INTEROPERABLE CRYPTOGRAPHIC KEY RECOVERY SYSTEM WITH VERIFICATION BY COMPARISON
 Inventors: Donald Byron Johnson, Pleasant Valley, N.Y.; Paul Ashley Karger, Acton; Charles William Kaufman, Jr., Norfhborough, both of Mass.; Stephen Michael Matyas, Jr., Poughkeepsie, N.Y.; David Robert Safford, Brewster, N.Y.; Marcel Mordechay Yung, New York City, N.Y.; Nevenko Zunic, Wappingers Falls, N.Y.
 Assignee: International Business Machines Corporation, Armonk, N.Y.
 Appl. No.: 09/133,877  Filed: Aug. 14, 1998
Related U.S. Application Data
 Continuation of application No. 08/681,679, Jul. 29, 1996, Pat. No. 5,796,830.
 Int. CI.7 H04L 9/08; H04L 9/14;
 U.S. CI 380/286; 380/278; 380/28;
 Field of Search 380/21, 23, 28,
380/30, 49, 26 B, 278, 286; 713/171
 References Cited
U.S. PATENT DOCUMENTS
5,724,425 3/1998 Chang et al 380/25
5,761,305 6/1998 Vanstone et al 380/21
5,848,156 12/1998 Murakami 380/21
5,857,022 1/1999 Sudia 380/23
5,901,227 5/1999 Perlman 380/21
5,933,504 8/1999 Vanstone et al 380/30
Primary Examiner—-Tod R. Swann
Assistant Examiner—-Justin T. Darrow
Attorney, Agent, or Firm—-William A. Kinnaman Jr.
A cryptographic key recovery system that is interoperable with existing systems for establishing keys between communicating parties. The sender uses a reversible key inversion function to generate key recovery values P, Q and (optionally) R as a function of a session key and public information, so that the session key may be regenerated from the key recovery values P, Q and (if generated) R. Key recovery values P and Q are encrypted using the respective public recovery keys of a pair of key recovery agents. The encrypted P and Q values are included along with other recovery information in a session header accompanying an encrypted message sent from the sender to the receiver. The key recovery agents may recover the P and Q values for a law enforcement agent by decrypting the encrypted P and Q values in the session header, using their respective private recovery keys corresponding to the public keys. The R value, if generated, is not made available to the key recovery agents, but is ascertained using standard cryptanalytic techniques in order to provide a nontrivial work factor for law enforcement agents. The receiver checks the session header of a received message to ensure that the sender has included valid recovery information. Only when the receiver has verified that the sender has included valid recovery information does the receiver decrypt the received message.
20 Claims, 11 Drawing Sheets