JPH02106787A - Cryptographic device - Google Patents

Abstract

PURPOSE: To improve the management of a cipher key by forming a cipher by means of connecting it to a key in accordance with a ciphering procedure and preventing the key from being ciphered only when a control vector is precisely applied to cipher hardware. CONSTITUTION: A 64 bits key K is ciphered with the key ciphering key KK (constituted of 64 bits on the left half named as KKL and 64 bits on the right half named as KKR) of 128 bits and the 64 bits control vector C of a register 40'. In such a case, a register 46L exclusively OR-operates CL of a register 40L and KKL of a register 42L and sets KKL+CL. A register 46 exclusively OR-operates CR of a register 40R and KKR of a register 42R and sets KKL +CR. Namely, a method for using C where the left half bit part and the right half bit part are equal and the 64 bits control vector is obtained by reducing the method for using a 128 bits control vector. Thus, the control vector is doubled and the newly improved cipher can be obtained. Then, the improved method of cipher key management can be obtained.

Description

DETAILED DESCRIPTION OF THE INVENTION A. Field of Industrial Application The present invention generally relates to data processing technology, and particularly to cryptographic processing applications in data processing.

B. Prior art and its problems The following related patent applications related to the present invention are cited as references.

(a) B. Brachell et al., U.S. Patent Application No. 55502, May 29, 1987, "Control of Cryptographic Keys by a Generator for Establishing Control Values."

(b) U.S. Pat.

(c) U.S. Patent Application No. 233,515, filed Aug. 17, 1988, by S. Matthias et al., entitled "Cryptographic Processing of Data with Control Vectors."

(cl) U.S. Patent Application No. 237,938, Aug. 26, 1988 by S. Matthias et al.
IN processing”.

(e) "Data Validation with a Modified Search Code Based on a Public One-Way Encryption Function," U.S. Patent Application No. 90633, August 29, 1987, by B. Brachell et al.

Concept of control vector: Control vector defines the usage attributes of the dark 53'' key,
A simple data structure that controls the transmission of cryptographic keys from one network device to another.

The control vector is combined with the key to form a cipher by a cryptographic procedure that decrypts the key only if the control vector is correctly applied to the cryptographic hardware.

FIG. 7 is a system for cryptographically combining a 64-bit control vector to a 128-bit cryptographic key, as described in the aforementioned related patent applications (Brachell et al. and Mathias et al.). For simplicity, the procedure for encrypting plaintext X using key K is expressed as eK(X)=Y. (Y indicates the resulting ciphertext.) Conversely, the procedure for decoding ciphertext Y with key K to reproduce plaintext X is written as dK(Y)=X. 128-bit key encryption key KK (KKl-
64 bits in the left half, named KKR, and 64 bits in the right half, named KKR) and 64 bits in register 40".
The procedure for encrypting the 64-bit key K using the bit control vector C is an application of the multiplex encryption described in the aforementioned ``Key Security Management Using Control Vectors'' (Matthias et al.). KKL10C (d KKR+C
It is written as (e KKL+C(K))). "Ten" means exclusive OR. Encryption is performed in the following steps.

First, in the exclusive OR device 46, the exclusive OR of the 64-bit control vector C and KKL, KKR of the register 42 is determined. Encryption device 41 instead
, the K in the register 44 is encrypted by KK+-10C, and the result is sent to the decryption device 43 as K K R
It is decrypted (also referred to as decryption, hereinafter the same) by 10C, and the result is sent to K K L 10C in the encryption device 45.
Encrypted by eK K L + C (d K K
Since it is complicated to write R + C (e K K L + C (K))), we calculate the exclusive OR operation, that is, the exclusive OR with KK (more precisely, each of K K +- and KKa). KK the operation.

It is written as C. * KK indicates that the key is 128 bits, not 64 bits. That is, KK is a 128-bit key with an asterisk, and a 64-bit key without an asterisk.

e+:+KK, c(K) means that K is encrypted using the 128-bit key KK that is the exclusive OR result of C and the left and right halves of KK.

Figure 8 shows the encrypted value K (Y=e*KK,
This is a system that decrypts C(K)) using a key KK and a control vector C. This is done in the following steps. First, as described above, the exclusive OR of C, KKL, and KKR is calculated.

Instead, in the non-encryption device 47, the encrypted value K is
K1. , decrypt it with 10C, and encrypt the result with K K It 10C in the encryption device 48,
The result is sent to the non-encrypting device 49.
decrypted by According to FIG. 8, KK, C.

and e K K L + C(d K K R0C(e
K can be reproduced only if K K L + C (I< Good morning.

(To be more precise, if the arbitrary length control vector C" and KK are not equal to C, then the ciphertext eKKL0C(dK
Even if KR1C(eKKL+C(K)))) is decrypted, the possibility that a plaintext equal to K4 will be reproduced is 1/2:ζ>;C64, which will affect the processing of the JJfS issue. do not have. An intruder may accidentally discover the value of K by performing cipher analysis using the 11'L pure method of direct search, or may decrypt the ciphertext using any number of keys until the desired plaintext is found. In either case, a considerable number of encryption/decryption procedures are required. ) As stated in ANsr X3.92 (198i), the data encryption algorithm (+) E A ) is
8 is an example of an encrypted alprism that can be manipulated by control vectors using the encryption/decryption scheme described in FIGS. 7 and 8. FIG. It will be appreciated that the control vector concept can be applied to any similar ciphertext by specifying a control vector equal to the length of the key, and to multiple ciphertexts using multiple cipher techniques.

Network configuration of cryptographic device: Figure 3 shows the network connections (host, control device, workstation, etc.) of the cryptographic device.

This consists of the -Uβ device 1-00 of the data processing device 2 and other cryptographic devices 200, 300, etc. connected through the cryptographic distribution channel 1000, and is capable of exchanging cryptographic information. That is, the transmitting device performs encryption and the receiving device decrypts, so that each device can perform secret communication. Each device verifies the data transmission by adding a message confirmation code to the message prepared by the transmitting device, and verifies the message and the message confirmation code by the receiving device. A key is securely generated and encrypted within the device, and the encrypted key is transmitted to the receiving device. Within the receiving device is a key data set (for later use in encrypting and verifying data or for other key management operations) in which the keys are stored in an appropriate form. Such key management procedures, protocols and methods are described in related patent application (b) of Matthias et al.
, (C) and (d).

