DE2811872C1 - Method of key allocation - Google Patents

Description

The invention relates to a method for secret agreement a common ground key between two equipped with electronic key devices Transceiver stations A and B, which by an electric Message connection duplex or half duplex with each other are connected and previously have no shared secret key information must have.

The object of the invention is, in this case a common Allocate key information without a third party (Unauthorized) to derive this key in finite time can.

It is not necessary that a third Job participates in this procedure or that the two Participants from the outset via a key information feature.

When messages are encrypted from one place to another to be transmitted to others, is an indispensable Assumption that these two places about the same Key information. This key information  can be electrical or electromechanical in the Devices may be stored, or they may, for. B. if necessary from an operator to be entered. In any case, must but in some form with the participants of the encrypted Transmission be present, whatever - especially with larger networks - the risk of compromise key material.

In the American encryption systems "Vinson" and "Tenley" uses procedures in which the participants an encrypted transfer previously needed Key material from a key panel is allocated. But for this it is necessary that these participants have personal keys with which the required key material encrypted from the key center is transferred to these. This personal Keys must be apart from the respective participants as well still be stored in the key centers, which also again disadvantageous is:

• - The personal keys can be compromised become.
• - The key center can fail.
• - The personal keys must be assigned in advance which is a relatively large one Administrative burden means and sometimes also not possible.

A procedure without personal keys and without Key control over long distances an electronic Allocated key assignment while safely preventing that an unauthorized person is in possession of this key, is not known yet.

In "Multiuser cryptographic techniques" by Diffie and Hellmann, AFIPS-Conference proceedings, Vol. 45, p 109 to 112, is on page 110, right column, under the Heading "Public Key Cryptography" the task described for a system that also has the task, dispense with a physical key distribution to be able to solve. It is based on the mental assumption that there are two corresponding keys E and D give, one of which (E) only for encryption and the other (D) can only be used for decryption should. For the uninitiated, D from E should not be calculated to let. Therefore, E should be published, and only the owner of the (secret) key D should can decrypt the message encrypted with it. But it is in the same reference (page 111, 1st paragraph) described that the task has not been solved be.

Another disadvantage of this method would be that for all Participant required for decryption key D individually calculated and stored secretly.  

The method described below is intended to contrast allow two duplex or half duplex (for example, over Radio) connected stations the same basic key without a third digit (key center) must be turned on, without that before Key material (personal keys or similar) available must be and without an unauthorized person, even if he the transmission route taps, can learn this key.

The problem is solved by the specified in the main claim Characteristics. Advantageous developments are in the dependent claims listed.

In the following, the inventive method will be described in detail become.

Given a transmission path with the two terminals A and B ( Fig. 1). This transmission path can be tapped by a point C. Between A and B information is now exchanged, from which A and B can compute the identically same key, but to which C may not (or at least not in finite time) be able to do so.

The point A has a first digital information a and a second x (both may be binary numbers, for example). Station B also has first digital information b and the same information x as A. The information a and b are kept secret. This is not a Problem, since a is needed only in A and b only in B. The Information a and b can z. B. if necessary each time new by z. B. a true random number generator (noise generator) be generated.

The information x must be identical in both A and B. be equal. It can be stored here be derived from date-time or even z. B. generated by a random number generator, from A to B be transmitted openly, as they are not kept secret must become. The tappers C may hear them.

The procedure now proceeds as follows ( Figure 2):

• a) Site A forms a link from a first Information a with a second information x. The  Result of this link f (a, x) - for example a binary number - becomes open (not kept secret) transferred to B (it can also be encrypted be transmitted).
• b) point B applies to this transferred value f (a, x) again the same link - but this time with a third information b - an, thus forms f (b, f (a, x)), which again can be a binary number that is secret Key information passed to the key device becomes.
• c) point B calculates f (b, x), which again (open) to A is transmitted.
• d) Point A again applies the same conjunction rule with the size a, so calculates f (a, f (b, x)). This value is also given here as secret key information to the key device.
  Also conceivable are linkage rules f (y, x, x₀). The two values x, x₀ play the same role as before x, ie they must be equally known at both points A and B. Specifically, z. B. x = x₀ or x₀ = 0 or x₀ = 1 are set. The procedure then runs exactly as described above, but it is now formed: in stage a) f (a, x, x₀) in stage b) f (b, x, f (a, x, x))) in stage c) f (b, x, x₀) in stage d) f (a, x, f (b, x, x))) The requirements of the linking instructions f specified below apply mutatis mutandis to the same.

In the foregoing, under the function f (y, x) is always to understand the same linking rule. She must, for the procedure to accomplish the task, three Satisfy conditions:

• Of course, both places A, B must have the same secret key information. So we have to say: f (b, f (a, x)) = f (a, f (b, x))
  (Condition 1) The listener knows the information x, f (a, x) and f (b, x), but not a and b. Of course, he must not be able to calculate the secret key information in finite time. This results in the second condition for the linking rule:
• Even with knowledge of x, f (a, x) and f (b, x) it may not be possible, with finite expenditure in finite time, to derive a, b or f (b, f (a, x)) = f (a, f (b, x)), or in general:
  With knowledge of the output variable f (y, x) and an input variable x, it must not be possible to calculate the other input variable y from it with finite time in finite time. (Condition 2)
  Finally, it does not help if the points A and B also have to drive an immense amount of effort to calculate the function f (y, x). This results in the third condition:
• - With knowledge of the two input-side sizes y, x must the output size b (y, x) with little effort in a short time Time be predictable. (Condition 3)

Linking rules similar to those in the previous For example, to meet the section's claims multiplication and exponentiation modulo p, ie in the Galois field (GF) p, where p is a prime number should be. The addition modulo p satisfies the condition 2 not while these are from the exponentiation on best fulfilled.

These functions are summarized in the table of FIG .

The linking rule of the form f (y, x, x₀) can  be realized by the y-repeated application a link F (x, z) in the form:

This formula is a general rule for construction of candidate links f (y, x) or f (y, x, x₀).

For F (x, z) an arbitrary function (arbitrary nonlinear). For example, could F (x, z) is a key operation with z as input and x as a key.

The mentioned calculations are expediently carried out by means of binary numbers. As prime number p becomes a prime number of the form

or

recommended.

The calculation modulo p is then done simply by truncating the overflow and adding it to or subtracting it from the remaining binary number. The calculation of the powers x ^y is done by continuous multiplication of powers of two of x modulo p:

x ^y modulo p = x ^{(a₀ · 2⁰ + a₁ · 2¹ + a₂ · 2² +)} . , , mod. p

= x ^{a₀ · 2⁰} · x ^a₁2¹ . , , mod. p

With
a _ν ∈ {0,1}

ν = 1, 2, 3. , ,

while the multiplications are summations of powers of two to be executed:

Fig. 4 shows an example of an arrangement for carrying out the method. Based on this figure, the procedure of the procedure will be explained again in connection.

The two stations 1, 2 of a communications network are connected to each other via the transmission link 3, not shown. They each contain a key device 4, 5 for encryption or decryption of the information to be transmitted. The key of these key devices 4, 5 is stored in each case an associated key memory 6, 7 .

Assume that the first station 1 now wants to agree with the second station 2 a common key to be stored in the key memories 6, 7 .

For this purpose, first the information a stored in a first memory 10 is linked to the quantity x stored in a second memory 12 in the logic circuit 8 . The result of this combination, f (a, x), passes via the switch 15 , the transmission link 3 to the station 2 , where it passes via the switch 16 to the same identical with 8 logic circuit 9 , where it is identical to that in the first memory 11th stored information b to the result f (b, f (a, x)) is linked, which is then supplied via the switch 17 to the key memory 7 .

To perform the procedure in the opposite direction, the switches 14, 15, 16 and 17 are brought into the other position. The quantity x stored in the second memory 13 is supplied via the changeover switch 16 to the logic circuit 9 , where it is combined with the information b stored in the first memory 11 to f (b, x).

This value is then transmitted via the changeover switch 17 , the transmission path 3 and the switch 14 to the logic circuit 8 , where it is linked to the information a stored in the first memory 10 in the logic circuit 8 to f (a, f (b, x)) , This result is then stored via the switch 15 in the key memory 6 .

Thus now have both key devices 4, 5 in their associated keystores 6, 7 on the same identical key and the encrypted transmission of the payload on the Klartext terminal pairs 22, 23 of the key devices can begin.

For the switches 14, 15, 16 and 17 automatically controlled electronic switches (gate circuits) are expediently used.

The information a can be generated in an advantageous manner by random sequence generators 18, 19 and supplied from there to the memories 10, 11 .

These random sequence generators 18, 19 can also be used to randomly generate the quantity x in a station (eg 1 ), which are then fed to the memory (eg 12 ) and simultaneously transmitted via the transmission link 3 , the memory (eg 13 ) of the remote station (eg 2 ) is supplied.

The size x can also be fixed in the memories 12, 13 once (possibly secret) or it can be z. B. by the same clock circuits in both stations 20, 21 at any time in both stations identical to the memories 12, 13 are provided.

The illustrated circuits can be constructed with commercially available digital circuits, for the realization of the combination circuit 8, 9 and the (not shown in the drawing) control for the entire procedure sequence can be used with advantage microprocessor circuits.

Claims (16)

1. A method for the secret agreement of a common basic key between two equipped with electronic key devices transmitting-receiving stations A and B, which are connected by an electrical communication link duplex or half-duplex and previously have no shared secret key information, characterized in that the first station (A) has first information (a) and second information (x) that the second station (B) has the same second information (x) and a third information (b) that the first and third information ( a, b) is kept secret, while the common second information (x) may be open, that the first station (A) forms a first link f (a, x) whose result is transmitted to the second station (B) that the second station (B) according to the same linking rule forms a second link f (b, x), the result of the first station (A) üb It is assumed that the second station (B) from the value of the first link f (a, x) transmitted to it by means of the same link with the third information (b) the size f (b, f (a, x)) and the first Station (A) from the transmitted value of the first variable f (b, x) by the same link with the first information (a) the size f (a, f (b, x) forms that the linking rule f (y, x) is chosen such that f (b, f (a, x)) = f (a, f (b, x)) and that this size is used as secret key information at the first and second stations (A, B). 2. The method according to claim 1, characterized that the linking rule f (y, x) also so is chosen, that with knowledge of the input quantity (y) and the second information (x) is the quantity f (y, x) can be calculated with little effort in a short time, but with knowledge of the linking rule f (y, x) and the second information (x) the input quantity (y) only with a great deal of effort in very long time is predictable. 3. The method according to claim 1 or 2, characterized that the second information (x) in all Fixed devices is stored.   4. The method according to claim 1 or 2, characterized that the second information (x) from a well-known information, such as date or time, is derived. 5. The method according to claim 1 or 2, characterized that the second information (x) in one of the two stations (A or B) by an electronic Generated random character generator and the other Station is transmitted. 6. The method according to any one of the preceding claims, characterized in that the information, values and sizes are represented in the form of binary numbers are and the necessary shortcuts as bills be performed with binary numbers. 7. The method according to any one of the preceding claims, characterized in that the following linkage rule is used: f (a, x) = a x x modulo p
f (b, x) = bx modulo p
f (b (f (a, x)) = b · a · x modulo p
= a · b · x modulo p = f (a (f (b, x)) 8. The method according to one or more of claims 1 to 6, characterized in that the following linkage rule is used: f (a, x) = xa modulo p
f (b, x) = x ^b modulo p
f (b, f (a, x)) = (xa) ^b modulo p = x ^ab modulo p =
x ^ba modulo p = (x ^b ) a modulo p = f (a, f (b, x)) 9. The method according to claim 7 or 8, characterized that p is a primary number. 10. The method according to claim 9, characterized in that for p is a prime number of the form is used, where n is a whole positive number. 11. The method according to one or more of the preceding claims, characterized in that the first information (a) and / or the third information (b) in the Make (A or B) before each procedure by a random generator in place and Job is recreated and saved and not can be output from the devices. 12. Method according to one or more of the preceding Claims, characterized in that the generated  Key information f (b, f (a, x)) = f (a, f (b, x) in the Key devices of the bodies (B or A) in addition to a secret basic key already stored there is used. 13. An arrangement for carrying out the method according to any one of the preceding claims with at least two stations which are interconnected by an electrical transmission path, each containing a key device for encrypting data or voice signals to which the required key is supplied from an electronic key memory, characterized in that this key this key memory ( 6, 7 ) from a logic circuit ( 8, 9 ) is supplied to him by a mathematical combination of a locally in a first electronic memory ( 10, 11 ) stored information (a, b) with one generated by the remote station via the transmission path ( 3 ) generated size that this size there previously by the same logic circuit ( 8, 9 ) by linking one in both stations ( 2, 1 ) identically equal in a second electronic memory ( 12, 13 ) saved second info rmation (x) was generated with the same information (a, b) stored locally in the first electronic memory ( 10, 11 ), and that the combining circuit ( 8, 9 ) satisfies the conditions set forth in one or more of the preceding claims. 14. Arrangement according to claim 13, characterized in that the first electronic memory ( 10, 11 ) for the information a or b of a random number generator ( 18, 19 ) is loaded, the information a or b in a random or quasi-random manner generated. 15. An arrangement according to claim 13 or 14, characterized in that the two stations (1) and (2) the common size, the second information (x) to the second electronic memory (12, 13) of each of an electronic timepiece circuit (20, 21 ) is supplied, which is constructed in a known manner so that it at the same time in all stations ( 1, 2 ) supplies the same value. 16. Arrangement according to claim 13 or 14, characterized in that the two stations ( 1, 2 ) common size (x) by a random sequence generator, which may be identical to the aforementioned random sequence generator ( 18 ) in one of the two stations ( 1 ), where it is stored in the second electronic memory ( 12 ), transmitted via the electrical transmission path ( 3 ) to the remote station ( 2 ) and stored there likewise in the second electronic memory ( 13 ).