WO2018125020A1 - Cryptographic transformation device - Google Patents

Cryptographic transformation device

Info

Publication number
WO2018125020A1
Authority
WO
WIPO (PCT)
Application number
PCT/UA2017/000065
Inventor
Yankovskyi Ihor MYKOLAIOVYCH
Tsapko Denys PETROVYCH
Voliar Tetiana VOLODYMYRIVNA
Original Assignee
Limited Liability Company "Innovation Development Hub"

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

A cryptographic transformation device, due to the introduction of a security mechanism implementation module, a cryptographic transformation module, comprising an encryption unit (1.1), a hash tool (1.2), a cryptographic algorithm tool (1.3), a key exchange module (2) and a developer interface module (4), which includes a data processing interface (4.1), and a device interface (4.2), provides for the connection to other cryptographic data protection and electronic digital signature tools as a platform, involving the implementation of cryptographic transformation functions and functions of processing of the basic data objects of the public key infrastructure with implementation of the national cryptographic algorithm of Ukraine, specified in DSTU 4145-2002, and other national and international cryptographic algorithms, specified in DSTU GOST 28147-2009, GOST 34.311-95, and provides for the use of the key data carriers by third-party developers.

Description

CRYPTOGRAPHIC TRANSFORMATION DEVICE
The utility model relates to the field of cryptographic data protection, and can be used as part of the cryptographic data protection and electronic digital signature tools as a platform, involving the implementation of cryptographic transformation functions and functions of processing of the basic data objects of the public key infrastructure.
The developed cryptographic algorithms enable data encryption and decryption, and further can be used for electronic signature and authentication of certain data. Cryptographic algorithms are based on the use of private keys, on the mixed use of public keys, or public and private keys. Under the concept of use of the public key cryptographic algorithms, public keys are commonly available and any user can send encrypted data using a public key, however only the owner of a private key is able to decrypt the sent data. Public key cryptographic algorithms rely on the fact that availability of the public keys prevents identification of the private keys and decryption of the data.
The prior art discloses a method of signing of electronic documents using analog-digital signature with additional verification (application No. WO 2014062093, 24.04.2014) by means of a device for electronic digital document signing, which includes a storage, a microprocessor, at least one data input/output port, and a biometric data input device. Thus, the storage contains a private key and the software implementing the checksum calculation and electronic digital signature algorithms. The microprocessor, connected to the storage, to the input/output port and to the biometric data input device, processes the data and outputs the processed data to an electronic calculating machine via the port.
The disadvantage of the prior art solution is the limited functionality, unavailability of the document signing device as separate, but only as part of the cryptographic data protection and electronic digital signature tools.
Further, the prior art discloses a system (application No. US 2005005101 A1, 06.01.2005) having a kernel module signature verification unit and a method of use thereof. The module automatically controls the signature path and retrieves the signature data, provided by each module when attempting to load into the kernel. The signature data, obtained from the kernel module path, is extracted by means of the cryptographic kernel infrastructure to verify the signature data, provided by the cryptographic kernel infrastructure service, when the same kernel module attempts to register procedures and mechanisms in the cryptographic kernel infrastructure. It is used in the UNIX systems only.
The disadvantage is that the cryptographic software can only be run in the application space of the UNIX operating system, and cannot be run in the kernel space of the other systems.
Also, the prior art discloses a cryptographic service in the form of a software (patent No. US 6412069 B1, 25.06.2002), installed on a hard or a floppy disk, and linked to the default computer operating system. The operating system has the application space and the kernel space. The cryptographic service software performs cryptographic operations in the operating system kernel space. This software includes the program interface at the kernel space application level and the cryptographic service module having the cryptographic algorithm library. The disadvantage is that the library contains only international cryptographic algorithms, thus cannot be used for cryptographic transformation of the national cryptographic algorithms, i.e. under DSTU 4145-2002, etc.
The objective of the utility model is to create a cryptographic transformation device to be used either separately or as part of the other cryptographic data protection (CDP) and electronic digital signature (EDS) tools while providing for the implementation of the national cryptographic algorithm of Ukraine under DSTU 4145-2002 and of the other national and international cryptographic algorithms under DSTU GOST 28147-2009, GOST 34.311-95, enabling the support of various operating systems (OS), e.g. 32- and 64-bit Windows OS's: 7, 8, 8.1, 10+, Server 2008 R2, Server 2012+, 64-bit Linux OS's with 3.13+ kernel, Ubuntu 14.04+.
The technical result of the proposed object of the utility model is the creation of a cryptographic transformation device, which provides for the connection to other CDP and EDS tools as a platform, involving the implementation of the cryptographic transformation functions and functions of processing of the basic data objects of the public key infrastructure with implementation of the national cryptographic algorithm of Ukraine, specified in DSTU 4145-2002, and other national and international cryptographic algorithms, specified in DSTU GOST 28147-2009, GOST 34.311-95, and provides for the use of the key data carriers by third-party developers.
The object of the utility model is attained through the introduction to the cryptographic transformation device of the security mechanism implementation module 3, aimed at providing bidirectional communication between the modules of the cryptographic data protection device:
the cryptographic data transformation module 1 comprising:
- encryption unit 1.1, configured to enable the encryption/decryption cryptographic algorithm, where the encryption/decryption cryptographic algorithm is implemented in the electronic codebook mode, the counter encryption mode, the cipher feedback mode, and the message authentication code mode,
- hash tool 1.2, configured to enable the cryptographic hash algorithm,
- cryptographic algorithm tool 1.3, configured to enable the polynomial basis, key generation, calculation and verification of the electronic digital signature (EDS), and pseudorandom sequence generation,
key exchange module 2 under the Diffie-Hellman protocol in the set of points of the elliptic curve (ECC DH),
the developer interface module 4 comprising:
- data processing interface 4.1, intended to provide for the connection and integration of the cryptographic data protection device to the CDP and EDS systems, where the data processing interface 4.1 includes a public key certificate processing tool 4.1.1, a tool for generating and processing cryptographic packets containing the encrypted data 4.1.2, a tool for generating and processing cryptographic packets containing the signed data 4.1.3, a tool for processing objects of the time recording protocol 4.1.4, a tool for generating and processing objects of the certificate status identification protocol 4.1.7, a tool for generating and processing the revoked certificate lists (RCL) 4.1.6, a tool for generating and processing storage containers for private keys and public key certificates 4.1.5, and configured to be utilized as a secure storage for the private keys of the key data carriers,
- device interface 4.2, configured to implement service functions, hash functions, decryption functions, EDS generation functions, EDS verification functions, functions of data retrieval from a cryptographic packet, and certificate processing functions.
The claimed utility model is disclosed in the following figures.
Fig. 1 shows the basic flowchart of the cryptographic transformation device.
The cryptographic transformation device is to be used separately and/or as a part of the CDP and EDS tools as a platform, involving the implementation of the cryptographic transformation functions and functions of processing of the basic data objects of the public key infrastructure. The device provides its own implementation of cryptographic algorithms under the national and international standards DSTU GOST 28147-2009, GOST 34.311-95, and enables the use of the key data carriers to store private keys and to perform cryptographic operations.
The device is used separately and/or as a part of the other hardware, software, software-hardware, and hardware-software tools in order to enable cryptographic transformations to protect classified (except inside information and sensitive information constituting state secrets) and public information, which is to be protected under the laws. Depending on the application platform, the device consists of a set of modules and tools with external interface module.
The cryptographic transformation device can run under the following operating systems (OS):
- 32-, 64-bit Windows OS's: 7, 8, 8.1, 10+, Server 2008 R2, Server 2012+;
- 64-bit Linux-based OS's with 3.13+ kernel, Ubuntu 14.04+.
The cryptographic transformation device is further provided with the special protection mechanisms, and performs the control of the integrity of the cryptographic transformations and the key data protection, testing of the device as to proper operation and blocking thereof in case of failures, protection against the data confidentiality breach due to the faulty actions by an operator or in the result of disturbances in the device components, differentiates access to the device functions, to the cryptographic scheme and to the key data. Also, the device has the trusted channel to retrieve the data to be secured, the mechanisms for sweeping the key data after validity expiration thereof, and the mechanisms for protecting the key data on the carriers thereof from unauthorized reading.
Main functions of the cryptographic transformation device are:
cryptographic data transformation functions;
functions of the developer interface of the CDP and EDS tool;
administrator interface functions.
Cryptographic data transformation functions
The cryptographic transformation device utilizes the following cryptographic algorithms:
- encryption algorithm under DSTU GOST 28147:2009 in the following modes:
  - electronic codebook;
  - counter encryption;
  - cipher feedback;
  - message authentication code;
- hash algorithm under GOST 34.311-95;
- algorithms under DSTU 4145-2002:
  - with implementation in the polynomial basis using the recommended elliptic curves over the fields 163, 167, 173, 179, 191, 233, 257, 307, 367, 431;
  - key generation;
  - EDS calculation/verification;
  - pseudo-random sequence generation;
- key exchange module under the Diffie-Hellman protocol in the set of points of the elliptic curve (ECC DH).
Functions of the developer interface of the CDP and EDS tool
The cryptographic transformation device provides the following interfaces. Data processing interface is the interface designed for the device to be used as a part of the CDP and EDS tools, and enables the following functions:
public key certificate processing;
generation and processing of the cryptographic packets containing the encrypted data;
generation and processing of the cryptographic packets containing the signed data;
processing of the objects of the time recording protocol;
generation and processing of the objects of the certificate status identification protocol;
generation and processing of RCLs;
availability as a secure storage for the private keys of the key data carriers;
generation and processing of the storage containers for private keys and public key certificates.
Tool interface is the interface designed for the cryptographic transformation device to be used by the developer of the CDP and EDS tool as a part of the said tool.
The interface provides for the following functions:
service functions: GetInfo, Init, SetContext, UpdateContext, Log, Final;
encryption function: Encrypt;
decryption function: Decrypt;
EDS generation function: Sign;
EDS verification function: Verify;
function of data retrieving from a cryptographic packet: MessageInfo;
certificate processing function: CertificateInfo.
When performing EDS generation and verification, the cryptographic transformation device executes the hash-function calculation based on the data, for which the EDS is calculated and verified. In the course of the hash-function calculations, the starting hash vector is by default the starting zero-value hash vector (zero binary 256-bit vector), or the starting hash vector provided by a user, while the substitution table is DKE, according to the "Manual of procedures for providing and using keys for the cryptographic data protection means", approved by the Order No. 114 of the State Service of Special Communication and Information Protection of Ukraine (by default, DKE No. 1 under the Annex 1 to the aforesaid Manual).
Further, the following cryptographic mechanisms are utilized in the tool interface:
key generation under DSTU GOST 28147:2009 CKM_GOST28147_KEY_GEN, DSTU 7624:2014;
encryption under DSTU GOST 28147:2009 in the electronic codebook mode CKM_GOST28147_ECB;
encryption under DSTU GOST 28147:2009 in the counter encryption mode CKM_GOST28147_CNT;
encryption under DSTU GOST 28147:2009 in the cipher feedback mode CKM_GOST28147_CFB;
encryption under DSTU GOST 28147:2009 in the message authentication code mode CKM_GOST28147_MAC;
hashing under GOST 34.311-95 CKM_GOST34311;
key generation under DSTU 4145-2002 CKM_DSTU4145_KEY_PAIR_GEN;
EDS calculation and verification under DSTU 4145-2002 CKM_DSTU4145;
EDS calculation and verification under DSTU 4145-2002 with hashing under GOST 34.311-95 CKM_GOST34311_DSTU4145;
retrieval of the encryption key under the Diffie-Hellman protocol for the elliptic curves CKM_DSTUDH_COFACTOR_DERIVE.
Also, another embodiment of the device provides for the interface to further i nc l ude a set of context-based functions involving the functions of formation, initialization, use and destruction of the contexts.
Moreover, the cryptographic transformation device implements the software protection mechanisms, which provide for:
control of integrity of the cryptographic transformations and the key data protection;
testing of the device for the proper operation and blocking thereof in case of disturbances;
protection against the data confidentiality breaches due to the faulty actions by an operator or in the result of disturbances in the Library components;
differentiation of access to the Library functions, to the cryptographic scheme and to the key data;
trusted channel to retrieve the data to be secured;
sweeping of the key data after validity expiration thereof;
protection of the key data on the carriers thereof from unauthorized reading.
The cryptographic transformation device utilizes the following keys:
DKE for algorithms under GOST 34.311-95, DSTU GOST 28147:2009;
RK algorithm under DSTU GOST 28147:2009;
private and public keys of the algorithm under DSTU 4145-2002.
Public keys are distributed in the public key certificates.
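The DKE substitution table listed above is a parameter of DSTU GOST 28147:2009, so data encrypted under one table cannot be recovered under another. The following added example (not code from the patent) implements the GOST 28147-89 round structure in the electronic codebook mode; both tables, the key and the plaintext are constructed sample values, and neither table is DKE No. 1.

```python
import struct

MASK = 0xFFFFFFFF
ENC_ORDER = list(range(8)) * 3 + list(range(7, -1, -1))  # K0..K7 x3, then K7..K0
DEC_ORDER = ENC_ORDER[::-1]

# Constructed 8x16 substitution tables for illustration only.
# Neither is DKE No. 1; a real deployment loads the DKE it was issued.
TABLE_A = [[(5 * x + row) % 16 for x in range(16)] for row in range(8)]
TABLE_B = [[(3 * x + 7 * row + 1) % 16 for x in range(16)] for row in range(8)]


def _round(half, subkey, table):
    """Add subkey mod 2^32, substitute eight nibbles, rotate left by 11."""
    t = (half + subkey) & MASK
    s = 0
    for i in range(8):  # row i handles nibble i, least significant first
        s |= table[i][(t >> (4 * i)) & 0xF] << (4 * i)
    return ((s << 11) | (s >> 21)) & MASK


def _block(block, key, table, order):
    """Run the 32-round Feistel network over one 8-byte block."""
    n1, n2 = struct.unpack("<2I", block)
    k = struct.unpack("<8I", key)
    for j in order:
        n1, n2 = n2 ^ _round(n1, k[j], table), n1
    return struct.pack("<2I", n2, n1)  # the last round does not swap halves


def ecb(data, key, table, decrypt=False):
    """Process whole 8-byte blocks independently (electronic codebook)."""
    if len(key) != 32 or len(data) % 8:
        raise ValueError("need a 32-byte key and a multiple of 8 data bytes")
    order = DEC_ORDER if decrypt else ENC_ORDER
    return b"".join(_block(data[i:i + 8], key, table, order)
                    for i in range(0, len(data), 8))


KEY = bytes(range(32))                  # constructed sample key
PLAIN = b"PAYMENT1" * 2 + b"TRAILER."   # constructed; first two blocks repeat
CT = ecb(PLAIN, KEY, TABLE_A)
```

The repeated plaintext block produces a repeated ciphertext block in `CT`, which is the pattern leak that makes the electronic codebook mode suitable for key material rather than bulk data.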
The cryptographic transformation device provides for the generation of the following keys:
RK algorithm under DSTU GOST 28147:2009;
public keys of the algorithms under DSTU 4145-2002.
The device is further configured to generate keys according to DSTU 4145-2002 and to the Manual of the key data generation and key management. Private keys are stored in the secure key stores.
When generating and processing the public key certificates, the cryptographic transformation device generates a request to certify a public key, generates the public key certificate based on the key certificate request, generates the public key certificates for the actors (user, key certification center, time recording protocol server, certificate status identification protocol server), uploads the certificate (requisites retrieval), verifies the certificate EDS, matches the public key, contained in the certificate, and the private key from the key storage.
The key data is deleted from the memory of the electronic calculating machine after it has been used.
The suggested cryptographic transformation device, due to the module structure, can be used separately or as part of the CDP and EDS tools, and provides for the implementation of the national cryptographic algorithm of Ukraine, specified in DSTU 4145-2002, and of the other national and international cryptographic algorithms, specified in DSTU GOST 28147-2009, GOST 34.311-95, and provides for the support by various operating systems, e.g. 32- and 64-bit Windows OS's: 7, 8, 8.1, 10+, Server 2008 R2, Server 2012+, 64-bit Linux OS's with 3.13+ kernel, Ubuntu 14.04+.

Claims

Claims of the utility model
1. A cryptographic transformation device, characterized in that it comprises:
a module for implementing protection mechanisms, intended to provide the bidirectional connection between the modules of the cryptographic data protection device,
a cryptographic data transformation module comprising:
- an encryption unit, configured to enable the encryption/decryption cryptographic algorithm, where the encryption/decryption cryptographic algorithm is implemented in the electronic codebook mode, the counter encryption mode, the cipher feedback mode, and the message authentication code mode,
- a hash tool, configured to enable the cryptographic hash algorithm,
- a cryptographic algorithm tool, configured to enable the polynomial basis, key generation, calculation and verification of the electronic digital signature (EDS), and pseudorandom sequence generation,
a key exchange module under the Diffie-Hellman protocol in the set of points of the elliptic curve (ECC DH),
a developer interface module, comprising
- a data processing interface, intended to provide for the connection and integration of the cryptographic data protection device to the cryptographic data protection and electronic digital signature systems, where the data processing interface includes a public key certificate processing tool, a tool for generating and processing cryptographic packets containing the encrypted data, a tool for generating and processing cryptographic packets containing the signed data, a tool for processing objects of the time recording protocol, a tool for generating and processing objects of the certificate status identification protocol, a tool for generating and processing the revoked certificate lists, a tool for generating and processing storage containers for private keys and public key certificates, and configured to be utilized a secure storage for the private keys of the key data carriers,
- a device interface, configured to implement service functions, hash functions, decryption functions, electronic digital signature generation functions, electronic digital signature verification functions, functions of data retrieval from a cryptographic packet, and certificate processing functions.
2. A device of claim 1, characterized in that the data processing interface further includes a set of the context-based functions of formation, initialization, use and destruction of the contexts.
3. A device of any of the said claims, characterized in that the device interface is further configured to generate keys under DSTU GOST 28147:2009 CKM_GOST28147_KEY_GEN, DSTU 7624:2014.
4. A device of any of the said claims, characterized in that the device interface is further configured to perform encryption under DSTU GOST 28147:2009 in the electronic codebook mode CKM_GOST28147_ECB.
5. A device of any of the said claims, characterized in that the device interface is further configured to perform encryption under DSTU GOST 28147:2009 in the counter encryption mode CKM_GOST28147_CNT.
6. A device of any of the said claims, characterized in that the device interface is further configured to perform encryption under DSTU GOST 28147:2009 in the cipher feedback mode CKM_GOST28147_CFB.
7. A device of any of the said claims, characterized in that the device interface is further configured to perform encryption under DSTU GOST 28147:2009 in the message authentication code mode CKM_GOST28147_MAC.
8. A device of any of the said claims, characterized in that the device interface is further configured to perform hashing under GOST 34.311-95 CKM_GOST34311.
9. A device of any of the said claims, characterized in that the device interface is further configured to generate keys under DSTU 4145-2002 CKM_DSTU4145_KEY_PAIR_GEN.
10. A device of any of the said claims, characterized in that the device interface is further configured to calculate and verify EDS under DSTU 4145-2002 CKM_DSTU4145.
11. A device of any of the said claims, characterized in that the device interface is further configured to calculate and verify EDS under DSTU 4145-2002 with hashing under GOST 34.311-95 CKM_GOST34311_DSTU4145.
12. A device of any of the said claims, characterized in that the device interface is further configured to retrieve the encryption key under the Diffie-Hellman protocol for the elliptical curves CKM_DSTUDH_COFACTOR_DERIVE.
13. A device of any of the said claims, characterized in that the cryptographic encryption algorithm in the cryptographic data transformation module is implemented under DSTU GOST 28147:2009.
14. A device of any of the said claims, characterized in that the hash algorithm in the hash tool is implemented under GOST 34.311-95.
15. A device of any of the said claims, characterized in that the cryptographic data transformation module further implements the algorithm under DSTU 4145-2002, based on the elliptical curves in the polynomial basis above the fields 163, 167, 173, 179, 191, 233, 257, 307, 367, 431.
16. A device of any of the said claims, characterized in that the service functions of the device interface are GetInfo, Init, SetContext, UpdateContext, Log, Final, the hash functions Encrypt, the decryption functions - Decrypt, the EDS generation functions - Sign, the EDS verification functions - Verify, the functions of data retrieval from a cryptographic packet - MessageInfo, and the certificate processing functions - CertificateInfo.
PCT/UA2017/000065 2016-12-29 2017-06-09 Cryptographic transformation device WO2018125020A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
UAU201613558 2016-12-29
UA201613558 2016-12-29

Publications (1)

Publication Number Publication Date
WO2018125020A1 true WO2018125020A1 (en) 2018-07-05

Family

ID=62710879

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/UA2017/000065 WO2018125020A1 (en) 2016-12-29 2017-06-09 Cryptographic transformation device

Country Status (1)

Country Link
WO (1) WO2018125020A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17885984

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17885984

Country of ref document: EP

Kind code of ref document: A1