comprising:

a session key generator configured to generate a session key;

a hasher configured to generate a hash of the session key;

a payload encrypter configured to encrypt the payload with the session key, to encrypt both the session key and the hash of the session key using a received password, and to store in a file;

the encrypted payload, the password-encrypted session key, and the encrypted hash of the session key;

wherein the payload encrypter is further configured to encrypt the session key using a fallback key, and append the fallback-encrypted session key to the file;

wherein the payload encrypter is further configured to send the file to a receiver;

a decryptor, coupled to the receiver, the decryptor configured to receive the password, and to decrypt the password-encrypted session key to obtain a decrypted session key, and to decrypt the encrypted hash of the session key to obtain a first hash of the session key;

a second hasher configured to hash the decrypted session key to obtain a second hash of the session key;

a comparer configured to compare the first hash of the session key with the second hash of the session key; and

wherein the decryptor is further configured to decrypt the encrypted payload, using the session key decrypted with the password, when the first hash of the session key matches the second hash of the session key;

wherein the decryptor is further configured to decrypt, in response to determining that the first hash of the session key does not match the second hash of the session key, the fallback-encrypted session key, using the fallback key, and to decrypt the encrypted payload using the session key decrypted with the fallback key.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, method, and computer-readable media capable of encrypting and unencrypting secure documents with multiple passwords and/or fallback keys. Embodiments allow documents to unencrypt themselves or be able to be unencrypted with multiple passwords. Methods embodiments include the creation of self-encrypted documents that provide for multiple password decryption, and may include the automatic generation of at least one fallback key to facilitate unencryption of documents.

Citations

52 Claims

1. An apparatus to encrypt a payload, comprising:
- a session key generator configured to generate a session key;
  
  a hasher configured to generate a hash of the session key;
  
  a payload encrypter configured to encrypt the payload with the session key, to encrypt both the session key and the hash of the session key using a received password, and to store in a file;
  
  the encrypted payload, the password-encrypted session key, and the encrypted hash of the session key;
  
  wherein the payload encrypter is further configured to encrypt the session key using a fallback key, and append the fallback-encrypted session key to the file;
  
  wherein the payload encrypter is further configured to send the file to a receiver;
  
  a decryptor, coupled to the receiver, the decryptor configured to receive the password, and to decrypt the password-encrypted session key to obtain a decrypted session key, and to decrypt the encrypted hash of the session key to obtain a first hash of the session key;
  
  a second hasher configured to hash the decrypted session key to obtain a second hash of the session key;
  
  a comparer configured to compare the first hash of the session key with the second hash of the session key; and
  
  wherein the decryptor is further configured to decrypt the encrypted payload, using the session key decrypted with the password, when the first hash of the session key matches the second hash of the session key;
  
  wherein the decryptor is further configured to decrypt, in response to determining that the first hash of the session key does not match the second hash of the session key, the fallback-encrypted session key, using the fallback key, and to decrypt the encrypted payload using the session key decrypted with the fallback key.

2. The apparatus of 1 wherein the session key generator generates the session key randomly.

3. The apparatus of 2, wherein the payload encrypter is further configured to receive more than one password.

4. The apparatus of 3 wherein the payload encrypter is further configured to encrypt the hash of the session key for each password received.

5. The apparatus of 4 wherein the payload encrypter is further configured to store in the file the encrypted hash of the session key for each password received.

6. The apparatus of 5 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

7. The apparatus of 5 wherein the encryption of the payload with the session key or the encryption of the hash of the session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

8. A method of encrypting a payload, comprising:
- generating a session key;
  
  encrypting the payload with the session key;
  
  generating a hash of the session key;
  
  encrypting both the session key and the hash of the session key using a received password;
  
  storing an encrypted file with the encrypted payload, the password-encrypted session key, and the encrypted hash of the session key;
  
  encrypting the session key using a fallback key, and appending the fallback-encrypted second session key to the file;
  
  sending the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key to a receiver;
  
  decrypting the password-encrypted session key to obtain a decrypted session key;
  
  decrypting the encrypted hash of the session key to obtain a first hash of the session key;
  
  generating a second hash of the session key from the decrypted session key; and
  
  if the first hash of the session key matches the second hash of the session key, decrypting the encrypted payload using the session key decrypted with the password;
  
  in response to determining that the first hash of the session key does not match the second hash of the session key, decrypting the fallback-encrypted session key with the fallback key and decrypting the encrypted payload using the session key decrypted with the fallback key.

9. The method of 8 wherein the session key is generated randomly.

10. The method of 9 further comprising:
- receiving more than one password.

11. The method of 10 further comprising:
- encrypting the hash of the session key for each password received.

12. The method of 11 further comprising:
- storing in the encrypted file;
  
  the encrypted hash of the session key for each password received.

13. The method of 12 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

14. The method of 12 wherein the encryption of the payload with the session key or the encryption of the hash of the session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

15. An apparatus to encrypt a payload, comprising:
- means for generating a session key;
  
  means for encrypting the payload with the session key;
  
  means for generating a hash of the session key;
  
  means for encrypting both the session key and the hash of the session key using a received password;
  
  means for encrypting the session key using a fallback key;
  
  means for storing an encrypted file with;
  
  the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key;
  
  means for sending the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key to a receiver;
  
  means for decrypting the password encrypted session key to obtain a decrypted session key;
  
  means for decrypting the encrypted hash of the session key to obtain a first hash of the session key;
  
  means for generating a second hash of the session key from the decrypted session key; and
  
  means for decrypting the encrypted payload with the decrypted session key if the first hash of the session key matches the second hash of the session key;
  
  means for decrypting, in response to determining that the first hash of the session key does not match the second hash of the session key, the fallback-encrypted session key using the fallback key, and decrypting the encrypted payload using the session key decrypted with the fallback key.

16. The apparatus of 15 wherein the session key generator generates the session key randomly.

17. The apparatus of 16 further comprising:
- means for receiving more than one password.

18. The apparatus of 17 further comprising:
- means for encrypting the hash of the session key for each password received.

19. The apparatus of 18 further comprising:
- means for storing in the encrypted file the encrypted hash of the session key for each password received.

20. The apparatus of 19 wherein the means for hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

21. The apparatus of 19 wherein the means for encrypting the payload with the session key or the means for the encryption of the hash of the session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

22. A non-transitory computer-readable storage medium, encoded with data and instructions, such that when executed by a computer, the instructions causes the computer to:
- generating a session key;
  
  encrypting a payload with the session key;
  
  generating a hash of the session key;
  
  encrypting both the session key and the hash of the session key using a received password;
  
  encrypting the session key with a fallback key;
  
  storing an encrypted file with;
  
  the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key;
  
  sending the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key to a receiver;
  
  decrypting the encrypted session key to obtain a decrypted session key;
  
  decrypting the encrypted hash of the session key to obtain a first hash of the session key;
  
  generating a second hash of the session key from the decrypted session key; and
  
  if the first hash of the session key matches the second hash of the session key, decrypting the encrypted payload with the decrypted session key;
  
  in response to determining that the first hash of the session key does not match the second hash of the session key, decrypting the fallback-encrypted session key using the fallback key, and decrypting the encrypted payload using the session key decrypted with the fallback key.

23. The non-transitory computer-readable medium of 22 wherein the session key generator generates the session key randomly.

24. The non-transitory computer-readable medium of 23 further comprising instructions to:
- receive more than one password.

25. The non-transitory computer-readable medium of 24 further comprising instructions to:
- encrypt the hash of the session key for each password received.

26. The non-transitory computer-readable medium of 25 further comprising instructions to:
- store in the encrypted file the encrypted hash of the session key for each password received.

27. The non-transitory computer-readable medium of 26 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

28. The non-transitory computer-readable medium of 26 wherein the encryption of the payload with the session key or the encryption of the hash of the session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

29. An apparatus to decrypt an encrypted file, the encrypted file including an encrypted payload, a password-encrypted session key, an encrypted hash of the session key, and a fallback-encrypted session key, comprising:
- a decryptor configured to receive a password, the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key and the fallback-encrypted hash, and to decrypt both the password-encrypted session key and the encrypted hash of the session key using the password;
  
  a hasher configured to hash the decrypted session key;
  
  a comparer configured to compare the hashed decrypted session key with the hash of the session key; and
  
  wherein the decryptor is further configured to decrypt the file payload when the hashed decrypted session key matches the hash of the session key;
  
  wherein the decryptor is further configured to decrypt, in response to determining that the hashed decrypted session key does not match the hash of the session key, the file payload using the session key decrypted using the fallback key.

30. The apparatus of 29 wherein the decryptor is further configured to decrypt another encrypted session key and a second hash value, the comparer is further configured to compare the second hash value with a hash of the decrypted another session key, and the decryptor is configured to decrypt the file payload when the second hash value matches the hash of the decrypted another session key.

31. The apparatus of 30 wherein the decryption of the another session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

32. The apparatus of 30 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

33. The apparatus of 30 wherein hashing the another decrypted session key with a received password uses:
- SHA1 or MD5 algorithms.