FIG. 4 is an enlarged view of the cryptographic device 100 of FIG. 3. Each cryptographic device is configured into a cryptographic facility (CF) 4 that creates a set of cryptographic instructions 52, a key storage 22, a cryptographic facility access program (CFAP) 54, and a user application program 55. CF is 128 bits.
Including register 8 which is the master key KM, KM
The left half is 64 bits (KML) and the right half is 64 bits (KML).
MR). (Assume that the cryptographic algorithm executed in the CF is the Data Encryption Algorithm (DEA).) All keys stored outside the CF are stored under the master key and control vector as described in Figure 7. It is encrypted and stored in the key storage device 22. The key in key storage 22 encrypted by the master key is C
Since the model number can be processed by F, it is called a processable key. Other keys (key-encrypting keys, i.e. K E
The key encrypted by K) is stored in a form convenient for distribution to other devices, ie, for transmission to or reception from other devices. (Note: Keys are generated, encrypted, and sometimes in a received form, allowing them to be re-received by the same device that generated them.) Typically, each device in a set has two KEKs: Share.
a) A -th KEK (referred to as KEKI) that encrypts and transmits the key from the first device to the second device. b) encrypting and transmitting the key from the second device to the first device;
Second KEK (referred to as KEK2). In the first device, K E K 1 is indicated through the control vector as the KEK transmit key (because it encrypts the key for transmission to the second device), while KEK2 is the KEK transmit key (because it encrypts the key for transmission to the second device). The key for reception is designated as the KIEK reception key through the control vector. In the second device, the roles of KEKl and KEK2 are reversed, i.e. KEKI is the KIE K receiving key and the KIE
K2 is the KIEK transmission key.

Cryptographic mechanism 4 also includes a random number generator 26 that generates 64-bit random numbers. The output of the random number generator can only be read and interpreted by the CF. The cryptographic mechanism also includes a secure front panel interface 58 and a portable key entry device 60.
It includes a port 59 for connection to. There is a key activation physical switch 61 on the front panel that allows key entry, including the master key, through the key input device 60.

(For cryptographic components corresponding to the cryptographic device 100,
Matthias et al.'s related patent applications (b), (c) and (
I am familiar with d). ) Return to Figure 4 again. The cryptographic instruction set 52 supports key management, data encryption/verification functions, and personal identification number (
Perform financial transaction processing based on PIN) confirmation,
Consists of several Dark Moon Commands. Related patent applications by Matthias et al.
In b), (c) and (d) three examples of cryptographic processing applications are detailed. Typically, the user application program 55 is activated in response to a request for presentation of document No. 118. Follow the steps necessary to meet the request. For example, at 62, a request is made to the CFAP in the form of a macro call that includes one or more parameters (unencrypted data, encrypted data, key and ciphertext,
5, the key, label, etc. used to access the encryption key in the key storage device 22 is specified, and therefore the CF A
I) 54 is assumed to be capable of executing the requested operation. or 6
4, to execute one or more cryptographic instructions (to generate new cryptographic keys and cryptograms, or to encrypt, unencrypt, or re-encrypt data and keys to create appropriate cryptographic instructions). (e.g., for output in encrypted or unencrypted form)
CIi' A I) may outweigh C124. The result is that C) 7Δ[) stores the newly created encryption key in key storage 22 at 654 or returns a value of 1 or more in response to a request from the application program at 66; Both can happen. 64
CF to CF A I) status code, and 66
The status code from the CF AP to the application program indicates normal or abnormal status (indicating whether the requested operation was performed or not).

Operational Key Management with Control Vectors: Since key attributes are typically public (ie, can be known or guessed by system users) rather than secret, control vectors are defined as public or unsecured values. On the other hand, the encryption key defined in the system must be protected, so it is necessary to "link" it using the control vector as the key.
It is necessary to make sure that the key is not exposed when doing so.

(Note 2: The present invention also relates to a technique for incorporating a confidential password into a control vector.) FIG. 5 illustrates the linking of a control vector to a key. In this example, a key generation command KGLEN is used, which causes a key to be generated from the cryptographic machine Ij0. Let's try this procedure.

In step 71, application A uses CII' A to generate a key.
I]. Step 72 before executing the KGEN instruction
CFAP generates a 64-bit control vector that specifies the attributes of the key to be generated. Control vector C is passed to CF in step 73 as part of the KGEN instruction. In response, in step 75, the cIS generates a 64-bit random number (using a random number generator readable only by C17) that is of odd parity. This represents the generated key K. K is encrypted by the exclusive OR mechanism of the control vector C passed in step 73 and sent to the master.
The key KM is accessed according to the encryption rules described in FIG. The encryption key, denoted e*KM,c(K), is returned in step 76. (Note: e
*KM, (”: (K) means KM l-+C
, KMR11C, etc., is a simple representation of multiplex 118 encoding using various keys. ) Instead, depending on the case, C1 ga A r-) is the encryption key e>:! KM,C(
K) and control vector C of step 77 are stored in key storage 22 in step 78 (in which case the key label of step 79 is returned to the application program in step 80), or the value is stored in step 8o. is returned to the requesting application program. In either case, the key generation procedure and cryptographically "linking" of the control vector to the generator key of the present invention ensures that the control vector is public and non-confidential, and is 1/I and outside the cryptographic mechanism. It will be determined that the generated key is not clearly exposed.

Although the control vector is not sensitive, it must be supplied, designated, and provided as input to the cryptographic mechanism whenever the key to which it is linked is used. Every bit in the control vector must be the same as specified when the key was generated and encrypted. If C is not specified correctly, an unspecified and unpredictable key value will occur. The encryption key and control vector are CF A
I) to CI? Among the larger steps that are treated as parameters of the cryptographic commands issued in the above, there is always the regeneration of a previously encrypted key (i.e., decryption of the key) by the control vector. The cryptographic mechanism thus examines the control vector to ensure that the key is used as an input parameter of the requesting cryptographic instruction. This preliminary test of the control vector is called a post-CV test. When one or more encryption keys and control vectors are provided as parameters in the cryptographic instruction, the C■ check not only checks the consistency of the control vectors, but also checks the correlation of one control vector with respect to other controls as necessary.
An i-test will also be conducted. Figure 6 shows the steps required by the cryptographic mechanism when processing a cryptographic command, but each command basically consists of the following three steps.
It consists of two functions. a) CV test 81, b) key regeneration 82, C) request command processing 83 [first requested operation is CV test 8]. This consists of matching control vectors and determining whether the use of the requested key parameters matches the requested instructions. If the post-CV check cannot be passed, instruction execution is aborted. In all cases, a status code is returned to the CFAP to inform it of the condition. If the post-CV inspection is passed, processing continues.

The next required operation is key regeneration 82, ie, decryption of the encrypted key. According to the method of cryptographically combining the control vector and the key, even the slightest bit of fraud (changing bits of the control vector and changing incorrect attributes to the key) can be avoided.
If there is, an indeterminate key value will occur. In short, the target cryptographic key is not recovered by the cryptographic instructions. The final request operation is processing 83 of the request cryptographic command. If the control vector and key are specified correctly, the instruction will be processed correctly. However, if fraud occurs, the operation result will be an invalid value. CV@ inspection, key regeneration, and instruction execution methods are further described in the related patent application (b) of Matthias et al., cited above.

