Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/12—Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
  • H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

• Randomness is a basic and well-known tool in many disciplines of science
• a random result employed at the remote locations is preferably
• Encryption in particular, is a necessary tool in electronic communications
• encryption involves turning a meaningful series of data
• encryption systems allow a receiver of data to detennine that the data has been
• encryption methods may be classified into groups as
• random (one time pad) encryption - as opposed to algorithmic encryption, block enciphering, as opposed to stream enciphering, etc.
• access to the data may be grouped into four. They are:
• asymmetric systems use a system of mutually exchanging
• One approach in key management involves the use of a trusted third party, a
• certificate authority manages key changes for all
• a secure communication system may be regarded as a chain, and the level of
• the master key category preferably
• session keys which session keys are used for the encryption of the bulk of the
• the public key system relies for the user identification
• the identification step may be carried out with the help of a
• key management system should allow users to produce the same random key
• a particular environment in which encryption is important is the Internet.
• the state machines dynamically produce changing keys, by
• the machines at both ends are synchronized by using the same seed bits each
• the overall commander located with army A, has to co-ordinate an attack,
• the overall commander thus sends a message to the commander of Army B, by dispatch rider, which conveys time of and directions for the intended attack.
• the depth of the problem may be demonstrated by illustrating two
• the remotely located random data process preferably preferably
• the key management being to provide at each party
• the apparatus comprising:
• a datastream extractor for obtaining from data exchanged between the
• a key generator for generating a key for encryption/decryption based on the
• the random selector is operable to use results of the
• the key generator is operable to generate a new key after a
• the predetermined number of message bits being substantially
• the apparatus preferably comprises a control messager for sending control
• the apparatus preferably comprises a synchronized state determiner, for
• apparatus is synchronized therewith to generate an identical key.
• the apparatus preferably further comprises a resynchronizer, associated with
• the synchronous state determiner the resynchronizer having a resynchronization
• random selector for selecting, from a part of the bitstream previously used by the
• the series of bits is a series of bits previously used by the random
• control messager is operatively connected to the synchronous
• control messager is operatively connected with the
• the data communication is arranged in cycles, the part of the
• bitstream being exchangeable in each cycle.
• the cycle is arranged into sub-units, each the cycle having an
• the messager is usable to -exchange control messages with the
• the messager is usable to vary a control message in accordance
• the apparatus is operable to respond to messages sent by a remote party to resynchronize using a same bitstream part.
• the apparatus is operable to respond to messages sent by a remote party to resynchronize using a same bitstream part.
• the apparatus preferably comprises circuitry for determining which of itself
• the remote party is a transmitting party and being operable to control the
• the synchronized state determiner comprises:
• a comparator for comparing a result of the calculation with a result received
• the irreversible calculation comprises a one-way function.
• the system is operable to provide key management for a
• the apparatus is constructed modularwise such
• each selector being operable to
• a key generator for generating cryptography keys at predetermined key
• the primary bitstream is obtainable as a stream of bits from a data
• the bits in the primary bitstream are separately identifiable by an
• selector is operable to select the bits by random selection
• each selector comprises an address generator and each address
• the system further comprises a controller for exchanging control
• control data includes any one of a group comprising:
• control data includes any one of a group comprising:
• a hash encoding result of at least some of the bits of the randomization.
• control data includes any one of a group comprising:
• control data includes any one of a group comprising:
• the data communication process is arranged in cycles, the
• the cycles are arranged into sub-units, each the cycle having an
• the controller is usable to include in the control messages, data to
• the controller is usable to vary a control message in accordance
• the primary data source is obtainable as a stream of bits from a
• the primary data source comprises a stream of data bits divisible
• bits in the data units are separately identifiable by addresses
• the method comprises selecting the bits by using the randomizer as an address
• selecting is carried out by using identically set pseudorandom
• the method further comprises exchanging control data between the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality of the plurality
• control data includes any one of a group comprising:
• redundancy check data of at least some of the derived data source
• a hash encoding result of at least some of the derived data source is a hash encoding result of at least some of the derived data source.
• the method preferably comprises determining from the control data whether
• the method preferably further comprises a step of exchanging the
• the method preferably further comprises:
• the method preferably further comprises creating in advance a future cycle's
• the method may be used to provide key management for a symmetric
• Fig. 1 is a generalized block diagram showing two parties communicating over an open network in accordance with a first embodiment of the present
• Fig. 2 is a generalized block diagram showing a communication device for
• Fig. 3 is a simplified diagram showing how each party may obtain an
• Fig. 4 is a simplified block diagram illustrating apparatus located with a
• Fig. 5 is a simplified diagram illustrating a random data production procedure
• Fig. 6 is a simplified block diagram showing a device for secure
• Fig. 7 is a simplified block diagram showing two communication devices of
• Fig. 8 is a simplified block diagram showing a secure communication
• Fig. 9 is a simplified diagram showing how a process using random data
• FIG. 10 is a diagram showing the structure of Fig. 9 in greater detail
• Fig. 11 is a simplified diagram showing in tabular form a protocol for
• Fig. 1 is a simplified block diagram showing two users, Party A and Party B,
• FIG. 2 is a simplified diagram illustrating a preferred secure communication
• link management device 10 for location at a party for secure management of a
• the link management device 10 carries out key management by using a
• the device is
• Link management device 10 comprises six major functional components,
• a main process unit 20 carries out local user processing. It may be the
• a Manage/control unit 30 manages and controls the key management issue
• a router and arranger unit 40 routes messages to a communication port 44,
• the router and arranger unit 40 additionally supports other units, by ananging, preparing and
• An encryption engine 50 is responsible for encrypting messages for secure
• a pointer generator RndGenPLRB 62 prepares or generates pointers
• a random processor 70 associated with the pointer generator 62, uses the
• Main processor 20 transmits/receives regular messages (unencrypted) via a
• the message is preferably passed untouched tlirough
• Router & Arranger 40 to or from the communication port 44, while messages
• Enc/Dec unit 52 to be output, in the fonn of cipher text, - via cipher text, CIPH, line
• the router & arranger 40 arranges the cipher text and
• Router & Arranger 40 to be areanged and sent to random processor 70.
• & arranger also sends the message via CIPH line 43 to encryption engine 50, for decryption by Enc/Dec unit 52.
• the decrypted message is then sent to the main
• Enc/Dec unit 52 is preferably fed with changing keys, randomly produced in
• a key generation unit 54 as will be explained in more detail below and distributed
• the random processor 70 is preferably loaded with a bit sequence via
• loader SB line the bit sequence being from secure
• bits sequence is supplied from the router and arranger but a
• the unit 54 for randomly producing keys.
• the sequence is preferably additionally fed
• Manage/control unit 30 is responsible for the activation, synchronization and
• control lines for
• control line CI, 31 is
• control line C2, 32 is connected to encryption engine 50,
• control line C3, 33 is comiected to pointer generator 62, control line C4, 34 is
• the link management device 10 thus encrypts secure messages using
• the messages are decrypted using continually changing keys
• two parties may provide a secure channel between two communicating parties, for
• produced and exchanged keys may be used by the receiver for decryption, even
• FIG. 3 is a simplified diagram of a process
• the diagram illustrates in tabular form a preferred process for use in the random
• the random process may be illustrated as follows: Given a sequence (or stream) of
• each bit has an addressable position in the stream
• content may be analogous to the colors black white of the ball analogy.
• the SB sequence comprising N ordered stream bits, is held in a field 74 which is
• row 1 being the 'rb#l row, which indicates a random
• bit position in the M ordered random bits sequence (random bit number), row 2 is the
• PLRB row Place of Random Bit ) which indicates in each of its cells - plrbi , plrb 2 ,
• plrb 3 , ••• , plrb M - a different address in the SB stream to find a bit, that is to say each cell
• the pointer is a pointer to any of the bits in the SB bitstream.
• row 3 denoted the 'RB - Content' row - which is to say the row
• PLRB row positions contain data content 3,5,9,3, respectively. Then random bit
• bit number 3 is selected from the
• bit number 5 is selected from the SB, bit position no. 5
• bit number 9 is selected from the SB, which bit position has a content of 1.
• SB stream is relatively long and comprises well
• the ratio should not be exactly 50%:50%.
• the PLRB stream that is to say M «N. Furthermore it is preferable that the PLRB stream, the
• Fig. 4 is a simplified schematic diagram
• arrows 75 symbolize selection by pointers of a bit from the respective bit stream
• the PLRB pointer data items (plrbj, where 1 ⁇ j ⁇ M) are defined such that 1
• ⁇ plrbj ⁇ N and allowing repetitions means allowing two or more 'plrb's to be the
• the structure may be incorporated within random
• Random processor 70 preferably comprises PLRB register 66, which holds M
• the pointers are preferably input into random selector (FISH)
• the random processor 70 further comprises
• an SB register 74 which holds the N SB stream bits, and also comprises an RB
• Random selector (FISH) 76 receives as an input the content of PLRB register
• the M random bits may then be
• Random processor 70 preferably has two inputs as follows:
• Fig. 5 is a simplified schematic diagram
• RndProC j The random processes illustrated in FIG. 5 are named RndProC j and
• the index may be added to those parameters used
• PLRB are changed for each process, and are selected from independent sources, in
• FIG. 6 is a block diagram illustrating a
• FIG. 6 illustrates in greater detail the device of FIG. 2 above, for achieving
• a cunent execution step is indicated by index i, and the next consecutive step is
• FIG. 6 differs from foregoing figures by including in encryption
• step i Dl delay register 55 outputs, via j line 53, into
• Encryption unit 52 a previously generated key, K-, for use as an
• Fig. 2 above had a pointer, or random address, generator 62.
• Fig. 2 had a pointer, or random address, generator 62.
• the pointer generator is replaced by a random address unit 60
• the pointer generator 62 is only one part.
• random address unit 60 is preferably
• the pointer generator 62 Preferably, the pointer generator 62,
• step i via RndForUse line 73, the i th step random sequence of M random bits, and in turn generates PLRB ⁇ , which it places in PLRB ⁇ +j register 64.
• step i D2 delay register 65 outputs the step i PLRB ⁇ pointers
• LoaderPLRB line 72 into PLRB ⁇ , for use in current process i.
• FIG. 6 illustrates consecutive process activation. Consecutive process
• encryption engine 50 encrypts or decrypts a secure piece of a
• random processor 70 receives input data from inputs as follows:
• the pointers were generated one process earlier, that is to
• Random Processor 70 is now able to produce the M random bits of the i step, which may now be placed in RB register 77.
• key generation unit 54 preferably
• the key is preferably generated
• the index i is preferably incremented and the above
• FIG. 7 is a simplified block diagram
• FIG. 7 two parties are illustrated, each having the
• Party A transmits a secure message to party B. It is assumed that the parties
• Party A can
• the ciphertext is preferably used as a source for
• successive SB streams may be used to generate the successive SB streams.
• the successive SB streams may be used to generate the successive SB streams.
• party B uses the ciphertext, following receipt from the
• Router & Arranger box 40 which Router & Arranger box 40 is able to provide successive streams of bits SB j ,
• the successive SB streams may be
• PLN line 42 is here notated as PLN (x) - 'x' being the symbol for plaintext
• CIPH line 43 is here notated as CIPH (y) as 'y' is a common symbol for
• the symbol 'y**' indicates data as it arrives from the channel, which may be a
• new encrypted message may be started using the last produced key of the previous
• Such a key may have been retained, for example in the Dl key register 55.
• the parties remain in synchronization, they are able to
• the features include an ability to overcome
• bits of the cipher text itself are used as one
• a system of acknowledgements between the parties preferably prevents occurrence
• step i pointer bits PLRB j are selected, stream bits SB- are selected,
• a key K- is used for encryption decryption of a message
