WO2009018513A1 - Systems and methods for implementing a mutating software lock box - Google Patents


Info

Publication number
WO2009018513A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
response
key
information
mutating
Application number
PCT/US2008/071895
Other languages
English (en)
Inventor
Richard Malina
William Cochran
Stuart Stubblebine
Original Assignee
Imagineer Software, Inc.
Application filed by Imagineer Software, Inc.
Publication of WO2009018513A1


Classifications

    • H04L9/3271: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using challenge-response
    • G06F21/6209: Protecting access to data via a platform, to a single file or object (e.g., in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself)
    • H04L9/083: Key transport or distribution involving a central third party, e.g., key distribution center [KDC] or trusted third party [TTP]
    • H04L9/3226: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g., password, passphrase or PIN
    • H04L2209/60: Digital content management, e.g., content distribution

Definitions

  • BACKGROUND OF THE INVENTION It is sometimes useful to distribute confidential or protected digital content to one or more electronic devices. For example, a company may place files containing proprietary information on one or more computers, or a software company may install proprietary software on one or more computers. In these situations, access to the digital content is often controlled or restricted: the company may wish to restrict access to its confidential files to a small group of its employees, and the software company may wish to restrict access to its software to those who have paid for or registered it.
  • One common way of protecting such confidential information is with the use of a secret password. Under this scheme, digital content is encrypted so that it cannot be accessed unless the user of the device enters a pre-established password.
  • a mutating lock box is a software construct that allows for digital content to be stored securely on a device.
  • the digital content is encrypted with a strong encryption mechanism (e.g., one that uses a key that is so large that a brute force attack is impractical) and stored on the user device.
  • the only way that a user may view the digital content is to obtain an appropriate cryptographic key, and that cryptographic key is not stored on the user device. Therefore, even if a malicious third party is able to gain access to the protected digital content, it will not be able to read the data without first obtaining the key.
  • the cryptographic key that is required to decrypt the digital content is stored on a trusted key server.
  • the user device transmits a request for the appropriate cryptographic key to the key server. This request performs two functions: 1) it identifies the encrypted digital content whose cryptographic key is requested, and 2) it authenticates the user of the device, for example, by requiring a password from the party that is requesting the key.
  • the trusted key server verifies the identity of the requestor and responds by transmitting the cryptographic key that is associated with the encrypted digital content to the device.
  • a mutating lock box architecture decreases the possibility of a successful password dictionary attack. First, the key used to encrypt the information in the lock box is large and random, so the attacker cannot guess the content key directly and is forced to guess the password instead.
  • Second, in order to carry out a dictionary attack on the password, the third party must submit a separate request for the cryptographic key to the key server for each possible password value; the guessing is online, against the server, rather than offline against a captured file.
  • Third, the trusted key server can determine when a dictionary attack is taking place, because it will receive a large number of requests for the cryptographic key that belongs to a particular piece of digital content, and it can respond accordingly.
  • Embodiments of the invention implement technology described in U.S. Patent
  • digital content in a mutating lock box includes cryptographic elements (i.e., mutating identifiers, cryptographic keys for white data, cryptographic keys for black data, and a large shared secret) which permit the user device to use a Mutating Identifier Protocol and, in some cases, Black Content Protocol.
  • the client device is configured with a mutating lock box that includes encrypted content.
  • the key server includes the cryptographic key that decrypts the encrypted content.
  • the client device requests the cryptographic key for the encrypted content by transmitting a request to the key server.
  • the request includes the identifier for the encrypted content and an encrypted authentication value.
  • the authentication value is a hash of the password provided by the user of the client device.
  • the key server receives the request and verifies that the authentication value is correct.
  • the key server also locates a cryptographic key which corresponds to the content identifier.
  • the key server transmits a response to the client device that includes the requested cryptographic key.
  • the client device uses the cryptographic key to decrypt the encrypted mutating information.
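The first-embodiment exchange above (content identifier plus password hash in the request, content key in the response) together with the server-side detection of an online dictionary attack, as an added Python example; this is not code from the patent or from Imagineer Software. The PBKDF2 password hash, the lockout threshold, the per-lock-box salt and the word list are assumptions; the transport encryption of the request that the text mentions is assumed to be provided by the channel and is omitted here.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed values (not from the patent): one piece of content, its password, and a
# per-lock-box salt that is assumed to be stored in the clear next to the encrypted content.
CONTENT_ID = "doc-0001"
PASSWORD = "correct horse"
SALT = b"lockbox-salt-0001"

def auth_value(password: str) -> bytes:
    """Hash of the user's password, sent as the authentication value (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

class KeyServer:
    """Trusted key server: holds the content keys, verifies requests, counts failures."""
    LOCKOUT = 5  # assumption: failed requests for one content id before it is treated as an attack

    def __init__(self):
        # The content key is large and random; it only ever leaves the server in a verified response.
        self.keys = {CONTENT_ID: secrets.token_bytes(32)}
        self.verifiers = {CONTENT_ID: auth_value(PASSWORD)}
        self.failures = defaultdict(int)
        self.alerts = []

    def handle_request(self, content_id: str, auth: bytes):
        """Request = (content id, authentication value); response = the content key or a refusal."""
        if content_id not in self.keys or self.failures[content_id] >= self.LOCKOUT:
            return None
        if hmac.compare_digest(auth, self.verifiers[content_id]):
            self.failures[content_id] = 0
            return self.keys[content_id]
        self.failures[content_id] += 1
        if self.failures[content_id] == self.LOCKOUT:
            self.alerts.append(content_id)  # many key requests for one content id: dictionary attack
        return None

def dictionary_attack(server: KeyServer, content_id: str, wordlist):
    """Every password guess costs the attacker one request that the server sees and counts."""
    for word in wordlist:
        if server.handle_request(content_id, auth_value(word)) is not None:
            return word
    return None

WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", PASSWORD]  # constructed
```

With the word list above the correct password is the sixth guess, but the server has already seen five failed requests for the same content identifier and refuses it. The flip side, which the text does not discuss, is that a hard lockout also refuses the legitimate user afterwards, so a deployed server would rate-limit or escalate rather than block outright.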
  • the client device includes at least one secret drawer, which includes the encrypted content, and at least one request drawer, which includes information which the client device uses to request a cryptographic key for the content in the drawer.
  • the key server includes the cryptographic key that is associated with the content in the request drawer and an authentication value which it can use to verify the identity of the client device.
  • the client device transmits a first request to the key server.
  • the first request includes an identifier for the lock box and an identifier for the request drawer.
  • the key server receives the first request from the client device, and transmits a first response.
  • the first response includes information that the client device uses to discover a cryptographic key that allows it to open the request drawer in its mutating lock box.
  • the client device transmits a second request to the key server.
  • the second request includes authentication information that the key server can use to verify the identity of the client device.
  • the second request includes an encrypted pre-master secret and an authentication value.
  • the authentication value is generated using information which includes a password entered by the user of the client device, values unique to the mutating lock box on the client device, and values unique to the client device itself.
  • the key server receives the second request and uses the authentication value to verify the client device's identity.
  • the key server transmits a second response to the client device.
  • the second response includes the cryptographic key that is used to decrypt the encrypted information in the client device's request drawer.
  • the client device receives the second response and extracts the cryptographic key.
  • the client device uses the cryptographic key to decrypt the encrypted mutating content.
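The two-round request-drawer exchange described in the steps above, as an added Python example with both the client and the key server; it is not the patent's or Imagineer Software's code. Assumptions, since the text does not fix them: the cipher is a toy SHAKE-256 keystream standing in for an authenticated cipher such as AES-GCM, the request-drawer key is derived with HMAC from a per-lock-box seed returned in the first response, the request drawer holds a salt that feeds the authentication value, the pre-master secret is encrypted under the request-drawer key, and the key server stores the expected authentication value at provisioning time. All identifiers and secrets are constructed.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for an authenticated cipher such as AES-GCM (assumption, not the patent's
# cipher): SHAKE-256 keystream XOR with a fresh random nonce prepended to the ciphertext.
def seal(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = hashlib.shake_256(key + nonce).digest(len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, ks))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def kdf(secret: bytes, label: bytes) -> bytes:
    return hmac.new(secret, label, hashlib.sha256).digest()

def auth_value(password: str, auth_salt: bytes, box_nonce: bytes, device_id: bytes) -> bytes:
    """Authentication value from the password, values unique to the lock box (box_nonce and
    the auth_salt kept in the request drawer) and a value unique to the device."""
    return kdf(hashlib.sha256(password.encode()).digest(), auth_salt + box_nonce + device_id)

def build_lock_box(content: bytes, password: str, device_id: bytes):
    """Provisioning, assumed to happen out of band: returns (client lock box, server record)."""
    box_id, drawer_id, content_id = b"box-1", b"req-1", b"sec-1"
    box_nonce, auth_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    drawer_seed, content_key = secrets.token_bytes(32), secrets.token_bytes(32)
    drawer_key = kdf(drawer_seed, box_id + drawer_id)  # assumed derivation; FIG. 10 is not reproduced here
    lock_box = {
        "box_id": box_id, "box_nonce": box_nonce,
        "request_drawer": {"id": drawer_id, "ct": seal(drawer_key, auth_salt)},
        "secret_drawer": {"content_id": content_id, "ct": seal(content_key, content)},
    }
    record = {
        "drawer_seed": drawer_seed,
        "expected_auth": auth_value(password, auth_salt, box_nonce, device_id),
        "content_keys": {content_id: content_key},
    }
    return lock_box, record

class KeyServer:
    def __init__(self, records):
        self.records = records  # box_id -> provisioning record

    def first_response(self, box_id: bytes, drawer_id: bytes) -> bytes:
        """Request 1 carries the lock box id and request drawer id; the response carries
        the information from which the client derives the request-drawer key."""
        return self.records[box_id]["drawer_seed"]

    def second_response(self, box_id, drawer_id, enc_pre_master, auth, content_id):
        """Request 2 carries the encrypted pre-master secret and the authentication value."""
        rec = self.records[box_id]
        if not hmac.compare_digest(auth, rec["expected_auth"]):
            return None  # identity of the client device not verified: no key
        drawer_key = kdf(rec["drawer_seed"], box_id + drawer_id)
        session_key = kdf(unseal(drawer_key, enc_pre_master), b"session")
        return seal(session_key, rec["content_keys"][content_id])

def open_lock_box(lock_box, server: KeyServer, password: str, device_id: bytes):
    box_id, drawer, secret = lock_box["box_id"], lock_box["request_drawer"], lock_box["secret_drawer"]
    # Round 1: derive the request-drawer key from the first response and open the drawer.
    drawer_key = kdf(server.first_response(box_id, drawer["id"]), box_id + drawer["id"])
    auth_salt = unseal(drawer_key, drawer["ct"])
    # Round 2: send the encrypted pre-master secret and the authentication value.
    pre_master = secrets.token_bytes(32)
    auth = auth_value(password, auth_salt, lock_box["box_nonce"], device_id)
    resp = server.second_response(box_id, drawer["id"], seal(drawer_key, pre_master), auth, secret["content_id"])
    if resp is None:
        return None
    content_key = unseal(kdf(pre_master, b"session"), resp)
    return unseal(content_key, secret["ct"])
```

A wrong password or a different device identifier changes the authentication value, so the server withholds the content key and the secret drawer stays closed. Because the authentication value here is a fixed function of stored inputs, a captured second request could be replayed; a deployment would bind a fresh server nonce from the first response into it.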
  • the invention is a computer-readable storage medium associated with a first computing device, the computer-readable storage medium having stored thereon a data structure.
  • the data structure includes at least one secret drawer including encrypted content, and an identifier associated with a cryptographic key, the cryptographic key capable of decrypting the encrypted content.
  • the data structure also includes a request drawer including an identifier associated with the data structure, and data used to generate authentication information, the authentication information used to verify the identity of the first device.
  • the first computing device is configured to communicate with a second computing device having a database populated with one or more keys, where at least one of the keys enables the decryption of the content in the at least one secret drawer.
  • the invention is a computer-based method for using a mutating lock box that is stored on a first device. The method includes transmitting a first request from the first device to a second device, the first request including a secret drawer identifier, which corresponds to encrypted content that is stored in a secret drawer in the mutating lock box, and a mutating lock box identifier, which corresponds to the mutating lock box.
  • the method also includes transmitting a first response from the second device to the first device, the first response including cryptographic information used by the first device to generate authentication information; generating authentication information on the first device; transmitting a second request from the first device to the second device, the second request including the authentication information; and verifying the identity of the first device on the second device, using the authentication information.
  • the method also includes transmitting a second response from the second device to the first device, the second response including a cryptographic key that is suitable for decrypting the encrypted content in the secret drawer; and decrypting the encrypted content in the secret drawer using the cryptographic key on the first device.
  • the invention is a computer-based method of decrypting encrypted digital content by a device.
  • the method includes sending identification information, wherein the identification information includes the identity of the encrypted digital content to be decrypted; receiving a response to the identification information, wherein the response includes first data needed to decrypt the encrypted digital content; executing code on the device to obtain second data, wherein the second data is not taken from the contents of any computer file accessible by the device; and decrypting the encrypted digital content, wherein decrypting requires at least the first data and the second data.
  • the invention is a computer-based method of decrypting encrypted digital content by a device.
  • the method includes sending identification information, wherein the identification information includes the identity of encrypted digital content to be decrypted and sending authentication information, wherein successful verification of the authentication information is necessary for authorization to decrypt encrypted digital content.
  • the method also includes receiving decryption data in response to sending identification information and sending authentication information wherein decryption data is needed to decrypt the encrypted digital content; and decrypting encrypted digital content, wherein decrypting requires the decryption data.
  • the invention is a computer-based method of decrypting encrypted digital content that is stored on a first device.
  • the method includes transmitting a first request from the first device to a second device, wherein the first request includes at least one identifier that is associated with the digital content, and transmitting a first response from the second device to the first device, wherein the first response includes cryptographic information for deriving a first cryptographic key.
  • the method also includes receiving the first response on the first device and using information in the first response to generate the first cryptographic key; decrypting encrypted authentication information that is stored on the first device using the first cryptographic key; transmitting a second request from the first device to the second device, wherein the second request includes the authentication information, and using the authentication information to verify the identity of the first device; transmitting a second response from the second device to the first device, wherein the second response includes a second cryptographic key; and receiving the second response on the first device and using the second cryptographic key to decrypt the encrypted digital content.
  • the invention is a system for decrypting encrypted digital content.
  • the system includes a first device configured to transmit an identifier that is associated with the encrypted digital content and an authentication value to a second device, receive a cryptographic key from the second device, and decrypt the encrypted content using the cryptographic key.
  • the system also includes a second device configured to receive the identifier from the first device, verify the identity of the first device using the authentication value, locate the cryptographic key that is associated with the identifier, and transmit the cryptographic key to the first device.
  • the invention is a system for decrypting encrypted digital content, the system including a first device and a second device, the first device being in operative communication with the second device.
  • the first device is configured to transmit a first request to a second device, the first request including at least one identifier that is associated with the encrypted digital content; receive a first response from the second device, the first response including a first cryptographic key and a message authentication code; decrypt encrypted authentication information using a cryptographic key that is derived using the first response; transmit a second request to the second device, the second request including the authentication information; receive a second response from the second device, the second response including a second cryptographic key; and decrypt the encrypted digital content using the second cryptographic key.
  • the second device is configured to receive the first request from the first device, the first request including the identifier that is associated with the encrypted digital content; transmit a first response to the first device, the first response including the first cryptographic key and the message authentication code; receive a second request from the first device, the second request including the authentication information; verify the identity of the first device using the authentication information; and transmit a second response to the first device, the second response including the second cryptographic key.
  • the invention is a first device configured to store encrypted digital information, the first device comprising a processor and a memory module.
  • the processor is configured to transmit an identifier that is associated with the digital content and authentication information to a second device; receive a cryptographic key from the second device; and decrypt the encrypted digital information using the cryptographic key.
  • the memory module is configured to store the encrypted digital information and an identifier that is associated with the encrypted digital information.
  • the invention is a first device configured to store encrypted digital information, the first device including a processor and a memory module.
  • the processor is configured to transmit a first request to a second device, wherein the first request includes at least one identifier associated with the encrypted digital information; receive a first response from a second device, wherein the first response includes cryptographic information; derive a first cryptographic key suitable for decrypting encrypted authentication information that is stored on the memory module of the first device using the cryptographic information in the first response; transmit a second request to the second device, wherein the second request includes the authentication information; receive a second response from the second device, wherein the second response includes a second cryptographic key; and decrypt the encrypted digital information using the second cryptographic key.
  • the memory module is configured to store the encrypted digital information; at least one identifier that is associated with the encrypted digital information; and the encrypted authentication information.
  • the invention is a key server configured to implement a mutating lock box protocol for decrypting encrypted digital information stored on a client device, the key server including a processor and a memory module.
  • the processor is configured to receive a first request from the client device, wherein the first request includes at least one identifier associated with the encrypted digital information; transmit a first response to the client device, wherein the first response includes cryptographic information for deriving a first cryptographic key suitable for decrypting encrypted authentication information that is stored on the client device; receive a second request from the client device, wherein the second request includes the authentication information; transmit a second response to the client device, wherein the second response includes a second cryptographic key for decrypting the encrypted digital information.
  • the memory module is configured to store the cryptographic information for deriving the first cryptographic key and the second cryptographic key.
  • FIG. 1 is a schematic representation of a system that is configured to use Mutating Identifier and Black Content Protocols.
  • FIG. 2 is a schematic representation of a system configured to use a mutating lock box.
  • FIG. 3A is a schematic representation of a first embodiment of a mutating lock box.
  • FIG. 3B is a schematic representation of an alternative first embodiment of a mutating lock box.
  • FIG. 4 is a schematic representation of a first embodiment of a trusted key server.
  • FIG. 5 is a schematic depiction of a first embodiment of an open mutating lock box transaction.
  • FIG. 6 is a schematic depiction of a second embodiment of a mutating lock box.
  • FIG. 7 is a schematic representation of a second embodiment of the trusted key server.
  • FIG. 8 is a schematic depiction of an authentication value that is used by the mutating lock box of FIG. 6.
  • FIG. 9 is a schematic depiction of a second embodiment of an open mutating lock box transaction.
  • FIG. 10 is a flow chart depicting a process that is used by the client device to generate a cryptographic key for the request drawer.
  • some embodiments are implemented using various computer devices, such as personal or home computers, servers, and other devices that have processors or that are capable of executing programs or sets of instructions, including special purpose devices such as set top boxes (e.g., digital cable or satellite decoders).
  • some embodiments may be implemented using existing hardware or hardware that could be readily created by those of ordinary skill in the art.
  • the architecture of exemplary devices will not be explained in detail, except to note that the devices will generally have a processor, memory (of some kind), and input and output devices or interfaces.
  • the input devices which can include a keyboard, mouse, touch screen, or the like can be used by a user to input commands and data into a system.
  • the output devices, which can include a CRT or LCD monitor or the like, can be used to inform the user of the result of the methods that are run on the systems disclosed herein.
  • the devices may also have operating systems and application programs that are managed by the operating systems.
  • the hardware devices, or the software executed by the hardware devices, also provide some ability, depending on the role of the device in the particular embodiment of the invention implemented, to compress or decompress data or to encode data or decode encrypted data.
  • a decompression capability may be provided using available codecs, such as hardware-implemented Moving Picture Experts Group (“MPEG”) codecs.
  • a decryption capability may be provided using a decryption hardware or software module capable of decrypting data that is encrypted using a particular encryption algorithm.
  • FIG. 1 depicts a system 20, that is suitable for using the Mutating Identifier Protocol as disclosed in the '402 Publication.
  • the system 20 includes a first device 22, a second device 24, and an authenticator device 28. It will be assumed that the first device 22 has data that it wants to transmit to the second device 24.
  • the first device 22, the second device 24, and the authenticator device are connected by two-way links 30, 32, and 38 which can include all or part of one or more of computer networks such as the Internet.
  • the system 20 may include a random number generator 39 which is a specialized device designed to produce numbers that are truly random (i.e., numbers that are as random as is possible with the particular technology used to implement the invention of the '402 Publication).
  • the authenticator device 28 uses the random number generator 39 to generate numbers used by a protocol implemented or followed by the system 20.
  • the system 20, can use mutating identifiers ("mutating IDs") to facilitate the transfer of information from the first device 22 to the second device 24.
  • a mutating ID is an identifier that has at least two portions: 1) an identifying number and 2) a secret key. Preferably, both portions of the mutating ID are random values. Mutating IDs are generated and tracked by the authenticator device 28. Therefore, before the first device 22 and the second device 24 can communicate they must first obtain at least one mutating ID from the authenticator device 28. In addition, each mutating ID can only be used one time, and when the first device 22 or the second device 24 has used its supply of mutating IDs, it must obtain additional mutating IDs from the authenticator device 28 before it can continue to communicate.
  • mutating IDs are used to exchange a session key between the first device 22 and the second device 24.
  • names are assigned to the various devices (or computer systems associated with those devices) used in the protocol.
  • Alice (A) and Bob (B) represent the first device 22 and the second device 24, respectively, and Trent (T) represents the authenticator 28, a trusted arbiter of communication.
  • Table 1 is a list of other symbols used in this document to explain multiple embodiments of the proposed protocol.
  • Trent has assigned Alice a mutating ID that includes a random number N_A and a secret key K_A for some symmetric cipher, and Bob a mutating ID that includes a number N_B and a secret key K_B for some symmetric cipher.
  • Alice and Bob each have credentials (e.g., A_cred and B_cred, respectively) that are known only to Trent and to the respective holder of the credential.
  • Alice can request a session key (e.g., K_AB) from Trent by encrypting her credentials and a publicly known identifier for Bob (e.g., B_id) with her secret key K_A and appending her number N_A to the result. Alice transmits the result to Bob.
  • Bob concatenates his credentials B_cred and a publicly known identifier of Alice (e.g., A_id) with the message from Alice and encrypts the result with his secret key K_B.
  • Bob appends his number N_B to the result of the encryption and sends the resulting message to Trent.
  • Trent identifies that the message has come from Bob because Trent knows that the number N_B is associated with Bob. Trent decrypts the message using K_B and verifies Bob's credentials B_cred. Trent also decrypts and verifies the part of the message constructed by Alice. If Bob's credentials B_cred match his number N_B and his identifier B_id provided by Alice, and Alice's credentials A_cred match her number N_A and her identifier A_id provided by Bob, Trent verifies the request. After verifying the request, Trent generates a message for Alice and a message for Bob.
  • the message for Alice includes a new number N_A', a new secret key K_A', Alice's credentials A_cred, and a session key K_AB. Trent encrypts the message for Alice with Alice's current secret key K_A.
  • the message for Bob includes a new number N_B', a new secret key K_B', Bob's credentials B_cred, and the session key K_AB. Trent encrypts the message for Bob with Bob's current secret key K_B. Trent sends the messages to Alice and Bob.
  • Alice receives her message, decrypts it using her current secret key K_A, and retrieves the session key K_AB, her new number N_A', and her new secret key K_A'.
  • Bob also receives his message, decrypts it using his current secret key K_B, and retrieves the session key K_AB, his new number N_B', and his new secret key K_B'.
  • Embodiments of the invention may also implement the Black Content Protocol disclosed in the '402 Publication.
  • the secret keys of mutating IDs (e.g., K A and K B ) need to remain secret in order to protect the security of transmitted data encrypted with the secret keys. For example, if Trent provides Alice with a new mutating ID encrypted with Alice's current secret key (e.g., K A ), an eavesdropper who has determined Alice's current secret key can obtain Alice's new mutating ID. The eavesdropper can then use the new mutating ID to send false data and/or to obtain the plaintext of future data exchanged between Alice and Trent.
  • Eavesdroppers can determine (or attempt to determine) a key used to encrypt particular data by performing an attack. For example, an eavesdropper can perform a brute force attack.
  • a brute force attack includes decrypting ciphertext with every possible key until a key is found that produces coherent or recognizable data (e.g., human readable data). If the eavesdropper obtains or knows the plaintext (or a portion or pattern thereof) corresponding to obtained ciphertext, the eavesdropper can more easily determine whether a correct candidate key has been found.
  • For example, if an encrypted message is known to contain an individual's name followed by a personal identification number (PIN), the eavesdropper can apply candidate keys until a candidate key produces plaintext including the individual's name. The eavesdropper can then assume, with some certainty, that the remaining information included in the generated plaintext corresponds to the PIN.
  • if the eavesdropper has no knowledge of the plaintext or of a pattern of the plaintext (i.e., has no content hint), the eavesdropper's ability to determine whether a correct candidate key has been found is greatly reduced and, perhaps, eliminated.
  • if the plaintext is a random number encrypted with a particular key, then no matter how many keys the eavesdropper attempts in a brute force attack, the eavesdropper will have no way to determine whether a candidate plaintext is the true plaintext corresponding to the ciphertext. Decrypting an encrypted random number with any candidate key will produce a random number that is equally likely to be the original random number as every other random number produced by every other candidate key.
  • an eavesdropper could possibly perform a plaintext or partial- plaintext attack on the encrypted message and uncover a secret key of Alice or Bob used to encrypt the message. For example, assume that Alice sends the following message to Bob that is intercepted by an eavesdropper.
  • a ⁇ B N A E(K A , A cred B id )
  • the eavesdropper can perform a brute force attack on the intercepted message because Bob's identifier Bi d and the format of the above message are known or public.
  • the eavesdropper can obtain Alice's secret key K A and her credentials A cre d-
  • the eavesdropper can use Alice's current secret key K A to obtain all data encrypted with Alice's current secret key K A , such as her next mutating ID (e.g., N A ' and K A ").
  • An eavesdropper can use other knowledge about an encrypted message or the communication protocol used to generate an encrypted message to perform brute force attacks. For example, an eavesdropper can use the mutating ID number (e.g., N_A), which is passed in the clear, to perform a brute force attack. An eavesdropper could also use knowledge of the algorithm used to generate the mutating ID numbers to perform a brute force attack.
  • N_A: mutating ID number
  • keys used to encrypt undiscoverable or "black" data, i.e., data that is random or has no content hints
  • keys used to encrypt discoverable or "white" data, i.e., data that is known, may be later disclosed, is recognizable, or has a known or easily guessed format
  • the discoverable data and the undiscoverable data are encrypted together or with the same encryption key (e.g., a recognizable name and a corresponding possibly random PIN encrypted with the same key)
  • a key determined through a brute force attack using the discoverable data is also the key used to encrypt the undiscoverable data and, therefore, the undiscoverable data can be discovered.
  • Black Content Protocol: data included in the black data class can be encrypted with one or more keys that are used only to encrypt black data (hereinafter referred to in this example as "black data keys").
  • data included in the white data class can be encrypted with one or more keys that are only used to encrypt white data (hereinafter referred to in this example as "white data keys"). It should be understood that the black data keys cannot be determined from (or are unrelated to) the white data keys.
  • the black and white data keys are chosen (e.g., randomly) so as to avoid creating a predetermined relationship to one another, which differs, for example, from the way in which public and private key pairs are created in public key infrastructure systems.
  • Such private and public keys have a predetermined relationship to one another, often a complex mathematical inverse. It should also be understood that the data does not need to be separated and placed in contiguous blocks of data according to the data class that the portions of data belong to.
  • one or more keys can be used to encrypt the undiscoverable data (e.g., the secret keys K_A, K_B, and K_C) and one or more keys (e.g., one or more mutating IDs) can be used to encrypt the discoverable data (e.g., B_id). Since the same keys are never used to encrypt undiscoverable data and discoverable data, the possibility of an eavesdropper determining undiscoverable data is reduced.
  • the Black Content Protocol can be used by the system 20, as shown in FIG.
  • Implementations of the protocol can be used by an entity to request a periodic mutation of a mutating ID, to request an encryption key, and to request a decryption key.
  • an entity, such as the first device 22, can communicate with another entity, such as the second device 24, using the responses from the authenticator device 28.
  • the first device 22 can request an encryption key from the authenticator device 28, use the encryption key to encrypt a message for the second device 24, and send the encrypted message to the second device 24.
  • the second device 24 receives the encrypted message and can request a decryption key from the authenticator device 28, receive a decryption key from the authenticator device 28, and use the decryption key to decrypt the encrypted message.
  • the mutating identifiers on the first device 22 and the second device 24 may be stored in a secure memory device, referred to as a mutating lock box.
  • the mutating identifiers stored in the mutating lock box can be encrypted to reduce the possibility of being compromised by a brute force attack.
  • the data stored in the mutating lock box is separately encrypted, as described above and in the '402 Publication, such that black data and white data are not encrypted using the same keys.
  • Activating or opening the mutating lock box can require multiple steps or factors. For example, an entity attempting to activate the mutating lock box may be required to provide a user password or a personal identification number.
  • FIG. 2 is a depiction of a system 40 configured to use a mutating lock box.
  • the system 40 includes a client device 42, which corresponds to the first device 22 or second device 24 discussed above, and a trusted key server 44, which corresponds to the authenticator device 28 discussed above.
  • both the first device 22 and the second device 24 have mutating identifiers and other cryptographic content associated with the use of the Mutating Identifier and, perhaps, Black Content Protocols stored on their memory modules.
  • the mutating identifiers and other cryptographic elements are stored in mutating lock boxes on both the first device 22 and the second device 24.
  • the first device 22 and the second device 24 must first open their mutating lock boxes using the techniques described below.
  • the client device 42 will be used to discuss the systems and processes that are used by both the first device 22 and the second device 24 when they need to open their mutating lock boxes and extract their mutating identifiers and other cryptographic elements.
  • the client device 42 and the key server 44 are connected to each other via a two-way communication link 46.
  • the two-way communication link 46 may include one or more networks or communication systems, such as a private network (i.e., an intranet), the Internet, the telephone system, wireless networks, satellite networks, cable TV networks, and various other private and public networks and systems, used in various combinations.
  • the two-way communication link 46 may transfer data between the client device 42 and the key server 44 using wired communications and/or wireless communications or other physical media suitable for carrying data from one entity to another.
  • the client device 42 and the trusted key server 44 each include a processor 52 (e.g., 52a and 52b), a computer-readable storage medium such as a memory module 54 (e.g., 54a and 54b), and an input/output module 56 (e.g., 56a and 56b).
  • a memory module 54 can be included in a processor 52 and/or an input/output module 56 in place of or in addition to being included as a separate component.
  • the input/output modules 56 can also be located in an apparatus external to the device housing the corresponding processor 52.
  • Other computer-readable storage media, for example optical, electronic, magnetic, or other types of storage media, can also be used.
  • the processor 52 can include one or more processors or similar circuitry.
  • the memory modules 54 store instructions and data retrieved and executed by the processor 52.
  • the functions performed by each processor 52, and consequently the instructions and data stored in the memory module 54 of each device, can be configured based on the role of a particular device.
  • the processor 52a for the client device 42 is configured to run software that implements the mutating lock box.
  • FIG. 3A is a depiction of one embodiment of the mutating lock box 60.
  • the mutating lock box 60 includes mutating content 62 that is encrypted with a strong encryption mechanism (i.e., an encryption mechanism that uses a large enough key that a brute force attack is impractical).
  • the mutating content 62 may include one or more mutating identifiers, one or more cryptographic keys for encrypting white data, one or more cryptographic keys for encrypting black data, and one or more shared secrets.
  • FIG. 3B is an alternative embodiment of a mutating lock box 60b.
  • the lock box includes multiple drawers 66. Each drawer 66 includes its own mutating content 62.
  • each drawer 66 includes its own mutating content identifier 64, which the key server 44 uses to identify the cryptographic keys associated with the mutating content 62.
  • the processor 52b for the key server 44 is configured to run software which is capable of responding to requests for the appropriate key from the client device 42.
  • FIG. 4 is a depiction of one embodiment of the key server software 70.
  • the key server software 70 includes a database 72 which stores a number of associated mutating content identifier/cryptographic key pairs 74.
  • the database 72 allows the processor 52b for the key server 44 to identify the cryptographic key 76 that is associated with a given mutating content identifier 64. It should be understood that other embodiments of the invention may include other mechanisms or data structures that are suitable for associating a content identifier 62 with a cryptographic key.
  • each device includes an input/output module 56 that interfaces with the communication link 46.
  • Each input/output module 56 can also interface with additional devices over the same or additional communication links.
  • each input/output module 56 can output data to another device.
  • each input/output module 56 can receive data from another device and forward the data to the associated processor 52 and/or memory module 54.
  • the input/output module 56 of a particular apparatus can be located external to the apparatus housing the processor 52 and/or the memory module 54.
  • the client device 42 requests a cryptographic key from the key server 44 which the client device 42 uses to decrypt the mutating content 62.
  • Alice (A) represents the client device 42 and Trent (T) represents the trusted key server 44.
  • Carol (C) can also represent a third device included in the system 40. The symbols listed in Table 1 are also used to describe this embodiment.
  • FIG. 5 is a depiction of the first embodiment of an open lock box transaction 80.
  • the open lock box transaction 80 includes a request 82 and a response 84.
  • Alice initiates the open lock box transaction 80 by transmitting the request 82 to Trent.
  • the request 82 includes a content identifier 82a (contentID), an encrypted pre-master secret 82b, an encrypted authorization message 82c, and a message authentication code 82d (MAC_Req).
  • Alice prepares the request 82 by retrieving the mutating content identifier 64 from the lock box on her memory module 54a. As described above (referring to FIG.
  • this mutating content identifier 64 is a unique value that corresponds to a cryptographic key that is stored on Trent's memory module 54b.
  • the mutating lock box on Alice's memory module 54a may include only one piece of mutating content 62, in which case Alice may have only one mutating content identifier 64 that she can send to Trent.
  • the lock box on Alice's memory module 54a may include multiple pieces of digital content 62, each stored in a drawer 66 as described above. In this case, Alice may have more than one content identifier 64 stored on her memory module 54a and chooses the content identifier 64 that corresponds to the mutating content 62 that she wishes to access.
  • Alice prepares the encrypted pre-master secret 82b.
  • Alice generates a pre-master secret (secret) which is a random value of a certain size (i.e., 48 bytes).
  • Alice may generate the pre-master secret using a random number generating device, a pseudo-random number generating function, or any other device or method that is suitable for generating data that is generally random.
  • Alice uses a pseudo-random number generating function (F(x)) to generate the pre-master secret.
  • F(x): pseudo-random number generating function
  • the pseudo-random number generating function accepts a value (x) as its input and produces a value (secret) as its output.
  • the disclosed embodiments of the open mutating lock box transaction utilize pseudo-random number generating functions to produce cryptographic keys. These are one-way functions (e.g., hashes) that produce the same output for any given input, allowing Alice and Trent to separately produce the same cryptographic keys by providing the same input to the same pseudo-random number generating function.
  • the pseudo-random number generating functions described below may each be distinct one-way functions or the same one-way functions that use a slightly modified and pre-established seed value (in addition to at least a portion of the pre-shared secret) as inputs.
  • Alice uses a public key cryptographic algorithm, such as RSA (E_RSA), and Trent's public key (K_public) to encrypt the pre-master secret.
  • RSA: public key cryptographic algorithm
  • K_public: Trent's public key
  • Alice prepares the encrypted authorization message 82c.
  • Alice's authorization message (Auth) includes information that is known only to Alice and to Trent.
  • the authorization message (Auth) consists of a cryptographic hash of a password that Alice's user entered prior to the preparation of the request 82.
  • Alice uses a pseudo-random number generating function (F_Auth) (the "authorization value function") and the pre-master secret (secret) to generate a cryptographic key (K_Auth) (the "authorization value key").
  • F_Auth: pseudo-random number generating function (the authorization value function)
  • secret: the pre-master secret
  • F_Auth(secret) = K_Auth
  • Alice uses the authorization value key (K_Auth) and a symmetric encryption algorithm (E) to encrypt her authorization message.
  • K_Auth: the authorization value key
  • E: a symmetric encryption algorithm
  • Alice creates the message authentication code for the request 82d (MAC_Req).
  • Alice generates a cryptographic key (K_MACReq) (the "request message authentication key") using a pseudo-random number generating function (F_MACReq) (the "request message authentication function") and the pre-shared secret.
  • K_MACReq: the "request message authentication key"
  • F_MACReq: pseudo-random number generating function (the request message authentication function)
  • Alice uses the request message authentication key (K_MACReq) to generate the message authentication code for the request 82d (MAC_Req) by computing a cryptographic hash of the content identifier, the encrypted pre-master secret, and the encrypted authorization code.
  • K_MACReq: request message authentication key
  • MAC_Req: message authentication code for the request 82d
  • Trent receives the request 82 and determines whether the content identifier 82a is valid (e.g., that it is associated with a cryptographic key on Trent's memory module 54b). If Trent determines that the content identifier is valid, Trent uses his private key (K_private) and the public key cryptographic algorithm (E_RSA) to decrypt the encrypted pre-master secret (secret). Next, Trent generates the request message authentication key (K_MACReq) using the request message authentication function (F_MACReq) and the pre-master secret, as described above. Trent uses the request message authentication key (K_MACReq) and the cryptographic hash function to compute the request message authentication code for the request 82 that he received (MAC_Trent).
  • Trent uses the authorization value function (F_Auth) and the pre-master secret (secret) to generate the authorization value key (K_Auth).
  • Trent uses the authorization value key (K_Auth) to decrypt the encrypted authorization information 82c that was transmitted as part of the request 82.
  • Trent verifies that the authorization information (Auth) is valid (e.g., that the hash of the user password matches the value that Trent associates with Alice's user). If Trent determines that Alice's authorization information is valid, he prepares the response 84.
  • the response 84 includes the encrypted cryptographic key that corresponds to the content identifier (K_content) 84a, optional mutation information 84b, and a message authentication code for the response 84c (MAC_Resp).
  • Trent prepares the encrypted cryptographic key 84a. Trent retrieves the cryptographic key that is associated with the mutating content identifier 64 (the "content identifier key"). Next, Trent uses a pseudo-random number generating function (F_Resp) (the "response key function") and the pre-master secret to generate an encryption key (K_Resp) (the "response key").
  • F_Resp: pseudo-random number generating function (the response key function)
  • K_Resp: the response key, generated from the pre-master secret
  • Trent uses a symmetric encryption algorithm (E) and the response key (K_Resp) to encrypt the content key.
  • the response 84 may include mutating information (M_Info), for example, to change the mutating content identifier 64 or the encryption key that is associated with the mutating content 62.
  • Trent generates the mutating information (M_Info) (e.g., a new content identifier or a new copy of the mutated content encrypted with a new cryptographic key) and uses a pseudo-random number generating function (F_Mutating) (the "mutating function") and the pre-shared secret to generate a cryptographic key (K_Mutating) (the "mutating key").
  • Trent encrypts the mutating information (M_Info) with a symmetric algorithm (E) and the mutating key (K_Mutating).
  • Trent prepares a message authentication code for the response 84c (MAC_Resp). Trent uses a pseudo-random number generating function (F_MACResp) (the "response message authentication function") and the pre-master secret to generate a cryptographic key (K_MACResp) (the "response message authentication key").
  • F_MACResp: pseudo-random number generating function (the response message authentication function)
  • K_MACResp: the response message authentication key, generated from the pre-master secret
  • Trent uses a cryptographic hash function and the response message authentication key (K_MACResp) to generate a message authentication code for the response (MAC_Resp).
  • Trent transmits the response 54 to Alice.
  • Alice receives the response 84 and uses the response message authentication function (F_MACResp) and the pre-master secret to generate the response message authentication key (K_MACResp).
  • F_MACResp: response message authentication function
  • K_MACResp: response message authentication key
  • F_MACResp(secret) = K_MACResp
  • Alice uses the cryptographic hash function and the response message authentication key to compute a message authentication code (MAC_Alice) for the response 84 that she received from Trent.
  • Trent determines that the response 54 was not altered by a third party (i.e., Carol) or otherwise corrupted during transmission.
  • Alice generates the response key (K Resp ) using the response key function (F Resp ) and the pre-master secret.
  • Alice then uses the response key (K_Resp) to decrypt the cryptographic key (K_content) that is associated with the content identifier.
  • Alice uses the cryptographic key (K_content) to decrypt the mutating content 62 associated with the mutating content identifier 64 (contentID).
  • Alice generates the mutating information key (K_Mutating) using the mutating information function (F_Mutating) and the pre-master secret.
  • Alice uses the mutating information key to decrypt the encrypted mutating information (M_Info) that was included in the response 54 and uses the mutating information to update her mutating lock box (e.g., by replacing the content identifier or the encrypted data).
  • M_Info: encrypted mutating information
  • the cryptographic method used to protect the mutating content 64 in the mutating lock box 60 is strong enough that a brute force attack is impractical. Therefore, even if Carol is able to obtain a copy of the encrypted mutating content 62 she will not be able to access it without the appropriate cryptographic key (K_content). Further, Carol can only obtain the appropriate cryptographic key (K_content) if she knows the password or personal identification number that is associated with the mutating content 62.
  • One method that Carol may use to decrypt the mutating content 62 is to attempt to discover the appropriate password using a dictionary attack. For example, Carol could systematically request a cryptographic key (K_content) from Trent using every possible password value until she obtains the key that decrypts the mutating content 62. However, this suspicious behavior will alert Trent that an attack is under way and he can respond accordingly (e.g., by blocking all future communications with Carol or by noting that the cryptographic key (K_content) for the protected digital content 62 in question has been compromised). Therefore, in this first embodiment, even if she obtains an illegitimate copy of the protected content, Carol is not able to use it.
  • Carol may be able to monitor the transmissions between Alice and Trent and discover the password.
  • Carol may have access to a request 82 that is transmitted from Alice to Trent.
  • this request 82 includes a pre-master secret (secret) that is encrypted with Trent's public key (K_public), and Alice's encrypted authentication value.
  • Carol may generate a large number of possible values for the pre-master secret (secret) and encrypt them using Trent's public key (which should not be hard to obtain as it is meant to be used by certain members of the public).
  • Carol may prepare a hash of each possible password value and store it for later use as described below.
  • Carol compares each one of the encrypted candidate pre-master secrets that she has generated with the encrypted pre-master secret in the request 52. If Carol finds a match, then she has discovered the value of the pre-master secret (secret) used by Alice and Trent during the open mutating lock box transaction 80 in question. Carol can use this pre-master secret and the authorization key function (K_Auth) to decrypt the authentication information and obtain the password hash. Carol can then compare each one of the possible password hashes that she generated to the decrypted password hash. Once again, if Carol finds a match then she has discovered Alice's password.
  • the mutating lock box is modified to address this and other vulnerabilities.
  • the authentication value includes, in addition to a user password, information that is embedded into the mutating lock box and the client device 42. Therefore, even if Carol has obtained Alice's password, she will not be able to reproduce the authentication value without obtaining the client device 42 and disassembling all of its software to obtain the appropriate authentication information.
  • this second embodiment of the present invention is intended to make a pre-computational attack on Alice's password less feasible.
  • FIG. 6 is a depiction of a first device 42 that is configured with the second embodiment of the mutating lock box 100.
  • This second embodiment of the mutating lock box 100 includes a number (e.g., 2 as shown) of secret drawers 102, a request drawer 104, as well as other cryptographic elements that will be described below.
  • Each secret drawer 102 includes a secret drawer identifier 106 (ID_N), a length variable 108 (length_N), and the encrypted mutating content 110.
  • the secret drawer identifier 106 is a unique value that is associated with the request drawer 102 in which it is stored.
  • the length variable 108 indicates the length (in bytes) of the secret drawer 102.
  • the mutating content is encrypted with a symmetric encryption algorithm (E) and a key 109 (K_N) that is stored on the key server 44, and is not available on the client device 42.
  • the information in the request drawer 104 is used by the client device 42 to request a key 109 (K_N) to decrypt one of the secret drawers 102a.
  • the request drawer 104 includes a mutating lock box identifier 112 (ID_BOX) which is a unique value that is associated with the mutating lock box on the key server 44.
  • the request drawer 104 includes the following information which is encrypted with a cryptographic key 113 (K_RD) (the "request drawer key"): 1) a client/server key 114 (K_cs), 2) a client/server hash key 116 (K_h-cs), and 3) a password random number 118 (R_P).
  • the client/server key 114 (K_cs) is a cryptographic key which is also stored on the key server 44 and used to encrypt a message that the key server 44 transmits to the client device 42 as described below.
  • the client/server hash key 116 (K_h-cs) is also stored on the key server 44 and is used to create message authentication codes for the messages that are transmitted between the client device 42 and the key server 44 as described below.
  • the password random number (R_P) is a random value that is used by the client device 42 to create an authentication value as described below.
  • the request drawer key 113 (K_RD) is not known by the client device 42. To discover the request drawer key 113 (K_RD) the client device 42 must utilize information in the message that it receives from the key server 44. The process used by the client device 42 to discover this key is described below.
  • the memory module 54a for the second embodiment of the mutating lock box 100 includes other information that is stored within the mutating lock box 100 or elsewhere on the client device 42.
  • the mutating lock box 100 also includes a first mutating lock box random number 120 (R_LB1), a second mutating lock box random number (R_LB2), and a public key that is used in connection with a public key encryption algorithm, such as RSA, for the key server 44 (K_pub).
  • the memory module 54a of the client device 42 includes a client device random value 126 (R_CD) which is a unique value that is associated with the client device 42 by the key server 44.
  • the memory module 54a of the client device includes system information 128 (sysinfo).
  • the system information is a cryptographic hash of information about the client device, including: 1) persistent information stored on the client device 42 and 2) information gathered during the installation of mutating lock box 100 on the client device 42.
  • the client device random value 126 (R CD ) and the system information are stored in a location on the memory module 54a of the client device 42 that is not associated with the mutating lock box 100.
  • the processor 52b on the key server 44 in this second embodiment is configured to run the key server software.
  • FIG. 7 is a depiction of one embodiment of the key server software 200.
  • the key server software 200 includes a secret drawer key database 210, an authentication value database 212, and a client/server key database 214.
  • the secret drawer database 210 associates a cryptographic key 109 (K_N) with a lock box identifier 112 (ID_BOX) and a secret drawer identifier 106 (ID_N).
  • the secret drawer database 210 is configured such that if the key server 44 is provided with a mutating lock box identifier 112 (ID_BOX) and a secret drawer identifier 106 (ID_N), it can retrieve the appropriate cryptographic key 109 (K_N) for the secret drawer 102 in question.
  • the authentication value database 212 associates a mutating lock box identifier (ID BOX ) with an authentication value 213 (Auth).
  • FIG. 8 is a depiction of the authentication value 213 (Auth) of this second embodiment.
  • the authentication value 213 (Auth) includes: 1) a password salt 213a (salt_pw), 2) a password hash 213b, 3) the second mutating lock box random value 122 (R_LB2), 4) a key server random value 213c (R_s), and 5) the system information value 128 (sysinfo).
  • the password salt value 213a is a random value known to the client device 42 and the key server 44.
  • the password salt value (salt_pw) adds randomness and increases the possible search space for the authentication value.
  • the password hash is a cryptographic hash of the client device's password random value 118 (R_P) and a password value (pwd), that may be a password that is entered by the user of the client device 42.
  • the key server random value 213c (R_s) is a random value that is generated by the key server 44 and distributed to the client device 42 as part of the open mutating lock box transaction. The other values used to compute the authentication value 213 (Auth) are described above.
  • the client/server key database 214 associates a client/server key 114 (K_cs) and a client/server hash key 116 (K_h-cs) with a mutating lock box identifier 106 (ID_BOX).
  • ID_BOX: a mutating lock box identifier 106
  • FIG. 9 is a depiction of the open mutating lock box transaction 240 of the second embodiment of the present invention.
  • the open mutating lock box transaction 240 includes four messages, a first request 242, a first response 244, a second request 246, and a second response 248.
  • Alice initiates the open mutating lock box transaction 240 by transmitting a first request 242 to Trent.
  • the first request includes the mutating lock box identifier 112 (ID_BOX) from the request drawer 104, the secret drawer identifier 106 (ID_N) for the secret drawer 102 that is being opened, and a nonce ("Alice's nonce") 250 (N_Alice) generated by Alice for the open mutating lock box transaction 240.
  • ID_BOX: the mutating lock box identifier 112
  • ID_N: secret drawer identifier
  • N_Alice: Alice's nonce
  • Trent receives the first request 242 and uses the mutating lock box identifier (ID_BOX) 112 and the secret drawer identifier 106 (ID_N) to identify the appropriate client/server key 114 (K_cs) and client/server hash key 116 (K_h-cs) on his memory module 54b. Trent prepares the first response 244.
  • the first response 244 includes a nonce which is generated by Trent ("Trent's nonce") 260 (N_Trent) and the key server random number 213c (R_s), both of which are encrypted using a symmetric encryption algorithm (E) and the client/server key 114 (K_cs).
  • the first response 244 includes a message authentication code (MAC_Resp1) 264 which is generated using the client/server hash key 116 (K_h-cs).
  • Trent transmits the first response to Alice.
  • Alice receives the first response 244.
  • both the client/server key 114 (K_cs) and the client/server hash key 116 (K_h-cs) are stored in the request drawer 104 of the mutating lock box 100.
  • they are encrypted with an encryption algorithm (E) and the request drawer key 113 (K_RD) and Alice cannot decrypt them because she does not know the request drawer key.
  • Alice may discover the request drawer key 113 (K_RD) by using the first response 244.
  • the request drawer key is generated using a pseudorandom number generating function (F_RD(x)) (the "request drawer function") and the following information: 1) a request drawer salt value (salt_RD), 2) the client device random number 126 (R_CD), 3) the first mutating lock box random number 120 (R_LB1), and 4) the system information (sysinfo).
  • F_RD(x): pseudorandom number generating function (the request drawer function)
  • FIG. 10 is a flow chart which depicts the process 280 that Alice uses to generate the request drawer key 113 (K RD ). Alice generates a potential request drawer salt value (saltRo') 282. Next, Alice uses the potential salt value (salt R o') to generate a candidate request drawer key (K RD ') 284.
  • Alice then uses the candidate request drawer key (K RD ') to decrypt the encrypted portion of the request drawer 104, generating a candidate client/server key (K c8 ') and a candidate client/server hash key (K cS-h ') 286. Alice uses the candidate client/server hash key (K cS-h ') to generate a potential message authentication code (MAC) for the first response 288.
  • K RD ' candidate request drawer key
  • K c8 ' a candidate client/server key
  • K cS-h ' candidate client/server hash key
  • Alice compares the potential message authentication code (MAC) that she generated using the candidate client/server hash key (K h-cs ') to the message authentication code for the first response 244 (MACRespO 290. If both message authentication codes are equal 292, then Alice has discovered the appropriate request drawer key 113 (K RD ), client/server key (K cS ), and client/server hash key (K cS-h ) and the process is complete 294. If the codes are not equal, Alice must start the process again 296 (i.e., by generating the next potential value for the request drawer salt value (salt R o)).
  • the process described above requires that Alice generate and test a number of potential request drawer salt values (salt R o) which involves some computational expense. However, this computational expense is relatively small when compared to the computational expense for a third party (i.e., Carol) that attempts to derive the request drawer key 113 (K RD ).
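The salt search of FIG. 10, as an added example that is not part of the patent text: HMAC-SHA256 stands in for the request drawer function F_RD and for the MAC, and a short HMAC-derived keystream XOR stands in for the symmetric cipher E (the patent does not name concrete algorithms). The 14-bit salt width, the labels, the function names and the sample values are all assumptions made for illustration. The block shows Alice recovering K_RD, K_CS and K_h-cs from the encrypted request drawer plus MAC_Resp1, and shows that the same search fails for a party that lacks one of the other inputs (here sysinfo):

```python
import hashlib
import hmac

# Added example, not code from the patent: the salt search of FIG. 10 modelled
# with HMAC-SHA256 as F_RD and a two-block HMAC keystream XOR standing in for E.
# The 14-bit salt width, the labels and the sample values are assumptions.

SALT_BITS = 14  # assumed; this sets the cost of Alice's search


def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudorandom function over length-prefixed parts (HMAC-SHA256)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher E: XOR with an HMAC-derived keystream; the same call decrypts."""
    stream = b"".join(prf(key, label, bytes([i])) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def request_drawer_key(salt_rd: bytes, r_cd: bytes, r_lb1: bytes, sysinfo: bytes) -> bytes:
    """F_RD: K_RD = F_RD(salt_RD, R_CD, R_LB1, sysinfo)."""
    return prf(b"F_RD", salt_rd, r_cd, r_lb1, sysinfo)


def seal_request_drawer(k_cs, k_cs_h, salt_rd, r_cd, r_lb1, sysinfo) -> bytes:
    """Encrypt K_CS || K_h-cs under K_RD; Alice then forgets salt_RD and K_RD."""
    k_rd = request_drawer_key(salt_rd, r_cd, r_lb1, sysinfo)
    return xor_stream(k_rd, b"request-drawer", k_cs + k_cs_h)


def mac_resp1(k_cs_h: bytes, first_response: bytes) -> bytes:
    """MAC_Resp1: Trent's MAC over the first response under K_h-cs."""
    return hmac.new(k_cs_h, first_response, hashlib.sha256).digest()


def recover_request_drawer_key(enc_drawer, first_response, mac_resp1_value, r_cd, r_lb1, sysinfo):
    """Steps 282-296 of FIG. 10: try candidate salts until the candidate K_h-cs'
    reproduces MAC_Resp1. Returns (K_RD, K_CS, K_h-cs, salt) or None."""
    for candidate in range(1 << SALT_BITS):
        salt = candidate.to_bytes(2, "big")                          # step 282
        k_rd_c = request_drawer_key(salt, r_cd, r_lb1, sysinfo)      # step 284
        plain = xor_stream(k_rd_c, b"request-drawer", enc_drawer)    # step 286
        k_cs_c, k_cs_h_c = plain[:32], plain[32:]
        if hmac.compare_digest(mac_resp1(k_cs_h_c, first_response), mac_resp1_value):  # 290-292
            return k_rd_c, k_cs_c, k_cs_h_c, candidate
    return None  # search exhausted: one of the other inputs was wrong


def demo():
    """Constructed sample transaction; none of these values come from the patent."""
    k_cs, k_cs_h = bytes(range(32)), bytes(range(32, 64))
    r_cd, r_lb1, sysinfo = b"R_CD-sample-0001", b"R_LB1-sample-001", b"host:alice-laptop"
    salt_rd = (0x1234).to_bytes(2, "big")
    enc_drawer = seal_request_drawer(k_cs, k_cs_h, salt_rd, r_cd, r_lb1, sysinfo)
    first_response = b"first-response-244||enc(NE_Trent,R_S)"
    tag = mac_resp1(k_cs_h, first_response)                          # computed by Trent
    alice = recover_request_drawer_key(enc_drawer, first_response, tag, r_cd, r_lb1, sysinfo)
    # Carol holds the same ciphertext and MAC but not sysinfo (nor R_CD, R_LB1):
    # every candidate salt then yields a wrong K_RD' and the search exhausts.
    carol = recover_request_drawer_key(enc_drawer, first_response, tag, r_cd, r_lb1, b"host:carol-box")
    return {"k_cs": k_cs, "k_cs_h": k_cs_h, "salt": 0x1234, "alice": alice, "carol": carol}
```

The comparison in step 290 is done with `hmac.compare_digest` so that the loop does not leak, through timing, how many leading bytes of a candidate MAC matched. Widening `SALT_BITS` raises Alice's cost linearly; it does not change Carol's position, which rests on not knowing the other inputs at all.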
  • Alice uses the client/server key 114 (K_CS) to decrypt the encrypted portion of the first response 244 and extracts Trent's nonce 260 (NE_Trent) and the key server random value 213c (R_S). Alice then prepares the second request 246.
  • The second request 246 includes: 1) an encrypted pre-master secret 300 (secret), 2) an encrypted authentication value 213 (Auth), and 3) a message authentication code for the second request 302 (MAC_Req2).
  • Alice generates the encrypted pre-master secret 300 (secret).
  • She generates the pre-master secret (secret) (using the same method described in the previous embodiment) and encrypts it with a public-key encryption algorithm, such as RSA, and Trent's public key (K_pub).
  • The authentication value 213 (Auth) is a cryptographic hash of: 1) a password salt value 213a (salt_pw), 2) the password hash 213b, 3) the second mutating lock box random number 122 (R_LB2), 4) the key server random value 213c (R_S), and 5) the system information (sysinfo).
  • Alice generates a cryptographic key for the authentication value (K_Auth) (the "authentication value key") using a random function (F_Auth(x)) and the following information: 1) Alice's nonce 250 (NE_Alice), 2) Trent's nonce 260 (NE_Trent), and 3) the pre-master secret (secret).
  • Alice uses the authentication value key (K_Auth) and a symmetric encryption algorithm (E) to encrypt the authentication value.
  • K_Auth: authentication value key
  • E: symmetric encryption algorithm
  • MAC_Req2: message authentication code 302 for the second request, computed using the client/server hash key (K_h-cs).
  • Trent receives the second request 246 and uses the message authentication code (MAC_Req2), computed with the client/server hash key (K_h-cs), to verify that it was not corrupted or modified by a third party (e.g., Carol) during transmission. Only if Trent finds that the second request 246 is valid does he use the public key encryption algorithm (E_RSA) and his private key (K_priv) to decrypt the encrypted pre-master secret 300 (secret) that was included in the second request 246.
  • MAC_Req2: message authentication code
  • K_h-cs: client/server hash key
  • E_RSA: public key encryption algorithm
  • K_priv: Trent's private key
  • Trent then generates the authentication value key (K_Auth) using the authentication value function (F_Auth(x)) and the following: 1) Alice's nonce 250 (NE_Alice) (which Trent received in the first request 242), 2) Trent's nonce 260 (NE_Trent) (which Trent generated as part of the first response 244), and 3) the pre-master secret (secret).
  • K_Auth: the authentication value key
  • F_Auth(x): the authentication value function
  • Trent uses the authentication value key (K_Auth) to decrypt the encrypted authentication value 213 (Auth) that was included as part of the second request 246 and verifies that it is the correct authentication value for Alice (i.e., that the authentication value 213 (Auth) in the second request 246 matches the authentication value 213 stored in the authentication value database 212 on Trent's memory module 54b).
  • K_Auth: authentication value key
  • The second response 248 includes an authentication confirmation code 320 (Y/N) which indicates whether Trent successfully verified the authentication value in the second request 246, an encrypted new secret drawer identifier 322 (ID_N-new), an encrypted cryptographic key for the secret drawer 109 (K_N), and a message authentication code 326 (MAC_Resp2). It should be noted that if Trent could not verify the authentication value 213 (Auth), the second response 248 will not contain valid data (i.e., it may contain all zeroes or a random value).
  • If Trent is able to verify the authentication data, Trent generates a cryptographic key for the second response 248 (K_Resp2) (the "second response key") using a pseudo-random number generating function (F_Resp2(x)) (the "second response function") and the following information: 1) Alice's nonce 250 (NE_Alice), 2) Trent's nonce 260 (NE_Trent), and 3) the pre-master secret (secret).
  • K_Resp2: the second response key
  • F_Resp2(x): the pseudo-random number generating function
  • Trent uses the second response key (K_Resp2) and a symmetric encryption algorithm (E) to encrypt a new secret drawer identifier 322 (ID_N-new), which replaces the current secret drawer identifier 106 (ID_N), and a cryptographic key to decrypt the information in the secret drawer 109 (K_N).
  • K_Resp2: the second response key
  • E: a symmetric encryption algorithm
  • Trent prepares a message authentication code 326 (MAC_Resp2) using the client/server hash key 116 (K_h-cs).
  • Trent will also include key material to be used to mutate values in the current secret drawer, as in Black Content Protocols.
  • The key material is chosen at random, or through the use of a pseudorandom function, by Trent. This key material is encrypted together with ID_N-new and K_N in the message. In these embodiments, Trent sends this message to Alice.
  • Alice receives the second response 248 and verifies that it is valid using the message authentication code 326 (MAC_Resp2).
  • Alice generates the second response key (K_Resp2) using the same method as Trent.
  • Alice uses the second response key (K_Resp2) to decrypt the encrypted portion of the second response 248, and extracts the new secret drawer identifier 322 (ID_N-new) and the cryptographic key for the secret drawer 109 (K_N).
  • Alice uses the cryptographic key 109 (K_N) to decrypt the mutating content in her secret drawer 102a.
  • Alice replaces the old secret drawer identifier 106 (ID_N) with the new secret drawer identifier 322 (ID_N-new).
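The second request and second response, run end to end by both parties, as an added example that is not code from the patent. HMAC-SHA256 stands in for F_Auth, F_Resp2 and the MACs, SHA-256 for the hash that forms Auth, and a short HMAC keystream XOR for the symmetric cipher E; the patent names none of these concretely. The RSA wrapping of the pre-master secret under K_pub is assumed to have taken place and is not modelled, so `secret` is handed to Trent as is. Function names, labels and sample values are assumptions. The block shows the order of checks on Trent's side (MAC before any decryption), the Y/N code with meaningless filler on failure, and Alice recovering ID_N-new and K_N:

```python
import hashlib
import hmac
import os

# Added example, not code from the patent: the second request / second response
# exchange with HMAC-SHA256 as F_Auth, F_Resp2 and the MACs, SHA-256 for Auth,
# and an HMAC keystream XOR standing in for E. RSA transport of `secret` is
# assumed and not modelled. Names, labels and sample values are assumptions.


def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudorandom function over length-prefixed parts (HMAC-SHA256)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher E: XOR with an HMAC-derived keystream; the same call decrypts."""
    stream = b"".join(prf(key, label, bytes([i])) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def mac(key: bytes, *parts: bytes) -> bytes:
    return prf(key, b"MAC", *parts)


def auth_value(salt_pw, pw_hash, r_lb2, r_s, sysinfo) -> bytes:
    """Auth = H(salt_pw, pw_hash, R_LB2, R_S, sysinfo)."""
    return hashlib.sha256(b"|".join([salt_pw, pw_hash, r_lb2, r_s, sysinfo])).digest()


def k_auth(ne_alice, ne_trent, secret) -> bytes:
    """K_Auth = F_Auth(NE_Alice, NE_Trent, secret)."""
    return prf(b"F_Auth", ne_alice, ne_trent, secret)


def k_resp2(ne_alice, ne_trent, secret) -> bytes:
    """K_Resp2 = F_Resp2(NE_Alice, NE_Trent, secret)."""
    return prf(b"F_Resp2", ne_alice, ne_trent, secret)


def alice_second_request(secret, auth, ne_alice, ne_trent, k_cs_h) -> dict:
    """Second request 246: secret (RSA step assumed), E(K_Auth, Auth), MAC_Req2."""
    enc_auth = xor_stream(k_auth(ne_alice, ne_trent, secret), b"Auth", auth)
    return {"secret": secret, "enc_auth": enc_auth, "mac": mac(k_cs_h, secret, enc_auth)}


def trent_second_response(req, ne_alice, ne_trent, k_cs_h, stored_auth, id_n_new, k_n):
    """Verify MAC_Req2 first; a modified request is dropped before any decryption."""
    if not hmac.compare_digest(mac(k_cs_h, req["secret"], req["enc_auth"]), req["mac"]):
        return None
    secret = req["secret"]
    auth = xor_stream(k_auth(ne_alice, ne_trent, secret), b"Auth", req["enc_auth"])
    if hmac.compare_digest(auth, stored_auth):
        flag = b"Y"
        body = xor_stream(k_resp2(ne_alice, ne_trent, secret), b"Resp2", id_n_new + k_n)
    else:
        flag, body = b"N", os.urandom(len(id_n_new) + len(k_n))  # no valid data on failure
    return {"flag": flag, "body": body, "mac": mac(k_cs_h, flag, body)}


def alice_open(resp, secret, ne_alice, ne_trent, k_cs_h, id_len):
    """Verify MAC_Resp2, then recover (ID_N-new, K_N) from a Y response."""
    if resp is None or not hmac.compare_digest(mac(k_cs_h, resp["flag"], resp["body"]), resp["mac"]):
        return None
    if resp["flag"] != b"Y":
        return None
    plain = xor_stream(k_resp2(ne_alice, ne_trent, secret), b"Resp2", resp["body"])
    return plain[:id_len], plain[id_len:]


def demo(password: bytes = b"correct horse") -> dict:
    """Constructed sample exchange; none of these values come from the patent."""
    ne_alice, ne_trent = b"NE_Alice-sample", b"NE_Trent-sample"
    r_lb2, r_s, sysinfo, salt_pw = b"R_LB2-sample", b"R_S-sample", b"host:alice-laptop", b"pwsalt"
    k_cs_h, secret = bytes(range(32, 64)), bytes(range(48))
    id_n_new, k_n = b"drawer-id-0002", bytes(range(64, 96))
    stored_auth = auth_value(salt_pw, hashlib.sha256(b"correct horse").digest(), r_lb2, r_s, sysinfo)
    auth = auth_value(salt_pw, hashlib.sha256(password).digest(), r_lb2, r_s, sysinfo)
    req = alice_second_request(secret, auth, ne_alice, ne_trent, k_cs_h)
    resp = trent_second_response(req, ne_alice, ne_trent, k_cs_h, stored_auth, id_n_new, k_n)
    # A request altered in transit (one ciphertext bit flipped) must fail MAC_Req2.
    altered = dict(req, enc_auth=req["enc_auth"][:-1] + bytes([req["enc_auth"][-1] ^ 1]))
    rejected = trent_second_response(altered, ne_alice, ne_trent, k_cs_h, stored_auth, id_n_new, k_n)
    return {"flag": resp["flag"], "expected": (id_n_new, k_n), "altered_rejected": rejected is None,
            "opened": alice_open(resp, secret, ne_alice, ne_trent, k_cs_h, len(id_n_new))}
```

Two points the prose leaves implicit are made explicit here: Trent's MAC check happens before the RSA and symmetric decryptions, so a tampered request costs him one HMAC and nothing else, and the N response carries random filler of the same length as a Y response, so its size alone does not distinguish the two.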
  • Alice and Trent may mutate certain components of the mutating lock box 100. Mutating these values adds security by ensuring that no two consecutive open mutating lock box transactions 240 are the same. Therefore, any cryptographic information that Carol discovers with respect to one open mutating lock box transaction 240 will not be useful for opening the secret drawers after that transaction has ended.
  • Alice and Trent mutate the client/server key 114 (K_CS) and the client/server hash key 116 (K_h-cs).
  • The new values for these keys are generated by Alice and Trent using a pseudo-random number generating function and a portion of a large secret from the secret drawer 102 in Alice's mutating lock box 100.
  • Alice places the new client/server key 114 (K_CS) and client/server hash key 116 (K_h-cs) in the request drawer 104 of her mutating lock box 100.
  • Alice may generate a new request drawer salt value (salt_RD') and a new client side random number 126 (R_CD') and create a new request drawer key (K_RD-new) using the request drawer function.
  • Alice encrypts the request drawer contents, including the mutated client/server key 114 (K_CS) and client/server hash key 116 (K_h-cs), using the request drawer key 113 (K_RD) (or the new request drawer key (K_RD-new) if she created one) and deletes the request drawer key 113 (K_RD) from her memory module 54a. The salt value is likewise not retained: Alice rediscovers it through the search of FIG. 10 at the next open mutating lock box transaction, so a stored copy of either value would defeat the purpose of the search.
  • Trent associates the new client/server key 114 (K_CS) and client/server hash key 116 (K_h-cs) with Alice's mutating lock box identifier (ID_Box) on his memory module 54b so that they can be retrieved during a later open mutating lock box transaction.
  • Alice and Trent may mutate the cryptographic key 109 (K_N) that is used to encrypt the secret drawer.
  • The new key (K_N') is generated using a pseudo-random number generating function and a portion of the large shared secret in Alice's secret drawer 102.
  • The contents of the secret drawer are encrypted using the new key (K_N') on Alice's mutating lock box.
  • Both the original key (K_N) and the new key (K_N') are deleted from Alice's memory module 54a. Trent associates the new key with the secret drawer on his memory module 54b.
  • Alice and Trent may wish to mutate the contents of the secret drawer.
  • The data in the lockbox may be a large secret used for Black Content Protocols or another application. This secret is known by both Alice and Trent. Both Alice and Trent change the contents of the secret drawer by applying the key material to the unencrypted data. For instance, both could combine the data through bitwise exclusive-OR, or any other function. In some embodiments, the amount of key material sent is less than the size of the drawer and only a small portion of the data is changed.
  • Finally, Alice may transmit an acknowledgement 330 to Trent when any mutation is complete and the mutating lock box 100 is closed.
  • For many applications, a particular lockbox should be able to move from one computing environment to another. The protocol is designed to handle two types of lockbox mobility: one that allows authentication of a portable device and one that does not.
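The mutation steps above, carried out by both parties from the same inputs, as an added example that is not code from the patent. HMAC-SHA256 stands in for the pseudo-random number generating function; which portion of the large secret seeds the new keys, the offset at which Trent's key material is applied, the XOR combiner, and the order in which content and keys are mutated are assumptions made here, since the patent leaves them open. The block shows that Alice's and Trent's copies of the drawer and of the key set stay in lock step, that all three keys (K_CS, K_h-cs, K_N) change, and that only the slice touched by the key material differs from the previous drawer contents:

```python
import hashlib
import hmac

# Added example, not code from the patent: post-transaction mutation of the
# client/server keys, the secret drawer key K_N and a slice of the drawer
# contents, computed independently on both sides. HMAC-SHA256 stands in for
# the pseudo-random function; portion, offset and ordering are assumptions.


def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudorandom function over length-prefixed parts (HMAC-SHA256)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def mutate_drawer(drawer: bytes, key_material: bytes, offset: int) -> bytes:
    """Apply Trent's key material to one slice of the plaintext drawer by XOR.
    The slice is shorter than the drawer, so most of the data is untouched."""
    end = offset + len(key_material)
    if offset < 0 or end > len(drawer):
        raise ValueError("key material does not fit in the drawer at that offset")
    patched = bytes(a ^ b for a, b in zip(drawer[offset:end], key_material))
    return drawer[:offset] + patched + drawer[end:]


def mutate_keys(drawer: bytes, r_lb1: bytes, r_lb2: bytes) -> dict:
    """New K_CS, K_h-cs and K_N' from a portion of the large shared secret.
    Assumed portion: the first 64 bytes, mixed with the two lock box randoms."""
    seed = prf(drawer[:64], b"mutate", r_lb1, r_lb2)
    return {"K_CS": prf(seed, b"K_CS"), "K_h-cs": prf(seed, b"K_h-cs"), "K_N": prf(seed, b"K_N")}


class Side:
    """One party's view: the plaintext secret drawer and the current key set."""

    def __init__(self, drawer: bytes, keys: dict):
        self.drawer, self.keys = drawer, dict(keys)

    def mutate(self, key_material: bytes, offset: int, r_lb1: bytes, r_lb2: bytes) -> dict:
        # Assumed order: content first, then keys derived from the new content.
        self.drawer = mutate_drawer(self.drawer, key_material, offset)
        self.keys = mutate_keys(self.drawer, r_lb1, r_lb2)
        return self.keys


def demo() -> dict:
    """Constructed sample mutation; none of these values come from the patent."""
    large_secret = hashlib.sha256(b"constructed large secret").digest() * 8  # 256-byte drawer
    initial = {"K_CS": bytes(range(32)), "K_h-cs": bytes(range(32, 64)), "K_N": bytes(range(64, 96))}
    alice, trent = Side(large_secret, initial), Side(large_secret, initial)
    key_material = prf(b"Trent-rng-stand-in", b"key material for this transaction")  # 32 bytes
    r_lb1, r_lb2 = b"R_LB1-sample-001", b"R_LB2-sample"
    a_keys = alice.mutate(key_material, 128, r_lb1, r_lb2)
    t_keys = trent.mutate(key_material, 128, r_lb1, r_lb2)
    changed = [i for i, (x, y) in enumerate(zip(alice.drawer, large_secret)) if x != y]
    return {
        "in_sync": alice.drawer == trent.drawer and a_keys == t_keys,
        "keys_changed": all(a_keys[k] != initial[k] for k in initial),
        "changed_positions": changed,
    }
```

After a run, Alice keeps neither K_N nor K_N' in memory: the re-encrypted drawer is opened again only through the next open transaction with Trent, which is what makes the key set from one transaction useless for the next.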

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a computer-readable storage medium associated with a first computing device. The computer-readable storage medium comprises a data structure stored thereon. The data structure comprises at least one secret drawer comprising encrypted content and an identifier associated with a cryptographic key. The cryptographic key is used to decrypt the encrypted content. The data structure also comprises a request drawer comprising an identifier associated with the data structure, and data used to generate authentication information. The authentication information is used to verify the identity of the first device. The first computing device is configured to communicate with a second computing device comprising a database containing at least one key, which key is used to decrypt the content of the secret drawer.
PCT/US2008/071895 2007-08-02 2008-08-01 Systèmes et procédés visant à mettre en oeuvre une boîte de verrouillage logicielle en mutation WO2009018513A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US96307507P 2007-08-02 2007-08-02
US60/963,075 2007-08-02

Publications (1)

Publication Number Publication Date
WO2009018513A1 true WO2009018513A1 (fr) 2009-02-05

Family

ID=40304907

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/071895 WO2009018513A1 (fr) 2007-08-02 2008-08-01 Systèmes et procédés visant à mettre en oeuvre une boîte de verrouillage logicielle en mutation

Country Status (1)

Country Link
WO (1) WO2009018513A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9197407B2 (en) 2011-07-19 2015-11-24 Cyberlink Corp. Method and system for providing secret-less application framework

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030187799A1 (en) * 2002-02-27 2003-10-02 William Sellars Multiple party content distribution system and method with rights management features
US20060126826A1 (en) * 2002-10-11 2006-06-15 Rega Carlos A Apparatus and method of encoding and decoding information
US20060195402A1 (en) * 2002-02-27 2006-08-31 Imagineer Software, Inc. Secure data transmission using undiscoverable or black data

Similar Documents

Publication Publication Date Title
US8930700B2 (en) Remote device secure data file storage system and method
US8644516B1 (en) Universal secure messaging for cryptographic modules
US6959394B1 (en) Splitting knowledge of a password
RU2589861C2 (ru) Система и способ шифрования данных пользователя
US5491752A (en) System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
WO2017164159A1 (fr) Système d'authentification, chiffrement et signature biométriques 1:n
CA2913444C (fr) Systeme et procede d'authentification d'utilisateur
He et al. A social-network-based cryptocurrency wallet-management scheme
US20060036857A1 (en) User authentication by linking randomly-generated authentication secret with personalized secret
US20060195402A1 (en) Secure data transmission using undiscoverable or black data
WO2014141263A1 (fr) Système d'authentification otp asymétrique
US20050033963A1 (en) Method and system for authentication, data communication, storage and retrieval in a distributed key cryptography system
EP1079565A2 (fr) Procédé d'établissement sécurisé d'une liaison sécurisée par l'intermédiaire d'un réseau de communication non sécurisé
JP2018026631A (ja) Ssl通信システム、クライアント、サーバ、ssl通信方法、コンピュータプログラム
US10623400B2 (en) Method and device for credential and data protection
Yao et al. An inter-domain authentication scheme for pervasive computing environment
US8307209B2 (en) Universal authentication method
JP6174796B2 (ja) セキュリティシステム、管理装置、許可装置、端末装置、セキュリティ方法、およびプログラム
Thompson et al. Multifactor IoT Authentication System for Smart Homes Using Visual Cryptography, Digital Memory, and Blockchain Technologies
JPH09330298A (ja) パスワード登録方法、認証方法、パスワード更新方法、パスワード登録システム、認証システムおよびパスワード更新システム
CN114710271A (zh) 一种共享加密数据的方法、装置、存储介质和电子设备
WO2009018513A1 (fr) Systèmes et procédés visant à mettre en oeuvre une boîte de verrouillage logicielle en mutation
CN111447060A (zh) 一种基于代理重加密的电子文档分发方法
Neela et al. A Hybrid Cryptography Technique with Blockchain for Data Integrity and Confidentiality in Cloud Computing
JP6165044B2 (ja) 利用者認証装置、システム、方法及びプログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08797028

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08797028

Country of ref document: EP

Kind code of ref document: A1