BG64520B1 - Multiple module encryption method - Google Patents

Abstract

When an encrypting-decrypting module is being used, there are various methods for determining the key or keys used by said module by analyzing the module input or output data. To remedy this inconvenience, the inventive multiple module method is characterised in that the downstream module starts in encrypting-decrypting operations as soon as part of the results of the upstream module is available.

Description

(54) MULTI-MODULAR ENCODING METHOD

Technical field

The invention relates to the field of digit encryption (encryption) or cryptograms and to the decoding or decryption of information which should remain inaccessible to unauthorized persons or funds within the type of pay-TV systems. In the same (such) systems, the data is encoded in a security environment that consumes considerable computing power and is called the coding subsystem. The data are then transmitted, by known means, to at least one decentralized subsystem where they are decoded; usually by means of IRD (Integrated Reception Decoder) and by chip card. An unauthorized person may be able to gain unlimited access through this chip card and the decentralized subsystem associated with it.

BACKGROUND OF THE INVENTION

It is known in practice to bind together different encryption / decryption agents in an encryption / decryption system. In everything that follows, the encryption / decryption reflection will be used to refer to a separate encryption agent used in the larger encryption / decryption system.

It has long been sought to optimize the performance of these systems in terms of: speed, storage space and security. Speed is meant to take into account the time required to decode the received data.

Symmetric key encryption / decryption systems are known. Their own protection can be distinguished as a function of many criteria.

The first criterion is that of physical protection relating to the easy or difficult application of the test method by separating some components, this is followed by their possible substitution with other components. These replacement components intended to inform the unauthorized person of the origin and mode of operation of the encoding / decoding system shall be selected by him / her in such a way that it is not detected or undetectable, if possible, by the rest of the system.

A second criterion is that of systemic protection, within which attacks are not physically disturbing but continue to cause mathematical analyzes. Typically, these attacks will be controlled by high-power computers that will attempt to disrupt (destroy) algorithms and coding codes.

Symmetric encryption / decoding tools are, for example, systems related to DES (information encryption standard). These relatively old tools now only offer systemic and physical protection, which are entirely relative. This, in this case, is so widespread that DES, whose key sequences (codes) are so small as to satisfy system security conditions, have been replaced by new encryption / decryption tools or longer keys. Typically, these means having symmetric keys require algorithms containing coding cycles.

Other attacking strategies refer to simple powerful analysis and time analysis. In the ordinary powerful analysis, the fact is that the microprocessor occupied with encrypting or decrypting information is connected to a voltage source (power) (usually 5V). When it is idle (idle), a fixed AC goes through it. When activated, the instantaneous oscillation i depends not only on the input information, but also on the encryption algorithm. Ordinary powerful analyzes are included when measuring current i as a function of time. The kind of algorithm that the microprocessor executes can be derived from this.

Similarly, the time analysis method is included in measuring the calculation time as a function of the example presented to the decryption module. Thus, the relationship between the presented example and the result of calculating the result enables it to recover encrypted modular secret parameters such as the key. Such a system is described in the document "Timing Attacks on Implementations of Diffie-Helman, RSA, DSS, and Other Systems" published by Paul Kocher, Criptography Research, 870 Market st, Suite 1088, San Francisco, CA-USA.

In order to improve the security of the coding system, algorithms have been created with asymmetric keys, such as the so-called RSA (Rivest, Shamir and Aldeman) systems. These systems contain the generation of a pair of matching keys, one of which is the so-called encryption-protected public keys, and the other is a so-called encryption-protected private key. These algorithms provide a high level of protection for both system and physical protection. They are, on the other hand, slower than traditional (conventional) systems, especially at the decoding (phase) stage.

State-of-the-art attacking techniques require the so-called DPA concept, valid (intended) for differential power analyzes. These methods are based on assumptions, verifiable after a long number of attempts, for the presence of 0 or 1 in the case of the coding key (code). They are almost indestructible, thus representing them for longer undetectable, and correspond to both the physically introduced component and the mathematical analysis component (composite). Their mode of action is reminiscent of an oil exploration technique where a burst of known power (explosion) is generated on the surface and where headsets and probes placed also at known distances on the burst side allow assumptions to be made for reservoir layouts composition of the subspace without having to do so much digging by virtue of reflecting sudden waves by limiting the sedimentary beds in that subspace. The DPA attacks are described more specifically in §2.1 in the document "A Cauionary Note Regarding Evaluation of AES Candidates on Smart Cards" published on 1 February 1999 by Suresh Chari, Charanjit Jutia, Josyula R. Rao and Pankaj Rohatgi, of IBM TD . Waston Research Center, Yorktown Heights, NY.

The need to counter (resist) DPA attacks reinforces the use of so-called "white" detection systems, either in the input or output of the encoding / decoding algorithm. The research technique is described in §3.5 of the said document.

Moreover, the fact that computing power is limited in a decentralized subsystem of a pay-as-you-go TV system creates a problem that has not yet been satisfactorily resolved to perform the connectivity described previously to a sufficient degree.

SUMMARY OF THE INVENTION

It is an object of the invention to provide an accessible coding / decoding method that is compatible with current assay methods such as those described above.

The object of the invention is achieved by the method in which the specific feature of the method is related to the fact that the intermediate module does not start (does not start) until the result of the previous (or earlier in the order) module is determined, but starts as soon as as some of the information is already available (available). So it is not possible for an external observer to determine the input or output conditions for this module.

Once decoding in the decentralized subsystem, coupled with a chip card, begins, this chip card only supplies relatively limited computing power compared to the coding subsystem, for example, it is advantageous to use a publicly available asymmetric key (code) that operates relatively quickly during the next decoding steps. This makes it possible, on the one hand, to preserve the system's intrinsic characteristics when performing the procedure, and, on the other, to concentrate the intrinsically related computing power in the coding subsystem.

It has been found that the additional protection is enhanced by the possibility of sequencing or partially interconnecting two encoding / decoding means that follow one another in sequence. This sequence or partial interaction should provide for the process involved in starting (triggering) the action of the second encoding / decoding agent on the data at a time when the first encoding / decoding agent has not yet established (determined) its operation (impact) on the same data. This makes it possible to mask the data as it would be obtained from the operation of the first module and before they are subjected to the operation of the second module.

Connection can start when, as data, computerized (obtained after calculations, processing) at the output of the first module are partially accessible for processing by the second module.

The invention provides for protection against the aforementioned attacks by combining (combining) different means of encryption / decryption in a coding / decoding system, and the possibility of placing them in sequence or partially interconnected in the order in which these means follow each other.

In a specific embodiment of the invention, the coding / decoding system comprises a coding subsystem where three algorithms are used sequentially.

a / Asymmetric algorithm A1 with own key dl. This algorithm A1 signs (sign, marker) all the information represented by the message t, this operation, transmitting the first cryptogram with 1, through the means of mathematical operations, which are mainly indicated in the specialty by the formula: cl = m exponent dl, mod nl. In this formula, nl forms part of the public key of the asymmetric algorithm Al, mod represents the well-known mathematical operator of correspondences in the group of integers, and dl is the own key of algorithm A.

B / symmetric algorithm S using the secret key k. This algorithm converts a cryptogram with 1 into a cryptogram with c2.

c / asymmetric algorithm A2 with own key d2. This algorithm A2 converts the cryptogram c2 into a cryptogram c3, by means of the mathematical operation denoted as before by: c3 = c2 exponent d2, mod n2, in which formula n2 forms part of the public key of the asymmetric algorithm A2, and d2 is the eigenvalue of the A2 algorithm.

The cryptogram c3 exits the coding subsystem and enters the decentralized subsystem by means known to it. In the case of pay-as-you-go TV systems, this may equally replace video information or messages.

The decentralized subsystem uses three algorithms A1 ', S' and A2 'in the order opposite to the above. These three algorithms form part of three encryption / decryption means A1-A G,

S-S 'and A2-A2' described between the coding subsystem and the decentralized subsystem and representing the encryption / decryption system.

d / The algorithm A2 'performs a mathematical operation on c3, which restores c2 and is denoted (depicted): c2 = c3 exponent e2 mod n2. In this formula, the group containing e2 and n2 is the public key of the asymmetric algorithm A2A2 '.

f / The symmetric algorithm S 'executing the secret key k restores the cryptogram by 1.

А The asymmetric algorithm AG with the public key el, nl is restored by performing the mathematical operation denoted: m = cl exponent el modnl.

The link in the decentralized subsystem theme contains at startup the decoding step is / while c2 has not yet been completely restored from the previous step d /, and the decoding startup step f7 until cl has been completely restored from step is /. The advantage is to thwart an attack with the intention of, for example, first separation, in the decentralized subsystem, of the cryptogram with 1 at the end of the step is / so that it can be compared with all the information m, and then by means of cl and w it will attack the algorithm AG, and then gradually trace the coding chain again.

The sequence is not required in the coding subsystem that is installed in a second physical environment. This is on the other hand useful in the decentralized subsystem. In the case of pay-per-view television, IRD is actually (actually) installed at the user's premises and may be attacked by the type previously described.

It could be answered that an attack by a combination of three sequentially decrypting algorithms AG, S 'and A2' has a much lower chance of success than if the cryptograms cl and c2 are completely reconstructed between each step d /, is / and ΰ . In addition, the fact that the algorithm AG and A2 'are used with the public keys el, nl and e2, n2 implies that the calculation tools required in the decentralized subsystem are very limited compared to those in the coding subsystem.

For example, to install (enter) objects, the steps a / and c /, so to speak, encrypted steps with their own keys, are 20 times longer than the decoding steps d / and f / c of public keys.