The degree of key management provided by a control vector is highly related to the number of bits in the control vector. Especially 10 to 5
A short control vector of 0 bits has limited use and can only support a small portion of key management. Related Patent Applications (b), (c), and (d) of Matthias et al., cited above, discuss the use of a 6/I bit control vector, which suggests that in moderately complex cryptographic systems, key usage and 64-bit control vectors are more useful than other control vector types for managing distribution. A 64-bit control vector thus satisfies many cryptosystem implementations. However, for highly sophisticated key management control, a control vector of 64 bits or more is required.

It is an object of the present invention to provide an improved method for cryptographic key management.

It is also an object of the present invention to provide an improved method of cryptographic key management that is more applicable than the prior art and has an equivalent or better security function.

It is also an object of the present invention to provide a method for modifying cryptographic key management such that new and improved cryptography is provided to users of cryptographic systems.

Another object of the present invention is to expand the size of the control vector in order to increase the number of times of encryption/decryption required for control vector processing.

It is also an object of the present invention to extend the size of the control vector while making the key regeneration procedure transparent to the cryptographic hardware.

Another object of the present invention is to provide two methods for executing arbitrary length control vectors.
The goal is to provide: a) One is position definition, where the bits in the control vector are defined according to their relative positions. b) The other is definition by tag, where the bits in the control vector are defined according to the field tag definition that precedes them.

It is also an object of the present invention to clearly separate three types of control vectors: single-length control vectors, village-length control vectors, and arbitrary-length control vectors, so that one type of control vector is not confused with another type or used incorrectly. It is to do so.

Another object of the present invention is to provide an improved key management method in which the key generator allows the key to be used at certain time intervals and disables the key at other times. It is to be.

Another object of the present invention is to link the key to a password that must be correctly specified in advance when using the key.
To provide an improved method of key management in which a key becomes unusable unless a password is entered correctly.

Means for Solving the C0 Problem The present invention first advantageously converts a 64-bit control vector into 12 bits.
This article relates to a method of expanding to 8 bits. This method consists of an exclusive OR of the left half of C, 64 bits, and the left half of KK, 64 bits, and an exclusive OR of the right half of C, 64 bits, and the right half of KK, 64 bits. In the first place, a 128-bit control vector is conceptually equivalent to a 6/I-bit control vector.

However, the additional 6/'I bits of the 128-bit control vector allows the length of the control vector to be doubled without any key management controls, especially extra encryption/decryption. In fact, 128-bit control vectors can be created manually without increasing computer expense.

The present invention is then directed to a method for extending a 64-bit control vector to an arbitrary length control vector. However, this requires two to four extra encryption operations for each 64-bit portion of the control vector. Therefore, the extra cost increases in proportion to the length of the control vector. Basically, an arbitrary length control vector is first manipulated using a hash function. This converts the control vector C with a large number of bits Nx to the hash value C' with fewer bits N (Nx is N
larger than In the example of the present invention, N = 1.28) is mapped. A particularly useful hash [the number of columns is
A non-secure one-way function, such as a modified search code (MDC) algorithm, that computes a 128-bit hash-direction function of the control vector. MDC is described in the aforementioned Brachell [da J Tsuji patent application (e). This 128-bit result is combined with KK to form two keys, KKI- and KKFt, in exactly the same way that a 128-bit control vector is combined with KK. More precisely, M is calculated on the control vector 128
If we represent a bit MDC, then the left half of M (34 bits is exclusive-ORed with the left half of KK, and the right half of M is 64 bits
The bit is exclusive-ORed with the right half of KK. Note that the arbitrary length control vector is conceptually equivalent to a 128-bit control vector.

Let C represent an arbitrary length control vector. The present invention is based on C
There are two considerations regarding the structural specifications of . One is C
If the field information in is a position specification (i.e., depending on the position, whether the original shape was the left half or the right half)
. The other case is when the tag positioning is a specification such that the C field consists of a tag and data. In this case, the fields are in random order. Additionally, only fields necessary for key management and control need be specified in the control vector. Since specifications in which positions and tag positions are mixed are also possible, the present invention also includes such specifications.

The testing of 128-bit control vectors is the same as that of 64-bit control vectors. However, the latter is at most 6
It includes all 128-bit tests, compared to 4-bits. The same applies to checking arbitrary length control vectors.

That is, testing is always based on control vectors, except that very long control vectors may exist and more control bits and fields need to be tested.

The control vector check is performed on a 128-bit hashed control vector in one direction 1'5! : Not done for l numbers. This hash value is C[? It is only calculated internally and does not appear outside the CF due to darkening as part of the key regeneration process.

(The control vector and the hash interval number are usually available, so even if the hash value is leaked to the outside, confidentiality will not be lost.) The arbitrary length C is 128 bits C
as well as provide extra space to define or extend key usage and control parameters. Since tag positioning is itself arbitrary, arbitrary length C is particularly easy to support this. More particularly, according to the present invention, a method is provided in which an arbitrary length C.sub.2 supports a list of dates and times in which a certain key is used. The present invention also provides a method of incorporating a security password into a control vector to ensure that the key is not used except when the correct password is entered.

D. Example double-length control vector: In FIGS. 1 and 2 showing the first example of the present invention, 6
A 4-bit control vector is advantageously extended to a 128-bit control vector. The additional 64 bits of the 128-bit control vector allow cryptographic systems and their users to better manage cryptographic keys.

The differences between FIG. 1 and FIG. 7 are as follows. In the system shown in FIG. 1, at 46r, CI- of register 40I and K K I- of register /l 21-1 are exclusive-ORed to K K L, 0 C1, and 4.6 L. CL of register 40R and KKR of register 4.2R are exclusive ORed to become K K R + CR. In FIG. 7, C is exclusive-ORed with KKL and -KR to result in KKI-C and KKR+C. That is, in Figure 7, the same 64-bit control vector was exclusive-ORed with the bits in both the left and right halves of KK, whereas in Figure 1, separate 64-bit control vectors were XORed with the bits in both the left and right halves of KK. Exclusively ORed. Otherwise, FIG. 1 and FIG. 7 are identical.

For simplicity, the 64-bit control vector and KK are shown in Figure 7.
If K is encrypted by e *K K .

C64,(K), and in Fig. 1, the case where K is encrypted using a 128-bit control vector and KK is expressed as e.
*K K , written as C128 (K ). The output result Y in FIG. 7 is Y=e*KK, C64(K). Similarly, the output result Y in FIG. 1 is Ye *K
K, C1-28(K).

The differences between the system of FIG. 2 and FIG. 8 are as follows.

