US-12621143-B2 - Systems and methods for blockchain-based secure key exchange with key escrow fallback
Abstract
A system described herein provides for the secure maintaining and providing of information, such as public keys used in Public Key Infrastructure (“PKI”) techniques or other techniques, using a distributed ledger (e.g., “blockchain”) system with a fallback to a key escrow system. A first device may encrypt a communication using a first key, and output the encrypted communication to a second device. The first device may attempt to record a second key, that is associated with the first key, to the blockchain system, and may determine that the second key was not recorded to the blockchain system based on the attempt. The first device may output the second key to a third device based on determining that the second key was not recorded to the blockchain system. The second device may obtain the second key from the third device, and use the second key to decrypt the encrypted communication.
Inventors
- Muhammad Salman Nomani
- John M. Stokes
Assignees
- VERIZON PATENT AND LICENSING INC.
Dates
- Publication Date: 20260505
- Application Date: 20220412
Claims (20)
- 1. A first device, comprising: one or more hardware processors configured to: encrypt a communication using a first key; output the encrypted communication to a second device; attempt to record, to a blockchain system, a second key that is associated with the first key, wherein the blockchain system includes a plurality of computing devices that each implement a respective node of the blockchain system, wherein attempting to record the second key includes outputting the second key to a particular computing device of the plurality of computing devices of the blockchain system; determine, after outputting the second key to the particular computing device, that the second key was not recorded to a blockchain maintained by the blockchain system, wherein determining that the second key was not recorded to the blockchain includes determining that a threshold minimum quantity of confirmations of recording the second key to the blockchain were not received from the plurality of computing devices of the blockchain system within a threshold duration of time after outputting the second key to the particular computing device; and output the second key to a third device based on determining that the second key was not recorded to the blockchain maintained by the blockchain system, wherein the second device: obtains the second key from the third device, and uses the second key to decrypt the encrypted communication.
- 2. The first device of claim 1, wherein the one or more hardware processors are further configured to: output, to the second device, an indication based on the second key not being recorded to the blockchain, wherein the second device obtains the second key from the third device based on the indication that the second key was not recorded to the blockchain.
- 3. The first device of claim 2, wherein the indication includes at least one of: an identifier of the third device, or an identifier of one or more records, maintained by the third device, that are associated with the second key.
- 4. The first device of claim 1, wherein the second device attempts to retrieve the second key from the blockchain system, and obtains the second key from the third device based on being unsuccessful in retrieving the second key from the blockchain system.
- 5. The first device of claim 1, wherein the encrypted communication is associated with a session identifier, wherein outputting the second key to the third device includes outputting the session identifier to the third device, wherein the second device uses the session identifier to obtain the second key from the third device.
- 6. The first device of claim 1, wherein the communication is a first communication, wherein the threshold duration of time is a first threshold duration of time, wherein the one or more hardware processors are further configured to: determine that a second threshold duration of time has passed since the attempt to record the second key to the blockchain maintained by the blockchain system; encrypt a second communication using a third key; and based on determining that the second threshold duration of time has passed since the attempt to record the second key to the blockchain system, record a fourth key, that is associated with the third key, to the blockchain maintained by the blockchain system.
- 7. The first device of claim 6, wherein the one or more hardware processors are further configured to: output the encrypted second communication to the second device, wherein the second device obtains the fourth key from the blockchain system and uses the fourth key to decrypt the encrypted second communication.
- 8. A system, comprising: a first device, comprising one or more hardware processors configured to: encrypt a communication using a first key; output the encrypted communication to a second device; attempt to record, to a blockchain system, a second key that is associated with the first key, wherein the blockchain system includes a plurality of computing devices that each implement a respective node of the blockchain system, wherein attempting to record the second key includes outputting the second key to a particular computing device of the plurality of computing devices of the blockchain system; determine, after outputting the second key to the particular computing device, that the second key was not recorded to a blockchain maintained by the blockchain system, wherein determining that the second key was not recorded to the blockchain includes determining that a threshold minimum quantity of confirmations of recording the second key to the blockchain were not received from the plurality of computing devices of the blockchain system within a threshold duration of time after outputting the second key to the particular computing device; and output the second key to a third device based on determining that the second key was not recorded to the blockchain maintained by the blockchain system; and the second device, wherein the second device comprises one or more hardware processors configured to: obtain the second key from the third device; and use the second key to decrypt the encrypted communication.
- 9. The system of claim 8, wherein the first device is further configured to: output, to the second device, an indication based on the second key not being recorded to the blockchain, wherein the second device obtains the second key from the third device based on the indication that the second key was not recorded to the blockchain.
- 10. The system of claim 9, wherein the indication includes at least one of: an identifier of the third device, or an identifier of one or more records, maintained by the third device, that are associated with the second key.
- 11. The system of claim 8, wherein the second device is further configured to: attempt to retrieve the second key from the blockchain system; and obtain the second key from the third device based on being unsuccessful in retrieving the second key from the blockchain system.
- 12. The system of claim 8, wherein the encrypted communication is associated with a session identifier, wherein outputting the second key to the third device includes outputting the session identifier to the third device, wherein the second device uses the session identifier to obtain the second key from the third device.
- 13. The system of claim 8, wherein the first and second keys are associated with a double ratchet encryption technique.
- 14. The system of claim 8, wherein the communication is a first communication, wherein the threshold duration of time is a first threshold duration of time, wherein the first device is further configured to: determine that a second threshold duration of time has passed since the attempt to record the second key to the blockchain maintained by the blockchain system; encrypt a second communication using a third key; and based on determining that the second threshold duration of time has passed since the attempt to record the second key to the blockchain system, recording a fourth key, that is associated with the third key, to the blockchain maintained by the blockchain system.
- 15. A method, comprising: encrypting, by a first device, a communication using a first key; outputting the encrypted communication to a second device; attempting to record, to a blockchain system, a second key that is associated with the first key, wherein the blockchain system includes a plurality of computing devices that each implement a respective node of the blockchain system, wherein attempting to record the second key includes outputting the second key to a particular computing device of the plurality of computing devices of the blockchain system; determining, after outputting the second key to the particular computing device, that the second key was not recorded to a blockchain maintained by the blockchain system, wherein determining that the second key was not recorded to the blockchain includes determining that a threshold minimum quantity of confirmations of recording the second key to the blockchain were not received from the plurality of computing devices of the blockchain system within a threshold duration of time after outputting the second key to the particular computing device; and outputting the second key to a third device based on determining that the second key was not recorded to the blockchain maintained by the blockchain system, wherein the second device: obtains the second key from the third device, and uses the second key to decrypt the encrypted communication.
- 16. The method of claim 15, further comprising: outputting, to the second device, an indication based on the second key not being recorded to the blockchain, wherein the indication includes at least one of: an identifier of the third device, or an identifier of one or more records, maintained by the third device, that are associated with the second key, wherein the second device obtains the second key from the third device based on the indication that the second key was not recorded to the blockchain.
- 17. The method of claim 15, wherein the second device attempts to retrieve the second key from the blockchain system, and obtains the second key from the third device based on being unsuccessful in retrieving the second key from the blockchain system.
- 18. The method of claim 15, wherein the encrypted communication is associated with a session identifier, wherein outputting the second key to the third device includes outputting the session identifier to the third device, wherein the second device uses the session identifier to obtain the second key from the third device.
- 19. The method of claim 15, wherein the communication is a first communication, wherein the threshold duration of time is a first threshold duration of time, the method further comprising: determining that a second threshold duration of time has passed since the attempt to record the second key to the blockchain maintained by the blockchain system; encrypting a second communication using a third key; and based on determining that the second threshold duration of time has passed since the attempt to record the second key to the blockchain system, recording a fourth key, that is associated with the third key, to the blockchain system.
- 20. The method of claim 19, further comprising: outputting the encrypted second communication to the second device, wherein the second device obtains the fourth key from the blockchain system and uses the fourth key to decrypt the encrypted second communication.
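The sender-side fallback of claims 1, 5 and 6 and the receiver-side retrieval of claims 2 and 4, as an added Python example that is not taken from the patent. `Node`, `Sender`, `fetch`, the in-memory ledger and escrow dictionaries and the simulated node latency are all constructed for illustration; treating the second threshold duration as a back-off window during which keys go straight to escrow is this example's reading of claim 6.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:  # constructed stand-in for one blockchain node
    latency_s: Optional[float]  # simulated time to confirm; None = never confirms
    ledger: dict = field(default_factory=dict)

@dataclass
class Sender:  # the "first device"
    nodes: list
    escrow: dict          # constructed stand-in for the key escrow ("third device")
    min_confirms: int     # threshold minimum quantity of confirmations
    timeout_s: float      # first threshold duration
    retry_after_s: float  # second threshold duration (assumed back-off, claim 6)
    failed_at: Optional[float] = None

    def publish(self, session_id, pub_key, now):
        """Record pub_key; return the indication sent with the ciphertext."""
        backing_off = (self.failed_at is not None
                       and now - self.failed_at < self.retry_after_s)
        if not backing_off:
            confirms = 0
            for n in self.nodes:
                if n.latency_s is not None and n.latency_s <= self.timeout_s:
                    n.ledger[session_id] = pub_key
                    confirms += 1
            if confirms >= self.min_confirms:
                self.failed_at = None
                return {"session_id": session_id, "source": "ledger"}
            self.failed_at = now  # too few confirmations inside the window
        self.escrow[session_id] = pub_key  # fallback, keyed by session id (claim 5)
        return {"session_id": session_id, "source": "escrow"}

def fetch(indication, nodes, escrow, min_confirms):
    """Second device: ledger first, escrow on indication or miss (claims 2, 4)."""
    sid = indication["session_id"]
    if indication["source"] == "ledger":
        votes = Counter(n.ledger[sid] for n in nodes if sid in n.ledger)
        top = votes.most_common(1)
        if top and top[0][1] >= min_confirms:
            return top[0][0], "ledger"
    if sid not in escrow:
        raise LookupError("no key recorded for session " + sid)
    return escrow[sid], "escrow"
```

Every key returned with source `"escrow"` rests on the escrow system that the Background describes as a single point of failure, so the second element of `fetch`'s return value is worth recording per session.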
Description
CROSS-REFERENCE TO RELATED APPLICATION
This Application is a Continuation-in-Part of U.S. patent application Ser. No. 17/321,378 filed on May 14, 2021, titled “SYSTEMS AND METHODS FOR BLOCKCHAIN-BASED SECURE KEY EXCHANGE,” the contents of which are herein incorporated by reference in their entirety.
BACKGROUND
Some encryption techniques, such as Public Key Infrastructure (“PKI”) techniques, may make use of public keys, which may be used to encrypt messages that may be decrypted using an associated private key, and/or may be used in other techniques. Public keys may be distributed or stored by key escrow systems, which may provide a single point of failure and/or an opportunity for a “man-in-the-middle” attack, via which a public key may be obtained, modified, and/or otherwise compromised.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an example overview of one or more embodiments described herein;
FIG. 2 illustrates an example of using a shared public key via a private blockchain system, in accordance with some embodiments, in a communication that utilizes double ratchet techniques to secure communications;
FIG. 3 illustrates an example of establishing a private blockchain system, in accordance with one or more embodiments;
FIG. 4 illustrates an example of using a shared public key via a private blockchain system, in accordance with some embodiments, in a communication that utilizes double ratchet techniques to secure communications;
FIGS. 5 and 6 illustrate example processes for using a shared public key via a private blockchain system, in accordance with some embodiments, in a communication that utilizes double ratchet techniques to secure communications;
FIGS. 7-10 illustrate an example of using a key escrow fallback in situations where public key retrieval via a blockchain is unsuccessful, in accordance with some embodiments;
FIG. 11 illustrates an example process for utilizing a Key Escrow System as a fallback for a blockchain system for a key distribution procedure, in accordance with some embodiments;
FIG. 12 illustrates an example process for utilizing a Key Escrow System as a fallback for a blockchain system for a key retrieval procedure, in accordance with some embodiments;
FIG. 13 illustrates an example environment in which one or more embodiments, described herein, may be implemented;
FIG. 14 illustrates an example arrangement of a radio access network (“RAN”), in accordance with some embodiments; and
FIG. 15 illustrates example components of one or more devices, in accordance with one or more embodiments described herein.
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
The following detailed description refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.
Embodiments described herein provide for the secure maintaining and providing of information, such as public keys used in PKI techniques or other techniques, using a secure distributed ledger (e.g., “blockchain”) system. For example, embodiments described herein may utilize a blockchain system in lieu of a key escrow system in the exchange and/or providing of public keys in a Diffie-Hellman key exchange technique, a key wrap exchange technique, or other type of technique in which public keys are provided from one entity to another.
For example, as discussed herein, a first entity may generate an asymmetric key pair that includes a public key and a private key, and may provide the public key to a blockchain system for retrieval by one or more other entities. For example, the entities may be engaged in a secure messaging session, in which messages are encrypted and may be decrypted using one or more keys, including the public key.
For example, the messaging session may be associated with multiple key derivation functions, in which a first key or set of keys (e.g., “root” keys) are used in the generation of one or more other keys (e.g., “send” keys and/or “receive” keys). A root key derivation function, for example, may be performed by first and second entities engaged in the communication session to generate respective send and/or receive keys for each entity. The entities may make use of different private keys in their respective root derivation functions, but may utilize one or more shared public keys for their respective root derivation functions. Examples of techniques that make use of multiple key derivation functions, including a root derivation function utilizing one or more shared public keys, include a “double ratchet” encryption technique, a “Signal Protocol,” and/or other types of techniques.
In some embodiments, the contents of the secured ledger system (e.g., blockchain) may be publicly available or accessible, but the information stored therein may have no meaning or use to an attacker or other malicious user, in the context of obtaining public keys associated with PKI techniques or other techniques. In some embodiments, a private blockchain may be used, i