Ganesan

US005557678A
[11] Patent Number: 5,557,678
[45] Date of Patent: Sep. 17, 1996
[54] SYSTEM AND METHOD FOR CENTRALIZED SESSION KEY DISTRIBUTION, PRIVACY ENHANCED MESSAGING AND INFORMATION DISTRIBUTION USING A SPLIT PRIVATE KEY PUBLIC CRYPTOSYSTEM

[75] Inventor: Ravi Ganesan, Arlington, Va.

[73] Assignee: Bell Atlantic Network Services, Inc., Arlington, Va.

[21] Appl. No.: 277,376
[22] Filed: Jul. 18, 1994

[51] Int. Cl.6: H04L 9/16; H04L 9/30
[52] U.S. Cl.: 380/21; 380/30
[58] Field of Search: 380/21, 30

[56] References Cited

U.S. PATENT DOCUMENTS

4,200,770   4/1980   Hellman et al.
4,218,582   8/1980   Hellman et al.
4,405,829   9/1983   Rivest et al.
4,424,414   1/1984   Hellman et al.
4,860,353   8/1989   Brown .................. 380/44
4,888,800  12/1989   Marshall et al. ........ 380/21
4,926,478   5/1990   Gruenberg
4,965,827  10/1990   McDonald
4,995,082   2/1991   Schnorr
5,029,208   7/1991   Tanaka ................. 380/21
5,052,040   9/1991   Preston et al.
5,150,411   9/1992   Maurer ................. 380/30
5,208,853   5/1993   Armbruster et al.
5,241,594   8/1993   Kung
5,241,597   8/1993   Bright
5,241,598   8/1993   Raith
5,251,258  10/1993   Tanaka
5,253,294  10/1993   Maurer
5,299,263   3/1994   Beller et al.
5,376,169  12/1994   Scheidt et al. ......... 380/21

OTHER PUBLICATIONS

Bruce Schneier, “Applied Cryptography”, Wiley & Sons, 1994, Sections 3.4 and 16.3 and p. 576, Multiple Key Public Key.

Digital Multisignatures, C. Boyd, Proceedings of the Inst. of Math. and its Appl. on Cryptography and Coding, 15-17 Dec. 1986.

A Method for Obtaining Digital Signatures and Public Key Cryptosystems, R. L. Rivest et al., CACM, vol. 21, pp. 120-126, Feb. 1978.

Primary Examiner: Gilberto Barron, Jr.
Attorney, Agent, or Firm: Lowe, Price, LeBlanc & Becker

[57] ABSTRACT

An encryption method and system using split key public encryption. A first and second user private encryption key and a corresponding first and second user public encryption key are generated. The first and second user private encryption keys are divided into a first and second private user key portion and a corresponding first and second central authority key portion. The first and second private user key portions are respectively disclosed to the first and second users. The central authority key portions and the user public encryption keys are maintained by a central authority (CA). The first user requests a communications session with the second user through the CA. After receiving the request, the CA encrypts a session encryption key with (i) the central authority key portion and user public encryption key associated with the first user to form a first encrypted session key and (ii) the central authority key portion and user public encryption key associated with the second user to form a second encrypted session key. The first encrypted session key is provided to the first user and the second encrypted session key is provided to the second user. The first user applies the first user’s private user key portion to decrypt the first encrypted session key and the second user applies the second user’s private user key portion to decrypt the second encrypted session key. The first user and the second user apply the decrypted common session key to encrypt and decrypt messages exchanged during a communications session. The method and system also provide for authorized wiretapping, video and data distribution and privacy enhanced messaging (PEM).

25 Claims, 5 Drawing Sheets

[Front-page drawing: fragment of the FIG. 2 session key distribution flowchart; labels not legible.]

EX 1015
IPR of Pat. No. 6,892,304

Sheet 1 of 5 (U.S. Patent, Sep. 17, 1996, 5,557,678)

[Figure 1: system diagram of the distributed cryptosystem 10. Recoverable labels: communications network 12, links 14, servers 22 and 26, user stations 30, 32, 34, 36, 38 and 40, central authority processor 50, central authority server 60, switch 70, PUBLIC SWITCHED TELEPHONE NETWORK and LOCAL AREA NETWORK.]

Sheet 2 of 5

[Figure 2: session key distribution flowchart. Steps: 202 GENERATE USER PRIVATE ENCRYPTION KEY AND USER PUBLIC ENCRYPTION KEY; 204 DIVIDE USER PRIVATE ENCRYPTION KEY; 206 TRANSMIT USER PORTION OF USER PRIVATE ENCRYPTION KEY TO USER; 208 STORE CENTRAL AUTHORITY PORTION OF USER PRIVATE ENCRYPTION KEY AND USER PUBLIC ENCRYPTION KEY; 210 GENERATE REQUEST FOR SESSION; 212 GENERATE SESSION KEY; 214 ENCRYPT SESSION KEY; 216 DECRYPT SESSION KEY; 218 GENERATE MESSAGE; 220 ENCRYPT MESSAGE; 222 DECRYPT MESSAGE.]

Sheet 3 of 5

[Figure 3: wiretap authorization and implementation flowchart. Steps: GENERATE MESSAGE REQUESTING WIRETAP; ENCRYPT MESSAGE (1st AUTHORIZED SIGNATURE); FURTHER ENCRYPT ENCRYPTED MESSAGE (2nd AUTHORIZED SIGNATURE); DECRYPT MESSAGE; GENERATE SECOND MESSAGE WITH SESSION KEY; ENCRYPT SECOND MESSAGE (314); PARTIALLY DECRYPT SECOND MESSAGE (1st AUTHORIZED SIGNATURE); FULLY DECRYPT SECOND MESSAGE (2nd AUTHORIZED SIGNATURE); GENERATE SWITCH INSTRUCTION; ENCRYPT SWITCH INSTRUCTION; DECRYPT SWITCH INSTRUCTION (322); RECONFIGURE SWITCH, AND INTERCEPT AND DIVERT COMMUNICATION (324); DECRYPT DIVERTED COMMUNICATION.]

Sheet 4 of 5

[Figure 4: privacy enhanced messaging flowchart. Steps: GENERATE MESSAGE; GENERATE HASH MESSAGE; ENCRYPT HASH MESSAGE; ENCRYPT MESSAGE; FURTHER ENCRYPT HASH MESSAGE; DECRYPT MESSAGE AND HASH MESSAGE.]

Sheet 5 of 5

[Figure 5: video distribution flowchart. Steps: ENCRYPT VIDEO WITH VIDEO ENCRYPTION KEY; STORE ENCRYPTED VIDEO; GENERATE REQUEST TO VIEW VIDEO; GENERATE SESSION KEY; ENCRYPT SESSION KEY; DECRYPT SESSION KEY; ENCRYPT VIDEO ENCRYPTION KEY WITH SESSION KEY; FURTHER ENCRYPT ENCRYPTED VIDEO; DECRYPT ENCRYPTED VIDEO ENCRYPTION KEY; DECRYPT ENCRYPTED VIDEO.]

SYSTEM AND METHOD FOR CENTRALIZED SESSION KEY DISTRIBUTION, PRIVACY ENHANCED MESSAGING AND INFORMATION DISTRIBUTION USING A SPLIT PRIVATE KEY PUBLIC CRYPTOSYSTEM

BACKGROUND OF INVENTION

1. Field of the Invention

This invention relates to split private key cryptosystems and more particularly to an improved system and method for session key distribution, privacy enhanced messaging and information distribution using a split private key cryptosystem.

2. Description of the Related Art

Cryptosystems have been developed for maintaining the privacy of information transmitted across a communications channel. Typically, a symmetric cryptosystem is used for this purpose. Symmetric cryptosystems, which utilize electronic keys, can be likened to a physical security system where a box has a single locking mechanism with a single key hole. One key holder uses his/her key to open the box, place a message in the box and relock the box. Only a second holder of the identical copy of the key can unlock the box and retrieve the message. The term symmetric reflects the fact that both users must have identical keys.

In more technical terms, a symmetric cryptosystem consists of an encryption function E, a decryption function D, and a shared secret key, K. The key is a unique string of data bits to which the functions are applied. Two examples of encipherment/decipherment functions are the National Bureau of Standards Data Encryption Standard (DES) and the more recent Fast Encipherment Algorithm (FEAL). To transmit a message, M, in privacy, the sender computes $C = E(M, K)$, where C is referred to as the ciphertext. Upon receipt of C, the recipient computes $M = D(C, K)$ to recover the message M. An eavesdropper who copies C, but does not know K, will find it practically impossible to recover M. Typically, all details of the enciphering and deciphering functions, E and D, are well known, and the security of the system depends solely on maintaining the secrecy of the key, K. Conventional symmetric cryptosystems are fairly efficient and can be used for encryption at fairly high data rates, especially if appropriate hardware implementations are used.

Asymmetric cryptosystems, often referred to as public key cryptosystems, provide another means of encrypting information. Such systems differ from symmetric systems in that, in terms of the physical analogue, the box has one lock with two non-identical keys associated with it. Either key can be used to unlock the box to retrieve a message which has been locked in the box by the other key.

In public key electronic cryptosystems, each entity has a private key, d, which is known only to the entity, and a public key, e, which is publicly known. Once a message is encrypted with a user’s public key, it can only be decrypted using that user’s private key, and conversely, if a message is encrypted with a user’s private key, it can only be decrypted using that user’s public key. It will be understood by those familiar with the art that although the terms “encrypt” and “decrypt” and derivations thereof are used herein in describing the use of public and private keys in an asymmetric public key cryptosystem, the term “transform” is commonly used in the art interchangeably with the term “encrypt” and the term “invert” is commonly used in the art interchangeably with the term “decrypt”. Accordingly, as used herein in describing the use of public and private keys, the term “transform” could be substituted for the term “encrypt” and the term “invert” could be substituted for the term “decrypt”.

If sender x wishes to send a message to receiver y, then x “looks up” y’s public key $e_y$, computes $C = E(M, e_y)$ and sends it to y. User y can recover M using its private key by computing $M = D(C, d_y)$. An adversary who makes a copy of C, but does not have $d_y$, cannot recover M. However, public key cryptosystems are inefficient for large messages.

Public key cryptosystems are quite useful for digital signatures. The signer, x, computes $S = E(M, d_x)$ and sends [M, S] to y. User y “looks up” x’s public key $e_x$, and then checks to see if $M = D(S, e_x)$. If it does, then y can be confident that x signed the message, since computing S such that $M = D(S, e_x)$ requires knowledge of $d_x$, x’s private key, which only x knows.

Public key cryptography also provides a convenient way of performing session key exchange, after which the key that was exchanged can be used for encrypting messages during the course of a particular communications session and then destroyed, though this can vary depending on the application.

One public key cryptographic system is the Rivest, Shamir, Adleman (RSA) system, as described in Rivest, Shamir and Adleman, “A Method of Obtaining Digital Signatures and Public Key Cryptosystems”, CACM, Vol. 21, pp. 120-126, February 1978. RSA is a public-key based cryptosystem that is believed to be very difficult to break. In the RSA system the pair $(e_i, N_i)$ is user i’s public key and $d_i$ is the user’s private key. Here $N_i = pq$, where p and q are large primes. Here also $e_i d_i = 1 \bmod \phi(N_i)$, where $\phi(N_i) = (p-1)(q-1)$, which is the Euler totient function which returns the number of positive numbers less than $N_i$ that are relatively prime to $N_i$. A Carmichael function is sometimes used in lieu of the Euler totient function.

To encrypt a message being sent to user j, user i will compute $C = M^{e_j} \bmod N_j$ and send C to user j. User j can then perform $M = C^{d_j} \bmod N_j$ to recover M. User i could also send the message using his signature. The RSA based signature of user i on the message, M, is $M^{d_i} \bmod N_i$. The recipient of the message, user j, can perform $(M^{d_i} \bmod N_i)^{e_i} \bmod N_i$ to verify the signature of i on M.

In a typical mode of operation, i sends j $M^{d_i} \bmod N_i$ along with M and a certificate $C = (i, e_i, N_i)^{d_{CA}} \bmod N_{CA}$, where C is generated by a Certificate Authority (CA) which serves as a trusted off-line intermediary. User j can recover i’s public key from C by performing $C^{e_{CA}} \bmod N_{CA}$, as $e_{CA}$ and $N_{CA}$ are universally known. It should also be noted that in an RSA system the encryption and signatures can be combined.

Modifications to RSA systems have been proposed to enable multi-signatures to be implemented. Such an approach is described in Digital Multisignature, C. Boyd, Proceedings of the Inst. of Math. and its Appl. on Cryptography and Coding, Dec. 15-17, 1986. The proposed approach extends the RSA system by dividing or splitting the user private key d into two portions, say $d_i$ and $d_j$, where $d_i \cdot d_j = d$.

Recently an improved system and method for split key public encryption has been disclosed using a split private key, see U.S. patent application Ser. No. 08/277,808 filed on Jul. 20, 1994 for Y. Yacobi and R. Ganesan entitled “A System and Method for Identity Verification, Forming Joint Signatures and Session Key Agreement in an RSA Public Cryptosystem”. The described system and method allow two system users to verify each other’s identity, form a joint
signature and establish and distribute a session key in an RSA environment.

The system and method developed by Yacobi and Ganesan provides significant benefits where no intermediary between the users needs to be empowered with the ability to eavesdrop on encrypted communications. However, in practical systems, it is often desirable or required, for reasons other than security, that an intermediary with such power be placed between the users. Such an intermediary can provide a central point of audit and service cancellation, as well as other benefits. For example, public subscription systems, such as public electronic mail systems, will normally have a central intermediary empowered to monitor the access of a subscriber and terminate access should a subscriber fail to pay his monthly access fee. However, those conventional systems lack the capability to easily and promptly authorize a user’s access to the system and distribute a session key or implement lawful wiretaps, privacy enhanced messaging and secure message distribution.

Therefore, it is an object of the invention to provide a system and method using split private key public encryption which facilitates confirmation of a user’s authorized access to another user of the system by a central intermediary each time a communication is initiated.

It is a still further object of the present invention to provide a method and system using split private key public encryption to facilitate distribution of session keys through a central intermediary.

It is also an object of the invention to provide a method and system for session key distribution by a central intermediary using split private key encryption which facilitates the authorization and implementation of lawful wiretaps, privacy enhanced messaging and secure message distribution.

Additional objects, advantages and novel features of the present invention will become apparent to those skilled in the art from the following detailed description, as well as by practice of the invention. While the invention is described below with reference to preferred embodiments, it should be understood that the invention is not limited thereto. Those of ordinary skill in the art having access to the teachings herein will recognize additional applications, modifications and embodiments in other fields which are within the scope of the invention as disclosed and claimed herein and with respect to which the invention could be of significant utility.

SUMMARY OF THE INVENTION

The present invention provides an improved method and system using a split key public cryptosystem.

In accordance with one aspect of the invention, a first and second user private encryption key and a corresponding first and second user public encryption key for a respective first and second user of a split key public cryptosystem are generated. The private encryption keys are divided into first and second user key portions and corresponding first and second central authority key portions. The first and second user key portions are respectively disclosed to the first and second users. The central authority key portions and public encryption keys are disclosed to a central authority.

After receiving a request from either of the users to establish a communications session with the other user, the central authority generates a session key. The key is encrypted separately with (i) the first central authority key portion and corresponding public encryption key to form a first encrypted session key and (ii) the second central authority key portion and corresponding public encryption key to form a second encrypted session key. The first and second encrypted session keys are respectively disclosed to the first and second users. The first user decrypts the session key by applying the first user key portion to the first encrypted session key. The second user decrypts the session key by applying the second user key portion to the second encrypted session key. Messages exchanged between the first and second users during a communications session are encrypted/decrypted by applying the session key to the message.

According to another aspect of the invention, which could be useful for legal wiretaps, one or more of the users, for example the Federal Bureau of Investigation (FBI) and/or the Department of Justice, generate a first message(s), such as a request for a session key provided to two other users. The message is encrypted with both the Justice Department’s and the FBI’s user key portions. The central authority decrypts the message by applying the central authority key portions and the first and second public encryption keys corresponding to the Justice Department’s and FBI’s user key portions to the message. Assuming proper decryption verifies that the wiretap is properly authorized, the central authority generates a reply message. The reply message may, for example, include a session encryption key which has been previously provided by the central authority to the other system users. The reply message is encrypted with the central authority key portions and the public encryption key portions corresponding to the Justice Department’s and the FBI’s user key portions. The Justice Department and FBI decrypt the reply message by applying their respective user key portions to the encrypted reply message. Thus the FBI and/or Justice Department now have the session key being used by the other users to encrypt and decrypt their communications.

The central authority can also generate another user private encryption key and corresponding public encryption key, for example, for the switch which establishes and controls communication links between other users. This private encryption key is likewise divided into a user key portion and a corresponding central authority key portion. The user key portion is provided to the switch. The central authority key portion and the user public encryption keys are retained by the central authority.

The central authority can now generate a message directing the switch to establish the wiretap, perhaps by copying and/or transmitting to the FBI the communications for which the wiretap has been authorized. This message is encrypted with the central authority key and public encryption key corresponding to the switch’s user key portion. The switch decrypts the message by applying its user key portion to the encrypted message. If the message is properly decrypted, the switch knows the message came from the central authority and, in response to the message, copies and/or transmits the communications to the FBI and/or Justice Department. The FBI and/or Justice Department can decrypt the intercepted communications using the session key which was previously provided by the central authority.

According to still another aspect of the invention which can be applied to privacy enhanced messaging (PEM), a first user generates a message which is subjected to a hash function to form a hash message. The hash message is encrypted with the first user key portion. The central authority further encrypts the encrypted hash message by applying the first central authority key portion to the encrypted hash message to form a fully encrypted hash message. A second user applies the first user’s public key portion to decrypt the fully encrypted hash message.

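The session key distribution and PEM flows summarised above, modelled as an added Python example that is not code from the patent: it assumes a multiplicative split d = d_user · d_ca (mod φ(N)) of the RSA private exponent, as in the Boyd multisignature approach the background cites, and the function names, demo primes and session key are mine and constructed (far too small for real use).

```python
"""Toy model of split-private-key RSA session key distribution and PEM.
Added illustration, not the patent's code.  Assumes d = d_user * d_ca (mod phi(N));
all numeric parameters below are constructed demo values, not for real use."""
import hashlib
from dataclasses import dataclass
from itertools import count
from math import gcd


@dataclass(frozen=True)
class SplitKey:
    N: int       # RSA modulus (public)
    e: int       # public exponent (public)
    d_user: int  # short private portion disclosed only to the user
    d_ca: int    # long private portion held only by the central authority


def make_split_key(p: int, q: int, e: int, user_bits: int = 56) -> SplitKey:
    """Generate (N, e, d) and split d so that d_user * d_ca == d (mod phi)."""
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # ordinary RSA private exponent
    # The user portion is kept short (the text prefers 56-72 bits) so it can be
    # memorised or stored on a small device; it must be invertible mod phi.
    d_user = next(c for c in count((1 << user_bits) | 1, 2) if gcd(c, phi) == 1)
    d_ca = (d * pow(d_user, -1, phi)) % phi   # the remainder of d goes to the CA
    assert (d_user * d_ca) % phi == d
    return SplitKey(N, e, d_user, d_ca)


# ---- Session key distribution (FIG. 2, steps 212-216) -----------------------
def ca_encrypt_session_key(key: SplitKey, session_key: int) -> int:
    """CA side: apply the user's public key and the CA key portion.  d_user is
    never needed here, so the CA's stored material alone cannot undo this step."""
    if not 0 < session_key < key.N:
        raise ValueError("session key must be an integer below the modulus")
    return pow(pow(session_key, key.e, key.N), key.d_ca, key.N)


def user_decrypt_session_key(key: SplitKey, encrypted: int) -> int:
    """User side: applying d_user completes the exponent e*d_ca*d_user == 1 (mod phi)."""
    return pow(encrypted, key.d_user, key.N)


# ---- Privacy enhanced messaging (FIG. 4) ------------------------------------
def _hash_to_int(message: bytes, N: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def user_partial_sign(key: SplitKey, message: bytes) -> int:
    """Sender: encrypt the hash message with the user key portion only."""
    return pow(_hash_to_int(message, key.N), key.d_user, key.N)


def ca_complete_signature(key: SplitKey, partial: int) -> int:
    """CA: further encrypt with the CA portion, yielding hash^d mod N."""
    return pow(partial, key.d_ca, key.N)


def verify_pem(N: int, e: int, message: bytes, signature: int) -> bool:
    """Recipient: only the public key is needed; a merely partial signature fails."""
    return pow(signature, e, N) == _hash_to_int(message, N)


# Constructed demo parameters (Mersenne primes 2^31-1 and 2^61-1; NOT for real use).
DEMO_P, DEMO_Q, DEMO_E = 2**31 - 1, 2**61 - 1, 65537


def demo() -> dict:
    """Run both flows for one user and report what each party ends up with."""
    key = make_split_key(DEMO_P, DEMO_Q, DEMO_E)
    session_key = 0x2B7E151628AED2A6AB        # constructed 80-bit session key
    blob = ca_encrypt_session_key(key, session_key)
    msg = b"constructed PEM message"
    partial = user_partial_sign(key, msg)
    full = ca_complete_signature(key, partial)
    return {
        "session_key_recovered": user_decrypt_session_key(key, blob) == session_key,
        "partial_signature_verifies": verify_pem(key.N, key.e, msg, partial),
        "full_signature_verifies": verify_pem(key.N, key.e, msg, full),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Neither party can complete a step alone: the CA never holds d_user, and the user's partial signature does not verify until the CA has applied d_ca.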
In accordance with a still other aspect of the invention relating to message distribution, which is particularly suitable for video distribution, although not limited thereto, a video is encrypted with a message encryption key to form an encrypted video. The message encryption key is preferably a symmetric encryption key. Upon receipt of a user request to view the video, the central authority generates a session key as described previously. The message encryption key is encrypted with the session key to form an encrypted message encryption key. The central authority further encrypts the encrypted video with the requesting user’s central authority key portion and public encryption key to form a fully encrypted video. The requesting user applies the session key to decrypt the encrypted message encryption key. The requesting user can then apply the decrypted message encryption key and his/her user key portion to decrypt the fully encrypted video.

The system according to the present invention includes means, preferably a central security processor, for generating a first and second user private encryption key and a corresponding first and second user public encryption key for respective first and second users of the system. The security processor or other suitable means divide each of the user private encryption keys into a user key portion and a corresponding central authority key portion. Modems, interfaces and other communication devices may also be provided for respectively conveying the first and second user key portions to the first and second users.

The central authority key portions and user public encryption keys are preferably stored on a central storage device such as a central security server. The central security processor and server are preferably located in a secured area and linked with system users by a communications network such as a small local area network, wide area network or public telephone network, or any combination thereof.

A request of a first user to establish a communications session with a second user is transmitted, by a suitable transmission device, to the central authority, who is represented on the system by the central security processor. The system could be implemented as part of an advanced intelligent network (AIN), in which case the request would be directed to the security processor by the AIN processor. Upon receiving the request, the central processor generates a session encryption key, which is typically a symmetric encryption key. The central processor then encrypts the session key separately with the first central authority key portion and corresponding user public encryption key to form a first encrypted session key and with the second central authority key portion and corresponding public encryption key to form a second encrypted session key. The private key portions and public keys are retrieved by the central processor from the central server prior to encrypting the session key.

The system has modems, interfaces and other means to respectively transmit the first and second encrypted session keys to the first and second users. These users are normally represented within the system by user stations. The first user’s station receives the first encrypted session key and the second user’s station receives the second encrypted session key. Each user station preferably has a processor capable of decrypting the encrypted session key by applying the first or second user key portion, as applicable, to the received encrypted session key. The user station processors then apply the session key to encrypt and decrypt messages, which may be in the form of analog or digital voice, audio, video or data signals, transmitted, via the communications network, between the first and second users.

In another embodiment, the system also includes one or more user stations or other means for encrypting a message with the first and second user key portions. The encrypted message is transmitted via the communications network to the central security processor. After receiving the encrypted message the central processor decrypts the message by retrieving from storage and applying the first and second central authority key portions and corresponding public encryption keys to the message. The processor then generates another message encrypted with the first and second central authority key portions and the corresponding public encryption key portions. This other encrypted message is transmitted via the communications network and received, for example, by a user station and decrypted by the station processor by applying the first and second user key portions to the encrypted message. If, for example, the system is being used for a legal wiretap, the latter encrypted message could be a session key for encrypting and decrypting messages exchanged during a communications session between users of the system other than the first and second users.

A typical system will also include at least one switch or other similar central device for establishing communications links between system users who desire to have a communications session. In one system embodiment, the central security processor has the capability to generate a user private encryption key and a corresponding user public encryption key for the switch and divides the user private encryption key into a user key portion and a corresponding central authority key portion. The user key portion may be stored on a switch processor, if desired. The central authority key portion and corresponding user public encryption key are preferably stored on the central security server.

Should, for example, a legal wiretap be authorized, the central security processor, in another embodiment, is capable of generating a message and encrypting it with the central authority key and third user public encryption key corresponding to the switch’s user key portion. The message could, for example, direct the switch to establish the tap. The encrypted message can be transmitted via the communications network and received by the switch processor. The switch processor decrypts the encrypted message by application of the switch’s user key portion. In accordance with the decrypted message the switch is reconfigured to copy or transmit encrypted messages between certain system users to the station or stations of the users who had obtained the wiretap authorization.

In another embodiment, the system incorporates means, preferably implemented within the user stations, for generating a hash message by applying a hash function to a message which will be communicated over the system. The user station encrypts the hash message with, for example, the user key portion of a first user. The encrypted hash message is transmitted, via the communications network, and received by the central security processor. The central security processor further encrypts the encrypted hash message with the central authority key portion for the first user to form a fully encrypted hash message. The fully encrypted hash message is transmitted via the network to another user station. After receipt, the recipient user station decrypts the message by applying the first user’s public encryption key to the fully encrypted hash message.

In yet another embodiment which is particularly suitable for data or video distribution, the system also includes means, which could be the central security processor or preferably a separate processing unit, for encrypting a message, e.g. a compressed audio/video signal representing a video film, with a message encryption key to form an
encrypted video. The message encryption key is preferably only known to the video owner or distributor. The encrypted video is stored in, for example, the central security server or another system server. After receipt of a request from a system user to view the video, and authorization from the video distributor, a session key is provided to the requester and the distributor as described above.

The distributor, using a user station, encrypts the message encryption key with the session key to form an encrypted message encryption key and transmits the encrypted key to the requester’s station via the system’s communications network. The requester’s station decrypts the message encryption key using the session key. The central security processor retrieves the encrypted video from the central server and transmits the encrypted video to the requester’s station. The requester’s station receives the encrypted video and decrypts it by applying the decrypted message encryption key to the encrypted video.

In accordance with still other aspects of the invention the user key portions each have a bit length which is smaller than the bit length of the corresponding central authority key portion. It is preferred that the bit length of each user key portion which must be memorized or stored in a battery powered device, such as a cellular phone or personal communications device, is between 56 and 72 bits. The user private encryption key may be comprised of a private exponent and a modulus N which is a product of a plurality of numbers within a set of large secret prime numbers. In such cases the user public encryption key is comprised of a public exponent and the modulus N. It is also preferred that the bit length of each user key portion be no larger than fifteen percent of the bit length of the corresponding modulus N but no less than 56 bits.

The present invention is described above such that the public encryption key is used for particular encryption or decryption functions and in combination with a particular portion of the corresponding private encryption key. However, it will be understood by those skilled in the art that the public encryption key could equivalently be used in the reciprocal functions (i.e. for decryption rather than encryption and vice versa) and with the other portion of the corresponding private encryption key from those described above.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a system in accordance with the present invention.

FIG. 2 illustrates session key distribution in accordance with the present invention.

FIG. 3 illustrates wiretap authorization and implementation in accordance with the present invention.

FIG. 4 illustrates privacy enhanced messaging (PEM) in accordance with the present invention.

FIG. 5 illustrates video distribution in accordance with the present invention.

PREFERRED EMBODIMENT OF THE INVENTION

The present invention provides a system and method for improving conventional cryptosystems using a joint signature protocol in which two (or more) parties must collaborate in order to compute the digital signature. No single party can compute such a signature independently.

FIG. 1 schematically illustrates a distributed public cryptosystem 10 in accordance with the present invention. The distributed system 10 includes a communications network 12 which includes a switch 70 for establishing communication links between system users. A plurality of user stations, 30-40, are connected to the network 12. If, for instanc