DE19638623A1 - Computer system with process for handling coded data - Google Patents

Abstract

The computer system has an interface 3 for receiving the coded data from a network 2. There is at least one output unit for outputting the public key data. The received data is handled by a central processor 4. Between the output unit and the central processor is a decryption unit 5. Use of the data is made by output units , such as a disc drive 6, a monitor 7 or a printer 8. For the printer and monitor the information is handled by the decoding units 5 and there is no requirement to return this data to the processor.

Description

The present invention relates to a computer system with an interface for receiving encrypted data, at least one output unit for Output of unencrypted data and a central unit to receive the Data from the interface and for the transmission of data to be output to a Output unit according to the preamble of claim 1.

The invention further relates to a method for the output of encrypted Data in which the encrypted data is received via an interface, the encrypted data are transmitted to a central unit and the decrypted data are output by an output unit after the Preamble of claim 7.

In computer networks, individual computer systems are connected to each other send mutually encrypted data. As an example of such a network is to call the internet. There is information and audiovisual signals spread. The majority of the offer is free information. Monetary values So far, hardly any information has been offered, but remains on conventional Distribution channels limited.

There are three reasons for this:
First, methods for convenient payment processing have not yet been widely used. Second, there are only a few procedures for secure information transfer. Secure procedures are mainly based on cryptographic public / private key procedures. These processes are characterized in that each participant in the information exchange has two keys:
A public key KÖ and a private key KP. A connection between the two cannot be deduced. Each participant's public key can be found in public directories. The private key remains secret and is only known to the subscriber himself. Information I that has been encrypted with the public key KÖ can only be decrypted with the private key KP and vice versa.

Public / private key processes perform two important functions:

• a) They ensure that information transmitted through public channels only from legitimate recipients can be used. To do this, encrypts the Information provider the message with the public key of the lawful Recipient and sends the encrypted message over public channels. This encrypted message can be received by anyone, but only by lawful Deciphered and used.
• b) They ensure that the receiver is one transmitted over public channels Information can be sure that this is actually from the lawful sender comes from.

For this purpose, the information provider encrypts message I with his own private key and sends the encrypted message I over public Channels. If at a recipient L the decryption attempt with the succeeds public key of the supplier Z, this ensures that the message I really comes from the legitimate supplier Z.

Third, information available to the recipient in digital form from to be abused. This problem is much bigger than with non-digital carrier media (e.g. paper) because it is digitally distributed is quick, lossless and cheap.

According to the latter third reason, the main disadvantage is that conventional information dissemination over networks that over the network provided data, even if they are transmitted encrypted, in the  The recipient's computer system is decrypted in such a way that the Spreading the decrypted data is not controllable.

It is the object of the present invention, a computer system and a To develop methods for the output of encrypted data so that encrypted data transmitted by a network can be used by the computer system can, but the further distribution of the unencrypted data is difficult.

This object is achieved by the features of claim 1 and Claim 7 solved, with further refinements from the Subclaims result.

The essence of the invention is that the encrypted information by a Encryption unit so decrypted for output by the output unit be that the unencrypted data is not immediately digitally processed or can be saved.

The decryption does not take place on the central processor running program, but only in or immediately before the output unit, that is e.g. B. the printer or the graphics card. The decrypted data is not in digital, directly electronically redistributable form. This is in the sense of Information provider who is interested in the use by the recipient, one wants to exclude digital retransmission. This creates an equivalence e.g. B. achieved for paper printing, in which the data is used directly, ie read can be, but can not be redistributed without considerable effort.

The computer system according to the invention is characterized in that between the Central unit and the output unit a decryption unit is provided, which decrypts the data coming from the central unit and which the decrypted data only to those for the output of unencrypted data  provided / n output unit (s), wherein none in the computer system Means for transmitting the decrypted data back to the central unit or are provided to another unit of the computer system. Advantage of that Computer system according to the invention is that the encrypted data only for decrypt certain predetermined output units of the computer system are so that this data can only be used via these output units. A transmission of the decrypted data to, for example, a Output interface or a storage unit of the computer system is in the computer system according to the invention not possible, so that the unencrypted Data on these output units can not be distributed.

In one embodiment of the invention, the decryption unit of the Computer system data using an asymmetrical Encryption process or by means of a public-private key process have been encrypted. The advantage of such encrypted data is that it are secure against decryption by unauthorized persons.

The output unit of the computer system according to the invention, for which the encrypted data can be decrypted by the decryption unit for example the screen or the printer of the computer system. This is advantageous because this means that the unencrypted data is at most as Screen information or printer information is available and thus one unproblematic distribution is not possible.

In a further embodiment of the computer system, the output unit is separated provided by the central unit, the decryption unit in the Output unit is integrated. The advantage of this training is that only certain Output units such as B. the printer or the graphics card or the screen of a computer system with which the decryption unit can be provided.  

In a further embodiment of the computer system according to the invention, the private one Key of the decryption unit, which is used to decrypt the public key of the decryption unit serves encrypted data, secret provided in the decryption unit. The advantage of this training is that even if the user of the computer system has access to the encrypted Data would give him the private key through which he encrypted the Decrypt data, is not known.

In the method according to the invention for the output of encrypted data the encrypted data is received via an interface and sent to a Central unit transmitted. Then the encrypted data for the Output transmitted from the central unit to a decryption unit and from this decrypts. The decrypted data is from the Decryption unit to a specific, for the output of unencrypted data provided output unit transmitted and output by this. It is at the inventive method not possible that the decrypted data back to the central processing unit or to another unit of the computer system, from that the unencrypted data should not be processed further (e.g. a Storage unit). Advantageous in the invention The method is encrypted, for example, from a network transmitted data used by the recipient, d. H. for example printed out or displayed, a retransmission of the unencrypted data but is not possible electronically.

The present invention will now be described with reference to exemplary embodiments the only figure explained. This shows the computer system according to the invention schematically.

The computer system 1 according to the invention has an interface 3 which receives encrypted information I _v from a computer network 2 . It is also possible to receive the encrypted data via other information media. For example, unit 2 could also represent a floppy disk or the like, reference number 3 then denoting the corresponding reading unit of the computer system. The encrypted data I _v , which have been received by the interface 3 , are transmitted by this to the central unit 4 of the computer system. It is essential in the computer system according to the invention that the information I is always present in the central unit 4 in encrypted form. For example, if the information I is to be distributed again via the network 2 , this can only be done with the encrypted information I _v . The processing of the information in the central unit 4 also takes place in the encrypted state. To use the information, it must now be made accessible to the user of the computer system 1 . For this purpose, output units 6 , 7 , 8 are provided for the computer system 1 . In the example shown in the figure, the output unit 6 provides a storage unit, such as. B. the floppy disk drive, the output unit 7 is a screen and the output unit 8 is a printer. If the information on the screen 7 is to be displayed to the user of the computer system 1 , the central unit 4 transmits the encrypted information _IV to a decryption unit 5 . The decryption unit 5 decrypts the information and transmits the unencrypted information I _u to the screen 7 . It is essential to the computer system 1 according to the invention that the unencrypted information can only be transmitted from the decryption unit 5 to a specific desired output unit. If the information is also to be output on a printer for use, the central unit 4 transmits the encrypted information _IV to a further decryption unit 5 which, after the information has been decrypted, transmits it to the printer 8 . Instead of providing two decryption units 5 for output to output unit 7 or output unit 8 , as shown in the figure, it would also be possible to provide only one decryption unit 5 , which transmit the unencrypted information I _{u to} either output unit 7 or output unit 8 can.

In the exemplary embodiment explained here, the information received by the computer system 1 via the interface 3 has been encrypted using a public-private key method. For this purpose, the information I was encrypted by the sender before being sent using the public key KÖ of the decryption unit 5 . The private key KP of the decryption unit 5 is not accessible by the decryption unit 5 . Thus, the only way to decrypt the encrypted information I _{v is} to feed it into the decryption unit 5 . In the decryption unit 5 , the encrypted information I _{v is} decrypted using the private key KP of the decryption unit 5 . Since the computer system 1 according to the invention is designed in such a way that the data which have been decrypted by the decryption unit 5 are only delivered to certain output units which are intended for the output of unencrypted data, undesired further distribution of the unencrypted data is not possible. In order to further complicate the undesired further distribution, it would be possible for the decryption unit 5 , which is provided, for example, for a printer as the output unit 8 , to output the unencrypted information as pixel values for the printer.

It should be noted that the term "computer system" according to the present invention is to be understood in a very broad sense. The computer system can thus be a printer which has a central processing unit 4 , an interface 3 for receiving the data to be printed, for example from a personal computer (PC), and the printer drum as the output unit 7 . In this case, the decryption unit is provided between the central processing unit 4 of the printer and the printer drum 7 . Furthermore, the computer system could be a plug-in card for a PC, e.g. B. a graphics card, the interface 3 is the connector, on the data from the CPU of the PC, the central unit 4 is a certain electronic part on the card, and the output unit 7 is the connector for the monitor cable. In this case, the decryption unit 5 is provided between the central electronics 4 of the plug-in card and the monitor cable connector 7 .

The following is a possible embodiment of the invention in the form of an example described.

The information provider is a newspaper Z, which a reader L ordered from the latter Information I, e.g. B. deliver specially subscribed newspaper pages over the Internet would like to. The newspaper Z is interested in the reader L reading the information I. can, but would like to prevent the information I from the reader L in digital Form to be redistributed. The reader L should have the information I on his Read the screen or print it out on its printer, but not unencrypted save or resend in a form that can be used by third parties. The The information should be transmitted via a public, non-bug-proof channel to be possible. First of all, the reader L therefore requests the information I from the newspaper Z on. The newspaper wants to ensure that the information I only from printer D of the Reader L, but cannot be decrypted by the computer itself. Therefore, the reader L delivers the public when requesting the information Key KÖD of his printer D with z. B. as a forty-digit number combination is printed on the housing of the printer. The KPD's private key Printer D is not known to reader L, but rather in printer electronics integrated. The newspaper creates the desired newspaper pages (I) and encrypts them with the key KÖD to a data stream IV and sends it to by email the reader L. This sends the encrypted data stream IV to his printer D. In the printer D, the data stream IV with the private key KPD of the printer decoded and the desired newspaper pages printed out in legible form I. An analog application is conceivable for the delivery shown on the screen Graphic pages on the Word Wide Web. In this case, the decryption would first in the graphics controller card and not yet in the central processor of the computer  respectively. The supplier of the information could here, for. B. be interested in that the information can only be read, but not printed.

An additional problem has to be solved: the newspaper Z must be able to ensure that the supplied public key KÖD of the alleged printer actually one valid public key e.g. B. is a brand X printer and not one of Reader L self-generated public key, to which this is the appropriate private Key. This verification ensures that the Public / private key procedure on the keys themselves. This is not on the printer the actual public key KÖD printed on the printer itself, but rather the one encrypted with the private key KPX of the printer manufacturer X. public keys KÖD of the special printer copy D, here called KÖDX. This combination of numbers KÖDX is delivered to the newspaper. The newspaper decrypts the number combination first with the well-known public one Key KÖX from the printer manufacturer X and thus receives the guaranteed fake public key KÖD of the special printer copy D, with which in turn is then encrypted the information I before sending. If the number combination KÖDX supplied by reader L is falsified, leads the Decryption with the public key KÖX of the printer manufacturer X by the newspaper to an invalid public key KÖD of the special Printer copies D.

This verification process is state of the art and in various Publications described. The function of the verification instance described there or authorization authority takes over in the example presented here Printer manufacturer X.

Claims (10)

1. Computer system ( 1 ) with

• - an interface ( 3 ) for receiving encrypted data,
• - At least one output unit ( 7 , 8 ) for outputting unencrypted data and
• - a central unit ( 4 ) for receiving the data from the interface ( 3 ) and for transmitting data to be output to an output unit ( 7 , 8 ),

characterized,
that a decryption unit ( 5 ) is provided between the central unit ( 4 ) and the output unit ( 7 , 8 ), which decrypts the data coming from the central unit ( 4 ) and which only decrypts the data provided to the output of unencrypted data Output unit (s) ( 7 , 8 ) transmitted, wherein no means for transmitting the decrypted data back to the central unit ( 4 ) are provided in the computer system ( 1 ). 2. Computer system ( 1 ) according to claim 1, characterized in that the decryption unit ( 5 ) decrypts data which have been encrypted by means of an asymmetrical encryption method. 3. Computer system ( 1 ) according to claim 1 or 2, characterized in that the decryption unit ( 5 ) decrypts data which have been encrypted by means of a public-private key method. 4. Computer system ( 1 ) according to one of the preceding claims, characterized in that the output unit ( 7 , 8 ) is a screen and / or a printer. 5. Computer system ( 1 ) according to one of the preceding claims, characterized in that the output unit ( 7 , 8 ) is provided separately from the central unit ( 4 ) and that the decryption unit ( 5 ) is integrated in the output unit ( 7 , 8 ). 5. Computer system ( 1 ) according to one of claims 3 to 5, characterized in that the private key of the decryption unit ( 5 ), which is used to decrypt data encrypted with the public key of the decryption unit ( 5 ), secret in the decryption unit ( 5 ) is provided. 7. Procedure for the output of encrypted data, in which

• - The encrypted data are received via an interface ( 3 ),
• - The encrypted data are transmitted to a central unit ( 4 ) and
• - The decrypted data are output by an output unit ( 7 , 8 ),

characterized,

• - That the encrypted data for output from the central unit ( 4 ) to a decryption unit ( 5 ) are transmitted,
• - That the encrypted data are decrypted by the decryption unit ( 5 ) and
• - that the decrypted data are transmitted from the decryption unit ( 5 ) to the output unit ( 7 , 8 ) provided for the output of unencrypted data,

the decrypted data not being transmitted back to the central unit ( 4 ).