In the system of FIG. 2, register 46I.

and register 4-OL's CI- and register 42L's KK
I- is exclusive ORed to K K L +CL,
In register 4.6 R, CI't in register 40R and KKK in register 42R are exclusive ORed and K K R
It will be 10 CR. In FIG. 8, C is K K i- and K
Exclusively ORed with KR, K K L 1C and KK
It became rt+C. Thus, the difference between FIG. 2 and FIG. 8 is that a separate 64-bit control vector is exclusive-ORed with each bit portion of KK.

It can be concluded that FIGS. 7 and 8 are the same as FIGS. 1 and 2 only that C=CL=CR. In other words, the method of using a 128-bit control vector can be reduced to a method of using C and a 64-bit control vector in which the left half bit part and the right half bit part are equal. In other words, the 64-bit control vector is C's 128
The partial, 128-bit control vector is degenerate. The advantage of FIGS. 1 and 2 is that the control vector can be doubled without extra effort or expense.

In fact, the definition of a 64-bit control vector (Figures 7 and 8)
The definition of a 128-bit control vector (Figs. 1 and 2) has two structural and implementation advantages. Hardware and software that implements 64-bit control vectors can easily support 128-bit control vectors. This is because both are performed by a triple cryptographic operation involving different keys originating from KKL and KKR. The encryption procedure is exactly the same. 1
New hardware and software that implements 28-bit control vectors can now support 64-bit control vectors by simply setting CL = CR at the software level. As a result, both the 64-bit and 128-bit control vectors are transparent to the cryptographic hardware.

Arbitrary length control vector: In FIGS. 9 and 10 showing the second embodiment of the present invention,
64 pits) Control vectors are conveniently extended to arbitrary length control vectors. The infinite number of bits that this system provides allows for the greatest degree of cryptographic key management control.

FIG. 9 shows the 64-bit encryption key K in register 44 and the 128-bit key encryption key K in register 42.
K (K K A combination of L and KKR.

KK=KKL//KKR) and the arbitrary length of register 90 (
In other words, this is a system that performs encryption using an infinite) vector C1nf. The operation is as follows.

First, the hash function processing device 92 calculates the public one-way hash function of C1nf, and produces a 128-bit hash value consisting of the left half 64 bits ML read into the register 941 and the right half 64 bits MR read into the register 94R. issue. In the one-way function performed by the processing device 92, it is computationally impossible to calculate the input data to the function from the output result of the function, but it is easy to calculate the output result from the input data. have a property.

Direction functions are detailed in the prior art.

W. Daffey et al., New Directions in Cryptography J.
1,976, IE HE Report on Information Theory-1-
1IT-22, No. 6, pp. 644-654), the strict definition for a one-way function is as follows.

The open number f is called a one-way function in the following case. Whereas y=f(x) can be easily obtained for all X in the region of f, even with the value of y and the function of f, f (x )=y Calculating the number However, this is different from irreversibility.The solution for point y is not unique, that is, r(xl)=y=f'(x
2) When there are different points x1 and x2, the function is "irreversible". What I will discuss here is not the difficulty of back calculation, but rather, it is much more difficult to calculate X such that (x) = y using the value of y and the function of.

Modified search code (see Figures 11, 12, and 13)
Due to the computational algorithm, the definition of one-way functions becomes more strict. According to the MDC algorithm, f (x
It is computationally impossible to obtain x1 and x2 such that i )=f (x2 ). To meet this stringent requirement, the MDC must be at least 128 bits long. Otherwise, f(xl,)=f(x
2) A birthday type attack will be used to find ×1 and ×2.

The next operation in FIG. 9 will be further described.

The exclusive OR device 46L selects the 64-bit value Ml- of the register 941- and the 64-bit value KKI of the register 42I.
- to determine the exclusive OR of exclusive OR devices 4 and 6 R.
Then, the 64-bit value MR of register 94R and register 42
Find the exclusive OR of the 64-bit value KKR of R. Instead, in the encryption device 41, K in the register 44 is KKL+M
K K R is encrypted by the decryption device 43
10M Unencrypted by R, KK by encryption device 45
Encrypted by L+MK. The resulting Y is e
*KK, expressed as cInf(K). (“+” indicates an exclusive OR operation.) Shown in FIG. This is a system in which the 64-bit value Y, which is the encryption key of the register 44, is decrypted.

The procedure in FIG. 10 is basically the reverse of FIG. 9 in about six steps.

First, the hashish numerical value processing device 92 calculates the public one-way hash function of Cinf (in the same manner as the public one-way hash function in FIG. 9), and calculates the 128-bit values M L and I
Issue VI R. Next, find the exclusive OR of ML and KKL, MR and KKI, and get KKL+ML.

Put out K K R + M R. Instead, the non-encryption device 47
Then, K is decrypted by K K L, + M L, encrypted by K K fl + M R by the encrypting device 48, and decrypted by K K +-+ M I- by the de-encrypting device 49. . In short, e*KK, Ci n
f (K)): cKK, C1nf & thus, K is decrypted and reproduced.

The public one-way hash function calculation method in the processing device 92 of the embodiment uses a modified search code (Ml)C) calculation algorithm. MDC is described in related patent application (e) mentioned above. FIG. 11 shows a simple MDC operation, M D COP. Here, M l)C is calculated using two different systems. Figure 12 shows 6
The calculation of a 128-bit MDC is shown using a method that involves two encryption operations for every 4 bits of input data. 1st
Figure 3 shows the calculation of a 128-bit MDC by a method that involves four encryption operations for each 64-bit input data. In both methods, it is necessary to divide the arbitrary-length control vector input data in plain text into 64-bit blocks.
For confirmation, a hexadecimal value F F " is embedded in the final block. The plaintext is processed sequentially by the MDC algorithm until all blocks are completed. The output result of the function is 1.
It is a 28-bit MDC.

In the case of C1nf, the control vectors are C1, C2,...
It is divided into Cn blocks. A hexadecimal FF" is embedded (depending on the number of bytes) at the bottom of Cn, resulting in 8 bytes. This embedding is done by the cryptographic hardware (this is a necessary part of the public one-way hash function itself). ).The blocks C1, C2,...,Cn are manipulated by the MDC algorithm (by encrypting each block two or four times) to produce a 128-bit MDC.The left half of the 128-bit MDC ( K K L
+M1. , and the right half of the 128-bit MDC (
MR) and KKR, calculate the exclusive OR and obtain K K R + M R.

Calculating the 128-bit hash value of an arbitrary length control vector using a strict one-way number like the Ml)C al prism is very important for meticulous security protection. This is necessary to avoid finding two different valid control vectors C1 and C2 (but resulting in the same hash value). If Ml)C(
If 01 and C2 are found where C])=MDC(C2), the integrity of the process is violated. To explain the reason for this, it is assumed, for example, that C1 is a control vector that only encrypts data, and C2 is a control vector that only decrypts data. Knowing that the encrypted data key has a control vector C1, an intruder can easily defeat security by simply specifying C2 instead of C1. That is, the intruder passes the encrypted data key and C2 along with the intercepted ciphertext (which the user unknowingly encrypted with the data key) to the unencrypted command. The decryption instructions cannot discover that C2 is invalid or prevent the correct data key from being regenerated internally within the CF, and the data becomes decrypted.

