WO1999049613A1 - Cryptographic key-recovery mechanism - Google Patents

Cryptographic key-recovery mechanism

Info

Publication number
WO1999049613A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
key
kra
dynamic
static
Application number
PCT/US1999/003665
Other languages
French (fr)
Inventor
Aharon Friedman
Eva Bozoki
Original Assignee
Fortress Technologies, Inc.
Application filed by Fortress Technologies, Inc.
Priority to AU49517/99A
Publication of WO1999049613A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Definitions

  • Each VPN unit and a corresponding KRA negotiate a static common session key, K_{KRA,A}^st, using, e.g., the Diffie-Hellman key exchange protocol (exchanging their static public keys). After exchanging their public keys, a single common session key is calculated by both sides from their own static private keys and the other party's static public key.
  • the KRA also stores the static public key of all VPN units with which it performed a Diffie-Hellman key exchange. Depending on the need, these public keys may be released to third parties (such as government agencies), as desired.
  • units A and B also illustratively use the Diffie-Hellman key exchange protocol (exchanging their static public keys) to develop their static common crypto key, K_{A,B}^st. Note that this key will not be used to encrypt or decrypt messages but instead will be used in the dynamic public key exchange.
  • units A and B perform a second Diffie-Hellman key exchange protocol.
  • units A and B each exchange their respective dynamic public keys encrypted with the static common key, K_{A,B}^st(t), previously calculated.
  • K_{A,B}^dyn is calculated.
  • the message transmitted by unit A to unit B comprises:
  • unit B can decrypt unit A's dynamic public key P_A^dyn(t). However, since unit B does not know the static common key shared by KRA and unit A, unit B cannot decrypt unit A's dynamic private key. Unit B will also send unit A its dynamic private key encrypted with the common key it shares with its KRA, along with a time stamp.
  • step 50: the Authority which is, e.g., authorized by a Court Order, starts recording the decrypted messages between units A and B.
  • step 55: the Authority retrieves the static public key of unit A, P_A^st, and the static private key of KRA, S_KRA^st, from KRA and from these it calculates the static common session key between KRA and unit A,
  • step 60: the Authority retrieves the second D-H exchange message from A to B, E_{K_{KRA,A}^st}(S_A^dyn(T)), and after decryption obtains the dynamic private key of unit A, S_A^dyn(T). The Authority then retrieves the second D-H exchange message from B to A,
  • in step 75 the Authority calculates the dynamic common session key of units A and B, K_{A,B}^dyn(T), from S_A^dyn(T) and P_B^dyn(T).

Abstract

Nodes i, i = 1, ..., N, communicate with each other encrypted. They each have static private (S_i^st) and public (P_i^st) keys, which never change, and dynamic private (S_i^dyn(t)) and public (P_i^dyn(t)) keys, which are functions of time (t). A key recovery authority (KRA) also has static private (S_KRA^st) and public (P_KRA^st) keys, which never change. The KRA exchanges static public keys with each of the nodes, and thus develops a static common key (session key), K_{KRA,i}^st, with each of them using, for example, the Diffie-Hellman protocol. The KRA maintains a list of the static public keys of all nodes. Thus, the (static) session key with any of the nodes can be 'recovered' at any time. When two nodes, say i and j, exchange their dynamic public keys (encrypted with their static session key K_{i,j}^st(t)), each one attaches its dynamic secret key, encrypted with the static session key between it and the KRA. A time stamp is also included. With knowledge of the session key K_{KRA,i}^st, which can be recovered from the KRA, the dynamic private key of each node, S_i^dyn(t), can be recovered (and P_i^dyn(t) calculated) from a recording of any session (70). From S_i^dyn(t) and P_j^dyn(t) one can calculate the dynamic session key between the two nodes, K_{i,j}^dyn(t) (75). However, all other parties are still protected since their dynamic public keys are exchanged encrypted. Note that all nodes are still protected, and their sessions concealed, because their private keys are encrypted.

Description

CRYPTOGRAPHIC KEY-RECOVERY MECHANISM
Field of the Invention
The present invention is directed to cryptography and, more particularly, to a key escrow and key recovery method for use with a cryptography system using static (permanent) and dynamic (changing over time) cryptographic keys.
Background of the Invention
Cryptography has become essential to the acceptance of electronic commerce and sensitive electronic communications over a network. For example, secure digital signatures and verification methods provide high assurance that a party is who it represents itself to be in order to prevent unauthorized users and eavesdropping. This assurance is vital to the general acceptance of, for example, commerce over the Internet, the use of electronic money, cellular communications, and remote computer login procedures. Typically, certain well-known cryptographic methods are used to encrypt information in a manner that is very difficult to decrypt without certain secret information, thus making these signatures and verifications secure. One type of cryptographic method which is commonly used is public key cryptography.
Eavesdropping in a network can be thwarted through the use of a message encryption technique. A message encryption technique employs an encipherment function which utilizes a number referred to as a session key to encipher data (i.e., message content). Only the pair of hosts in communication with each other have knowledge of the session key, so that only the proper hosts, as paired on a particular conversation, can encrypt and decrypt digital signals. Two examples of encipherment functions are the National Bureau of Standards Data Encryption Standard (DES) (see e.g., National Bureau of Standards, "Data Encryption Standard", FIPS-PUB-45, 1977) and the more recent Fast Encipherment Algorithm (FEAL)(see e.g., Shimizu and S. Miyaguchi, "FEAL-Fast Data Encipherment Algorithm," Systems and Computers in Japan, Vol. 19, No. 7, 1988 and S. Miyaguchi, "The FEAL Cipher Family", Proceedings of CRYPTO '90, Santa Barbara, Calif, Aug., 1990). Another encipherment function is known as IDEA. One way to use an encipherment function is the electronic codebook technique. In this technique a plain text message m is encrypted to produce the cipher text message c using the encipherment function f by the formula c=f(m,sk) where sk is a session key. The message c can only be decrypted with the knowledge of the session key sk to obtain the plain text message m=f(c,sk).
Session key agreement between two communications hosts may be achieved using public key cryptography. (See e.g., U.S. Patent Nos. 5,222,140, 5,299,263). Before discussing public key cryptographic techniques, it is useful to provide some background information. Most practical modern cryptography is based on two notorious mathematical problems believed (but not proven) to be hard (i.e., not solvable in polynomial time, on the average). The two problems are known as Factorization and Discrete-Log. The Factorization problem is defined as follows:
Input: N, where N = pq and p and q are large prime numbers
Output: p and/or q.
The Discrete-Log problem is defined as follows:
Input: P, g, y, where y ≡ g^x mod P, and P is a large prime number
Output: x.
(The Discrete-Log problem can be similarly defined with a composite modulus N = pq).
Based on the Factorization and Discrete-Log problems, some other problems have been defined which correspond to the cracking problems of a cryptographic system.
One such problem which has previously been exploited in cryptography (see, e.g., H.C. Williams, "A Modification of RSA Public-Key Encryption", IEEE Transactions on Information Theory, Vol. IT-26, No. 6, Nov. 1980) is the Modular Square Root problem, which is defined as follows:
Input: N, y, where y ≡ x^2 mod N, and N = pq, where p and q are large primes
Output: x.
Calculating square roots is easy if p and q are known but hard if p and q are not known. When N is composed of two primes, there are in general four square roots mod N. As used herein, z ≡ √x mod N is defined to mean that z is the smallest integer whereby z^2 ≡ x mod N.
Another problem is known as the Composite Diffie-Hellman (CDH) problem, which is defined as follows:
Input: N, g, g^x mod N, g^y mod N, where N = pq and p and q are large primes.
Output: g^xy mod N.
It has been proven mathematically that the Modular Square Root and Composite Diffie-Hellman problems are equally difficult to solve as the above-mentioned factorization problem (see, e.g., M.O. Rabin, "Digitalized Signatures and Public Key Functions as Intractable as Factorization", MIT Laboratory for Computer Science, TR 212, Jan. 1979; Z. Shmuely, "Composite Diffie-Hellman Public Key Generating Schemes Are Hard To Break", Computer Science Department of Technion, Israel, TR 356, Feb. 1985; and K.S. McCurley, "A Key Distribution System Equivalent to Factoring", Journal of Cryptology, Vol. 1, No. 2, 1988, pp. 95-105).
In a typical public-key cryptographic system, each user i has a public key P_i (e.g., a modulus N) and a secret key S_i (e.g., the factors p and q). A message to user i is encrypted using a public operation which makes use of the public key known to everybody (e.g., squaring a number mod N). However, this message is decrypted using a secret operation (e.g., square root mod N) which makes use of the secret key (e.g., the factors p and q). Public key cryptographic techniques may be used for authentication. Authentication is a (theoretically) fool-proof technique for a party to verify that a party contacting it is the party it asserts to be. For example, a confidential network may require that a party authenticate itself before gaining access to the network.
Fig. 1A is a block diagram of a typical cryptography device 100 that may be utilized in the present invention. The device 100 has a processor 102 including one or more CPUs 102, a main memory 104, a disk memory 106, an input/output device 108, and a network interface 110. The devices 102-110 are connected to a bus 120 which transfers data, i.e., instructions and information between each of these devices 102-110.
Fig. 1B illustrates a network 150 over which cryptography devices 100 may communicate and which may be utilized in the present invention. Two or more cryptography devices 100, 100' may be connected to a communications network 152, such as a wide area network; which may be the Internet, a telephone network, or leased lines; or a local area network. Each device 100 may include a modem 154 or other network communication device to send encrypted messages over the communications network 152. A cryptography device 100 may be a gateway to a sub-network 156. That is, the device 100 may be an interface between a wide area network 152 and a local area (sub) network 156. An example of a public key cryptographic technique which may be performed by the device 100 is the well known Diffie-Hellman key exchange protocol. The Diffie-Hellman protocol conventionally provides a partially secure distribution system utilizing a symmetric crypto-key between two nodes of a local area network (LAN) or wide area network (WAN). In this protocol, both nodes compute their common crypto-key from their own private key, as well as from the other node's public key. The nodes exchange their public keys, but maintain (for security) their computed crypto-key.
For example, assume two nodes wish to communicate with each other via encrypted packet information. Each has their own private and public key, and consequently each pair of nodes will compute a different common secret crypto-key, which in turn will be used in a symmetric algorithm (using, e.g., well-known DES or IDEA algorithms, discussed above). Typically, the private key of each node is changed periodically. This will lead to two Diffie-Hellman key exchanges in each period, since the nodes do not have to be synchronized.
Further, it is known to use two private and two public keys in each node, i.e., one static key, which never changes, and one dynamic key, which is changed periodically (e.g., every 24 hours), in each private and public pair. One can use the static common crypto-key, developed via a Diffie-Hellman key exchange, to encrypt every consecutive dynamic key exchange.
Summary of the Invention
Described is a key escrow and key recovery method suitable for use with cryptography devices, such as the NetFortress™ VPN family of products. These products use four keys: static (permanent) private and public keys and dynamic (changing over time) private and public keys. Briefly, each node shares a permanent session key with a key recovery authority (KRA) and every pair of nodes share a permanent and a dynamic session key with each other. When two nodes initiate communication, the nodes exchange dynamic public keys (encrypted with a static common key shared by the two nodes), and each node also sends its dynamic private key encrypted with the session key it shares with the KRA. Because neither node knows the other node's session key with its KRA, it cannot decrypt the dynamic private key. However, a third party having a court order may be able to obtain the node/KRA session key for the two communicating nodes and thus obtain the dynamic private key for each node, permitting it to decrypt messages encrypted with the nodes' dynamic crypto key. In particular, nodes i, i = 1, ..., N, communicate with each other encrypted. They each have static private (S_i^st) and public (P_i^st) keys, which never change, and dynamic private (S_i^dyn(t)) and public (P_i^dyn(t)) keys, which are functions of time (t). A key recovery authority (KRA) also has static private (S_KRA^st) and public (P_KRA^st) keys, which never change. The KRA exchanges static public keys with each of the nodes, and thus develops a static common key (session key), K_{KRA,i}^st, with each of them using, for example, the Diffie-Hellman protocol. The KRA maintains a list of the static public keys of all nodes. Thus, the (static) session key with any of the nodes can be "recovered" at any time. When two nodes, say i and j, exchange their dynamic public keys (encrypted with their static session key K_{i,j}^st(t)), each one attaches its dynamic secret key, encrypted with the static session key between it and the KRA. A time stamp is also included.
With the knowledge of the session key K_{KRA,i}^st, which can be recovered from the KRA, the dynamic private key of each node, S_i^dyn(t), can be recovered (and P_i^dyn(t) calculated) from a recording of any session. From S_i^dyn(t) and P_j^dyn(t) one can calculate the dynamic session key between the two nodes, K_{i,j}^dyn(t). However, all other parties are still protected since their dynamic public keys are exchanged encrypted. Note that all nodes are still protected, and their sessions concealed, because their private keys are encrypted.
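The two-stage exchange just summarised, together with the Authority's recovery of FIG 3 (steps 55 to 75), as a constructed Python model added here; it is not Fortress Technologies' code and not the NetFortress implementation. Assumed for the example only: a toy Diffie-Hellman group (the Mersenne prime M521 with generator 3), an HMAC-SHA256 keystream standing in for the DES/IDEA cipher the page names, and the Node/KRA class names and JSON message layout.

```python
import hashlib
import hmac
import json
import secrets

# Toy Diffie-Hellman group, an assumption for this example (the page names no parameters):
# the Mersenne prime M521 with generator 3. Real deployments use a standardised group.
P = (1 << 521) - 1
G = 3
KEY_BYTES = 66  # enough bytes to hold any residue below P

def keypair():
    """Return (S, P) = (private exponent, G^S mod P)."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)

def common_key(my_private, their_public):
    """Diffie-Hellman common key: their_public^my_private mod P."""
    return pow(their_public, my_private, P)

def _keystream(key_int, nonce, n):
    # Stand-in for DES/IDEA: HMAC-SHA256 in counter mode, keyed from the DH common key.
    key = hashlib.sha256(key_int.to_bytes(KEY_BYTES, "big")).digest()
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key_int, data):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key_int, nonce, len(data))))

def decrypt(key_int, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key_int, nonce, len(body))))

class KRA:
    def __init__(self):
        self.s_st, self.p_st = keypair()   # S_KRA^st, P_KRA^st
        self.registry = {}                 # the KRA's list: node name -> P_i^st

    def enrol(self, node):
        self.registry[node.name] = node.p_st

class Node:
    def __init__(self, name, kra):
        self.name = name
        self.s_st, self.p_st = keypair()               # S_i^st, P_i^st (never change)
        self.k_kra = common_key(self.s_st, kra.p_st)   # K_{KRA,i}^st
        self.s_dyn = self.p_dyn = None                 # S_i^dyn(t), P_i^dyn(t)
        self.peers = {}                                # peer name -> [K_ij^st, K_ij^dyn]
        kra.enrol(self)

    def rotate_dynamic_keys(self):
        self.s_dyn, self.p_dyn = keypair()

    def static_exchange(self, peer):
        """First D-H exchange: K_{i,j}^st from S_i^st and P_j^st."""
        self.peers[peer.name] = [common_key(self.s_st, peer.p_st), None]

    def dynamic_exchange_message(self, peer_name, timestamp):
        """Second D-H exchange: E_{K_ij^st}(P_i^dyn) plus E_{K_KRA,i}(S_i^dyn, time stamp)."""
        escrow = json.dumps({"s_dyn": self.s_dyn, "t": timestamp}).encode()
        return {"from": self.name, "to": peer_name,
                "pub": encrypt(self.peers[peer_name][0], self.p_dyn.to_bytes(KEY_BYTES, "big")),
                "escrow": encrypt(self.k_kra, escrow)}

    def receive_dynamic(self, msg):
        """Decrypt the peer's P_j^dyn with K_ij^st and derive K_ij^dyn."""
        p_peer_dyn = int.from_bytes(decrypt(self.peers[msg["from"]][0], msg["pub"]), "big")
        self.peers[msg["from"]][1] = common_key(self.s_dyn, p_peer_dyn)

def recover_dynamic_key(kra, recording, a, b):
    """FIG 3 steps 55-75 as the Authority runs them with access to the KRA's keys."""
    k_kra_a = common_key(kra.s_st, kra.registry[a])   # step 55: K_{KRA,A}^st
    k_kra_b = common_key(kra.s_st, kra.registry[b])   # same for unit B
    msg_ab = next(m for m in recording if (m["from"], m["to"]) == (a, b))
    msg_ba = next(m for m in recording if (m["from"], m["to"]) == (b, a))
    s_a_dyn = json.loads(decrypt(k_kra_a, msg_ab["escrow"]))["s_dyn"]   # step 60: S_A^dyn
    s_b_dyn = json.loads(decrypt(k_kra_b, msg_ba["escrow"]))["s_dyn"]   # likewise S_B^dyn
    p_b_dyn = pow(G, s_b_dyn, P)            # P_B^dyn recomputed from S_B^dyn
    return common_key(s_a_dyn, p_b_dyn)     # step 75: K_{A,B}^dyn

def run_session():
    """One A<->B session: both exchanges, then returns (kra, a, b, recorded messages)."""
    kra = KRA()
    a, b = Node("A", kra), Node("B", kra)
    a.static_exchange(b); b.static_exchange(a)
    a.rotate_dynamic_keys(); b.rotate_dynamic_keys()
    recording = [a.dynamic_exchange_message("B", 1), b.dynamic_exchange_message("A", 1)]
    a.receive_dynamic(recording[1]); b.receive_dynamic(recording[0])
    return kra, a, b, recording

def peer_can_read_escrow(b, msg_from_a):
    """Can unit B open A's escrow blob with the only key it shares with A, K_AB^st?"""
    try:
        return "s_dyn" in json.loads(decrypt(b.peers["A"][0], msg_from_a["escrow"]))
    except (ValueError, TypeError):
        return False
```

The last function checks the page's protection claim from B's side: with only K_AB^st, B recovers nothing parseable from A's escrowed dynamic private key, while the Authority, holding S_KRA^st and P_A^st, recovers the same K_AB^dyn that both units computed.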
Brief Description of the Drawing
The present invention is described with reference to the following figures:
FIG 1A is a block diagram of a typical cryptography device;
FIG 1B illustrates a communications network over which cryptography devices may communicate;
FIG 2 schematically illustrates a VPN that may be used in accordance with the present invention; and
FIG 3 is a flowchart illustrating the steps taken to decrypt messages between two nodes by a third party in accordance with the present invention.
Detailed Description of the Invention
Preliminaries
The term "key recovery" is used herein as a generic term encompassing the various key escrow, trusted third-party, exceptional access, data recovery and key recovery encryption systems. All these key recovery systems share the following essential elements relevant to this invention:
* A mechanism, external to the primary means of encryption and decryption, by which a third party (such as a government law enforcement agency) can obtain covert access to the plaintext of encrypted data.
* The existence of a highly sensitive secret key (or collection of keys) which must be secured for an extended period of time.
In a network similar to network 150 illustrated in FIG 1B, we may assume that illustratively, devices 100 (A) and 100' (B) are each units from the NetFortress™ VPN family of products (VPN-1, VPN-3 or Remote), available from Fortress Technologies, Tampa, Florida, which products use Fortress Technologies' SPS (Secret Packet Shield™) core technology, such as described in U.S. patent number 5,757,924 to Friedman et al. and owned by Fortress Technologies. The contents of this patent are fully incorporated herein by reference. Of course, any cryptography devices may be used, as desired, which are programmed to perform the inventive method described below. FIG 2 schematically illustrates a VPN 100 (a network security device) that may be used in accordance with the invention. The security device 10 comprises a first interface 0 which is connected to the client host 12. Specifically, the interface 0 is connected to a network interface in the client host 12 via a cable or wire 13. The security device 10 comprises a second interface 1 which is connected to a portion of a network 150, such as the one described in FIG 1B. Illustratively, the interface 1 is connected to an Ethernet so that the interfaces 0, 1 are Ethernet interfaces such as SMC Elite Ultra Interfaces.
A CPU 14 is connected to the interfaces 0, 1. The CPU is for example an Intel 486 DX 62-66. A static memory 16 (e.g. flash EEPROM) is connected to the CPU 14 and a dynamic memory 18 (e.g. RAM) is connected to the CPU 14. An optional encryption module 20 performs encryption and large number arithmetic operations. The encryption unit may be implemented as a programmable logic array. Alternatively, the encryption module may be omitted and its function may be carried out using a software program which is executed by the CPU 14. The interface 0 is put in a promiscuous mode. In this mode, the interface 0 passes all communications from the client host 12 that is sensed on the cable 13 to the CPU 14. The network connection is via the interface 1 which is set to the same IP address as the client 12. The VPN 100 responds to the Address Resolution Protocol by sending its own (rather than the client's) MAC address. This adds a level of security by blocking attempts to bypass the device 10 using the Ethernet protocol.
The CPU 14 maintains two databases. One database is a static database stored in the flash ROM 16. This database contains permanent information about secured nodes in the network, i.e., the node IP address, the time it was entered into the database, and the node's permanent (static) public key. The second database is a dynamic database. The dynamic database contains information about secured and unsecured nodes, i.e., the node IP address, the time last updated, a flag indicating whether the node is secured (e.g., has its own network security device), a flag indicating whether the node is in transition (i.e., in the middle of a key exchange), and a pointer to the common secret key shared with that node. The transition flag has three possible values: 0 - not in transition, 1 - pending reply from the remote host, and 2 - pending computation of the common key.
The software executed by the CPU 14 has three components: (1) an operating system, (2) a networking system, and (3) key computation algorithms. The operating system and the networking system are both part of a Unix-like kernel. The key computation algorithms reside in memory and are signaled into action by the networking system. The operating system can be colorfully described as a lobotomized Linux system with all drivers taken out except those for the RAM, disk and Ethernet interfaces. The networking system handles communication, key exchange, encryption, configuration, etc.
Public key cryptography can be used to negotiate securely a unique common secret key between any two VPN units. Each unit has four keys associated with it: static private and public keys S_A^st and P_A^st (remaining the same during the lifetime of the unit, and characteristic of that unit), and dynamic private and public keys S_A^dyn(t) and P_A^dyn(t) (changing periodically).
KRA is the Key Recovery Authority, which stores the static public keys of all VPN units under its jurisdiction: P_i^st. Note that the KRA will typically not know the VPN units' static private keys, S_i^st, nor will it know their dynamic keys. The KRA has static private and public keys associated with it, S_KRA^st and P_KRA^st. Common keys between two entities (two VPN units, or one VPN unit and its KRA) are always calculated by each party. These common keys are obtained by each node or KRA performing functions on the other node's or KRA's public key. As a result, the common keys are never transmitted and consequently the common keys represent a shared secret between the two entities.

Normal operation
Each VPN unit and a corresponding KRA negotiate a static common session key, K_{KRA,A}^st, using, e.g., the Diffie-Hellman key exchange protocol (exchanging their static public keys). After exchanging their public keys, a single common session key is calculated by both sides from their own static private key and the other party's static public key. As previously mentioned, the KRA also stores the static public key of every VPN unit with which it has performed a Diffie-Hellman key exchange. Depending on the need, these public keys may be released to third parties (such as government agencies), as desired.
In regard to exchanges between two VPNs (each of which may be hardware, software or a combination thereof), units A and B also illustratively use the Diffie-Hellman key exchange protocol (exchanging their static public keys) to develop their static common crypto key, K_{A,B}^st. Note that this key will not be used to encrypt or decrypt messages but instead will be used in the dynamic public key exchange.
Once the static common key is calculated, units A and B perform a second Diffie-Hellman key exchange. In the second exchange, units A and B exchange their respective dynamic public keys encrypted with the previously calculated static common key, K_{A,B}^st. Each unit decrypts the received dynamic public key with the static common key and combines it with its own dynamic private key to calculate a dynamic common key, K_{A,B}^dyn(t).
Note that during the second Diffie-Hellman exchange, when unit A sends its dynamic public key to unit B (encrypted with the static common key shared by A and B), it attaches its dynamic private key encrypted with the common session key it shares with the KRA. A time stamp is also attached. Illustratively, the message transmitted by unit A to unit B comprises:

E_{K_{A,B}^st}(P_A^dyn(t)), E_{K_{KRA,A}^st}(S_A^dyn(t)), t

From this message, unit B can decrypt unit A's dynamic public key P_A^dyn(t). However, since unit B does not know the static common key shared by the KRA and unit A, unit B cannot decrypt unit A's dynamic private key. Unit B likewise sends unit A its own dynamic private key encrypted with the common key it shares with its KRA, along with a time stamp.
Listening by an "Authorized" 3rd party
For a third party to decrypt messages, the following steps are followed; they correspond to the flowchart of FIG. 3.
In step 50, the Authority, which is, e.g., authorized by a court order, starts recording the encrypted messages between units A and B. In step 55, the Authority retrieves the static public key of unit A, P_A^st, and the static private key of the KRA, S_KRA^st, from the KRA, and from these it calculates the static common session key between the KRA and unit A, K_{KRA,A}^st.

Next, in step 60, the Authority retrieves the second D-H exchange message from A to B, E_{K_{KRA,A}^st}(S_A^dyn(T)), and after decryption it obtains the dynamic private key of unit A, S_A^dyn(T). In step 65, the Authority retrieves the second D-H exchange message from B to A, E_{K_{KRA,B}^st}(S_B^dyn(T)), and after decryption with K_{KRA,B}^st (calculated in the same way from P_B^st and S_KRA^st) it obtains the dynamic private key of unit B, S_B^dyn(T). Then, in step 70, the Authority calculates the dynamic public key of unit B, P_B^dyn(T), from S_B^dyn(T).

Lastly, in step 75, the Authority calculates the dynamic common session key of units A and B, K_{A,B}^dyn(T), from S_A^dyn(T) and P_B^dyn(T). The dynamic common session key is the key needed to decrypt the messages in question between units A and B.
Conclusion

The inventive method of the present invention may be summarized by the following steps:

1. Nodes i, i = 1, ..., N, communicate with each other encrypted. They each have static private (S_i^st) and public (P_i^st) keys, which never change, and dynamic private (S_i^dyn(t)) and public (P_i^dyn(t)) keys, which are functions of time (t).
2. The Key Recovery Authority (KRA) also has static private (S_KRA^st) and public (P_KRA^st) keys, which never change. The KRA exchanges static public keys with each of the nodes and thus develops a static common key (session key), K_{KRA,i}^st, with each of them using, for example, the Diffie-Hellman protocol.
3. The KRA maintains a list of the static public keys of all nodes. Thus, the (static) session key with any of the nodes can be "recovered" at any time.
4. When two nodes, say i and j, exchange their dynamic public keys (encrypted with their static session key K_{i,j}^st), each one attaches its dynamic secret key, encrypted with the static session key between it and the KRA. A time stamp is also included:
   E_{K_{i,j}^st}(P_i^dyn(t)), E_{K_{KRA,i}^st}(S_i^dyn(t)), t
5. With knowledge of the session key K_{KRA,i}^st, which can be recovered from the KRA (as described in steps 2 and 3), the dynamic private key of each node, S_i^dyn(t), can be recovered (and P_i^dyn(t) calculated) from a recording of any session. From S_i^dyn(t) and P_j^dyn(t) one can calculate the dynamic session key between the two nodes (K_{i,j}^dyn(t)). However, all other parties are still protected since their dynamic public keys are exchanged encrypted.
6. All nodes are still protected, and their sessions concealed, because their private keys are encrypted.
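The two-stage exchange of the "Normal operation" section and the recovery procedure of FIG. 3 (steps 55 to 75), carried through end to end for units A and B under one KRA, as an added example that is not part of the patent and not code from Fortress Technologies' products. Everything below is the example's own assumption: the Diffie-Hellman group is the 1024-bit MODP group of RFC 2409 (embedded so the block runs offline; far too small for a new deployment), the page's unspecified E_K is stood in for by an HMAC-SHA256 keystream with an encrypt-then-MAC tag, the raw DH values are passed through a SHA-256 KDF, and the names Unit, run_session, authority_recover and peer_can_read_escrow are invented for illustration.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP), generator 2. Illustrative only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEYBYTES = 128  # private keys and DH values are serialized as 1024-bit big-endian integers


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte symmetric key from a DH shared value (assumed; the page names no KDF)."""
    return hashlib.sha256(label + shared.to_bytes(KEYBYTES, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the page's E_K: HMAC-SHA256 keystream, then an HMAC tag over nonce||ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def keypair():
    s = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return s, pow(G, s, P)


class Unit:
    """A VPN unit (or the KRA) holding static keys S^st, P^st and, for units, dynamic keys S^dyn(t), P^dyn(t)."""

    def __init__(self):
        self.s_st, self.p_st = keypair()
        self.s_dyn = self.p_dyn = None

    def static_common(self, peer_p_st: int) -> bytes:
        # First Diffie-Hellman exchange: K^st with a peer or with the KRA, computed locally, never sent.
        return kdf(pow(peer_p_st, self.s_st, P), b"static")

    def rekey(self):
        self.s_dyn, self.p_dyn = keypair()   # periodic refresh of the dynamic pair

    def exchange_message(self, k_peer_st: bytes, k_kra_st: bytes, t: int) -> tuple:
        # The page's second-exchange message: E_{K^st_{A,B}}(P^dyn(t)), E_{K^st_{KRA,A}}(S^dyn(t)), t
        return (encrypt(k_peer_st, self.p_dyn.to_bytes(KEYBYTES, "big")),
                encrypt(k_kra_st, self.s_dyn.to_bytes(KEYBYTES, "big")), t)

    def dynamic_common(self, k_peer_st: bytes, msg: tuple) -> bytes:
        # Second Diffie-Hellman exchange: open the peer's dynamic public key, combine with own S^dyn.
        peer_p_dyn = int.from_bytes(decrypt(k_peer_st, msg[0]), "big")
        return kdf(pow(peer_p_dyn, self.s_dyn, P), b"dynamic")


def run_session(t: int = 1) -> dict:
    """Normal operation between A and B under one KRA; returns what each party and a wiretap end up holding."""
    kra, a, b = Unit(), Unit(), Unit()
    k_kra_a, k_kra_b = a.static_common(kra.p_st), b.static_common(kra.p_st)
    k_ab_a, k_ab_b = a.static_common(b.p_st), b.static_common(a.p_st)
    a.rekey()
    b.rekey()
    msg_ab = a.exchange_message(k_ab_a, k_kra_a, t)
    msg_ba = b.exchange_message(k_ab_b, k_kra_b, t)
    return {
        "session_key_a": a.dynamic_common(k_ab_a, msg_ba),
        "session_key_b": b.dynamic_common(k_ab_b, msg_ab),
        "recording": (msg_ab, msg_ba),   # what a wiretap of the A-B link captures
        "kra": kra,                      # holds S_KRA^st; its stored list gives P_A^st, P_B^st
        "p_a_st": a.p_st, "p_b_st": b.p_st,
        "k_ab_st": k_ab_a,
    }


def authority_recover(kra: Unit, p_a_st: int, p_b_st: int, recording: tuple) -> bytes:
    """Steps 55-75 of FIG. 3: rebuild K^dyn_{A,B}(T) from S_KRA^st, the stored static public keys and the recording."""
    msg_ab, msg_ba = recording
    k_kra_a = kra.static_common(p_a_st)                               # step 55: K^st_{KRA,A}
    s_a_dyn = int.from_bytes(decrypt(k_kra_a, msg_ab[1]), "big")      # step 60: S_A^dyn(T)
    k_kra_b = kra.static_common(p_b_st)                               # same computation for B
    s_b_dyn = int.from_bytes(decrypt(k_kra_b, msg_ba[1]), "big")      # step 65: S_B^dyn(T)
    p_b_dyn = pow(G, s_b_dyn, P)                                      # step 70: P_B^dyn(T)
    return kdf(pow(p_b_dyn, s_a_dyn, P), b"dynamic")                  # step 75: K^dyn_{A,B}(T)


def peer_can_read_escrow(k_ab_st: bytes, recording: tuple) -> bool:
    """Unit B, holding only K^st_{A,B}, tries to open A's escrow field; the tag check fails."""
    try:
        decrypt(k_ab_st, recording[0][1])
        return True
    except ValueError:
        return False
```

run_session() plays both units and the KRA; authority_recover() then rebuilds K_{A,B}^dyn(T) from S_KRA^st, the two stored static public keys and the recorded exchange alone, which is exactly the property step 5 of the summary relies on: whoever holds S_KRA^st and a recording can open every past session of every unit under that KRA, so the KRA's static private key is the whole system's root secret. peer_can_read_escrow() confirms the point made for unit B above: the escrow field fails authentication under K_{A,B}^st. Nothing in the described message lets B check that the escrow field really contains S_A^dyn(t), and the time stamp is carried but not validated; the page does not address either, and this example does not either.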
The above described embodiments of the invention are intended to be illustrative only. Numerous alternative embodiments may be devised by those skilled in the art without departing from the spirit and scope of the following claims.

Claims

What is claimed is:
1. A method of determining a dynamic common key for decrypting messages transmitted between first and second nodes by a third party, comprising the steps of: retrieving a static public key of the first node, P_A^st, and a static private key of a corresponding key recovery authority (KRA) node, S_KRA^st, from said KRA node, wherein said KRA node has a static public key of each of said first and second nodes stored therein; determining a static common session key, K_{KRA,A}^st, between said KRA node and said first node, based on said P_A^st and S_KRA^st; retrieving a first exchange message, E_{K_{KRA,A}^st}(S_A^dyn(T)), transmitted from said first node to said second node; determining a dynamic private key of said first node, S_A^dyn(T), based on said E_{K_{KRA,A}^st}(S_A^dyn(T)); retrieving a second exchange message, E_{K_{KRA,B}^st}(S_B^dyn(T)), transmitted from said second node to said first node; determining a dynamic private key of said second node, S_B^dyn(T), based on said E_{K_{KRA,B}^st}(S_B^dyn(T)); determining a dynamic public key of said second node, P_B^dyn(T), based on said S_B^dyn(T); and determining said dynamic common key, K_{A,B}^dyn(T), based on said S_A^dyn(T) and said P_B^dyn(T), for decrypting messages transmitted between said first and second nodes by said third party.
2. The method of claim 1, wherein said first and second exchange messages include a time stamp.
3. The method of claim 1, wherein said first and second nodes comprise respective cryptography devices.
4. A method of decrypting a dynamic public key of a first node by a second node, comprising the steps of: retrieving a static public key, P_A^st, from said first node; determining a static common key, K_{A,B}^st, based on said P_A^st; retrieving a dynamic public key, P_A^dyn, from said first node which is encrypted with said K_{A,B}^st; and retrieving a dynamic private key, S_A^dyn, from said first node which is encrypted with a common session key between said first node and a key recovery authority (KRA) third party node, K_{KRA,A}^st; wherein said S_A^dyn encrypted with said K_{KRA,A}^st is utilized for decrypting said dynamic public key of said first node.
5. The method of claim 4, wherein said step of determining said static common key, K_{A,B}^st, is further based on a static private key of said second node.
6. The method of claim 5, wherein said S_A^dyn encrypted with said K_{KRA,A}^st further includes a time stamp.
7. The method of claim 4, wherein said first and second nodes comprise respective cryptography devices.
8. A transmitted data message, transmitted from a first node to a second node, for decrypting the first node's dynamic public key, comprising: a dynamic public key, P_A^dyn, from said first node which is encrypted with a static common key between said first and second nodes, K_{A,B}^st; and a dynamic private key, S_A^dyn, from said first node which is encrypted with a common session key between said first node and a key recovery authority (KRA) third party node, K_{KRA,A}^st; wherein said S_A^dyn encrypted with said K_{KRA,A}^st is utilized for decrypting said dynamic public key of said first node.
9. The message of claim 8, wherein said first node comprises a cryptography device and said second node is a key recovery authority (KRA) third party node.
10. The message of claim 8, wherein said first and second nodes comprise respective cryptography devices.
11. The message of claim 8 further comprising a time stamp.
12. A Key Recovery Authority (KRA) device for calculating a dynamic common key between a first and a second node for decrypting messages transmitted between said first and second nodes, said KRA device comprising: a memory for storing a respective static public key of each of said first and second nodes; and a processor for: retrieving said static public key of the first node, P_A^st, and a static private key of said KRA device, S_KRA^st, determining a static common session key, K_{KRA,A}^st, between said KRA device and said first node, based on said P_A^st and S_KRA^st, retrieving a first exchange message, E_{K_{KRA,A}^st}(S_A^dyn(T)), transmitted from said first node to said second node, determining a dynamic private key of said first node, S_A^dyn(T), based on said E_{K_{KRA,A}^st}(S_A^dyn(T)), retrieving a second exchange message, E_{K_{KRA,B}^st}(S_B^dyn(T)), transmitted from said second node to said first node, determining a dynamic private key of said second node, S_B^dyn(T), based on said E_{K_{KRA,B}^st}(S_B^dyn(T)), determining a dynamic public key of said second node, P_B^dyn(T), based on said S_B^dyn(T), and determining said dynamic common key, K_{A,B}^dyn(T), based on said S_A^dyn(T) and said P_B^dyn(T), for decrypting messages transmitted between said first and second nodes by said third party.
13. The KRA device of claim 12, wherein said first and second exchange messages include a time stamp.
14. The KRA device of claim 12, wherein said first and second nodes comprise respective cryptography devices.
PCT/US1999/003665 1998-02-20 1999-02-19 Cryptographic key-recovery mechanism WO1999049613A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU49517/99A AU4951799A (en) 1998-02-20 1999-02-19 Cryptographic key-recovery mechanism

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US7533098P 1998-02-20 1998-02-20
US60/075,330 1998-02-20

Publications (1)

Publication Number Publication Date
WO1999049613A1 true WO1999049613A1 (en) 1999-09-30

Family

ID=22125008

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1999/003665 WO1999049613A1 (en) 1998-02-20 1999-02-19 Cryptographic key-recovery mechanism

Country Status (2)

Country Link
AU (1) AU4951799A (en)
WO (1) WO1999049613A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004056033A1 (en) * 2002-12-12 2004-07-01 International Business Machines Corporation Systems methods and computer program products for accelerated dynamic protection of data
US7107246B2 (en) * 1998-04-27 2006-09-12 Esignx Corporation Methods of exchanging secure messages
CN107683402A (en) * 2015-05-22 2018-02-09 卡尔蔡司工业测量技术有限公司 For mobile terminal device intelligently to be coupled to and is connected to the system and method on coordinate measurment instrument
US20190182041A1 (en) * 2012-09-30 2019-06-13 Apple Inc. Secure escrow service
CN112260826A (en) * 2015-01-27 2021-01-22 维萨国际服务协会 Method for secure credential provisioning

Citations (4)

Publication number Priority date Publication date Assignee Title
US5557346A (en) * 1994-08-11 1996-09-17 Trusted Information Systems, Inc. System and method for key escrow encryption
US5557765A (en) * 1994-08-11 1996-09-17 Trusted Information Systems, Inc. System and method for data recovery
US5631961A (en) * 1995-09-15 1997-05-20 The United States Of America As Represented By The Director Of The National Security Agency Device for and method of cryptography that allows third party access
US5633929A (en) * 1995-09-15 1997-05-27 Rsa Data Security, Inc Cryptographic key escrow system having reduced vulnerability to harvesting attacks

Patent Citations (5)

Publication number Priority date Publication date Assignee Title
US5557346A (en) * 1994-08-11 1996-09-17 Trusted Information Systems, Inc. System and method for key escrow encryption
US5557765A (en) * 1994-08-11 1996-09-17 Trusted Information Systems, Inc. System and method for data recovery
US5640454A (en) * 1994-08-11 1997-06-17 Trusted Information Systems, Inc. System and method for access field verification
US5631961A (en) * 1995-09-15 1997-05-20 The United States Of America As Represented By The Director Of The National Security Agency Device for and method of cryptography that allows third party access
US5633929A (en) * 1995-09-15 1997-05-27 Rsa Data Security, Inc Cryptographic key escrow system having reduced vulnerability to harvesting attacks

Cited By (8)

Publication number Priority date Publication date Assignee Title
US7107246B2 (en) * 1998-04-27 2006-09-12 Esignx Corporation Methods of exchanging secure messages
WO2004056033A1 (en) * 2002-12-12 2004-07-01 International Business Machines Corporation Systems methods and computer program products for accelerated dynamic protection of data
US20190182041A1 (en) * 2012-09-30 2019-06-13 Apple Inc. Secure escrow service
US10708049B2 (en) * 2012-09-30 2020-07-07 Apple Inc. Secure escrow service
CN112260826A (en) * 2015-01-27 2021-01-22 维萨国际服务协会 Method for secure credential provisioning
CN112260826B (en) * 2015-01-27 2023-12-26 维萨国际服务协会 Method for secure credential provisioning
US11856104B2 (en) 2015-01-27 2023-12-26 Visa International Service Association Methods for secure credential provisioning
CN107683402A (en) * 2015-05-22 2018-02-09 卡尔蔡司工业测量技术有限公司 For mobile terminal device intelligently to be coupled to and is connected to the system and method on coordinate measurment instrument

Also Published As

Publication number Publication date
AU4951799A (en) 1999-10-18

Similar Documents

Publication Publication Date Title
US5222140A (en) Cryptographic method for key agreement and user authentication
Peyravian et al. Methods for protecting password transmission
AU743258B2 (en) Improved network security device
US5796833A (en) Public key sterilization
CA2211301C (en) Network security device
EP0998799B1 (en) Security method and system for transmissions in telecommunication networks
US5313521A (en) Key distribution protocol for file transfer in the local area network
JPH088895A (en) Method for key control of internet procedure and its device
US5633928A (en) Key escrow method with warrant bounds
Lenstra et al. A key escrow system with warrant bounds
EP1079565A2 (en) Method of securely establishing a secure communication link via an unsecured communication network
KR20050065978A (en) Method for sending and receiving using encryption/decryption key
CN109104278A (en) A kind of encrypting and decrypting method
Cheema et al. Improving the Secure Socket Layer by modifying the RSA algorithm
WO1999049613A1 (en) Cryptographic key-recovery mechanism
JP3699618B2 (en) Encryption key acquisition method and encryption key exchange apparatus
Gohel Introduction to Network & Cybersecurity
Cohen A secure computer network design
Sakuraii et al. A key escrow system with protecting user's privacy by blind decoding
Mambo et al. On the difficulty of key recovery systems
JPH02246640A (en) Common key delivery system using verification information of management center
Singh et al. Encryption algorithms with emphasis on probabilistic Encryption & time stamp in network security
Peng et al. Proxy cryptography for secure inter-domain information exchanges
Duc et al. The Advanced Encryption Standard and its application in the examination security in Vietnam
SC546 Cryptography on the Internet

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
NENP Non-entry into the national phase

Ref country code: KR

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase