
[FYI] New NSA Patent: Method of passing a cryptographic key that allows third party access to the key



<http://cryptome.org/nsa-access.htm>

Method of passing a cryptographic key that allows third party access 
to the key  

Abstract

A method of passing a cryptographic key that allows recovery of the 
key by a third party by generating a first random number by a first 
user; generating "key_1" by the first user; generating a second 
random number "k_2a" by the first user; computing "y_1" by 
the first user; computing "y_2" by the first user; computing 
"r_1" by the first user; computing "z" by the first user; 
computing "s" by the first user; computing "G" by the first user; 
passing (G,z,r_1,s) from the first user to the second user; 
receiving "Y" by the second user; computing "T" by the second user; 
computing "y_1" by the second user; computing "k_1a" by the 
second user; computing "key_1" by the second user; intercepting, 
by a third party, (G,z,r_1,s) transmitted from the first user to 
the second user; presenting "G" and "z," by the third party, to a 
key-escrow agent; computing "y_2" by the key-escrow agent; computing 
"key_2" by the key-escrow agent, where key_2 = key_1; 
returning "key" from the key-escrow agent to the third party if the 
third party is authorized to receive "key_2"; and using 
"key_2" by the authorized third party, to decrypt an encrypted 
message sent between the first user and the second user which was 
encrypted using "key_1."

Inventors: Petro; John (Columbia, MD)
Assignee: The United States of America as represented by the National 
Security Agency (Washington, DC)
Appl. No.: 722385
Filed: October 11, 1996

Current U.S. Class: 380/21; 380/23
Intern'l Class: H04K 001/00
Field of Search: 380/21,23,28-30,285,286

[...]

What is claimed is:

1. A method of passing a cryptographic key that allows recovery of the 
key by a third party, comprising the steps of:

a) generating a first random number "k_1a" by a first user, 
where "k_1a" is a non-zero member of a group "Z_q" and 
where "q" is a prime number;

b) generating "key_1 = m(k_1a)" by the first user, where "m" 
is a hashing function;

c) generating a second random number "k_2a" by the first user, 
where "k_2a" is a non-zero member of the group "Z_q";

d) computing "y_1 = m(h_p2(k_2a))" by the first user, 
where "h_p2" is a public function of a public-key encryption 
function of a second user;

e) computing "y_2 = m(H_p(k_1a))" by the first user, 
where "H_p" is a public function of a public-key encryption 
function of a key escrow agent;

f) computing "r_1 = f(y_1, k_1a)" by the first user, where 
"f" is a secure encryption function;

g) computing "z = f(y_2, key_1)" by the first user;

h) computing a signature, by the first user, by computing 
"A = (1/k_2a)(x_a B + k_1a C) mod q," where "z", "r_1", 
and "s" are substituted for "A", "B", and "C," where the equation for 
computing a signature is solved for "s," and where "x_a" is a 
long-term secret of the first user;

i) computing "G = g^(k_1a) mod p" by the first user;

j) passing (G,z,r_1,s) from the first user to the second user;

k) receiving "Y = g^(x_a) mod p" by the second user, where "g" is a 
base element, and where "p" is a prime integer;

l) verifying the computed signature, by the second user, by computing 
"T = (Y^B * G^C)^((1/A) mod q) mod p," where "z", "r_1", 
and "s" are substituted for "A", "B", and "C";

m) computing "y_1 = m(h_s2(T))" by the second user, where 
"h_s2" is a secret function of the public-key encryption 
function of the second user;

n) computing "k_1a = (f^-1)(y_1, r_1)" by the second 
user;

o) computing "key_1 = m(k_1a)" by the second user;

p) intercepting, by a third party, (G,z,r_1,s) transmitted from 
the first user to the second user;

q) presenting "G" and "z," by the third party, to a key-escrow agent;

r) computing "y_2 = m(H_s(G))" by the key-escrow agent, where 
"H_s" is a secret function of the public-key encryption function 
of the key-escrow agent;

s) computing "key_2 = (f^-1)(y_2, z)" by the key-escrow 
agent, where key_2 = key_1;

t) returning "key_2" from the key-escrow agent to the third 
party if the third party is authorized to receive "key_2"; and

u) using "key_2," by the authorized third party, to decrypt an 
encrypted message sent between the first user and the second user 
which was encrypted using "key_1".

[...]
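
Claim 1 traced end to end, as an added example that is not part of the patent text or the original post. Assumptions: h_p2/h_s2 and H_p/H_s are instantiated as Diffie-Hellman-style exponentiation, "f" is XOR, "m" is SHA-256, and p, q, g form a constructed toy group; all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy group, far too small for real use: p = 2q + 1, g has order q.
p, q, g = 2039, 1019, 4

def m(n):                      # hashing function "m": SHA-256 as an integer
    return int.from_bytes(hashlib.sha256(str(n).encode()).digest(), "big")

def f(key, x):                 # assumed stand-in for "f": XOR, so f^-1 is f
    return key ^ x

def keypair():                 # long-term secret x and public g^x mod p
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def send(x_a, Y_2, Y_e):
    """Steps a-j: first user derives key_1 and builds (G, z, r_1, s)."""
    while True:
        k_1a = secrets.randbelow(q - 1) + 1
        k_2a = secrets.randbelow(q - 1) + 1
        key_1 = m(k_1a)
        y_1 = m(pow(Y_2, k_2a, p))          # h_p2(k_2a), assumed Y_2^k_2a
        y_2 = m(pow(Y_e, k_1a, p))          # H_p(k_1a), assumed Y_e^k_1a
        r_1, z = f(y_1, k_1a), f(y_2, key_1)
        if z % q:                           # step l must invert z mod q
            break
    # Step h: z = (1/k_2a)(x_a*r_1 + k_1a*s) mod q, solved for s
    s = (z * k_2a - x_a * r_1) * pow(k_1a, -1, q) % q
    return key_1, (pow(g, k_1a, p), z, r_1, s)

def receive(x_2, Y_a, msg):
    """Steps k-o: second user recovers key_1 from (G, z, r_1, s)."""
    G, z, r_1, s = msg
    # Step l: T = (Y^r_1 * G^s)^(1/z mod q) mod p, which equals g^k_2a
    T = pow(pow(Y_a, r_1, p) * pow(G, s, p) % p, pow(z, -1, q), p)
    k_1a = f(m(pow(T, x_2, p)), r_1)        # y_1 = m(h_s2(T)), then f^-1
    return m(k_1a)

def escrow_recover(x_e, G, z):
    """Steps r-s: escrow agent derives key_2 from G and z alone."""
    return f(m(pow(G, x_e, p)), z)          # y_2 = m(H_s(G)), then f^-1
```

The escrow agent needs only G, z and its own secret, so an intercepted (G, z) is enough for key recovery without either user's long-term secret; the signature s matters only to the second user, who derives a different key if it has been altered.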