In a particular embodiment of the invention, the algorithms A1 and A2 are the same as their respective AG and A2 '.

In a particular embodiment of the invention also differs from the previous one, in step c / the public keys e2, n2 of the asymmetric algorithm A2 is used, whereas in step d / the cryptogram c3 is described by the proprietary code d2 of that algorithm. This implementation allows a possible (known) alternative when the resources (capabilities of the decentralized subsystem) are converted to processing power; can be difficult to achieve.

Chip cards are also used primarily for decrypted information, there are also chip cards having the capacities required to perform (perform) encryption operations. In this case, the attacks described above will also apply to those encryption cards that operate away from secure locations, such as a control center. This is when the method of the invention also proposes to arrange the coding operations, which means that the next module is not fully capable for some time. Furthermore, the next module does not begin its operations with the result entirely, but in parts, which makes it impractical to carry out the operation of a module with attention to a known input state or output state.

Explanation of the annexed figures

The invention will be discussed in more detail based on the following drawings, drawn from an unrestricted example, wherein:

Figure 1 represents the encryption operations;

Figure 2 - decryption operations;

Figure 3 is an alternative to the encryption method.

Examples of carrying out the invention

In Figure 1, information base m is introduced into the encrypted sequence. The first element A1 performs an encryption operation using the so-called own key composed of exponent dl and mod nl. The result of this operation is represented by cl. According to the mode of operation of the invention, as part of the result with 1 is available (available), the next module begins its action. This next module S performs its encryption operation with a secret key. As soon as there is a partial possibility, the result c2 is transmitted to the module A2 for the third encryption operation, using the so-called own key composed of exponent d2 and mod n2. The end result, here referred to as c3, is ready to be transmitted by known means, such as by wave or cable.

Figure 2 presents the decryption system made up of the three decryption modules A1 ', S', A2 ', which are similar to those used for encryption but rearranged. It begins first with the module A2 ', which performs its decryption operation on the basis of the so-called public key, composed of exponent e2 and mod n2. In the same way as for encryption, as part of the result c2 of module A2 'is available (available), it is transmitted to module S' for the second decryption operation. In order to limit the decryption, the module AG performs its operation on the basis of the so-called public key, composed of exponent 1 and mod nl.

In a particular embodiment of the invention, the keys of the two modules AG and A2 'are identical, meaning that on the encryption side dl = d2 and n1 = n2. Similarly, decryption is e1 = e2 and n1 = n2. In this case, a private key is d, n, and a public key is, n.

In another embodiment of the invention, as shown in Figures 3 and 4, module A2 uses the so-called public key instead of the so-called own key. At the moment of encryption, the public key e2, n2 is used by module A2, (Fig. 3) and during decryption (Fig. 4), module A2 'uses the private key d2, n2 to perform the operation. In addition, this configuration shows overwork for the decryption chain, the use of a private key enhances the protection offered by the A2 module.

The example shown in Figures 3 and 4 is not limited in terms of other combinations. For example, it is possible to configure module A1 so that it performs the encryption operation with the public key and decryption with its own key.

It is also possible to change the location of the encryption / decryption module having a secret key S with a module of the type with asymmetric keys of the same type as modules A1 and A2.

Claims (10)

Claims 1. An encryption and decryption method employing several encryption / decryption modules in a sequence, characterized in that the next encryption / decryption module begins its operation as soon as part of the result of the previous encryption / decryption module. A method according to claim 1, characterized in that the next decryption module begins its decryption operation as soon as part of the result of the previous decryption module is available. A method according to claim 1, characterized in that the next encryption module starts its encryption operation as soon as part of the result of the previous module is available. Method according to claims 1 to 3, characterized in that it uses three modules 5 (A 1, S, A2), the central module (S) is of the form with a secret symmetric key (k). Method according to the preceding claim, characterized in that the first module (A1) and the last module (A2) in the case of encryption and the first module (A2) and the last module (A1) in the case of decryption are of the RS A type with asymmetric keys - own key and public key. Method according to the preceding claim, characterized in that the two modules (Al, A2) use the so-called private key (d, n; dl, nl; d2, n2) for encryption and the so-called public key (e, n; is 1, nl; e2, n2) for decryption. Method according to the preceding claim, characterized in that the two modules (Al, A2) use the same private key (d, η) and a public key (e, n). A method according to claim 6, characterized in that the two modules (Al, A2) use a different sequence of their own (dl, nl; d2, n2) and public (el, nl; e2; n2) keys. Method according to claim 5, characterized in that during encryption, the last module (A2) uses the so-called public key (e2, n2) and during decryption, the first module (A2) uses the so-called private key ( d2, n2). A method according to claims 1 to 3, characterized in that it uses three encryption / decryption modules (Al, A, A2) with asymmetric keys.