• the currently obtained random bits RB j are preferably used for generating
• step i+1 for the next step, step i+1.
• the random bits Rb j are used to obtain both
• key management is referred to hereinbelow as key management.
• one party may be in process i+1, or
• parties may be using key Ki+1 or even Ki+2, or higher, while the other party is still
• control messages by exchanging control messages between the parties.
• control messaging is carried out as follows:
• control messages themselves may be in plain text - that is to say not in themselves
• encrypted and preferably comprise indicator bits indicating states of sensitive
• Sensitive process data includes any of the random output bits, the bits
• the indicator bits are preferably produced by carrying out a one way function
• detection code used on the sensitive data for example a CRC of the sensitive data.
• the indicator bits allow another party to realize immediately if it is in synchronism or not, by comparing received indicator bits with self calculated indicator bits.
• the CRC check bits are preferably too sparse
• the correction is applied to the SB stream bits, from which eventually the
• RB random bits are selected.
• bit selection is followed by executing an error correction mechanism at least on
• the limits are generally set on system design and
• loss may occur for example as the result of a high noise event or a cut in the
• communications is to insert noise into the communication, causing synchronization
• the parties are generally remotely located, and the aim of the resynchronization is to achieve identical sensitive data
• Fig. 8 is a simplified block diagram
• the present embodiments preferably exchange the resynchronization points randomly at
• Fig. 8 shows more detailed versions of encryption engine 50 and random
• address generator unit 60 showing additional features for handling
• Encryption engine 50 thus additionally comprises a backup key register BU-
• Kgm 59 a backup key memory MEM BU-K 58, a key in use register -InUse 51,
• the random address generator 60 The random address generator 60,
• the pointers in use register PLRBInUse 67 takes from D2 register 65, the set of pointers prepared during the
• PLRBInUse 67 takes data for use as pointers
• pointer register BUPLRB 68 has preferably been used to store, at an earlier stage,
• register BUPLRB box 68 is preferably data that has been generated earlier on in
• pointers in use register PLRBInUse 67 takes on the role of a gate that
• the backup key stored in backup key memory MEM BU-K 58 is a backup key stored in backup key memory MEM BU-K 58.
• backup random bit register BU-RB 78 which has been accumulating random bits as described above in respect of backup pointer
• in-use key register K-InUse 51 plays the role of a gate that decides
• the backup random bits register BU-RB 78 preferably accumulates and
• the back up random bits it stores may be an outcome of
• the backup random bits are used as random input for the backup random bits.
• backup pointers - stored in backup pointer register BUPLRB 68- may be considered
• backup data is preferably changed randomly, and the changing-over of backup data
• the back up synchronization, or sensitive, data refers to the backup
• a connection refers to an encrypted communication from one party to
• a connection preferably comprises consecutive units defined here as sections, each section being a stream of ciphertext bits of a defined length.
• a Regular connection is a connection that begins in synchronization
• a Successful connection is a any connection that ends with the parties
• connection is built of 1 or more sections.
• backup random generator BU-RndGenPLRB 69 produced in backup random generator BU-RndGenPLRB 69, are entered and stored in backup pointer register BUPLRB 68 to replace the previous backup
• Both the back up key and the back up pointers are preferably
• first K Sections may be from the first
• connection in the cycle or at most from the very first few connections of a
• the parties After recognition of loss of synchronization, the parties preferably
• connection begins a new cycle, meaning that new random data is initially
• connection may be considered the first successful regular connection of the new
• Fig. 9 is a simplified diagram showing
• randomness preferably has already been used for and by the regular keys
• loss of synchronization may occur at or near one
• one party may have moved on and changed over
• Fig. 10 is a simplified connections diagram
• the four areas are herein denoted as follows: a

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (1)

Publications (2)

Family

ID=34531846

Family Applications (1)

Country Status (1)

Cited By (1)

Citations (6)

Family Cites Families (1)

• 2002
  • 2002-07-16 EP EP02747644A patent/EP1540877A4/de not_active Withdrawn

Patent Citations (6)

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events