CA2024049A1 - Cryptographic method and apparatus for public key exchange with authentication - Google Patents

Cryptographic method and apparatus for public key exchange with authentication

Info

Publication number
CA2024049A1
Authority
CA
Canada
Prior art keywords
type
transformation
session key
key
numbers
Prior art date
Legal status
Abandoned
Application number
CA 2024049
Other languages
French (fr)
Inventor
Kenneth C. Goss
Current Assignee
JONES FUTUREX Inc
Northrop Grumman Space and Mission Systems Corp
Original Assignee
Individual
Priority date
Filing date
Publication date

Landscapes

  • Computer And Data Communications (AREA)

Abstract

CRYPTOGRAPHIC METHOD AND APPARATUS
FOR PUBLIC KEY EXCHANGE WITH AUTHENTICATION

ABSTRACT OF THE DISCLOSURE

A technique for use in a public key exchange cryptographic system, in which two user devices establish a common session key by exchanging information over an insecure communication channel, and in which each user can authenticate the identity of the other, without the need for a key distribution center. Each device has a previously stored unique random number Xi, and a previously stored composite quantity that is formed by transforming Xi to Yi using a transformation of which the inverse is computationally infeasible; then concatenating Yi with a publicly known device identifier, and digitally signing the quantity. Before a communication session is established, two user devices exchange their signed composite quantities, transform them to unsigned form, and authenticate the identity of the other user. Then each device generates the same session key by transforming the received Y value with its own X value. For further security, each device also generates another random number X'i, which is transformed to a corresponding number Y'i. These Y'i values are also exchanged, and the session key is generated in each device, using a transformation that involves the device's own Xi and X'i numbers and the Yi and Y'i numbers received from the other device.

Description

CRYPTOGRAPHIC METHOD AND APPARATUS
FOR PUBLIC KEY EXCHANGE WITH AUTHENTICATION

BACKGROUND OF THE INVENTION

This invention relates generally to cryptographic systems and, more particularly, to cryptographic systems in which an exchange of information on an unsecured communications channel is used to establish a common cipher key for encryption and decryption of subsequently transmitted messages. Cryptographic systems are used in a variety of applications requiring the secure transmission of information from one point to another in a communications network. Secure transmission may be needed between computers, telephones, facsimile machines, or other devices. The principal goal of encryption is the same in each case: to render the communicated data secure from unauthorized eavesdropping.
By way of definition, "plaintext" is used to refer to a message before processing by a cryptographic system. "Ciphertext" is the form that the message takes during transmission over a communications channel. "Encryption" or "encipherment" is the process of transformation from plaintext to ciphertext. "Decryption" or "decipherment" is the process of transformation from ciphertext to plaintext. Both encryption and decryption are controlled by a "cipher key" or keys. Without knowledge of the encryption key, a message cannot be encrypted, even with knowledge of the encrypting process. Similarly, without knowledge of the decryption key, the message cannot be decrypted, even with knowledge of the decrypting process.
More specifically, a cryptographic system can be thought of as having an enciphering transformation Ek, which is defined by an enciphering algorithm E that is used in all enciphering operations, and a key K that distinguishes Ek from other operations using the algorithm E. The transformation Ek encrypts a plaintext message M into an encrypted message, or ciphertext C. Similarly, the decryption is performed by a transformation Dk defined by a decryption algorithm D and a key K.
Dorothy E. R. Denning, in "Cryptography and Data Security," Addison-Wesley Publishing Co. 1983, suggests that, for complete secrecy of the transmitted message, two requirements have to be met. The first is that it should be computationally infeasible for anyone to systematically determine the deciphering transformation Dk from intercepted ciphertext C, even if the corresponding plaintext M is known. The second is that it should be computationally infeasible to systematically determine plaintext M from intercepted ciphertext C.
Another goal of cryptography systems is that of data authenticity. This requires that someone should not be able to substitute false ciphertext C' for ciphertext C without detection.
By way of further background, cryptographic systems may be classified as either "symmetric" or "asymmetric." In symmetric systems, the enciphering and deciphering keys are either the same or easily determined from each other. When two parties wish to communicate through a symmetric cryptographic system, they must first agree on a key, and the key must be transferred from one party to the other by some secure means. This usually requires that keys be agreed upon in advance, perhaps to be changed on an agreed timetable, and transmitted by courier or some other secured method. Once the keys are known to the parties, the exchange of messages can proceed through the cryptographic system.

An asymmetric cryptosystem is one in which the enciphering and deciphering keys differ in such a way that at least one key is computationally infeasible to determine from the other. Thus, one of the transformations Ek or Dk can be revealed without endangering the other.
In 1976, the concept of a "public key" encryption system was introduced by W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. on Info. Theory, Vol. IT-22(6), pp. 644-54 (Nov. 1976). In a public key system, each user has a public key and private key, and two users can communicate knowing only each other's public keys. This permits the establishment of a secured communication channel between two users without having to exchange "secret" keys before the communication can begin. As pointed out in the previously cited text by Denning, a public key system can be operated to provide secrecy by using a private key for decryption; authenticity by using a private key for encryption; or both, by using two sets of encryptions and decryptions.
In general, asymmetric cryptographic systems require more computational "energy" for encryption and decryption than symmetric systems. Therefore, a common development has been a hybrid system in which an asymmetric system, such as a public key system, is first used to establish a "session key" for use between two parties wishing to communicate. Then this common session key is used in a conventional symmetric cryptographic system to transmit messages from one user to the other. Diffie and Hellman have proposed such a public key system for the exchange of keys on an unsecured communications channel. However, as will be described, the Diffie-Hellman public key system is subject to active eavesdropping. That is to say, it provides no foolproof authentication of its messages. With knowledge of the public keys, an eavesdropper can decrypt received ciphertext, and then re-encrypt the resulting plaintext for transmission to the intended receiver, who has no way of knowing that the message has been intercepted. The present invention relates to a significant improvement in techniques for public key exchange or public key management.
One possible solution to the authentication problem in public key management is to establish a key distribution center, which issues secret keys to authorized users. The center provides the basis for identity authentication of transmitted messages. In one typical technique, a user wishing to transmit to another user sends his and the other user's identities to the center; e.g. (A,B). The center sends to A the ciphertext message EA(B,K,T,C), where EA is the enciphering transformation derived from A's private key, K is the session key, T is the current date and time, and C = EB(A,K,T), where EB is the enciphering transformation derived from B's private key. Then A sends to B the message C. Thus A can send to B the session key K encrypted with B's private key; yet A has no knowledge of B's private key. Moreover, B can verify that the message truly came from A, and both parties have the time code for further message identity authentication.
The difficulty, of course, is that a central facility must be established as a repository of private keys, and it must be administered by some entity that is trusted by all users. This difficulty is almost impossible to overcome in some applications, and there is, therefore, a significant need for an alternative approach to public key management. The present invention fulfills this need.


Although the present invention has general application in many areas of communication employing public key management and exchange, the invention was first developed to satisfy a specific need in communication by facsimile (FAX) machines. As is now well known, FAX machines transmit and receive graphic images over ordinary telephone networks, by first reducing the images to digital codes, which are then transmitted, after appropriate modulation, over the telephone lines. FAX machines are being used at a rapidly increasing rate for the transmission of business information, much of which is of a confidential nature, over lines that are unsecured. There is a substantial risk of loss of the confidentiality of this information, either by deliberate eavesdropping, or by accidental transmission to an incorrectly dialed telephone number.
Ideally, what is needed is an encrypting/decrypting box connectable between the FAX machine and the telephone line, such that secured communications can take place between two similarly equipped users, with complete secrecy of data, and identity authentication between the users. For most users, a prior exchange of secret keys would be so inconvenient that they could just as well exchange the message itself by the same secret technique. A public key exchange system is by far the most convenient solution, but each available variation of these systems has its own problems, as discussed above. The Diffie-Hellman approach lacks the means to properly authenticate a message, and although a key distribution center would solve this problem, as a practical matter no such center exists for FAX machine users, and none is likely to be established in the near future. Accordingly, one aspect of the present invention is a key management technique that is directly applicable to data transmission using FAX machines.


SUMMARY OF THE INVENTION

The present invention resides in a public key cryptographic system that accomplishes both secrecy and identity authentication, without the need for a key distribution center or other public facility, and without the need for double encryption and double decryption of messages. Basically, the invention achieves these goals by using a digitally signed composite quantity that is pre-stored in each user communication device. In contrast with the conventional Diffie-Hellman technique, in which random numbers Xi are selected for each communication session, the present invention requires that a unique number Xi be preselected and pre-stored in each device that is manufactured. Also stored in the device is the signed composite of a Yi value and a publicly known device identifier. The Yi value is obtained by a transformation from the Xi value, using a transformation that is practically irreversible.
Before secure communications are established, two devices exchange these digitally signed quantities, which may then be easily transformed into unsigned form. The resulting identifier information is used to authenticate the other user's identity, and the resulting Yi value from the other device is used in a transformation with Xi to establish a session key. Thus the session key is established without fear of passive or active eavesdropping, and each user is assured of the other's identity before proceeding with the transfer of a message encrypted with the session key that has been established.
One way of defining the invention is in terms of a session key generator, comprising storage means for storing a number of a first type selected prior to placing the key generator in service, and a digitally signed composite quantity containing both a unique and publicly known identifier of the session key generator and a number of a second type obtained by a practically irreversible transformation of the number of the first type. The session key generator has a first input connected to receive the number of the first type, and a second input connected to receive an input quantity transmitted over an insecure communications channel from another session key generator, the input quantity being digitally signed and containing both a publicly known identifier of the other session key generator and a number of the second type generated by a practically irreversible transformation of a number of the first type stored in the other session key generator. The session key generator also has a first output for transmitting the stored, digitally signed composite quantity over the insecure communications channel to the other session key generator, a second output, means for decoding the signed input quantity received at the second input, to obtain the identifier of the other session key generator and the received number of the second type, and means for generating a session key at the second output, by performing a practically irreversible transformation of the number of the second type received through the second input, using the number of the first type received through the first input.
For further security of the session key, the session key generator further includes a third input, connected to receive another number of the first type, generated randomly, and means for generating at the first output, for transmission with the digitally signed composite quantity, a number of the second type obtained by a practically irreversible transformation of the number of the first type received through the third input. The session key generator also includes means for receiving from the second input another number of the second type generated in and transmitted from the other session key generator. The means for generating a session key performs a practically irreversible transformation involving both numbers of the first type, received at the first and third inputs, and both numbers of the second type received at the second input, whereby a different session key may be generated for each message transmission session.
More specifically, the number of the second type stored in digitally signed form in the storage means is obtained by the transformation
$Y_a = \alpha^{X_a} \bmod p$,
where Xa is the number of the first type stored in the storage means, and α and p are publicly known transformation parameters. The number of the second type received in the digitally signed composite quantity from the other session key generator is designated Yb, and the means for generating the session key performs the transformation
$K = Y_b^{X_a} \bmod p$.
When additional numbers X'a and X'b are also generated prior to transmission, the means for generating the session key performs the transformation
$K = (Y'_b)^{X_a} \bmod p \oplus (Y_b)^{X'_a} \bmod p$,
where X'a is the number of the first type that is randomly generated, Y'b is the additional number of the second type received from the other session key generator, and the ⊕ symbol means an exclusive OR operation.
In terms of a novel method, the invention comprises the steps of transmitting from each device a digitally signed composite quantity to the other device, the composite quantity including a publicly known device identifier IDa and a number Ya derived by a practically irreversible transformation of a secret number Xa that is unique to the device, receiving a similarly structured digitally signed composite quantity from the other device, and transforming the received digitally signed composite quantity into an unsigned composite quantity containing a device identifier IDb of the other device and a number Yb that was derived by transformation from a secret number Xb that is unique to the other device. Then the method performs the steps of verifying the identity of the other device from the device identifier IDb, and generating a session key by performing a practically irreversible transformation involving the numbers Xa and Yb.
Ideally, the method also includes the steps of generating another number X'a randomly prior to generation of a session key, transforming the number X'a to a number Y'a using a practically irreversible transformation, transmitting the number Y'a to the other device, and receiving a number Y'b from the other device. In this case, the step of generating a session key includes a practically irreversible transformation involving the numbers Xa, X'a, Yb and Y'b.
In particular, the transformation from X numbers to Y numbers is of the type
$Y = \alpha^{X} \bmod p$,
where α and p are chosen to maximize irreversibility of the transformation, and the step of generating a session key includes the transformation
$K = (Y'_b)^{X_a} \bmod p \oplus (Y_b)^{X'_a} \bmod p$,
where ⊕ denotes an exclusive OR operation.
It will be appreciated from this brief summary that the present invention represents a significant advance in the field of cryptography. In particular, the invention provides for both secrecy and identity authenticity when exchanging transmissions with another user to establish a common session key. Other aspects and advantages of the invention will become apparent from the following more detailed description, taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGURE 1 is a block diagram showing a public key cryptographic system of the prior art;
FIG. 2 is a block diagram similar to FIG. 1, and showing how active eavesdropping may be used to attack the system;
FIG. 3 is a block diagram of a public key cryptographic system in accordance with the present invention;
FIG. 4 is a block diagram of a secure facsimile system embodying the present invention; and
FIG. 5 is a block diagram showing more detail of the cryptographic processor of FIG. 4.

DESCRIPTION OF THE PREFERRED EMBODIMENT

As shown in the accompanying drawings for purposes of illustration, the present invention is concerned with a public key cryptographic system. As discussed at length in the preceding background section of this specification, public key systems have, prior to this invention, been unable to provide both secrecy and identity authentication of a message without either a costly double transformation at each end of the communications channel, or the use of a key distribution center.
U.S. Patent No. 4,200,770 to Hellman et al. discloses a cryptographic apparatus and method in which two parties can converse by first both generating the same session key as a result of an exchange of messages over an insecure channel. Since the technique disclosed in the Hellman et al. '770 patent attempts to provide both secrecy and authentication in a public key cryptographic system, the principles of their technique will be summarized here. This should provide a better basis for an understanding of the present invention.
In accordance with the Hellman et al. technique, two numbers α and p are selected for use by all users of the system, and may be made public. For increased security, p is a large prime number, and α has a predefined mathematical relationship to p, but these restrictions are not important for purposes of this explanation. Before starting communication, two users, A and B, indicated in FIG. 1 at 10 and 12, perform an exchange of messages that results in their both computing the same cipher key, or session key K, to be used in transmitting data back and forth between them.
The first step in establishing the session key is that each user generates a secret number in a random number generator 14, 16. The numbers are designated Xa, Xb, respectively, and are selected from a set of positive integers up to p-1. Each user also has a session key generator 18, 20, one function of which is to generate other numbers Y from the numbers X, α and p, using the transformations:
$Y_a = \alpha^{X_a} \bmod p$, $Y_b = \alpha^{X_b} \bmod p$.
The values Ya, Yb are then processed through a conventional transmitter/receiver 22, 24, and exchanged over an insecure communications channel 26.
The term "mod p" means modulo p, or using modulo p arithmetic. Transforming an expression to modulo p can be done by dividing the expression by p and retaining only the remainder. For example, 34 mod 17 = 0, 35 mod 17 = 1, and so forth. Similarly, the expression for Ya may be computed by first computing the exponential expression $\alpha^{X_a}$, then dividing the result by p and retaining only the remainder.

If α and p are appropriately chosen, it is computationally infeasible to compute Xa from Ya. That is to say, the cost of performing such a task, in terms of memory or computing time needed, is large enough to deter eavesdroppers. In any event, new X and Y values can be chosen for each message, which is short enough to preclude the possibility of any X value being computed from a corresponding Y value.
After the exchange of the values Ya, Yb, each user computes a session key K in its session key generator 18, 20, by raising the other user's Y value to the power represented by the user's own X value, all modulo p. For user A, the computation is:
$K = Y_b^{X_a} \bmod p$.
Substituting for Yb, $K = (\alpha^{X_b})^{X_a} \bmod p = \alpha^{X_a X_b} \bmod p$.
For user B, the computation is:
$K = Y_a^{X_b} \bmod p$.
Substituting for Ya, $K = (\alpha^{X_a})^{X_b} \bmod p = \alpha^{X_a X_b} \bmod p$.
The two users A, B now have the same session key K, which is input to a conventional cryptographic device 28, 30. A transmitting cryptographic device, e.g. 28, transforms a plaintext message M into ciphertext C for transmission on the communications channel 26, and a receiving cryptographic device 30 makes the inverse transformation back to the plaintext M.
The Hellman et al. '770 patent points out that the generation of a session key is secure from eavesdropping, because the information exchanged on the insecure channel includes only the Y values, from which the corresponding X values cannot be easily computed.
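The prior-art exchange of FIG. 1, written out as an added example (this is not code from the patent or from Hellman et al.). The modulus P, base ALPHA and the two secrets are constructed toy values so that every modular step can be checked by hand; the patent calls for 512-bit parameters.

```python
# Added example, not the patent's own code: the FIG. 1 exchange with constructed
# toy parameters. P and ALPHA are illustration sizes only (the patent wants 512 bits).
import secrets

P = 23      # constructed toy modulus (a prime; the patent wants a large strong prime)
ALPHA = 5   # constructed toy base (a generator of the multiplicative group mod 23)


def public_value(x, p=P, alpha=ALPHA):
    """The practically irreversible transformation Y = alpha^X mod p."""
    return pow(alpha, x, p)


def session_key(received_y, own_x, p=P):
    """K = (other user's Y)^(own X) mod p, as computed in generators 18 and 20."""
    return pow(received_y, own_x, p)


def random_secret(p=P):
    """Secret X drawn uniformly from the range 1 < X < p-1 used by the patent."""
    return 2 + secrets.randbelow(p - 3)


def diffie_hellman_exchange(xa, xb, p=P, alpha=ALPHA):
    """Run both sides of the exchange and return (Ya, Yb, Ka, Kb).

    Only Ya and Yb cross the insecure channel 26; Xa and Xb never leave their devices,
    and both keys equal alpha^(Xa*Xb) mod p, which is the identity the text derives.
    """
    ya = public_value(xa, p, alpha)
    yb = public_value(xb, p, alpha)
    ka = session_key(yb, xa, p)   # user A computes Yb^Xa mod p
    kb = session_key(ya, xb, p)   # user B computes Ya^Xb mod p
    return ya, yb, ka, kb


if __name__ == "__main__":
    # Fixed constructed secrets so the run is reproducible; use random_secret() otherwise.
    ya, yb, ka, kb = diffie_hellman_exchange(6, 15)
    print(f"Ya={ya} Yb={yb} Ka={ka} Kb={kb}")   # Ya=8 Yb=19 Ka=2 Kb=2
```

With Xa = 6 and Xb = 15 the channel carries Ya = 8 and Yb = 19, and both sides arrive at K = 2. Nothing in those two transmitted numbers ties Ya to user A or Yb to user B, which is the gap the rest of the description addresses.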
However, this form of key exchange system still has two significant problems. One is that the system is vulnerable to attack from active eavesdropping, rather than the passive eavesdropping described in the patent. The other is that identity authentication can be provided only by means of a public key directory.
Active eavesdropping takes place when an unauthorized person places a substitute message on the communications channel. FIG. 2 depicts an example of active eavesdropping using the same components as FIG. 1. The active eavesdropper E has broken the continuity of the unsecured line 26, and is receiving messages from A and relaying them to B, while sending appropriate responses to A as well. In effect, E is pretending to be B, with device Eb, and is also pretending to be A, with device Ea. E has two cryptographic devices 34a, 34b, two session key generators 36a, 36b, and two number generators 38a, 38b. When device Eb receives Ya from A, it generates Xb' from number generator 38b, computes Yb' from Xb' and transmits Yb' to A. Device Eb and user A compute the same session key and can begin communication of data. Similarly, device Ea and user B exchange Y numbers and both generate a session key, different from the one used by A and Eb. Eavesdropper E is able to decrypt the ciphertext C into plaintext M, then encipher again for transmission to B. A and B are unaware that they are not communicating directly with each other.
In accordance with the present invention, each user is provided with proof of identity of the party with whom he is conversing, and both active and passive eavesdropping are rendered practically impossible. FIG. 3 shows the key management approach of the present invention, using the same reference numerals as FIGS. 1 and 2, except that the session key generators are referred to in FIG. 3 as 18' and 20', to indicate that the key generation function is different in the present invention. The user devices also include a number storage area 40, 42. Storage area 40 contains a preselected number Xa, stored at the time of manufacture of the A device, and another number referred to as "signed Ya," also stored at the time of manufacture. Xa was chosen at random, and is unique to the device. Ya was computed from Xa using the transformation
$Y_a = \alpha^{X_a} \bmod p$.
Then the Ya value was concatenated with a number IDa uniquely identifying the user A device, such as a manufacturer's serial number, and then encoded in such a way that it was digitally "signed" by the manufacturer for purposes of authenticity. The techniques for digitally signing data are known in the cryptography art, and some will be discussed below. For the present, one need only consider that the number designated "signed (Ya,IDa)" contains the value Ya and another value IDa uniquely identifying the A device, all coded as a "signature" confirming that the number originated from the manufacturer and from no-one else. User B's device 12 has stored in its storage area 42 the values Xb and signed (Yb,IDb).
Users A and B exchange the signed (Ya,IDa) and signed (Yb,IDb) values, and each session key generator 18, 20 then "unsigns" the received values and verifies that it is conversing with the correct user device. The user identifiers IDa and IDb are known publicly, so user device A verifies that the number IDb is contained in the signed (Yb,IDb) number that was received. Likewise, user device B verifies that the value signed (Ya,IDa) contains the known value IDa. By performing the process of "unsigning" the received messages, the user devices also confirm that the signed data originated from the manufacturer and not from some other entity.
Since the Xa, Xb values are secret values, and it is infeasible to obtain them from the transmitted signed (Ya,IDa) and signed (Yb,IDb) values, the users may both compute identical session keys in a manner similar to that disclosed in the Hellman et al. '770 patent. If an eavesdropper E were to attempt to substitute fake messages for the exchanged ones, he would be unable to satisfy the authentication requirements. E could intercept a signed (Ya,IDa) transmission, could unsign the message and obtain the values Ya and IDa. E could similarly obtain the values Yb and IDb. However, in order for E and A to use the same session key, E would have to generate a value Xe, compute Ye and concatenate it with IDb, which is known, and then digitally "sign" the composite number in the same manner as the manufacturer. As will be explained, digital signing involves a transformation that is very easy to effect in one direction, the unsigning direction, but is computationally infeasible in the other, the signing direction. Therefore, eavesdropper E would be unable to establish a common session key with either A or B because he would be unable to generate messages that would satisfy the authentication requirements.
As described thus far, the technique of the invention establishes a session key that is derived from X and Y values stored in the devices at the time of manufacture. Ideally, a new session key should be established for each exchange of message traffic. An additional unsecured exchange is needed to accomplish this.
The number generator 14 in the A device 10 generates a random number X'a and the number generator 16 in the B device 12 generates a random number X'b. These are supplied to the session key generators 18, 20, respectively, which generate values Y'a and Y'b in accordance with the transformations:
$Y'_a = \alpha^{X'_a} \bmod p$ and $Y'_b = \alpha^{X'_b} \bmod p$.
These values are also exchanged between the A and B devices, at the same time that the values of signed (Ya,IDa) and signed (Yb,IDb) are exchanged. After the authenticity of the message has been confirmed, as described above, the session key generators perform the following transformations to derive a session key. At the A device, the session key is computed as
$K_a = (Y'_b)^{X_a} \bmod p \oplus (Y_b)^{X'_a} \bmod p$,
and at the B device, the session key is computed as
$K_b = (Y'_a)^{X_b} \bmod p \oplus (Y_a)^{X'_b} \bmod p$,
where "⊕" means an exclusive OR operation.
Thus the session key is computed at each device using one fixed number, i.e. fixed at manufacturing time, and one variable number, i.e. chosen at session time. The numbers are exclusive ORed together on a bit-by-bit basis. It can be shown that Ka = Kb by substituting for the Y values. Thus:
$K_a = (\alpha^{X'_b})^{X_a} \bmod p \oplus (\alpha^{X_b})^{X'_a} \bmod p = (\alpha^{X_a})^{X'_b} \bmod p \oplus (\alpha^{X'_a})^{X_b} \bmod p = (Y_a)^{X'_b} \bmod p \oplus (Y'_a)^{X_b} \bmod p = (Y'_a)^{X_b} \bmod p \oplus (Y_a)^{X'_b} \bmod p = K_b$.
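The FIG. 3 exchange just derived, as an added example that is not the patent's own code. It uses constructed toy parameters (the patent specifies 512-bit p and a 1,024-bit signing modulus), signs the composite with the RSA-style exponentiation the description later names as one option (secret signing exponent, public unsigning exponent, in the patent's naming), and encodes "Y concatenated with ID" as an integer with the identifier in the low 8 bits, which is an assumption of this example. It also checks the rejection the description relies on: a composite assembled by an interposer who knows IDb but not the manufacturer's signing transformation does not survive unsigning.

```python
# Added example, not the patent's own code: the FIG. 3 exchange with constructed toy
# parameters and an RSA-style manufacturer signature. Composite layout Y || ID is assumed.
import secrets

# Constructed key-exchange parameters (the patent calls for 512-bit values).
P = 23
ALPHA = 5

# Constructed manufacturer signing key. The factors and SIGN_EXP stay with the
# manufacturer; devices only hold N and UNSIGN_EXP, which is all "unsigning" needs.
_P1, _Q1 = 101, 103
N = _P1 * _Q1                           # 10403 (the patent: a 1,024-bit product)
_PHI = (_P1 - 1) * (_Q1 - 1)
UNSIGN_EXP = 7                          # public, the patent's "d"
SIGN_EXP = pow(UNSIGN_EXP, -1, _PHI)    # secret, the patent's "e"

ID_BITS = 8   # assumption: device ID occupies the low 8 bits of the composite


def make_composite(y, device_id):
    """Concatenate Y with the public device identifier (assumed layout Y || ID)."""
    return (y << ID_BITS) | device_id


def split_composite(composite):
    return composite >> ID_BITS, composite & ((1 << ID_BITS) - 1)


def manufacturer_sign(composite):
    """Done once, at manufacture: signed (Y, ID) = composite^SIGN_EXP mod N."""
    assert composite < N
    return pow(composite, SIGN_EXP, N)


def unsign_and_verify(signed, expected_id, p=P):
    """Unsign with the public exponent and check the identifier, as the devices do.

    Returns the peer's Y, or None when the quantity was not produced by the
    manufacturer's signing transformation for the expected device.
    """
    y, device_id = split_composite(pow(signed, UNSIGN_EXP, N))
    if device_id != expected_id or not 1 < y < p - 1:
        return None
    return y


class Device:
    """A user device with storage area 40/42: fixed X, signed (Y, ID), session X'."""

    def __init__(self, device_id, x, p=P, alpha=ALPHA):
        self.device_id, self.x, self.p = device_id, x, p
        self.signed = manufacturer_sign(make_composite(pow(alpha, x, p), device_id))
        self.x_prime = None

    def session_offer(self, x_prime=None, alpha=ALPHA):
        """Send signed (Y, ID) together with the session value Y' = alpha^X' mod p."""
        self.x_prime = x_prime if x_prime is not None else 2 + secrets.randbelow(self.p - 3)
        return self.signed, pow(alpha, self.x_prime, self.p)

    def session_key(self, peer_signed, peer_y_prime, peer_id):
        """K = (Y'_peer)^X mod p XOR (Y_peer)^X' mod p, only after authenticating the peer."""
        peer_y = unsign_and_verify(peer_signed, peer_id, self.p)
        if peer_y is None:
            return None   # authentication failed: derive nothing
        return pow(peer_y_prime, self.x, self.p) ^ pow(peer_y, self.x_prime, self.p)


def run_session(dev_a, dev_b, xa_prime, xb_prime):
    """Both sides of FIG. 3 with given session secrets; returns (Ka, Kb)."""
    signed_a, ya_prime = dev_a.session_offer(xa_prime)
    signed_b, yb_prime = dev_b.session_offer(xb_prime)
    ka = dev_a.session_key(signed_b, yb_prime, dev_b.device_id)
    kb = dev_b.session_key(signed_a, ya_prime, dev_a.device_id)
    return ka, kb


def rejects_unsigned_composite(dev_a, xe, claimed_id):
    """Device A refuses a bare (Ye, IDb) composite that carries no manufacturer signature."""
    dev_a.session_offer(3)
    bare = make_composite(pow(ALPHA, xe, P), claimed_id)
    return dev_a.session_key(bare, pow(ALPHA, 4, P), claimed_id) is None


if __name__ == "__main__":
    a, b = Device(0x0A, 6), Device(0x0B, 15)
    print(run_session(a, b, 3, 20))               # (12, 12)
    print(rejects_unsigned_composite(a, 4, 0x0B))  # True
```

With Xa = 6, Xb = 15 and session values X'a = 3, X'b = 20, the fixed terms are 8 and 19, the session terms 10 and 12, and both devices derive Ka = Kb = 12 (9 XOR 5 on the A side, 5 XOR 9 on the B side). The identifier check is deliberately the first thing `session_key` does, so no key material is computed for a peer that fails authentication.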
This common session key satisfies secrecy and authentication requirements, and does not require double encryption-decryption or the use of a public key directory or key distribution center. The only requirement is that of a manufacturer who will undertake to supply devices that have unique device ID's and selected X values encoded into them. For a large corporation or other organization, this obligation could be assumed by the organization itself rather than the manufacturer. For example, a corporation might purchase a large number of communications devices and complete the manufacturing process by installing unique ID's, X values, and signed Y values in the units before distributing them to the users. This would relieve the manufacturer from the obligation.
The process described above uses parameters that must meet certain numerical restrictions. The length restrictions are to ensure sufficient security, and the other requirements are to ensure that each transformation using modulo arithmetic produces a unique transformed counterpart. First, the modulus p must be a strong prime number 512 bits long. A strong prime number is a prime number p that meets the additional requirement that (p-1)/2 has at least one large prime factor or is preferably itself a prime number. The base number α must be a 512-bit random number that satisfies the relationships:
$\alpha^{(p-1)/2} \bmod p = p - 1$, and $1 < \alpha < p - 1$.
Finally, the values X and X' are chosen as 512-bit random numbers such that $1 < X, X' < p - 1$.
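The parameter restrictions above, turned into checks, as an added example that is not part of the patent. The primality test is an ordinary Miller-Rabin routine and the generation loop is this example's own; the bit length is a parameter (the patent fixes it at 512) so that the toy run stays fast. The strong-prime check implements the patent's preferred form, (p-1)/2 itself prime; the weaker "has a large prime factor" form would need a partial factorisation and is not attempted.

```python
# Added example, not from the patent: checks for the restrictions on p, alpha, X and X'.
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic below about 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for q in _SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_strong_prime(p):
    """The patent's preferred form: p prime and (p-1)/2 itself prime (a "safe" prime)."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def is_valid_base(alpha, p):
    """1 < alpha < p-1 and alpha^((p-1)/2) mod p = p-1.

    The second test says alpha is a quadratic non-residue; when p is a safe prime every
    such alpha except p-1 generates the whole group, so Y = alpha^X mod p takes p-1
    distinct values: the "unique transformed counterpart" the text asks for.
    """
    return 1 < alpha < p - 1 and pow(alpha, (p - 1) // 2, p) == p - 1


def is_valid_secret(x, p):
    """1 < X < p-1, required of both X and X'."""
    return 1 < x < p - 1


def generate_parameters(bits):
    """Draw (p, alpha) of the given bit length satisfying all of the checks above."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exactly `bits` long
        if is_strong_prime(p):
            break
    while True:
        alpha = secrets.randbits(bits) % p
        if is_valid_base(alpha, p):
            return p, alpha


if __name__ == "__main__":
    print(is_strong_prime(23), is_valid_base(5, 23), is_valid_base(2, 23))  # True True False
    print(generate_parameters(16))
```

On the toy values used earlier on this page, p = 23 passes (11 is prime), α = 5 passes since 5^11 mod 23 = 22, and α = 2 fails since 2^11 mod 23 = 1 (2 only generates a subgroup of order 11, so half the Y values would never occur).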
As indicated above, the process of authenti-cation in the invention ~epends on the ability of the manufacturer, or the owner of multiple devices, to supply a signed Y value with each device that is dis-tributed. A digital signature is a property of a mes-sage that is private to its originator. Basically, the signing process is effected by a transformation that is extremely difficult to per~orm, but the inverse trans-3~ formation, the "unsigning," can be performed easily byevery user. The present invention is not limited to the use of a particular digital signature technique.
One approach is to use an RSA public key signature technique. The RSA technique takes its name from the initial letters of its originators, Rivest, Shamir and Adleman, and is one of a class of encryption schemes known as exponentiation ciphers. An exponentiation cipher makes the transformation C = P^e mod n, where e and n constitute the enciphering key. The inverse transformation is accomplished by P = C^d mod n.
With appropriate selection of n, d and e, the values of n and d can be made public without giving away the exponent e used in the encryption transformation. Therefore, a digital signature can be applied to data by performing the exponentiation transformation with a secret exponent e, and providing a public decryption exponent d, which, of course, will be effective to decrypt only properly "signed" messages.
In the preferred embodiment of the present invention, another approach is used for digital signature, namely a modular square-root transformation. In the expression x = m^2 mod n, the number m is said to be the square root of x mod n, or the modular square root of x. If n is appropriately selected, the transformation is very difficult to perform in one direction. That is to say, it is very difficult to compute m from x, although easy to compute x from m. If the modulus n is selected to be the product of two large prime numbers, the inverse or square-root transformation can only be made if the factors of the modulus are known.
Therefore, the modulus n is chosen as the product of two prime numbers, and the product is 1,024 bits long.
Further, the factors must be different in length by a few bits. In the devices using the present invention, the value "signed (Ya, IDa)" is computed by first assembling or concatenating the codes to be signed.
These are:
1. A numerical code IDa uniquely identifying the A device. In the present embodiment of the invention, this is a ten-digit (decimal) number encoded in ASCII format, but it could be in any desired format.
2. A number of ASCII numerical codes indicating a version number of the device. This may be used for device testing or analyzing problems relating to device incompatibility.
3. The value Ya computed from the chosen value of Xa, encoded in binary form.
4. A random value added to the least-significant end of the composite message, and used to ensure that the composite message is a perfect modular square.
The last element of the message is needed because of inherent properties of the modular squaring process. If one were to list all possible values of a modular square x, from 1 to n-1, and all corresponding values of the modular square root m, some of the values of x would have multiple possible values of m, but others of the values of x would have no corresponding values of m. The value added to the end of the message ensures that the number for which a modular square root is to be computed is one that actually has a modular square root. A simple example should help make this clear.
Suppose the modulus n is 7849. It can be verified by calculator that a value x of 98 has four possible values of m in the range 1 to n-1: 7424, 1412, 6437 and 425, such that m^2 mod 7849 = 98. However, the x value 99 has no possible modular square root values m. If the composite message to be signed had a numerical value of 99, it would be necessary to add to it a value such as 1, making a new x value of 100, which has four possible square root values in the range 1 to n-1, namely 1326, 7839, 10 and 6523. In most instances, it does not matter which of these is picked by the modular square root process employed, since the squaring or "unsigning" process will always yield the composite message value 100 again. However, there are a few values of m that should be avoided for maximum security. If the x value is a perfect square in ordinary arithmetic (such as the number 100 in the example), two values of m that should be avoided are the square root of x by ordinary arithmetic (the number 10 in the example), and the number that is the difference between the modulus n and the ordinary-arithmetic square root of x (i.e. 7839 in the example). If a number fitting this definition is used as a signed message, the signature is subject to being "forged" without knowledge of the factors of n. Therefore, such numbers are avoided in assigning signatures, and each device can be easily designed to abort an exchange when the signed message takes the form of one of these avoided numbers.
When the modular square root process is used for digitally signing the composite data stored in each device, the "unsigning" process upon receipt of a signed composite message is simply the squaring of the message, modulo n. The value n is not made public, although it could be determined by close examination of one of the devices. Even with knowledge of the modulus n, however, the computation of the modular square root is computationally infeasible without knowledge of the factorization of n.
With a knowledge of the factorization of the modulus n, the computation of the modular square root becomes a feasible, although laborious task, which may be performed by any known computational method. It will be recalled that this process is performed prior to distribution of the devices embodying the invention, so computation time is not a critical factor.
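The modular square-root signature, its "unsigning" by squaring, the padding that makes the composite value a modular square, and the rejection of the forgeable roots, worked through on the page's example modulus n = 7849, as an added Python example (not code from the patent). The factorization 7849 = 47 × 167 and the incrementing pad search are assumptions made here; the page gives only n and the resulting values.

```python
from math import isqrt

# The page's example modulus, factored here: n = 7849 = 47 * 167.  Both factors
# are congruent to 3 mod 4, which allows the one-line square-root formula below.
P_FACTOR, Q_FACTOR = 47, 167
N = P_FACTOR * Q_FACTOR  # 7849

def sqrt_mod_prime(x, q):
    """Square root of x modulo a prime q with q % 4 == 3, or None when x is a
    quadratic non-residue.  The candidate r = x^((q+1)/4) is verified by squaring."""
    r = pow(x, (q + 1) // 4, q)
    return r if (r * r) % q == x % q else None

def modular_square_roots(x, p, q):
    """All m in [1, n-1] with m*m mod n == x for n = p*q, combined by the CRT.
    Returns [] when x has no modular square root (like x = 99 on the page)."""
    n = p * q
    rp, rq = sqrt_mod_prime(x % p, p), sqrt_mod_prime(x % q, q)
    if rp is None or rq is None:
        return []
    inv_p = pow(p, -1, q)  # p^-1 mod q, used to lift (a mod p, b mod q) to mod n
    roots = set()
    for a in (rp, (-rp) % p):
        for b in (rq, (-rq) % q):
            roots.add((a + p * (((b - a) * inv_p) % q)) % n)
    return sorted(r for r in roots if 1 <= r <= n - 1)

def forgeable_roots(x, n):
    """Roots anyone can compute without factoring n: when x is a perfect square
    in ordinary arithmetic, isqrt(x) and n - isqrt(x) must be avoided."""
    r = isqrt(x)
    return {r, n - r} if r * r == x else set()

def sign(message, p, q):
    """Signer side (needs the factors): add the smallest pad that turns the
    composite value into a modular square (the page turns 99 into 100), then
    return (signature, padded_value) using a root that is not forgeable."""
    n = p * q
    for pad in range(n):
        x = message + pad
        usable = [m for m in modular_square_roots(x, p, q)
                  if m not in forgeable_roots(x, n)]
        if usable:
            return usable[0], x
    raise ValueError("no signable value found")

def unsign(signature, n):
    """Receiver side, needing only n: square modulo n to recover the value."""
    return (signature * signature) % n

def unsign_checked(signature, n):
    """Receiver side with the abort the page describes: return the recovered
    composite value, or None when the signature is one of the avoided roots."""
    x = unsign(signature, n)
    return None if signature in forgeable_roots(x, n) else x

if __name__ == "__main__":
    print(modular_square_roots(98, P_FACTOR, Q_FACTOR))   # [425, 1412, 6437, 7424]
    print(modular_square_roots(99, P_FACTOR, Q_FACTOR))   # []
    print(sign(99, P_FACTOR, Q_FACTOR))                   # (1326, 100)
    print(unsign_checked(10, N), unsign_checked(1326, N)) # None 100
```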
It will be understood that the cryptographic technique of the invention may be implemented in any form that is convenient for a particular application. Modular arithmetic is now well understood by those working in the field, and may be implemented in hardware form in the manner described in the '770 Hellman et al. patent. More conveniently, off-the-shelf modular arithmetic devices are available for connection to conventional microprocessor hardware. For example, part number CY1024 manufactured by CYLINK, of Sunnyvale, California 94087, performs modular addition, multiplication and exponentiation.
For application to facsimile communications, the technique of the invention may be made completely "transparent" to the user. FIG. 4 shows the architecture of a device for connection between a conventional FAX machine 50 and a telephone line 52. The device includes a first conventional modem 54 (modulator/demodulator) for connection to the FAX machine 50 and a second modem 56 for connection to the telephone line 52. The modems 54, 56 function to demodulate all messages entering the device from either the FAX machine or the telephone line, and to modulate messages for transmission to the FAX machine or onto the telephone line. The device further includes a communications processor 58 connected between the two modems 54, 56, and a cryptographic processor 60 connected to the communications processor 58. The communications processor 58 manages message traffic flow to and from the modems 54, 56 and to and from the cryptographic processor 60, and ensures that the necessary communications protocols are complied with. In one preferred embodiment of the invention, the communications processor is a microprocessor specified by part number MC68000, manufactured by Motorola Corporation.
As shown in FIG. 5, the cryptographic processor 60 includes a conventional microprocessor 62 having a data bus 64 and a D-bus 66, to which various other modules are connected. The microprocessor 62 may be, for example, a National Semiconductor Company device specified by part number NSC800. The connected modules include a random access memory (RAM) 68, a read-only memory (ROM) 70, which serves as a storage area for the X value and the signed Y value, an integrated circuit chip 72 for implementation of the Data Encryption Standard (DES), a modular arithmetic device 74 such as the CYLINK CY1024, and an interface module 76 in the form of a dual-port RAM, for connection to the communications processor 58.
For transparent operation of the device shown in FIGS. 4 and 5, a user supplies not only the telephone number of a destination FAX machine, but also the ID of the intended destination FAX encoding/decoding device. When the digitally signed Y values are exchanged, the sending user device automatically "unsigns" the transmission by performing a modular squaring function; then compares the intended destination ID with the user ID returned with the Y value, and aborts the session if there is not a match. The key management steps previously described proceed automatically under control of the cryptographic processor 60, and when a session key has been derived, this is automatically applied in a conventional cryptographic process, such as the DES, to encrypt and decrypt a facsimile transmission.
It will be appreciated from the foregoing that the present invention represents a significant advance in cryptographic systems. In particular, the invention provides a technique for establishing a common session key for two users by means of an exchange of messages over an insecure communications channel. What distinguishes the invention from prior approaches to public key exchange systems is that the technique of the invention provides for identity authentication of the users without the need for a key distribution center or a public key register. Further, the technique is resistant to both passive and active eavesdropping. It will also be appreciated that, although an embodiment of the invention has been described in detail for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention. Accordingly, the invention is not to be limited except as by the appended claims.

Claims (16)

1. A secure key generator, comprising:
storage means for storing a number of a first type selected prior to placing the key generator in service, and a digitally signed composite quantity containing both a unique and publicly known identifier of the key generator and a number of a second type obtained by a practically irreversible transformation of the number of the first type;
a first input connected to receive the number of the first type;
a second input connected to receive an input quantity transmitted over an insecure communications channel from another key generator, the input quantity being digitally signed and containing both a publicly known identifier of the other key generator and a number of the second type generated by a practically irreversible transformation of a number of the first type stored in the other key generator;
a first output for transmitting the stored, digitally signed composite quantity over the insecure communications channel to the other key generator;
a second output;
means for decoding the signed input quantity received at the second input, to obtain the identifier of the other key generator and the received number of the second type; and means for generating a session key at the second output, by performing a practically irreversible transformation of the number of the second type received through the second input, using the number of the first type received through the first input.
2. A secure key generator as defined in claim 1, wherein the key generator further comprises:
a third input, connected to receive another number of the first type, generated randomly;
means for generating at the first output, for transmission with the digitally signed composite quantity, a number of the second type obtained by a practically irreversible transformation of the number of the first type received through the third input; and means for receiving from the second input another number of the second type generated in and transmitted from the other key generator;
and wherein the means for generating a session key performs a practically irreversible transformation involving both numbers of the first type, received at the first and third inputs, and both numbers of the second type received at the second input, whereby a different session key may be generated for each message transmission session.
3. A secure key generator as defined in claim 1, wherein:
the number of the second type stored in digitally signed form in the storage means is obtained by the transformation Ya = α^Xa mod p, where Xa is the number of the first type stored in the storage means, and α and p are publicly known transformation parameters;
the number of the second type received in the digitally signed composite quantity from the other key generator is designated Yb; and the means for generating the session key performs the transformation K = Yb^Xa mod p.
4. A secure key generator as defined in claim 2, wherein:
the number of the second type stored in digitally signed form in the storage means is obtained by the transformation Ya = α^Xa mod p, where Xa is the number of the first type stored in the storage means, and α and p are publicly known transformation parameters;
the number of the second type received in the digitally signed composite quantity from the other key generator is designated Yb; and the means for generating the session key performs the transformation K = (Y'b)^Xa mod p ⊕ (Yb)^X'a mod p, where X'a is the number of the first type that is randomly generated, Y'b is the additional number of the second type received from the other key generator, and the ⊕ symbol denotes an exclusive OR operation.
5. A method of generating a secure session key between two user devices connected by an insecure communications channel, comprising the following steps performed at both devices:
transmitting a digitally signed composite quantity to the other device, the composite quantity including a publicly known device identifier IDa and a number Ya derived by a practically irreversible transformation of a secret number Xa that is unique to the device;
receiving a similarly structured digitally signed composite quantity from the other device;
transforming the received digitally signed composite quantity into an unsigned composite quantity containing a device identifier IDb of the other device and a number Yb that was derived by transformation from a secret number Xb that is unique to the other device;
verifying the identity of the other device from the device identifier IDb; and generating a session key by performing a practically irreversible transformation involving the numbers Xa and Yb.
6. A method as defined in claim 5, and further including the steps of:
generating another number X'a randomly prior to generation of a session key;
transforming the number X'a to a number Y'a using a practically irreversible transformation;
transmitting the number Y'a to the other device; and receiving a number Y'b from the other device;
wherein the step of generating a session key includes a practically irreversible transformation involving the numbers Xa, X'a, Yb and Y'b.
7. A method as defined in claim 6, wherein:
the transformations from X numbers to Y numbers are of the type Y = α^X mod p, where α and p are chosen to maximize irreversibility of the transformations; and the step of generating a session key includes the transformation K = (Y'b)^Xa mod p ⊕ (Yb)^X'a mod p, where ⊕ denotes an exclusive OR operation.
8. A method of authentication in a public key cryptographic system, the method comprising the steps of:
selecting a unique random number Xi for each cryptographic device to be distributed;
transforming the number Xi to a new number Yi using a practically irreversible transformation;
forming a composite quantity by combining the number Yi with a publicly known device identifier IDi;
digitally signing the composite quantity containing Yi and IDi;
storing the signed composite quantity and the number Xi permanently in each device;
exchanging, between two devices, a and b, desiring to establish secured communication, the signed composite quantities stored in each;
authenticating, in each of the two devices, the identity of the other device; and generating, in each of the two devices, a session key to be used for secured communication.
9. A method as defined in claim 8, wherein the step of authenticating includes:
transforming the digitally signed composite quantity received from the other device into unsigned form; and comparing the value of IDb in the unsigned quantity with the known IDb of the other device.
10. A method as defined in claim 9, wherein:
the step of generating the session key includes performing a transformation that involves a value Yb received from the other device and the value Xa of this device.
11. A method as defined in claim 10, wherein:
the step of digitally signing includes computing a modular square root of the composite quantity;
and the step of transforming the digitally signed composite quantity to unsigned form includes computing a modular square of the signed quantity.
12. A method as defined in claim 11, wherein:
the steps of computing a modular square root and computing a modular square both employ a modulus that is the product of two prime numbers.
13. A method as defined in claim 8, and further comprising the steps of:
transforming, in each of the two devices, the digitally signed composite quantity received from the other device into unsigned form; and generating, in each of the two devices, a, b, a random number X'a, X'b;
transforming the numbers X'a, X'b into numbers Y'a, Y'b by a transformation that is practically irreversible; and exchanging the numbers Y'a, Y'b between the two devices;
and wherein the step of generating the session key includes performing a practically irreversible transformation involving the numbers Xa, X'a, Yb, and Y'b in device a, and the numbers Xb, X'b, Ya, and Y'a in device b.
14. A method as defined in claim 13, wherein:
the transformations from X numbers to Y numbers are of the type Y = α^X mod p, where α and p are chosen to maximize irreversibility of the transformations; and the step of generating a session key includes the transformations K = (Y'b)^Xa mod p ⊕ (Yb)^X'a mod p, for device a, and K = (Y'a)^Xb mod p ⊕ (Ya)^X'b mod p, for device b, where ⊕ denotes an exclusive OR operation.
15. A method as defined in claim 13, wherein:
the step of digitally signing includes computing a modular square root of the composite quantity;
and the step of transforming the digitally signed composite quantity to unsigned form includes computing a modular square of the signed quantity.
16. A method as defined in claim 15, wherein:
the steps of computing a modular square root and computing a modular square both employ a modulus that is the product of two prime numbers.
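The parameter restrictions given in the description (strong prime p, base α with α^((p-1)/2) mod p = p-1, and 1 < X, X' < p-1) together with the session-key formula of claims 4, 7 and 14, simulated for both devices in an added Python example that is not the patent's own code. The toy values p = 23, α = 5 and the secret numbers are constructed here and are far smaller than the 512-bit sizes the page requires; the strong-prime check implements the page's preferred form, (p-1)/2 itself prime.

```python
import random

# Constructed toy parameters: 23 is a strong prime ((23-1)/2 = 11 is prime) and
# 5 satisfies 5^11 mod 23 = 22 = p-1.  Real deployments use 512-bit values.
TOY_P, TOY_ALPHA = 23, 5

def is_prime(n):
    """Trial division; adequate for toy sizes, not for 512-bit moduli."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_strong_prime(p):
    """The page's preferred form of strong prime: p prime and (p-1)/2 prime."""
    return is_prime(p) and is_prime((p - 1) // 2)

def is_valid_base(alpha, p):
    """The page's base conditions: alpha^((p-1)/2) mod p == p-1 and 1 < alpha < p-1.
    With p a strong prime this makes alpha generate the whole multiplicative
    group, so distinct X values always map to distinct Y values."""
    return 1 < alpha < p - 1 and pow(alpha, (p - 1) // 2, p) == p - 1

def find_base(p):
    """Smallest base meeting is_valid_base (deterministic stand-in for a random search)."""
    return next(a for a in range(2, p - 1) if is_valid_base(a, p))

def is_valid_secret(x, p):
    """Range restriction on X and X': 1 < X < p-1."""
    return 1 < x < p - 1

def public_value(x, p, alpha):
    """Y = alpha^X mod p, the practically irreversible transformation."""
    return pow(alpha, x, p)

def session_key(x_static, x_eph, y_peer_static, y_peer_eph, p):
    """K = (Y'_peer)^X mod p XOR (Y_peer)^X' mod p, as in claims 4, 7 and 14."""
    return pow(y_peer_eph, x_static, p) ^ pow(y_peer_static, x_eph, p)

def run_exchange(p, alpha, xa, xb, xa_eph=None, xb_eph=None):
    """Simulate devices a and b and return (Ka, Kb).  The keys agree because
    each XOR term is alpha^(X*X') computed from the opposite side.  Ephemeral
    X' values are drawn at random unless fixed values are supplied."""
    if not (is_strong_prime(p) and is_valid_base(alpha, p)):
        raise ValueError("p or alpha violates the parameter restrictions")
    if xa_eph is None:
        xa_eph = random.randint(2, p - 2)
    if xb_eph is None:
        xb_eph = random.randint(2, p - 2)
    for x in (xa, xb, xa_eph, xb_eph):
        if not is_valid_secret(x, p):
            raise ValueError("secret value outside 1 < X < p-1")
    # Stored (signed at manufacture) and per-session public values of each device.
    ya, yb = public_value(xa, p, alpha), public_value(xb, p, alpha)
    ya_eph, yb_eph = public_value(xa_eph, p, alpha), public_value(xb_eph, p, alpha)
    ka = session_key(xa, xa_eph, yb, yb_eph, p)  # device a uses Yb and Y'b
    kb = session_key(xb, xb_eph, ya, ya_eph, p)  # device b uses Ya and Y'a
    return ka, kb

if __name__ == "__main__":
    print(run_exchange(TOY_P, TOY_ALPHA, 6, 15, 3, 10))  # (6, 6)
```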
CA 2024049 1990-08-27 1990-08-27 Cryptographic method and apparatus for public key exchange with authentication Abandoned CA2024049A1 (en)


Publications (1)

Publication Number Publication Date
CA2024049A1 true CA2024049A1 (en) 1992-02-28



Legal Events

Date Code Title Description
FZDE Dead