FIG. 22 shows how the hash function processing device 92 is connected to the bus 12 in the cryptographic mechanism (CF) 4.

The hash function processing device 92 may be part of the cryptographic processing device 16, but may be separated and connected to the bus 12. The hash function processing device 92 executes the above-described public one-way hash function of the control vector.

Encrypted portion in control vector @: It can be determined by the present invention that cryptographic processing performed using only 64-bit control vectors, only 128-bit control vectors, and only arbitrary-length control vectors cannot be performed safely. However, there are cases where these coexist within the same cryptographic system, and there are also systems where they are necessary. In this case, the separation of cryptographic processing and
This is absolutely essential for the security of cryptography. In other words, even if a key is encrypted using one control vector specification method, an intruder cannot tamper with No. 116 hardware that can receive encryption keys under another specification method. You have to do it like this. For example, c*KK, C1
Let 28(K) represent a key encrypted with a 128-bit control vector.

In this case, c*'KKC,128(K) is 118 encrypted by a 64-bit control vector by the method in which the cryptographic hardware decrypts (! *K K, c128 (K) and regenerates K. This cannot be said to be a key because C128 and C64 may have contradictory specifications such as 0128 disallowing the use of a certain key but C64 permitting it.

One difficulty with the above specification is clear. In a particular implementation, assume that the left and right halves of the 128-bit control vector are (reasonably) equal and that CL represents a valid 64-bit control vector C. Let me intentionally illustrate the problem.

Bit 13 of CL, CR and C is set 2 l'3'1°
and all other bits are set 2B°0". Bit 13-B"1° in CL means that the encrypted cryptographic variable x (X is the key) is the data encryption This means that it is used only for Bit 13 of CI"t restricts the encryption operation in some way (e.g. requires a password first, or only allows the encryption operation to occur between 8 a.m. and 4 p.m.). However, the control Bit 13 of vector C (64-bit control vector) means that X is used for data decryption. If Y is the encrypted value of For example, the intruder is C and KI-3KR.
could be used to request the cryptographic device to decrypt Y using In the latter case, the intruder can decrypt the data with X.

The properties of the encryption required in this case will be described below. It is assumed that C64, C128, and C1nf are methods for encrypting key K using KK using a 64-bit control vector, a 128-bit control vector, and an arbitrary-length control vector, respectively.

is one of these three methods, and let Y be the encryption of K by K using i. If j is one of the three methods but not i, the cryptographic hardware must satisfy the following requirements. When Y and j are passed to the hardware (that is, if method i is taken but the intruder pretends to be j), the encryption hardware will definitely detect the fraud and perform the operation. It must either be interrupted or cause '(not K) to be an indeterminate and unforeseen value that has no meaning to the intruder.

A method for comprehensively separating the three methods of control vector definition is explained below.
It is shown in FIG. This method uses each 64 of each control vector.
bit part, and optionally: M calculated with a long control vector
A 2-bit field (bits i and i+1) of each 64-bit portion of DC is used. The bits never overlap the key's parity bits. This bit indicates that the encrypted value e*KK for all C64, C64(K) is the encrypted value c>:(KK,C
128(K), and also from all C1nfl encrypted values e*KK, Ci n f (K), are the values assigned for K and KK. . This prevents the encrypted K from being decrypted by one or more control vectors. Using anything other than the correct control vector will result in "K" instead of "K".

Control vector check: Control vector check for a 128-bit control vector requires 64
=37 is similar to that of a bit control vector, but in the case of a 128-bit control vector, the only difference is that all 128 bits are subject to inspection.

Therefore, the logic of the 64-bit control vector check described in FIG.
This is similar to the 128-bit control vector test except that the control vector is used as input data to the encryption device.

The same applies to control vector testing for arbitrary length control vectors. Testing is done on a control vector basis, except that the presence of very long control vectors is considered and therefore more control vector bits and fields are tested. When arbitrary length control vectors are used, control vector testing is performed based on the control vector itself, rather than a 128-bit hash one-way function of the control vector. The hash value is calculated only within the encryption device. It is not passed outside the encryption device and passed from device to device or from the 118 encryption device to the encryption device, nor is it stored and re-entered like a control vector. (The control vector and hash function are usually manually operable, so even if the hash value is leaked, the confidentiality will not be lost.As will be described in another embodiment of the present invention, a secret password is embedded in the control vector.) Tag positioning and data structure of position control vector: As shown in FIG. field 1, field 2, field n). 1 field is 1
It has the above bits and has a predetermined meaning, interpretation, and fixed usage. Related Patent Application (b) of Matthias et al.
The 64-bit control vectors shown in (c) and (d) use position dependent fields and bit definitions.

As shown in FIG. 15(d) of the present invention, the arbitrary length control vector C may consist of fields defined by field identifiers rather than positions within the control vector. The data structure of such tag positioning consists of multiple fields as shown in FIG. 15(d), and these fields include a fixed length field identifier, a fixed length field length, and a fixed length field length as shown in FIG. 15(b). Consists of variable length data.

As in FIG. 15(e) of the present invention, the arbitrary length control vector C may consist of fields defined by field identifiers (i.e. tags), but here the field length is not a length field; Determined by a fixed-length field delimiter placed at the end of the data. The data structure of such tag positioning is shown in Figure 15 (e
), these fields consist of a fixed-length field identifier, variable-length data, and a fixed-length field delimiter, as shown in FIG. 15(c).

As shown in FIG. 15(1) of the present invention, the arbitrary length control vector C may consist of both a continuous position dependent field part and a tag positioning part. In this example, the fixed length position dependent portion appears first in the control vector, followed by the variable length tag positioned portion. The position dependent field portion is a 128-bit field corresponding to a 128-bit control vector.
The variable length tag positioning consists of field definitions,
Such a data structure is particularly advantageous because it consists of a control vector extension that corresponds to a fixed 128-bit portion of the control vector.

As can be seen, there are a variety of ways to implement arbitrary length control vectors that are structurally simple, require less storage and processing, and can be implemented within the same cryptographic system or network or interconnect. Control vector/arbitrary length control vector execution can be performed while maintaining compatibility.

Confidential password and control vector: By incorporating a confidential password into the control vector when using cryptographic keys, more detailed control of cryptographic key usage becomes possible. This is particularly useful for applications that require very high levels of security or employ strict control criteria (ie, control of access to cryptographic keys) during cryptographic processing.

