Abstract: An apparatus, method, and computer program product for achieving interoperability between cryptographic key recovery enabled and unaware systems. The method includes the steps of encrypting data using a cryptography key to generate ciphertext; generating a key recovery block containing key recovery information for the ciphertext; determining whether a receiver for the ciphertext is key recovery unaware; and sending the key recovery block to a key recovery client when it is determined that the receiver is key recovery unaware. In a preferred embodiment, the ciphertext is sent to the receiver only after receiving confirmation from the key recovery client of the receipt of the key recovery block. Also in a preferred embodiment, the key recovery block is sent as part of an Internet Message Control Protocol (ICMP) message.

Abstract: An apparatus, method, and computer program product for achieving interoperability between cryptographic key recovery enabled and unaware systems. The method includes the steps of encrypting data using a cryptography key to generate ciphertext; generating a key recovery block containing key recovery information for the ciphertext; determining whether a receiver for the ciphertext is key recovery unaware; and sending the key recovery block to a key recovery client when it is determined that the receiver is key recovery unaware. In a preferred embodiment, the ciphertext is sent to the receiver only after receiving confirmation from the key recovery client of the receipt of the key recovery block. Also in a preferred embodiment, the key recovery block is sent as part of an Internet Message Control Protocol (ICMP) message.

Abstract: An apparatus, method, and computer program product for high-availability multi-agent cryptographic key recovery. The present invention defines a key recovery block that specifies allowable subsets of the total set of key recovery agents that can participate in a key recovery. For each subset, key recovery information is computed and stored after the subset is specified. This key recovery information is only useable by that subset because it is computed using that subset of public keys of the agents. When key recovery is initiated, a trusted processor (a key recovery coordinator) validates the contents of the key recovery block and it uses and is allowed to use any of the subsets of the agents to process the key recovery request. Since many subsets could be specified, the likelihood of key recovery failure is greatly diminished.

Abstract: A Secure Key Management Framework (SKMF) defines an infrastructure for a complete set of cryptographic services augmented with key recovery enablement. There are three major layers—the application layer invokes the SKMF layer, while the SKMF layer invokes the service provider (SP) layer. The application layer code invokes the cryptographic API and key-recovery API supported by the SKMF. Multiple key recovery mechanisms and cryptographic mechanisms can be implemented as service providers that log-in underneath the framework using the well-defined service provider interfaces provided by the framework. The SKMF implements the supported ATP calls by making appropriate invocations of the service provider modules using the SPIs.

Abstract: A method, system, and computer program are disclosed to transport an encrypted key across multiple, diverse systems which provides the relevant and necessary information to guarantee a successful decryption of the key. The method prepares an ASN.1 encoding file at the sender which contains the key. The receiver performs the method to decode the ASN.1 encoded file. In this manner, only the data and the contents of the portable key need to be sent to guarantee successful decryption at the receiver.