FILE ENCRYPTION WITH KEY RECOVERY
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to a file encryption method and system. The invention also relates to a file encryption method and system of the type which uses a strong encryption algorithm based either on a shared secret key or a public key/private key cryptosystem, but which provides for emergency access to the file by legal authorities. The invention further relates to a file encryption method and system in which a "key recovery key" accessible by a key recovery agent is prepended to the encrypted file, and in which tampering with the key recovery key will prevent decryption of the encrypted file.
2. Discussion of Related Art
Current encryption methods and systems, including both shared secret key and public/private key methods and systems, are sufficiently powerful that without the key required to unlock a given message or file, the message or file cannot be recovered, even by law enforcement and national security agencies. To prevent such encryption methods and systems from being used by international criminal or terrorist organizations, or by hostile nations, the U.S. Government has prohibited their export unless provision for emergency access by legal authorities is included.
One solution to the problem of including emergency access to strongly encrypted files is described in U.S. Patent Nos. 5,557,346 and 5,557,765, which are assigned to Trusted Information Systems (TIS). The solution described in these patents, which as disclosed is limited to symmetric or shared secret key based systems, is essentially to encrypt the shared secret key by means of a public key, the corresponding private key of which is held by an escrow or key recovery agent, and to prepend the encrypted secret key to the encrypted file. The effect of the public key encryption of the secret key is to form a "digital lockbox," containing a "spare secret key," as described in TIS promotional literature.
The use of a "digital lockbox" to store the "spare secret key" is only effective so long as the spare secret key contained therein has not been tampered with. As a result, the TIS method and system also includes provision for verifying the authenticity of a "law enforcement access field" (LEAF) containing the spare secret key and for terminating the decryption procedure if the LEAF is not authentic. However, because the secret key protected by the LEAF in the TIS system is a "spare," it is still possible for anyone with the original secret key and access to the encrypted file to decrypt the encrypted file by also tampering with the decryption software so as to simply bypass the step in the decryption process which terminates the decryption procedure when the LEAF is not authentic, even as the party attempting to gain access through the spare key is prevented from doing so. This appears to be a critical flaw in the TIS system, and is the principal problem addressed by the present invention.
There are of course ways to protect decryption software from tampering that would effectively overcome this flaw in the TIS system, allowing use of the basic procedure without compromising security, by encoding the software in tamper-resistant hardware. This was the premise behind the U.S. Government's "clipper initiative," for which the TIS system is promoted as a replacement. In the "clipper" system and method, the encryption and decryption algorithms are kept entirely secret, as are the encryption keys, even from the user, by building the algorithms and keys into an integrated circuit referred to as the "clipper chip." However, for reasons which are described in detail in the TIS patents, including the complete surrender of key control and the requirement that all users purchase the special hardware, the purely software-implemented TIS "digital lockbox" concept offers a far more viable solution to the problem of emergency access than does the clipper initiative. As a result, it would be desirable to overcome the vulnerability of the TIS system to tampering with the decryption software without resorting to a "clipper chip" type hardware solution.
As a result, a need exists for an alternative both to the clipper initiative and to the TIS system, and in particular one which not only detects tampering with the "spare key" through which emergency access to an encrypted file can be obtained, but which also positively prevents decrypting of the encrypted file when the "spare key" has been tampered with without the need to also protect the decryption software from tampering. In addition, it would be desirable to provide a "spare key" system that can be used with a private key/public key cryptosystem, in which the recipient's private key is held only by the recipient, and yet which also prevents decryption when the spare key has been tampered with.
The main flaw in the TIS system can best be understood in connection with Figs. 7 and 8, which schematically and in simplified fashion illustrate the TIS system, and in particular by Fig. 8, which illustrates the decryption portion of the method and system. Basically, the flaw results from the fact that if the results of a tamper detection scheme are ignored, which can be accomplished by modifying block 1 in Fig. 8, then decryption of the encrypted file, which occurs at block 2 in Fig. 8, can be carried out based solely on information already in the possession of the decrypter, namely the original secret key Ks.
The TIS patents describe two embodiments, but both suffer from the same defect. On the encryption side, as shown in Fig. 7, after encrypting the message or data file 3 using the secret session key 4 to form EKs(F) at block 5, a LEAF verification string (LVS) is generated based on authentication information, program identifiers, and public keys 6 and encrypted at block 7 to form an encrypted LVS (ELVS) which is prepended to the encrypted data file at block 8 and can then be used to verify the LEAF. The LEAF is formed separately by encrypting the secret key at block 9 and adding verification information and further encryption at block 10.
As shown in Fig. 8, tamper detection is carried out beginning at block 11 by decrypting ELVS using the decrypter's copy of the secret key 12 to recover the authentication information, program identifiers, and public keys 13, which can then be combined with the public key encrypted secret key, generated at block 14, to reconstruct the LEAF (block 15). The reconstructed LEAF is compared with the original LEAF at block 16 and used to decide whether to terminate decryption (block 17) or proceed to recover the original file 18. As is evident from Fig. 8, if the output of the comparator 16, or the decision making step 2, are tampered with, then there is nothing to stop file decryption from being carried out at block 2 based on the secret key 11 which is already in the possession of the decrypting party.
The difference between the two embodiments described in the TIS patents lies in the contents of blocks 6 and 13, and the exact manner in which the LVS, ELVS, and LEAF fields are generated or reconstructed at blocks 7, 10, 12, and 15. These details have to do with the manner in which the LEAF is authenticated in order to detect tampering, and do not affect blocks 1, 2, and 16-18 in Fig. 8. In one embodiment, the LVS is constructed by combining a unique program identifier, a public portion of a program unique public key, and a digital signature made up of a combination of the unique program identifier and program unique first public key signed by the key recovery agent. The LVS is encrypted by session key Ks, while the LEAF itself is formed by encrypting the first public key, combining the first public key with the unique program identifier and a program unique first public key, so that the receiver can verify the sender's identity by using the secret key to decrypt the ELVS, check the digital signature using the public portion of the key recovery agent's private key, and then recreate the LEAF. In the second embodiment described in the TIS patents, the LEAF is generated by splitting the secret key and encrypting the split parts under multiple key recovery agent public keys, and the ELVS is formed by an encrypted concatenation of the secret key parts, with the concatenation again being recovered by decrypting the encrypted LEAF verification string, which is then used to reconstruct the LEAF for comparison with the original LEAF prepended to the encrypted file. In both embodiments, the result is a comparison between the reconstructed LEAF and the LEAF prepended to the encrypted file, based on information extracted from the prepended ELVS, the comparison being used to determine whether to proceed with the decryption. No matter how the LEAF is authenticated, if the results of the authentication are ignored, decryption can still be carried out.
Thus, while the procedure described in U.S. Patent Nos. 5,557,765 and 5,557,346 verifies the sender of a message and detects tampering with the LEAF, which corresponds generally to the key recovery key of the present invention, it does not affirmatively prevent the receiver from decrypting the message even if the key recovery key is not verified, because the LEAF is not necessary to the decryption process. Instead, the secret key Ks used to encrypt and decrypt the file is assumed to be possessed by both the sender and receiver or "negotiated" between the sender and receiver (col. 12, lines 47-49 and col. 13, lines 13-15), and by itself is all that is necessary to decrypt the encrypted file.
This ability to alter the LEAF as described above essentially negates the utility of the TIS method and system, since alteration of the LEAF under the TIS system would be undetectable by the key recovery agent until access to the encrypted file was required, at which point the encrypted message might already also be in the possession of a party with possession of the shared secret key, and it would be too late to prevent damage caused by opening the contents of the file to the decrypting party.
SUMMARY OF THE INVENTION
It is accordingly an objective of the invention to provide a file encryption system and method that permits access to the encrypted file by an investigating agency via a key recovery key, and therefore complies with U.S. export regulations, while preventing decryption of the encrypted file if the key recovery key has been tampered with.
It is also an objective of the claimed invention to provide a file encryption system and method of the type described above, in which file decryption is prevented if the key recovery key has been tampered with, thus allowing both detection of tampering and at the same time preventing access to the file by anyone if tampering has occurred, and which also makes it impossible to avoid the decryption prevention features by tampering with the decryption software.
It is a further objective of the invention to provide a file encryption system and method of the type described above, which can be applied to both symmetric (shared secret key) and asymmetric (public key/private key) cryptosystems.
It is yet another objective of the invention to provide a file encryption system and method of the type described above, in which the decryption-prevention features cannot be avoided by tampering with the decryption software, without the need to protect the decryption software by hardware.
In its broadest form, the invention achieves these objectives by basing file encryption and decryption on a unique value and by combining the unique value with the key recovery key in such a manner that the unique value cannot be recovered by the recipient of the file unless the key recovery key has not been tampered with.
In the case of a symmetric cryptosystem, the above objectives are achieved by basing file encryption and decryption on a session key formed from the shared secret key and a unique value, the unique value being generated during the encryption process and combined with the key recovery key so that decryption is only possible when the correct key recovery key is prepended to the file to be decrypted.
In the case of an asymmetric cryptosystem, the above objectives are also achieved by combining the unique value with the key recovery key, except that instead of generating a session key, the file is encrypted by the unique value, and the combination of the unique value and the key recovery key is encrypted by a public key of the recipient for prepending to the encrypted file along with the key recovery key.
In a preferred embodiment of a symmetric version of the invention, the session key is a random number or other session specific value or string encrypted by the shared secret key, the key recovery key is the session key encrypted by the key recovery agent's public key, and the encrypted data file is stored with the key recovery key and a tamper-prevention string consisting of a combination of the original random number or other session specific value or string, the key recovery key and a hash of the encrypted data file. To recover the unique value necessary to regenerate the session key without unlocking the key recovery key, the decrypting party must combine the hash of the encrypted file and the key recovery key. If the key recovery key has been tampered with in any way, then the original random number cannot be recovered, no matter how the decryption software is altered.
On the other hand, in a preferred embodiment of the asymmetric version of the invention, the unique value, which could also be a random number or other session specific value or string, is used to encrypt the data file directly, is encrypted by the key recovery agent's public key to form the key recovery key, and is combined with the key recovery and, optionally, other values such as the hash of the encrypted file, to form an altered unique value which is then encrypted using a public key of the recipient and prepended to the file. The altered unique value is protected because it can only be recovered using the private key of the recipient, while the original unique value necessary to decrypt the file can only be recovered if the key recovery key prepended to the file has not been tampered with.
As a result, according to the principles of the preferred embodiment of the invention, even though the file encryption method and system of the invention utilizes a shared secret key or private key under exclusive control of the user or users, the session key or unique value necessary to decrypt the encrypted file is not shared but rather can only be recovered by the decrypting party if the unique value is known by the decrypter, and the unique value can only be known to the decrypter if the key recovery key prepended to the file is correct. Moreover, the correct key recovery key cannot be recreated by the decrypter in order to reconstruct the original random number or session specific value or string because the key recovery key depends on the original session key or unique value.
Because the method and system of the invention cannot be defeated by collaboration or tampering with the key recovery key and decryption software, it will be understood that the method and system of the invention is equally applicable to encryption of communications between remote parties, and also to encryption of files for storage purposes, for example to protect data on an individual's hard disk, so that if the computer were stolen or data on a server were accessed, it could not be read and become available to others.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a flowchart illustrating the shared secret key based file encryption and key recovery key generating process, as well as the steps by which decryption of the encrypted file is made dependent on the authenticity of the key recovery key in order to prevent tampering, according to the method of a first preferred embodiment of the invention.
Fig. 2 is a flowchart illustrating a file decryption process according to the method of the first preferred embodiment of the invention.
Fig. 3 is a flowchart illustrating a public key/private key based file encryption and decryption process according to the method of a second preferred embodiment of the invention.
Fig. 4 is a schematic depiction of the file encryption process of the first preferred embodiment, and of a system for implementing the preferred encryption process.
Fig. 5 is a schematic depiction of the file decryption process of the first preferred embodiment, and of a system for implementing the preferred decryption process.
Fig. 6 is a schematic depiction of both the file encryption and decryption processes of the second preferred embodiment, and of a system for implementing the preferred processes.
Fig. 7 is a schematic depiction of the prior art TIS file encryption system and method.
Fig. 8 is a schematic depiction of the decryption portion of the prior art TIS file encryption system and method.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
In its broadest form, the invention is a method and system in which file encryption and decryption are based on a unique value and the unique value is combined with a key recovery key in such a manner that the unique value cannot be recovered by the recipient of the file unless the key recovery key has not been tampered with.
The two principal embodiments of this broad concept are an application to a shared secret key based system, and an application to a public key/private key cryptosystem. The first embodiment is illustrated in Figures 1, 2, 4, and 5, and the second embodiment is illustrated in Figures 3 and 6.
In the method and system of the first preferred embodiment of the invention, a shared secret key is used to encrypt a session specific value to form a session key, the session key is used to encrypt a file and in turn is encrypted by the public key of a key recovery agent to form a key recovery key, and the session specific value is combined with the key recovery key and also prepended to the file so as to permit recovery of the session specific value, and therefore regeneration of the session key, if and only if the key recovery key has not been tampered with.
Fig. 1 illustrates the steps by which a file is encrypted and the key recovery key (KRK) is generated according to the first preferred embodiment of the invention. As illustrated in Fig. 1, a random number is generated by the encrypting party (step 100) and the shared secret key Ks is used to encrypt the randomly generated number R, producing the session key or data encrypting key DEK = EKs(R) (step 110). The session key DEK is then encrypted by a public key of the key recovery agent to form the key recovery key (step 120) and the data file F is encrypted using the session key DEK to form the encrypted data file EDEK(F) (step 130), to which the key recovery key KRK is prepended (step 140).
These steps are similar to those disclosed in the above-cited TIS patents, except that the session key is not negotiated between parties but rather is generated by the encrypting party based on a shared secret key and a session specific value in the form of a random number.
While generating a session key in this manner is known in contexts unconnected with the key recovery problem or the method and system described in the TIS patents, in those contexts the random number is simply prepended to the encrypted file so that it can be used by the decrypting party to regenerate the session key based on the shared secret key already in possession of the decrypting party, whereas the present invention combines the random number, which is initially known only to the encrypting software, with a key recovery key, thereby preventing decryption of the encrypted file whenever the key recovery key has been tampered with.
The shared secret key Ks can be any value or string usable in an encryption and decryption process, and may be stored in, generated by, or negotiated by the encryption and decryption hardware and/or software in such a manner that it is known only to the party or parties wishing to encrypt the file and subsequently decrypt it. In addition, generation of the session key by encrypting the random number or other session specific value using the shared secret key can be accomplished by any suitable algorithm, such as the DES encryption algorithm, the encryption algorithm used to form the session key forming no part of the present invention.
In the case of a program that encrypts files for storage on a hard disk to protect against unauthorized access to the computer or theft of the computer or hard disk, the shared secret key Ks can easily be protected by storage on a smart card or other removable media which is inserted into a smart card reader for use in both file encryption and decryption, whereas in the case of remote communications the shared secret key can be stored with the respective encryption and decryption software so long as the software itself is secure.
It will therefore be appreciated by those skilled in the art that the illustrated encryption scheme could utilize any key-generating algorithm, and that the encrypted file could either be used to protect communications between computers, or to protect data on an individual's hard disk, so that if the computer were stolen or data on a server were accessed, the data could not be read and thus become available to others.
The specific steps in the encryption process during which decryption of the encrypted file is prevented if the key recovery key has been tampered with are also illustrated in Fig. 1. In this example, a portion of the encrypted file, such as the first 16 bytes, is hashed, for example by computing the MD5 hash value (step 150), and the resulting hash value is then combined with the session specific value R and the key recovery key KRK to obtain a modified value R' = R XOR (MD5(F1-16) XOR KRK) (step 160), which is prepended to the data file (step 170) in place of the R value that would, in conventional systems, be prepended to the file to permit recovery of the session key.
The procedure for accessing the file using the key recovery key is not illustrated but simply involves using the private key of the key recovery agent to decrypt the key recovery key KRK and thereby recover the encrypted session key DEK, which can then be used to directly decrypt the encrypted file. Because the session key DEK rather than the shared secret key Ks is recovered, the integrity of the shared secret key is protected, and knowledge by the key recovery agent of the random number is not necessary.
On the other hand, as illustrated in Fig. 2, the owner of the shared secret key Ks does not have direct access to the session key DEK, and therefore must recover the session specific value or random number R in order to re-generate the session key and decrypt the encrypted file. This is accomplished by requiring, as a pre-requisite to decryption of the encrypted data file EDEK(F) following retrieval of the encrypted data file, the key recovery key, and the value R' (step 190), that the hash of a portion of the encrypted data file be performed (step 200) and that the result be combined with the key recovery key and the value R' using the same operation (step 210) as was performed during encryption, namely an exclusive OR operation on the key recovery key, the MD5 hash of the first 16 bytes of the encrypted file, and R', resulting in recovery of the original session specific value R. Once R is extracted from R', decryption of the file content can proceed in the known fashion by encrypting the session specific value R using the shared secret key Ks to obtain the session key DEK (step 220), and then decrypting the encrypted file using the session key DEK to recover the original file F (step 230).
The method illustrated in Figs. 1-2 can be further understood in connection with Figs. 4 and 5. As shown in Fig. 4, the respective encryption operations of generating the session key, the key recovery key, the MD5 hash, and the prepended value R', and encrypting the original file, are indicated by elements 300-340 respectively, while input, retrieval, or generation of the original random number R, shared secret key Ks, data file F, and public key of the key recovery agent are indicated by blocks 350-380, and the resulting file to be stored or transmitted is indicated by block 390, with elements 320 and 330 in particular being unique to the present invention.
On the decryption side of the preferred system and method, as shown in Fig. 5, are elements which generate an MD5 hash of a portion of the encrypted file (block 400), and extract R by performing an exclusive OR operation on the MD5 hash, the key recovery key, and the prepended value R' (block 410). Also included are a session key generator (block 420) identical to block 300 on the encryption side, which uses shared secret key input 430 and extracted value R to generate key DEK, and the file decryption block 440 for recovering the original data file, indicated in this figure by reference numeral 450. It will be apparent from an examination of Figs. 4 and 5 that all of the illustrated operations can be performed either by software on a general purpose computer or with the assistance of dedicated circuitry. The file represented by block 390 can be stored on or transmitted by any desired medium and, as indicated above, the shared secret key Ks can be stored with the encryption software or separately stored, as necessary, or can be negotiated with or obtained from a remote party using a variety of known methods. The public key of the key recovery agent must of course be obtained from the key recovery agent, but could either be pre-packaged with the encryption software or obtained and stored by other well-known methods.
Because the tamper-prevention procedure does not affect generation of the key recovery key KRK or encryption of the file using the session key DEK, the key recovery agent can still decrypt the file by recovering the data encryption key using the private key corresponding to the public key by which the session key was encrypted in the first place to form the key recovery key, which should make the method and system of the invention suitable for export.
The second preferred embodiment of the invention, illustrated in Figures 3 and 6, is essentially the same as the first preferred embodiment, except that the unique value modification and recovery aspects of the method and system of this embodiment, which prevent decryption if the key recovery key has been tampered with, are adapted for use with a public key/private key cryptosystem. This type of system and method has the advantage that the key necessary to decrypt the file is held only by the recipient, and need not be made available at any time either to the key recovery agent or to the sender of the file.
The method of this embodiment begins with generation of a unique value, which as in the first preferred embodiment can be any random or session specific value or string. However, instead of using this value to generate a session key (step 1000), the unique value R is used as the encryption key for file F (step 1010), and the key recovery key KRK is generated by encrypting the unique value with the public key of the key recovery agent (step 1020).
The key recovery key of this embodiment can be used in exactly the same way as in the first embodiment, i.e., by prepending it to the encrypted file so that the key recovery agent can recover the unique value R using its private key and thereby decrypt the file. The recipient, on the other hand, is not given direct access to R, but rather to a modified value R' generated by first performing a hash of the encrypted file (step 1030), and then combining the hash with the unique value R and the key recovery key KRK using a one-way or irreversible function such as the exclusive OR function (step 1040). The altered value R' is then encrypted using the recipient's public key so that it can only be decrypted by a private key of the recipient (step 1050), and the key recovery key KRK and recipient's recovery key RRK are prepended to the file for transmission or storage with the encrypted file (step 1060).
When the encrypted file is retrieved or received by a party other than the key recovery agent (step 1080), the altered value R' is recovered by decrypting the recipient's recovery key using the private key of the recipient (step 1090), and R is then recovered from R' in the same manner as in the first preferred embodiment of the invention, namely by generating a hash of the encrypted file (step 1100), and combining R', the hash, and the key recovery key KRK using a one way function such as an exclusive OR function (step 1110). Once R has been recovered, the file can be decrypted using R as the decryption key (step 1120).
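Both embodiments (Figs. 1-2, steps 100-230, and Fig. 3, steps 1000-1120) follow, as an added worked example that is not part of the patent and not any implementation by TIS or the applicant. It assumes stand-ins the patent does not specify: textbook RSA over constructed Mersenne-prime moduli for the key recovery agent's and recipient's public keys, and an HMAC-SHA256 keystream in place of the DES-style file and session-key encryption; the values Ks, F and R are constructed.

```python
import hashlib
import hmac
import os


def rsa_keypair(p, q, e=65537):
    """Toy textbook RSA (assumption): returns ((e, n), (d, n)). Sizes here are far too small for real use."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


# Constructed key pairs: 2^61-1, 2^89-1, 2^107-1 and 2^127-1 are Mersenne primes.
AGENT_PUB, AGENT_PRIV = rsa_keypair((1 << 61) - 1, (1 << 89) - 1)
RECIP_PUB, RECIP_PRIV = rsa_keypair((1 << 107) - 1, (1 << 127) - 1)


def pk_apply(m, key):
    """Textbook RSA: the same modular exponentiation encrypts (public key) or decrypts (private key)."""
    exp, n = key
    return pow(m, exp, n)


def stream_cipher(key, data):
    """Stand-in for the page's DES-style cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def md5_int(ct):
    """MD5 of the first 16 bytes of the encrypted file, as an integer (steps 150/200, 1030/1100)."""
    return int.from_bytes(hashlib.md5(ct[:16]).digest(), "big")


def unmask(r_mod, ct, krk):
    """R = R' XOR MD5(F1-16) XOR KRK (steps 210, 1110). Any change to KRK changes the recovered R."""
    r = r_mod ^ md5_int(ct) ^ krk
    return r.to_bytes(max(16, (r.bit_length() + 7) // 8), "big")


# --- First embodiment: shared secret key Ks (Figs. 1, 2, 4, 5) ---
def session_key(ks, r):
    """DEK = EKs(R); HMAC under Ks stands in for encrypting R with Ks (assumption)."""
    return hmac.new(ks, r, hashlib.sha256).digest()[:16]


def sym_encrypt(ks, f, r=None):
    r = r or os.urandom(16)                                     # step 100
    dek = session_key(ks, r)                                    # step 110
    krk = pk_apply(int.from_bytes(dek, "big"), AGENT_PUB)       # step 120
    ct = stream_cipher(dek, f)                                  # step 130
    r_mod = int.from_bytes(r, "big") ^ md5_int(ct) ^ krk        # steps 150-160
    return {"krk": krk, "r_mod": r_mod, "ct": ct}               # steps 140, 170


def sym_decrypt(ks, pkg):
    r = unmask(pkg["r_mod"], pkg["ct"], pkg["krk"])             # steps 190-210
    return stream_cipher(session_key(ks, r), pkg["ct"])         # steps 220-230


def sym_agent_recover(pkg):
    """The agent's private key unlocks KRK to DEK directly; Ks and R never reach the agent."""
    dek = pk_apply(pkg["krk"], AGENT_PRIV).to_bytes(16, "big")
    return stream_cipher(dek, pkg["ct"])


# --- Second embodiment: public key / private key (Figs. 3, 6) ---
def asym_encrypt(f, r=None):
    r = r or os.urandom(16)                                     # step 1000
    ct = stream_cipher(r, f)                                    # step 1010: R is the file key
    krk = pk_apply(int.from_bytes(r, "big"), AGENT_PUB)         # step 1020
    r_mod = int.from_bytes(r, "big") ^ md5_int(ct) ^ krk        # steps 1030-1040
    rrk = pk_apply(r_mod, RECIP_PUB)                            # step 1050
    return {"krk": krk, "rrk": rrk, "ct": ct}                   # step 1060


def asym_decrypt(pkg):
    r_mod = pk_apply(pkg["rrk"], RECIP_PRIV)                    # step 1090
    r = unmask(r_mod, pkg["ct"], pkg["krk"])                    # steps 1100-1110
    return stream_cipher(r, pkg["ct"])                          # step 1120


def asym_agent_recover(pkg):
    r = pk_apply(pkg["krk"], AGENT_PRIV).to_bytes(16, "big")
    return stream_cipher(r, pkg["ct"])


def tamper_krk(pkg):
    """Simulate a one-bit modification of the prepended KRK in the stored file."""
    out = dict(pkg)
    out["krk"] ^= 1
    return out


if __name__ == "__main__":
    ks, f = b"constructed shared secret key Ks", b"constructed plaintext file contents"
    pkg = sym_encrypt(ks, f)
    print("recipient ok:", sym_decrypt(ks, pkg) == f, "| agent ok:", sym_agent_recover(pkg) == f)
    print("tampered KRK yields file:", sym_decrypt(ks, tamper_krk(pkg)) == f)
```

With an intact KRK the recipient, and separately the agent, recover F; with even one bit of KRK changed the recipient's R, and hence DEK or the file key, is wrong and the output is unrelated to F.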
The method of the second preferred embodiment of the invention can be further understood in connection with Fig. 6. As shown therein, the respective encryption operations of generating the key recovery key KRK, the MD5 hash, value R', recipient's recovery key RRK, and encrypting the original file, are indicated by elements 1200-1240, respectively, while input, retrieval, or generation of the original unique value R, the public key of the key recovery agent, the public key of the recipient, the data file F, and the encrypted data file with prepended key recovery key and recipient's recovery key are indicated by blocks 1250-1290, respectively. On the decryption side of the system of this preferred embodiment of the invention are elements which decrypt the recipient's recovery key (block 1300) using the private key of the recipient (block 1310) to recover the altered value R', generate a hash of the encrypted data file (block 1320), recover the original unique value by combining the altered value R', the hash, and the key recovery key KRK (block 1330), and finally decrypt the encrypted data file using the unique value (block 1340).
As with the first preferred embodiment of the invention, in the second preferred embodiment of the invention the unique value necessary to decrypt the encrypted file can only be obtained if the key recovery key KRK has not been altered, because of the manner in which the unique value is combined with the key recovery key. Although the two embodiments differ in the manner in which the unique value is related to the encryption and decryption keys, it will be appreciated by those skilled in the art that both embodiments share the underlying concept of combining, with the key recovery key, some unique value necessary both to generation of the key recovery key and to decryption of the encrypted file, so that the unique value can only be recovered by a recipient of the file if the key recovery key has not been altered. Having thus described various preferred embodiments of the invention, those skilled in the art will appreciate that variations and modifications of the preferred embodiment may be made without departing from the scope of the invention.
For example, in order to prevent possible misuse of the key recovery agent's private key, it is possible to use a "split shares" capability for the key recovery agent's private key, so that more than one person would need to collaborate in order to generate the private key necessary to obtain the data encryption key. The number of persons would be n out of m, where a subset n of the total group of persons, m, would need to put their pieces of the key together to recover the key recovery agent's private key. Secret sharing of this kind is well understood.
Also, by way of example, while the specific embodiment described herein and illustrated in the drawings uses a random number as the session specific or unique value that can be uncovered only with a correct key recovery key, those skilled in the art will appreciate that the session specific value can take any form and is not limited to "random" numbers. Furthermore, the prepended combination of the session specific value and key recovery key can be generated by one-way or irreversible functions other than the illustrative exclusive OR function, with or without the MD5 hash, and can optionally be further encrypted or modified.
It is accordingly intended that the invention not be limited by the above description or accompanying drawings, but that it be defined solely in accordance with the appended claims.