FIG. 16 shows an outline of a data processing system having a cryptographic mechanism. In FIG. 16, data processing system 2 executes a program such that a cryptographic mechanism accesses the program and the application (as shown in FIG. 2 of the aforementioned Matthias et al. related patent application (b)). This program issues requests to process cryptographic keys associated with control vectors. The general form of the control vector is shown in FIG. 10 of the above-mentioned related patent application, but is modified and extended by the present invention (described in more detail below). Control vectors define certain functions.

The associated key is authorized by the key's creator to perform its function. According to the aforementioned related patent application, the cryptographic structure defines a system for authenticating the key management functions that programs request for cryptographic keys, ensuring that they have been authorized by the creator of the keys.

As shown in FIG. 16, included in or connected to data processing system 2 is a cryptographic mechanism 4 characterized by a security boundary 6. As shown in FIG. An input/output path 8 passes through the security boundary 6 to receive cryptographic provision requests, cryptographic keys, and associated control vectors from the program. Security boundary 6 includes a cryptographic instruction storage 10 connected to input/output path 8 by bus 12 . The control vector checking device 14 is connected to the instructions of the storage device 10, and the cryptographic processing device ]6 is also connected to the instructions of the storage device 10. Master key storage device 18 is connected to cryptographic processing device 164. In response to the received provision request, cryptographic mechanism 4 creates a secure storage location for performing key handling operations.

Cryptographic instruction storage 10 receives on input/output path 8 a cryptographic provision request to perform a key handling operation with a cryptographic key. Control vector checking device 14 has input data connected to input/output path 8 and receives control vectors associated with cryptographic keys. The control vector checker 14 also has input data connected to the cryptographic instruction store 10 and receives a control signal to initiate a check whether the control vector has authorized the key management operation requested by the cryptographic provision request.

The control vector validator 14 has an authorization output 20 connected to the input data of the cryptographic processor 16 to signal that the key management operation is authorized. Once the cryptographic processor 16 receives the authorization output, it begins performing the key handling operations requested by the cryptographic key. The encryption key storage device 22 is connected to the input/output path 8
- connect to the control vector inspection device 14. The cryptographic key is encrypted under a storage key (the associated control vector and the logical operation result of the master key stored in master key storage 18), and the cryptographic key storage 22 is The encryption key is stored in the form. The result of this logical operation is written as KM,C.

KM is the 128-bit master key and C is the control vector. If the cryptographic provision request requests one or more keys and control vectors, all control vectors are checked and all are found correctly and the cryptographic processing device]6
A permission signal must be issued for ε.

The encryption key is regenerated from the encryption key storage device 22, for example, when the encryption command storage device 0 receives a cipher provision request to reproduce the encryption key from the encryption key storage device 22 on the input/output path 8. It is. The control vector checker 14 then responds on line 20 to the cryptographic processor 16.
A permission signal is issued indicating that the cryptographic key regeneration operation is permitted.

Cryptographic processing unit 16 is responsive to the authorization signal on line 20 to receive an encrypted cryptographic key from cryptographic key storage 22 and to receive a stored key (associated control vector and master key stored in master key storage 18 ).・Decrypt it based on the logical operation result of the key).

The storage key is the result of the exclusive OR of the associated control vector and the master key stored in master key storage 18. Although the logical operation result in the above embodiment is also an exclusive OR operation, this is a different type of logical operation.

The control vector is stored in cryptographic key storage 22 along with the associated cryptographic key. Since all keys are stored in the cryptographic key storage 22 under a master key, encryption/decryption of cryptographic keys is possible under a unified system.

Illustrated in FIG. 16 of the present invention is a system that incorporates a confidential password into a control vector. As shown in FIG. 16, the control vector stored in the cryptographic key storage 22 with the encrypted key has a password field. However, since the password is confidential, it is not stored within the control vector. The password field in the control vector is set to zero (ie, all bits are zero). Therefore, if the password field is 56 bits long, 56 zero bits will be set. The confidential password itself is presented to the cryptographic mechanism 4 through a separate password channel 32 that connects to the input/output path 8. Thus, a user with the right to access the cryptographic key can obtain a copy of the confidential password in advance. If a request to provide a cipher is made using a key for which the control vector has the password, the user must enter the password in clear text as an additional parameter to the request to provide a cipher. A control vector check is then performed as described above,
As a response, the control vector checking device 4 outputs a permission signal indicating that the cryptographic key regeneration operation is permitted to the cryptographic processing device 16 via a line 20. The control vector checker 14 does not check the password field of the control vector. Thereafter, the cryptographic processing device 16 responds to the permission signal and
It receives an encrypted cryptographic key from cryptographic key storage 22 over line 20 and a cleartext password through a separate password channel 32 connected to input/output path 8 that connects to busbar 12 . The password is inserted into the control vector to complete the control vector and executed by a hash function generator that generates an N-bit hash value. Key regeneration is performed conventionally, ie the encrypted key is decrypted under the stored key. This storage key is the N-bit hash value of the control vector and the master
This is the logical operation result of the N-bit master key stored in the key storage device 18.

Passwords are not checked as part of the key regeneration process or the cipher supply request process, but such checking is unnecessary. Once the key is generated, it is encrypted under the hash value of the control vector that incorporates the password. If the user enters an incorrect password when the key is subsequently regenerated, the encryption key is unencrypted under the storage key, which is the logical result of the tamper control vector and the master key, so that it is not actually An indefinite key is regenerated and used to process cryptographic instructions. Regarding cryptographic instructions, in the related patent application (b) of Matthias et al.
The cryptographic instructions are discussed in terms of whether the output result of the instruction is invalid or valid when an unauthorized key is regenerated.

FIG. 17 shows several examples of how to incorporate passwords into control vectors. FIG. 17(a) shows that when the password is a position dependent field of the control vector, the first
Figure 7(b) shows that the password has a field identifier, field length, and data, and the tag position is a field in the structure. Figure 17(c) shows that the password has a field identifier, data, and a delimiter. Tag positioning is when it becomes a field of a structure. Incorporation of a password field into a control vector to authorize cryptographic key use may be conveniently accomplished by any of these or other methods.

FIG. 20 looks at the cryptographic mechanism 4 from another perspective and shows encryption by a control vector incorporating a password (either plaintext or ciphertext).

The control vector of register 90 is of arbitrary length and has an empty (all zero) field shown in FIGS. 16 and 17. Before inputting the control vector containing the password to the hash function processing device 92, the staging and
In register 91, the empty field is filled with the user password provided by password entry device 32. The hash function processing device 92 has a control vector and a user vector.
Outputs an N-bit hash value that also contains the password. The N-bit hash value is exclusive-ORed with the N-bit key encryption key KEK in logic 46 to produce an N-bit calculated key value, which becomes the key to the encryption device 4. . The ciphertext output from the encryption device 4 is specified by an N-bit hash value that includes both a control vector and a password. Similarly, non-encryption is performed by replacing the encryption device 41 with the non-encryption device 47 in FIG. When the ciphertext is decrypted, if the user enters a wrong password and it is given to the control vector, the hash value will not be the correctly calculated key value and the decryption device 47 will Unable to generate plaintext.

