Family of encryption keys

US 7,995,758 B1
Filed: 11/30/2004
Issued: 08/09/2011
Est. Priority Date: 11/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating an original symmetric encryption key useable to encrypt and decrypt information;

generating from the original symmetric encryption key a family of symmetric encryption keys useable to encrypt and decrypt information, the symmetric encryption keys of the family having a relationship such that a descendent key of the family is derivable from each key that is an ancestor of the descendent key in the family; and

rolling over a key used in securing information, said rolling over comprising providing a next symmetric encryption key of the family in an order opposite that of an order of key generation;

wherein said rolling over is performed using a hardware processor; and

wherein the family of symmetric encryption keys is used in a document control system to secure documents, the method further comprising synchronizing offline access information with a client, the offline access information comprising a key from the family of symmetric encryption keys.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and techniques relating to cryptographic keys include, in one implementation, a technique involving: generating a symmetric encryption key; and generating from the symmetric encryption key a family of symmetric encryption keys having a relationship such that a descendent key of the family is derivable from each key that is an ancestor of the descendent key in the family. Generating the family of symmetric encryption keys can involve cryptographically hashing the original symmetric encryption key and resulting hashed encryption keys. The technique can further include rolling over a key used in securing information by providing a next symmetric encryption key of the family in an order opposite that of an order of key generation; and a client can cryptographically hash a first symmetric encryption key to produce a second symmetric encryption key of the family and decrypt information associated with an electronic document with the key thus produced.

Citations

22 Claims

1. A method comprising:
- generating an original symmetric encryption key useable to encrypt and decrypt information;
  
  generating from the original symmetric encryption key a family of symmetric encryption keys useable to encrypt and decrypt information, the symmetric encryption keys of the family having a relationship such that a descendent key of the family is derivable from each key that is an ancestor of the descendent key in the family; and
  
  rolling over a key used in securing information, said rolling over comprising providing a next symmetric encryption key of the family in an order opposite that of an order of key generation;
  
  wherein said rolling over is performed using a hardware processor; and
  
  wherein the family of symmetric encryption keys is used in a document control system to secure documents, the method further comprising synchronizing offline access information with a client, the offline access information comprising a key from the family of symmetric encryption keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein generating the family of symmetric encryption keys comprises cryptographically hashing the original symmetric encryption key and resulting hashed encryption keys to produce the family.
  - 3. The method claim 2, further comprising:
    - cryptographically hashing, at a client, a first symmetric encryption key of the family one or more times to produce a second symmetric encryption key of the family; and
      
      decrypting, at the client, information associated with an electronic document with the second symmetric encryption key.
  - 4. The method of claim 3, wherein decrypting information comprises decrypting information in the electronic document with multiple symmetric encryption keys from the family.
  - 5. The method of claim 3, wherein decrypting information comprises decrypting another key useable to decrypt the electronic document.
  - 6. The method of claim 3, wherein the first symmetric encryption key is associated with a group of users of a document control system, and said decrypting information comprises decrypting an encrypt dictionary in the electronic document with the second symmetric encryption key.
  - 7. The method of claim 3, wherein the first symmetric encryption key is associated with a policy of a document control system, and said decrypting information comprises decrypting the electronic document.
  - 8. The method of claim 2, further comprising providing the family of symmetric encryption keys along with an indication of a reverse order of the family such that the keys of the family are useable in the reverse order.
  - 9. The method of claim 2, wherein generating the original symmetric encryption key comprises employing a randomized source to produce a 256 bit binary encryption key useable to decrypt binary data that has been encrypted with the 256 bit binary encryption key.
  - 10. The method of claim 2, wherein cryptographically hashing the original symmetric encryption key comprises employing a standardized secure hash function.
  - 11. The method of claim 1, wherein the family of symmetric encryption keys comprises a first family of symmetric encryption keys of size N, and said rolling over further comprises providing an encryption key from a second family of encryption keys once keys from the first family have been used.
  - 12. The method of claim 11, further comprising:
    - receiving input specifying the size N; and
      
      receiving input specifying when to perform said rolling over.

13. A non-transitory machine-readable medium embodying a software product comprising instructions operable to cause one or more data processing apparatus to perform operations comprising:
- rolling over a symmetric encryption key useable to encrypt and decrypt information, said rolling over comprising providing a new symmetric encryption key from which an old symmetric encryption key is derivable;
  
  wherein the old symmetric encryption key is derivable from the new symmetric encryption key by cryptographically hashing the new symmetric encryption key;
  
  wherein the new and old symmetric encryption keys are part of a first family of encryption keys of size N, and said rolling over further comprises providing an encryption key from a second family of encryption keys once keys from the first family have been used; and
  
  wherein said first and second families of encryption keys are used in a document control system to secure documents, the operations further comprising synchronizing offline access information with a client, the offline access information comprising a key from each of the first family and the second family.
- View Dependent Claims (14)
- - 14. The non-transitory machine-readable medium of claim 13, the operations further comprising:
    - receiving input specifying the size N; and
      
      receiving input specifying when to perform said rolling over.

15. A non-transitory machine-readable medium embodying a software product comprising instructions operable to cause one or more data processing apparatus to perform operations comprising:
- cryptographically hashing a first symmetric encryption key one or more times to produce a second symmetric encryption key; and
  
  decrypting information associated with an electronic document with the first symmetric encryption key in addition to the second symmetric encryption key wherein said first and second symmetric encryption keys are used in a document control system to secure one or more documents, the operations further comprising synchronizing offline access information with the document control system, the offline access information comprising the first symmetric encryption key.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory machine-readable medium of claim 15, wherein decrypting information comprises decrypting another key useable to decrypt the electronic document.
  - 17. The non-transitory machine-readable medium of claim 15, wherein the first symmetric encryption key is associated with a group of users of a document control system, and said decrypting information comprises decrypting an encrypt dictionary in the electronic document with the second symmetric encryption key.
  - 18. The non-transitory machine-readable medium of claim 15, wherein the first symmetric encryption key is associated with a policy of a document control system, and said decrypting information comprises decrypting the electronic document.

19. A system comprising:
- a document control server system including hardware, where the server system synchronizes offline access information with clients, including;
  
  sending an encryption key obtained in reverse order from a family of encryption keys generated by cryptographically hashing a first key of the family multiple times to form a total of N keys in the family of encryption keys,along with an indication of the reverse order of the family of encryption keys such that the total of N keys in the family are usable in the reverse order of key generation; and
  
  a client system including hardware, where the client system receives the offline access information from the document control server system and allows access to an electronic document, when offline, using the encryption key, including cryptographically hashing the encryption key as needed to access historical documents.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19, wherein the document control server system generates the family of encryption keys.
  - 21. The system of claim 19, wherein the document control server system receives the family of encryption keys from an encryption key server.
  - 22. The system of claim 19, wherein the document control server system provides persistent control over access to documents and includes a user interface to receive input specifying the total N and input specifying when to roll over an encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Shapiro, William M.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
YALEW, FIKREMARIAM A

Application Number

US11/000,637
Time in Patent Office

2,443 Days
Field of Search

380/259
US Class Current

380/259
CPC Class Codes

H04L 9/0833   involving conference or gro...

H04L 9/0891   Revocation or update of sec...

H04L 9/12   Transmitting and receiving ...

Family of encryption keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Family of encryption keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links