34. The apparatus of 30 wherein the encryption of the payload uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

35. A method of decrypting an encrypted file, the encrypted file including an encrypted payload, a password-encrypted session key, an encrypted hash of the session key, and a fallback-encrypted session key, comprising:
- receiving a password;
  
  receiving the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key;
  
  decrypting the password-encrypted session key using the password;
  
  decrypting the encrypted hash of the session key using the password;
  
  generating a hash of the decrypted session key;
  
  comparing the hashed decrypted session key with the hash of the session key; and
  
  decrypting the file payload using the decrypted session key when the hashed decrypted session key matches the hash of the session key;
  
  in response to determining that the hashed decrypted session key does not match the hash of the session key, decrypting the fallback-encrypted session key using a fallback key, and decrypting the file payload with the session key decrypted with the fallback key.

36. The method of 35 further comprising:
- decrypting another encrypted session key and a second hash value, comparing the second hash value with a hash of the decrypted another session key;
  
  decrypting the file payload when the second hash value matches the hash of the decrypted another session key.

37. The method of 36 wherein the decryption of the another session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

38. The method of 36 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

39. The method of 36 wherein hashing the another decrypted session key with a received password uses:
- SHA1 or MD5 algorithms.

40. The method of 36 wherein the encryption of the payload uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

41. An apparatus to decrypt an encrypted file, the encrypted file including an encrypted payload, a password-encrypted session key, an encrypted hash of the session key, and a fallback-encrypted session key, comprising:
- means for receiving a password;
  
  means for receiving the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key;
  
  means for decrypting the password-encrypted session key using the password;
  
  means for decrypting the decrypted hash of the session key using the password;
  
  means for generating a hash of the decrypted session key;
  
  means for comparing the hashed decrypted session key with the hash of the session key;
  
  means for decrypting the file payload, using the session key decrypted with the password, when the hashed decrypted session key matches the hash of the session key;
  
  means for decrypting, in response to determining that the hashed decrypted session key does not match the hash of the session key, the fallback-encrypted session key using a fallback key, and decrypting the file payload using the session key decrypted with the fallback key.

42. The apparatus of 41 further comprising:
- means for decrypting another encrypted session key and a second hash value, comparing the second hash value with a hash of the decrypted another session key;
  
  means for decrypting the file payload when the second hash-value matches the hash of the decrypted another session key.

43. The apparatus of 42 wherein the decryption of the another session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

44. The apparatus of 42 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

45. The apparatus of 42 wherein hashing the another decrypted session key with a received password uses:
- SHA1 or MD5 algorithms.

46. The apparatus of 42 wherein the encryption of the payload uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

47. A non-transitory computer-readable storage medium, encoded with an encrypted file, data and instructions, the encrypted file including an encrypted payload, a password-encrypted session key, an encrypted hash of the session key, and a fallback-encrypted session key, such that when executed by a computer, the instructions cause the computer to:
- receive a password;
  
  receive the encrypted file with the encrypted payload, the password-encrypted session key, the encrypted hash of the session key, and the fallback-encrypted session key;
  
  decrypt the password-encrypted session key using the password;
  
  decrypt the encrypted hash of the session key using the password;
  
  generate a hash of the decrypted session key;
  
  compare the hashed decrypted session key with the hash of the session key; and
  
  decrypt the file payload using the session key decrypted with the password when the hashed decrypted session key matches the hash of the session key;
  
  in response to determining that the hashed decrypted session key does not match the hash of the session key, decrypt the fallback-encrypted session key with the fallback key, and decrypt the file payload with the session key decrypted with the fallback key.

48. The non-transitory computer-readable medium of 47 is further configured with instructions causing a computer to:
- decrypt another encrypted session key and a second hash value, comparing the second hash value with a hash of the decrypted another session key;
  
  decrypt the file payload when the second hash value matches the hash of the decrypted another session key.

49. The non-transitory computer-readable medium of 48 wherein the decryption of the another session key uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

50. The non-transitory computer-readable medium of 48 wherein hashing the session key with a received password uses:
- SHA1 or MD5 algorithms.

51. The non-transitory computer-readable medium of 48 wherein hashing the another decrypted session key with a received password uses:
- SHA1 or MD5 algorithms.

52. The non-transitory computer-readable medium of 48 wherein the encryption of the payload uses:
- ARC4, AES, RSA, 3DES, DSA, Skipjack, Blowfish, or Two-Fish algorithms.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Matthews, Brian L, Ullman, Cayce M, Olechowski, Scott
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Turchen; James

Application Number

US10/969,220
Time in Patent Office

2,184 Days
Field of Search

713/165, 380/45
US Class Current

713/165
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0478   applying multiple layers of...

Multiple password documents

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple password documents

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links