Time intervals and control vectors: Incorporating date and time information into control vectors allows for more fine-grained control of cryptographic key usage.

Although this concept can be implemented in several different ways,
Basically, one or more time intervals are built into the control vector that describe when such cryptographic keys are to be processed (in response to a cryptographic provision request). More granularity can be obtained by restricting access to keys based on the instruction type and parameters in the instruction. For example, a control vector may be encoded such that the key can be used in a first period in an encrypted instruction, and in a second period (not equal to the first) in a non-encrypted instruction. This is the case. Similarly, access to keys may vary depending on system parameters other than the type of instruction. For example, in the first period, system A
such as activating the key at System B and activating the key at System B at a second period.

The period and links with instructions, systems, users, etc.
It can be seen that this can be done in various ways. These methods are not particularly defined by the present invention, but are constructed based on the basic concept of incorporating time information into a control vector in some form. Incorporating time information into the control vector is useful for applications that require a very high level of security or where you want to allow the use of a key only during a certain period of time (e.g., when a user has access to certain system resources). This is particularly effective in cases where you want to know the content of the application and be able to operate it to some extent, but do not allow all functions to be used until you reserve or purchase it.

FIG. 18 of the present invention shows a system having time information in the control vector. As shown in FIG. 18, the control vector stored in the cryptographic key storage 22 with the associated encrypted cryptographic key has time interval fields that include a start date and time, and an end date and time. It has one or more time intervals that describe. (Vt, mechanism 4, m
Having a real-time clock 3/I connected to line 12 allows control vector tester 14 to read the clock value on bus 12. Although not shown in FIG. 18, there is also a device that sets the initial value of the real-time clock for completeness. For example, in a system that includes a handheld key entry device connected to a secure front panel input board with a physical key activation key switch for master key entry (see related patent application (L) by Matthias et al., supra). (in a similar manner to initializing the master key 18 as described)
Real time clock 34 is initialized. Two switches can be used to input clock values into real-time clock register 34 using the same handheld key input device. Other techniques may also be used to initialize clock values.

Other components in FIG. 18 are similar to those in FIG. 16. Even when time information is incorporated into the control vector and the cryptographic device has a real-time clock (FIG. 18), the processing of the cryptographic provision request is performed in the same manner as described above. (With the exceptions mentioned below.) According to FIG. 18 of the present invention, when a request to provide a cipher is made and it uses a key with a control vector having the time interval field, the process is as follows. . Control vector testing proceeds as described above, except that additional testing is performed depending on the saved time information. (A control vector may or may not have a password, but that level of control key management is unchanged by the time interval tests described here.) Regarding Figures 18 and 20,
Control vector tester 14 accesses the current real-time clock value from clock 34 and a test is performed to determine whether the clock value is within the time interval described in the control vector. . 1 in control vector
If more time intervals exist, the clock value must occur sometime within these time intervals. (However, it does not need to be within an interval of 1 or more.) If the test and the test of the remaining part of the control vector pass, in response, the control vector tester 14 uses the UI 120 to check the cryptographic processing device 1.64. , issues a permission signal indicating that the cryptographic key regeneration operation is permitted. Cryptographic processing unit 16 is responsive to the authorization signal on line 20 to receive an encrypted cryptographic key from cryptographic key storage 22 and to receive a stored key (associated control vector and master key stored in master key storage 18 ).・Decrypt it based on the logical operation result of the key).

As shown in FIG. 21, the control vector inspection device 14
The real time clock 34 is accessed to compare the actual time and the period described by the control vector Ct. The control vector checking device also checks whether the control vector C may be used as specified by the input of the cryptographic provision request. If both tests pass, a permission signal is issued on line 20, and the arbitrary length control vector C becomes input data to the hash function processor 92, where it is converted to an N-bit hash value C''. The hash value C° is exclusive-ORed with the N-bit key encryption key KEK in an exclusive-OR 46 to reproduce a value that is an N-bit calculated value and serves as a key to the non-encryption device 47. (If the non-encrypting device 47 and the encrypting device 41 are replaced in FIG. 21,
Hf5 encoding can also be performed using the same procedure. ) FIG. 19 is a further refinement of the time interval field of FIG. In particular, Figure 19(a) shows the start date/
Indicates a time interval field in which there are one or more time intervals consisting of a time and an ending date/time. The method of encoding these fields and time units (hours, minutes, seconds, etc.) is not covered by this invention. In the method shown in FIG. 19(b), since the time interval is associated with a specific instruction,
Key processing is subordinate to the instruction that requests it. 19th
In the method shown in Figure (c), key processing is dependent on the system in which the key is used, as the time interval is associated with a particular system. Therefore, the device No. 138 must provide the system ID of the control vector checking device 14ε. System [D, not shown in Figure 18, is stored entirely within the cryptographic mechanism and accessed as needed. The system ID is initialized into the cryptographic mechanism in a manner similar to how the master key and real-time clock values are initialized (described above). Also not specifically shown, the time interval field is implemented in a manner similar to the password field shown in FIG. In other words,
The time interval can be a positional dependent field and the tag positioning can be a field in the control vector, and can be performed by any of the methods shown in the fJJl-5 diagram. (Except when the password field is replaced by the time interval field.) In the above embodiment, the 118 encryptor 41 and the decryptor 47 use the ANSI data encryption algorithm (DE
A) is adopted. This is a standard cryptographic algorithm for commercial data protection products and is a standard ANSI
X2.92 (1981), "Data Encryption Algorithms". DBA is a symmetric block ciphertext algorithm that encrypts 64-bit plaintext with a 56-bit secret key to form 64-bit ciphertext. DEA keys are typically one per byte.
It has two parity bits, forming a 64-bit key. DEA is the International Bureau of Standards.
Federal Data Encryption Standard (Bureau of 5 Standards)
It is also called DES because it is the basis of Cryption Standard. However, the encryption device 4
1 and other embodiments of the non-encrypting device 47 are adapted to suit more specific application programs.

Other encryption algorithms with different keys and block sizes than DEA can also be used.

The public one-way hash function executed by the hash function processor 92 of the embodiment described above is based on the modified search code (MD
C) Calculation algorithm is used, but according to the present invention, another hash function is used to set the arbitrary length control vector of the storage register 90 to a different length that makes it easy to perform exclusive OR with the key. It can also be converted to a hash value. To perform an exclusive OR in accordance with the present invention, if the key length is 64 bits, the hash value must also be 64 bits. If the key length is 128 bits, the hash value must also be 128 bits. In order to XOR a hash value and a key in exclusive OR 46 in accordance with the present invention, if an alternate key value length is used, an alternate hash value of equal length must be used. . Part of the hash value is exclusive-ORed with part (or all) of the key having the same bit length.

In another embodiment of the invention, a clear key may be stored in the cryptographic mechanism for immediate cryptographic processing.

In the example of FIG. 22, the working storage area 24 and the clear key are stored. In the first method, each key and associated control vector pair is stored in random access memory (RAM) or working storage 24 of the cryptographic device. During routine operations to access a key, the associated control vector is first accessed and control vector checking is performed as described above to ensure that key use is authorized. If authorized, the key is accessed from working storage and used for operations within the cryptographic mechanism. In the second method, the result of the exclusive OR of the hash value of the key and its associated control vector is stored in working storage in the cryptographic mechanism. The arbitrary length control vector itself is either stored in working storage with the result of the key and hash value operation, or passed to the input path 8. During routine operations to access a key, the associated arbitrary-length control vector is first accessed from working storage or first received on input path 8-F to ensure that key use is authorized. To do this, a control vector check is performed as described above. If permitted, the arbitrary length control vector is processed through a hash function processor 92 which generates a hash value.

The result of the exclusive OR of the hash value of the key and its associated control vector is then accessed from working storage;
It is exclusive ORed with the hash value calculated by the hash function processing device 92 to generate a key used in the requested cryptographic operation. A third method for 128-bit keys and 128-bit hash values is that the left half of the key is XORed with the left half of the hash value and stored in working storage, and the right half of the key is XORed with the left half of the hash value. It is exclusive-ORed with the right half and stored in working storage. In a fourth method, if the key is a 64-bit key and the hash value is a 128-bit hash value, the 64-beat key is exclusive-ORed with the left half of the hash value and stored in working storage; It is exclusive-ORed with the right half and stored in working storage. Both of these methods speed up processing because key encryption/decryption operations do not need to be coupled to key regeneration (as long as the key is stored in plaintext within the security boundary of the cryptographic mechanism). do. Logical operations other than exclusive OR may be used to combine the control vector hash value and the associated key and store them in working storage 24.

DETAILED DESCRIPTION OF THE E6 INVENTION According to the present invention, the technique of cryptographic key management is improved.

[Brief explanation of drawings]

FIG. 1 is an explanatory diagram of the first embodiment of the present invention, in which a 64-bit encryption key K is converted into a 128-bit encryption key KK.
(Left half 64-bit KKI- and right half 64-bit KK
K), and a 128-bit control vector C (consisting of 64-bit CL on the left half and 64-bit CR on the right half).
This shows a system that encrypts using FIG. 2 is an explanatory diagram of the first embodiment of the present invention, in which a 128-bit control vector and a 128-bit
A system for decrypting a 64-bit encryption key K encrypted with a key encryption key is shown. FIG. 3 is a diagram of a network of cryptographic devices coupled via cryptographic distribution channels. FIG. 4 is a diagram of the basic components of the cryptographic device. FIG. 5 is a diagram showing the processing order within the cryptographic device components that generate the processable key K. K is encrypted with master key KM and control vector C and stored in key storage ε. An application accesses a processable key K through an index or label that is linked to the key in storage. FIG. 6 is a diagram illustrating the general procedure for implementing cryptographic instructions within the CF. FIG. 7 is a diagram of a system in which a 64-bit encryption key K is encrypted by a 128-bit key encryption key KK (consisting of a left half 64-bit KKL and a right half 64-bit KKR) and a 64-bit control vector C. . FIG. 8 shows a 4-bit encryption key K encrypted using the procedure shown in FIG.
- a diagram of a system for decrypting with a bit control vector C; FIG. 9 is an explanatory diagram of the second embodiment of the present invention, in which a 64-bit encryption key K is converted into a 128-bit key encryption key KK.
(Left half 64-bit KKL and right half 64-bit KKR
) and an arbitrary length control vector C1nf. FIG. 10 is an explanatory diagram of the second embodiment of the present invention, and FIG.
1 shows a system for decrypting a 64-bit encryption key K that has been encrypted using an arbitrary length control vector and a 128-bit key encryption key using the method shown in the figure. FIG. 11 is an explanatory diagram of the modified search code operation (Ml)COP). MDCOP is used for two to four encryptions per block of the Modified Search Code (MDC) algorithm. In the drawings, the MDCOP algorithm is illustrated in text and diagrammatically. Figure 12 shows the modified search code (MDC) algorithm 1.
If each block is encrypted twice, Figure 13 shows the modified search code (MDC) algorithm 1.
This section explains the case where each block is encrypted four times. Figure 17'1 shows the three CV right way 64 bit CV, 1
28 is a diagram illustrating a method of separating 28-bit C2, arbitrary length C2) in cryptographic processing. Key encryption key K K L
, , K K R for each method. Fixed bit fields in the write vector are defined according to the specific coding used to separate the three methods. Figure 15 is classified into (a) to (f),
The data structure of an arbitrary length control vector is shown. FIG. 16 is a diagram illustrating a cryptographic processing system that incorporates a security password into a control vector. FIG. 17 shows the password control vector data 4i'l
This figure shows some examples of how it can be incorporated into a building. FIG. 18 is a diagram showing a cryptographic processing system that incorporates time information into a control vector. FIG. 19 illustrates several examples of incorporating time information into a control vector data structure. FIG. 20 is a diagram showing encryption using an arbitrary length control vector incorporating a password. FIG. 21 is a diagram illustrating time interval checking and non-encryption using an arbitrary length control vector. FIG. 22 is a diagram showing a cryptographic mechanism for arbitrary length control vectors. Applicant International Business Machines Corporation Representative Patent Attorney Takashi Tonmiya (1 other person)

Claims (1)

Claims: A cryptographic apparatus in a data processing system that executes a program that outputs cryptographic service requests with a cryptographic key associated with a control vector, comprising: (a) a given length associated with a cryptographic key of N bits; (b) an input connected to said control vector input and an input for receiving a cryptographic service request, wherein said control vector is a cryptographic service request requested by said cryptographic service request; (c) having an input connected to said control vector input and an N-bit output, said control vector being a hash value of N bits; (d) a key input for receiving the N-bit cryptographic key; (e) a first input connected to the N-bit output of the hash function generating means and the key; (f) logic means for receiving input information, having a second input connected to the input, and outputting a calculated key value that is a product of the N-bit key and the N-bit hash value; cryptographic conversion means having a key value input connected to a first input and an output of the logic means, and generating output information by converting the input information using the calculated key value; The encryption conversion means is connected to the energizing signal output of the control vector checking means, and prohibits conversion to the output information when the control vector checking means determines that the requested cryptographic function is not permitted by the control vector. A cryptographic device characterized by: