Abstract: A system is provided that uses identity-based encryption to support secure communications between senders and recipients over a communications network. Private key generators are used to provide public parameter information. Senders encrypt messages for recipients using public keys based on recipient identities and using the public parameter information as inputs to an identity-based encryption algorithm. Recipients use private keys to decrypt the messages. There may be multiple private key generators in the system and a given recipient may have multiple private keys. Senders can include private key identifying information in the messages they send to recipients. The private key identifying information may be used by the recipients to determine which of their private keys to use in decrypting a message. Recipients may obtain the correct private key to use to decrypt a message from a local database of private keys or from an appropriate private key server.

Abstract: A system is provided that allows encrypted content to be distributed to users over a communications network. A policy enforcement service may use an identity-based encryption algorithm to generate public parameter information and private keys. Data content may be encrypted prior to distribution using an identity-based encryption engine. The encryption engine may use the public parameter information from the policy service and public key information to encrypt the data. The public key information may be based on policy information that specifies which types of users are allowed to access the data that is encrypted using that public key. A user may obtain a private key for unlocking particular encrypted data by providing a key request to the policy enforcement service that contains the public key. The policy enforcement service may enforce the policies given by the policy information and may provide private keys only to authorized users.

Abstract: A system is provided that uses identity-based encryption to support secure communications. Messages from a sender to a receiver may be encrypted using the receiver's identity and public parameters that have been generated by a private key generator associated with the receiver. The private key generator associated with the receiver generates a private key for the receiver. The encrypted message may be decrypted by the receiver using the receiver's private key. The system may have multiple private key generators, each with a separate set of public parameters. Directory services may be used to provide a sender that is associated with one private key generator with appropriate public parameters to use when encrypting messages for a receiver that is associated with a different private key generator. A certification authority may be used to sign directory entries for the directory service. A clearinghouse may be used to avoid duplicative directory entries.