Encryption or authentication of messages and other data has become a standard practice of businesses and individuals to safeguard information when it is transmitted over a public network, such as the Internet, or via wireless communication mechanisms. Many different encryption or authentication methods involve algorithms that encrypt information as a function of a key, such as a 128-bit string. Usually, the longer the key, the more difficult it is to decrypt the information, or to undetectably modify or forge the information, without knowledge of the key.
When keys are used for too long a time, a significant amount of information becomes encrypted or authenticated under the same key. A larger amount of encrypted or authenticated information under the same key makes it easier to determine how to decrypt the information, or forge undetectably modified or replaced information, without knowing the key, especially if that encrypted or authenticated information contains predictable or repetitive information.
When two strings that are to be encrypted or authenticated share an identical initial portion, and the encryption algorithm starts from the same initial encryption state information and uses the same key when encrypting or authenticating, respectively, each string, then it is possible to determine, at least partially, how to decrypt both messages, or to undetectably modify either message or forge a third related message, respectively. For this reason it is normal practice to ensure that some portion of that initial encryption state, some of that initial portion of the string to be encrypted or authenticated, or both, differs between any two instances of encryption or authentication, respectively, under the same key. Whether it is part of the string itself or separate initial state, this portion that differs with each instance of encryption or authentication, respectively, is commonly known as an “initialization vector”.
Escrow of keys is done to allow select investigative organizations to obtain keys to monitor information being transmitted. Often this monitoring is retrospective, analyzing information that was transmitted and recorded at an earlier time. Changing keys often to reduce the volume of encrypted or authenticated information under one key makes it difficult to manage an escrow of the keys. There may be communication breakdowns or other events which make communication of new keys to all concerned systems difficult. There is a need for a better way to manage escrow of keys while controlling the amount of information encrypted or authenticated under any one key.
A method of managing encryption keys creates a new encryption key as a predictable and retrospectively repeatable function of a current encryption key. Information is then encrypted or authenticated using the new encryption key. In one embodiment, the transition to the use of a new encryption key is a function of the amount of information encrypted or authenticated using the current encryption key. In a further embodiment, the new encryption key is used after a predetermined number of times of use of the current encryption key.
In yet a further embodiment, the new encryption key is created by using the current encryption key to encrypt a pre-agreed block of information, which may be an appropriate-length representation of the current encryption key. In a further embodiment, the current encryption key and a time-independent, or only coarsely time-dependent, method of creating a new encryption key are escrowed.
In the following description, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration specific embodiments which may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is to be understood that other embodiments may be utilized and that structural, logical and electrical changes may be made without departing from the scope of the present invention. The following description is, therefore, not to be taken in a limited sense, and the scope of the present invention is defined by the appended claims.
The functions or algorithms described herein are implemented in software or, in one embodiment, in a combination of software and human implemented procedures. The software comprises computer executable instructions stored on computer readable media such as memory or other type of storage devices. The term “computer readable media” is also used to represent any means by which the computer readable instructions may be received by the computer, such as by different forms of wireless transmissions. Further, such functions correspond to modules, which are software, hardware, firmware or any combination thereof. Multiple functions are performed in one or more modules as desired, and the embodiments described are merely examples. The software is executed on a digital signal processor, ASIC, microprocessor, or other type of processor operating as a computer system, such as a personal computer, server, digital instrument or other computer system.
A block diagram of a system implementing encryption key escrow and devices communicating using encryption keys is first described, along with a block diagram of a typical computer system capable of using the encryption key and changing keys in a manner that is predictable and retrospectively repeatable by an escrow agent. In one embodiment, the change is effected in a known time-independent manner. The term “time-independent” is meant to include changing keys in a coarsely time-dependent manner. This is followed by description of algorithms for using current encryption keys and generating the new keys. The term “encryption key” is meant to encompass the use of the key for authentication and for decryption.
The new key generation may be triggered by a passage of a predetermined amount of time, the encryption of a predetermined amount of information, or after a predetermined number of uses of the current encryption key. This may be done to prevent a large amount of information from being encrypted or authenticated by the same key, or to prevent duplication under the same key of the information being used as an “initialization vector”. The encryption or authentication of too much information using the same key renders it easier to decrypt the encrypted information, or to modify or forge messages undetectably, respectively, without having the key. The encryption of two strings using the same “initialization vector” may make it possible to decrypt at least part of both strings and to determine at least partial content relationships between the remaining portions of the two strings. The authentication of two strings using the same “initialization vector” may make it possible to modify undetectably either string, or to forge undetectably a related string.
In one embodiment, the new key is generated by simply encrypting the current key using the current key both as the encryption key and, in an appropriate-length representation, as the string to be encrypted. Successive new keys may be generated in the same manner. Any other type of method that is predictable and retrospectively repeatable may be used. In one embodiment, a method that is not time-dependent, or that is only coarsely time-dependent, may also be used, such as encrypting strings predictable to the escrow system and other intended users of the key, for example, encrypting successive integers represented as strings. The use of a time-dependent method, where the precise time of next-key generation affects the resulting new key, can make any later determination of the generated key by the escrow system extremely difficult. Use of a method that includes the coarse time of key use, such as the expected first hour or first day of key use, causes only minor difficulty in such a later determination. It is predictable and retrospectively repeatable in that an escrow agent may repeat the generation of the new key within a limited number of tries using a coarse time.
Computer-readable instructions stored on a computer-readable medium are executable by the processing unit 202 of the computer 210. A hard drive, RAM and non-volatile memory are some examples of articles including a computer-readable medium.
In one embodiment, information received from another device may be encrypted or authenticated using a new key. Since the information so encrypted or authenticated, respectively, cannot be decrypted or authenticated, respectively, using the current key, it may be assumed that a new key was generated, and the device may then determine that it needs to generate a corresponding new key in order to decrypt or authenticate, respectively, such information at 440.
In one embodiment, the new encryption key is created as a predictable and retrospectively repeatable function at 450. The key may also be created as a function of the current encryption key. In further embodiments, it may be created based on a string of bits predictable to the escrow system and other intended users of the key. Other methods of creating a new key that can be reliably and safely reconstructed at an arbitrary later time by an investigative organization, based solely on escrowed information, the approximate time at which the key was used, or both, also may be used. Information may then be encrypted or authenticated using the new key at 460. Other users may optionally be notified that the key has been changed at 470, or may detect that a new key is being used by being unable to decrypt or authenticate, respectively, received information using a current key, generating a new key, trying to decrypt or authenticate, respectively, the received information using the new key, and succeeding at that decryption or authentication, respectively.
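The following is an added example, written for this page rather than taken from the patent, that puts the pieces of the preceding description together: the new key is derived by encrypting the current key under itself (the self-encryption embodiment), a sender rotates after a fixed number of uses, a receiver that is never notified detects the change by an authentication failure and catches up by deriving successor keys, and an escrow agent holding only the root key replays the same deterministic function to recover any later key. Everything not in the text is an assumption of the example: AES-128 as the block cipher, AES-GCM as the combined encryption-and-authentication primitive, a session sequence number serving as the initialization vector, and the values of RootKey, MaxUses and MaxCatchUp, which are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed, hypothetical root key shared by both endpoints and lodged with the escrow agent; MaxUses and MaxCatchUp are example parameters too.
var RootKey = []byte("0123456789abcdef")

const MaxUses = 3    // derive a new key after this many encryptions under the current one
const MaxCatchUp = 2 // successor keys a receiver tries before rejecting a message

func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// NextKey derives the successor key as the text describes: the current key is both
// the AES-128 key and the single 16-byte block it encrypts, so no time or randomness enters.
func NextKey(cur []byte) []byte {
	next := make([]byte, len(cur))
	mustAES(cur).Encrypt(next, cur)
	return next
}

// KeyAtEpoch replays the ratchet n times from the escrowed root key; that is all an escrow agent needs.
func KeyAtEpoch(root []byte, n int) []byte {
	k := root
	for i := 0; i < n; i++ {
		k = NextKey(k)
	}
	return k
}

// Message carries a session-wide sequence number used as the nonce (initialization vector).
type Message struct {
	Seq        uint64
	Ciphertext []byte
}

func gcm(key []byte) cipher.AEAD {
	g, _ := cipher.NewGCM(mustAES(key)) // cannot fail for AES's 16-byte block size
	return g
}

func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

type Sender struct {
	Key         []byte
	Epoch, uses int
	seq         uint64
}

func (s *Sender) Seal(plaintext []byte) Message {
	if s.uses == MaxUses { // rotation trigger: a fixed number of uses of the current key
		s.Key, s.uses, s.Epoch = NextKey(s.Key), 0, s.Epoch+1
	}
	s.uses++
	s.seq++ // never reset across rotations, so no nonce repeats under any key
	return Message{Seq: s.seq, Ciphertext: gcm(s.Key).Seal(nil, nonce(s.seq), plaintext, nil)}
}

// Receiver is never told about rotations. A message that fails to authenticate under the
// current key is retried under at most MaxCatchUp successors; the receiver commits only on success.
type Receiver struct {
	Key   []byte
	Epoch int
}

func (r *Receiver) Open(m Message) ([]byte, error) {
	k := r.Key
	for step := 0; step <= MaxCatchUp; step++ {
		if pt, err := gcm(k).Open(nil, nonce(m.Seq), m.Ciphertext, nil); err == nil {
			r.Key, r.Epoch = k, r.Epoch+step
			return pt, nil
		}
		k = NextKey(k)
	}
	return nil, errors.New("message authenticates under neither the current key nor its successors")
}

func main() {
	s, r := &Sender{Key: RootKey}, &Receiver{Key: RootKey}
	for i := 0; i < 4; i++ {
		pt, err := r.Open(s.Seal([]byte("hello")))
		fmt.Printf("sender epoch %d, receiver epoch %d, plaintext %q, err %v\n", s.Epoch, r.Epoch, pt, err)
	}
}
```

Two design choices are worth noting. The catch-up loop is bounded and commits to a successor key only after a message has authenticated under it, so a garbage or tampered message cannot drive the receiver's key state forward or cost it more than MaxCatchUp derivations. And because the derivation is a one-way function of the previous key with no time input, the escrow agent can reconstruct any key from the root alone with no search at all; the coarsely time-dependent variant in the text would feed the expected hour or day of use into the encryption instead of the key itself, which is why it costs the escrow agent a limited number of tries rather than an unbounded one.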
The Abstract is provided to comply with 37 C.F.R. §1.72(b) to allow the reader to quickly ascertain the nature and gist of the technical disclosure. The Abstract is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.