When cryptographic products that employ different key recovery mechanisms need to intemperate with one another, one of the major obstacles is the inability of the decryptor product to recognize, and optionally validate, the key recovery information generated by the encryptor product. In this paper, a common Key Recovery Block (KRB) format is being proposed to facilitate interoperability between heterogeneous key recovery systems. The KRB serves as a container for mechanism-specific key recovery information, and supports techniques to identify and optionally validate the contained key recovery information. This specification provides an extensible set of KRB validation techniques -however, it makes no attempt to set a preference for one technique over the others. The choice of validation technique(s) used is determined by the policies (with respect to the use of cryptography and key recovery) that apply to the encryptor and decryptor products. It may be noted that the KRB format specification is independent of the encryption algorithm used to protect the confidentiality of the data, and independent of the communication or storage protocol used to carry the encrypted data. It should also be recognized that the KRB format proposed in this paper is of limited scope. It assumes that the key recovery information can be made available to interested parties along with the encrypted data. There are a number of open issues regarding the techniques that allow key recovery information to be associated with encrypted data (whether the key recovery information and the encrypted data are transmitted over the same channel or separate channels) — these issues are beyond the scope of this proposal.
展开▼
