WO2003017565A1 - Method for secure storage and recovery of data - Google Patents

Publication number
WO2003017565A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
encrypted
user
trustee
encryption
Prior art date
Application number
PCT/BY2001/000012
Other languages
English (en)
Inventor
Valentin Alexandrovich Michtchenko
Original Assignee
Michtchenko Valentin Alexandro
Priority date
Filing date
Publication date
Application filed by Michtchenko Valentin Alexandro
Priority to PCT/BY2001/000012
Publication of WO2003017565A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Definitions

  • the invention relates to systems and methods providing centralized services for safe storage of secret information.
  • Cryptography is the process for encrypting or scrambling messages such that the messages can be stored and transmitted securely.
  • Cryptography can be used to achieve secure communications, even when the transmission media (for example, the Internet) is public or untrustworthy.
  • Cryptography is also used by computer users for encrypting sensitive files, so that an intruder cannot understand them. Cryptography can be used to ensure data integrity as well as to maintain secrecy.
  • a data item can be scrambled so that it appears like random gibberish and is very difficult to transform back to the original data without a secret key.
  • This message can consist of ASCII text, a database file, or any other data.
  • the encryption and decryption keys are often, but not always, the same key.
  • There are two main classes of encryption algorithms: symmetric algorithms and public-key algorithms (also known as asymmetric algorithms).
  • Symmetric algorithms are the most common type of encryption algorithm. They are known as symmetric because the same key is used for both encryption and decryption. Unlike the keys used with public-key algorithms, symmetric keys are frequently changed.
  • symmetric algorithms are very fast and, thus, are preferred when encrypting large amounts of data.
  • Some of the more common symmetric algorithms are RC2, RC4, and the Data Encryption Standard (DES).
  • Public-key (asymmetric) algorithms use two different keys: the public key and the private key.
  • the private key is kept private to the owner of the key pair, and the public key can be distributed to anyone who requests it (often by means of a certificate). If one key is used to encrypt a message, then the other key is required to decrypt the message.
  • Public-key algorithms are very slow - on the order of 1,000 times slower than symmetric algorithms. Consequently, they are typically used only to encrypt session keys. They are also used to digitally sign messages.
  • Digital signatures can be used to distribute an unencrypted data item, while allowing the recipients to be able to verify that the message comes from its purported sender and that it has not been tampered with. Signing a message does not alter the message, it simply generates a digital signature string that can either be bundled with the message or transmitted separately.
  • Digital signatures are generated by using public-key signature algorithms: a private key is used to generate the signature, and the corresponding public key is used to validate the signature.
  • Certificates are a common way to achieve authentication.
  • a certificate is a set of data that completely identifies an entity, and is issued by a Certification Authority.
  • a method for data protection makes use of means for storing and protecting "core" data secrets, such as private cryptographic keys, credit card numbers, and other small pieces of secret data.
  • This responsibility is left to individual application programs or to personal computer users themselves.
  • programs are available that allow users to encrypt and store data, such programs cannot typically be used by other application programs.
  • each application program has to devise a safe and secure method to store such data.
  • the encrypted data stored in the computer definitely are connected to the initial data and basically may be decrypted by selection of keys.
  • a smart card is particularly well suited as a receptacle for core data secrets such as those described above.
  • smart cards can be used to authenticate users by requiring each user to insert his or her personal smart card into a receptacle associated with the user's personal computer. Tamper-proof smart cards have been designed for just these purposes.
  • a method for encrypting disclosed in [WO 00/65767] is known. This method allows any machine text (any file), by repeated transformation with compression, to be transformed into two encoded files, one of which is a product of repeated transformations (core). The second file represents information about the parameters of these transformations (flags) and has no meaning or connection with the initial text.
  • the feature of such representation is that one of the files (core) can have a small size and a preset resistance (security) against an attack (that is selected by the user). Unlike the hash-function, the initial text (file) can be restored from the core file with the help of other file (flags) and special secret key information.
  • This method for encryption allows the both parts of the encrypted message to be independent from the initial text. In this case the initial text cannot be restored by any of these parts separately.
  • the both inventions provide centralized storage for core data secrets referred to as data items.
  • the architecture includes a storage server, a plurality of installable storage providers, and one or more authentication providers.
  • a default storage provider allows storage of data items on magnetic media such as a hard disc or a floppy disk or other media.
  • Data items are encrypted by the user's computer by using the user's key which is derived from the user's password supplied during logon.
  • the user's key is deposited by the network control computer such as a storage server.
  • the user sends the user's key to the server.
  • the server adds to the key the user's authentication, which is at the same time transmitted to the authorized user of the user's computer, and encrypts the resulting combination.
  • the encrypted combination is returned and is locally stored by the user.
  • the encrypted combination is sent to the server that decodes the combination for deriving a data item.
  • the data item is returned to the user's computer only in case the decoded user's authentication matches the presently authenticated user of the user's computer.
  • the aim of the invention consists in providing a safe method for data storage protected from unauthorized access by using all advantages of communication media and the Internet.
  • the method for safe data storage and restoring comprises the following steps: deriving personal public and private key pairs for a user and a trustee; encrypting, in the user's computer, the data secrets to be stored by an encryption algorithm, as a result of which at least two parts of encrypted data (core and flags) are formed; additionally encrypting at least one part of the encrypted data (core) by the trustee's public key; sending the part encrypted by the trustee's public key to the trustee's computer, which authenticates the received data by decoding the received part by the trustee's secret key; further encrypting the decrypted part by the user's public key; sending the part of the encrypted data, which was encrypted by the user's public key, to the user's computer for authentication of the received data by decoding the received part by the user's secret key for further restoring the initial data and matching the restored data with the initial data; confirming authenticity of the data part to be stored by the trustee; storing the decrypted data part by the trustee;
  • a method for recovering stored data comprises the steps of: requesting the data part stored by the trustee with the user's authentication; encrypting the stored data by the user's public keys; sending the encrypted data part to the user; restoring the encrypted data part by the user's secret key; restoring the initial data from the restored data part (core) and the stored data part (flags) by reverse transformation;
  • a further improvement of the method is that if additional encrypting is performed on the part of the encrypted data before it is sent to the trustee, then during data restoration the respective additional decoding is performed on the data part received from the trustee and restored by the user's secret key.
  • a still further improvement is that during restoration of the initial data, the data are pre-restored from the part of the additionally encrypted data received from the trustee and the part of the additionally encrypted data stored by the user and derived during the first encryption; thereafter the initial data are restored from the pre-restored data part and from the data part stored after the first encryption.
  • Fig. 1 shows a block-scheme of transforming initial data according to the invention.
  • Fig. 2 shows a block-scheme of transforming initial data with additional encryption of the core part according to the invention.
  • Fig. 1 shows a scheme for data encrypting and storing according to the claimed method.
  • a method for secret transferring data comprises the following steps:
  • main encryption 1 is performed in such a manner that the length of the content part is substantially shorter than the length of the accessory part.
  • Such a transformation can be termed as transformation with compression of the content part of data.
  • the main encryption 1 is performed in such a manner that the content part has a fixed length (e.g. 1 KB) that is substantially shorter than the accessory part.
  • a method for restoring initial data comprises the steps of:
  • the claimed method uses the advantages of methods for encryption with asymmetrical short part of data allowing at the same time to essentially improve the process of decoding on the account of encryption of the short part of data only. At the same time no unauthorized decoding of the rest (accessory) part of data is possible because it has no notional connection with the content of the initial text.
  • keys and the algorithm of the basic encryption can be also distributed through public channels.
  • the stability (resistance) of encryption will be determined by the stability (resistance) of the encryption under RSA.
  • the length of the RSA key in such a case may be essentially more than standard (from 512 or 1024 bit up to 1 KB or more) and the total time for decryption of large files essentially decreases.
  • the method for data encryption can be characterized by the following features, in particular:
  • the information (C n ) finally transformed at the given step is additionally transformed under the RSA method with the use of the public key of the asymmetric key pair of the recipient - data trustee.
  • the finally transformed part of information is transmitted to the trustee through one or several communication channels.
  • any standard procedure of verification may be used.
  • a procedure of issue a certificate may be stipulated, or an identification record may be added to the stored information.
  • the method for decoding the encrypted data comprises the steps of:
  • Fig. 2 illustrates further improvement of the method.
  • A still further improvement of the method performs one more transformation 7 of the encrypted data part that is to be sent. All other operations are the same as in Fig. 1.
  • the trustee receives only the secondary "core" sent according to the appropriate procedure with asymmetrical keys.
  • the rest part (secondary flags) is stored in the memory 2 of user's computer.
  • the length of the message sent for storage can be essentially reduced without any decrease of resistance of protection, but even with increase thereof. Accordingly, during decoding it is necessary to perform the procedures of additional decoding 7 that are similar to the former one, but are carried out in the reverse order.
  • This method allows the encryption resistance to be provided by the number of transformation cycles, by the key length, and by the resistance of the RSA algorithm.
  • Essential advantage of the present invention also lies in the combination of the first method of encryption with the RSA algorithm. This combination also provides reliable identification of users and the trustee allowing to organize a centralized system for safe storage of information.
  • the feature of the claimed method versus the prior art inventions also consists in that only short nuclei are stored in the centralized depot, while the basic volume of data is stored at the user.
  • the part stored at the user has no semantic connection with the initial text, therefore it cannot be restored by any unauthorized user.
  • the short essential data part also is meaningless, since the resistance of this part is determined by the length of the accessory part comparable with the initial text, and by the amount of transformation cycles, which may be set arbitrary large.
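
The storing and recovering steps listed above can be traced end to end in the following added example, which is not code from the patent or its author. It assumes a stand-in for the two-part encryption of WO 00/65767 (a random 16-byte core plus an XOR keystream for the flags), unpadded textbook RSA over small Mersenne primes, and hypothetical names (`Trustee`, `store_secret`, `recover_secret`); none of these choices is secure for real use.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa(key, m):
    """Raw modular exponentiation; real systems need OAEP padding and large n."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message out of range for this modulus")
    return pow(m, exp, n)

def _keystream(core, length):
    blocks = (hashlib.sha256(core + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def split(data):
    """Stand-in two-part encryption: short random core, flags as long as the data."""
    core = secrets.token_bytes(16)
    return core, bytes(a ^ b for a, b in zip(data, _keystream(core, len(data))))

def join(core, flags):
    return bytes(a ^ b for a, b in zip(flags, _keystream(core, len(flags))))

class Trustee:
    def __init__(self, pub, priv):
        self.pub, self._priv = pub, priv
        self.users, self._pending, self._store = {}, {}, {}

    def register(self, user_id, user_pub):
        self.users[user_id] = user_pub

    def deposit(self, user_id, ciphertext):
        core = rsa(self._priv, ciphertext)        # decode with trustee's secret key
        self._pending[user_id] = core
        return rsa(self.users[user_id], core)     # echo under user's public key

    def confirm(self, user_id):
        self._store[user_id] = self._pending.pop(user_id)

    def recover(self, user_id):
        # Requester authentication is assumed to have happened already; the
        # reply is readable only with the registered user's private key.
        return rsa(self.users[user_id], self._store[user_id])

def store_secret(user_id, user_priv, trustee, data):
    core, flags = split(data)
    echo = trustee.deposit(user_id, rsa(trustee.pub, int.from_bytes(core, "big")))
    echoed = rsa(user_priv, echo).to_bytes(16, "big")
    if join(echoed, flags) != data:               # match restored vs initial data
        raise ValueError("trustee echo does not restore the initial data")
    trustee.confirm(user_id)
    return flags                                  # the core is no longer kept locally

def recover_secret(user_id, user_priv, trustee, flags):
    core = rsa(user_priv, trustee.recover(user_id)).to_bytes(16, "big")
    return join(core, flags)

def demo():
    user_pub, user_priv = make_keypair(2**127 - 1, 2**107 - 1)   # toy primes
    t_pub, t_priv = make_keypair(2**89 - 1, 2**61 - 1)           # toy primes
    trustee = Trustee(t_pub, t_priv)
    trustee.register("alice", user_pub)
    secret = b"constructed sample: PIN 0000, recovery phrase 'example'"
    flags = store_secret("alice", user_priv, trustee, secret)
    return secret, flags, recover_secret("alice", user_priv, trustee, flags)
```

The echo check in `store_secret` is the step that lets the user detect a trustee that decoded or stored the wrong core before the local copy of the core is discarded.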

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to systems and methods for providing centralized services for the safe storage of confidential data. These systems and methods rely on an advantageous combination of encryption methods that generate at least two independent sections of encrypted data, and of an RSA algorithm. This combination also makes it possible to reliably identify the users and the administrator, and to organize a centralized system for safe data storage. These methods provide resistant encryption through the application of a predetermined number of transformation cycles and the resistance of the RSA algorithm. The method provides fast encryption combined with the advantages of the RSA system.
PCT/BY2001/000012 2001-08-20 2001-08-20 Method for secure storage and recovery of data WO2003017565A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/BY2001/000012 WO2003017565A1 (fr) 2001-08-20 2001-08-20 Method for secure storage and recovery of data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/BY2001/000012 WO2003017565A1 (fr) 2001-08-20 2001-08-20 Method for secure storage and recovery of data

Publications (1)

Publication Number Publication Date
WO2003017565A1 true WO2003017565A1 (fr) 2003-02-27

Family

ID=4083757

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/BY2001/000012 WO2003017565A1 (fr) 2001-08-20 2001-08-20 Method for secure storage and recovery of data

Country Status (1)

Country Link
WO (1) WO2003017565A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0912011A2 (fr) * 1997-10-20 1999-04-28 Sun Microsystems, Inc. Method and device for encryption and key recovery
WO2000065767A1 (fr) * 1999-04-27 2000-11-02 Mischenko Valentin Alexandrovi Method for encrypting information and device for carrying out the method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EC EE ES FI GB GD GE GH HR HU ID IL IN IS JP KE KG KP KR LC LK LR LS LT LU LV MA MD MG MN MW MX MZ NO NZ PL PT RO RU SE SG SI SK SL TJ TM TR TT TZ UA US UZ VN YU ZA

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZW AM AZ BY KG KZ MD TJ TM AT BE CH CY DE DK ES FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW MR NE SN TD TG US

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP