JPH0816825B2 - Cryptographic apparatus and method - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION A. Field of Industrial Application The present invention relates generally to data processing technology, and more particularly to cryptographic processing application in data processing.

B. Prior Art and Problems Thereof The following related patent applications relating to the present invention are listed as references.

(A) B. Brachel et al., US Pat. No. 4850017, "Controlling cryptographic keys by a generator for establishing control values".

(B) U.S. Pat. No. 4,491,176 by S. Machias et al.

(C) U.S. Pat. No. 4,918,728 by S. Mathias et al., "Cryptographic processing of data with control vectors."

(D) U.S. Pat. No. 4,924,514 by S. Mathias et al., "PIN processing with control vector".

(E) U.S. Pat. No. 4,908,861 by B. Brachel et al., "Data Confirmation with Modified Search Code Based on Public One-Way Cryptographic Functions".

Control Vector Concept: A control vector is a simple data structure that defines cryptographic key usage attributes and controls the transmission of cryptographic keys from one network device to another. The control vector is bound to the key by an encryption procedure to form a cipher, which decrypts the key only if the control vector is correctly applied to the cryptographic hardware.

FIG. 7 is a system for cryptographically coupling a 64-bit control vector to a 128-bit cryptographic key and is described in the aforementioned related patent application (Bratchell et al. And Mathias et al.). For simplicity, the procedure for encrypting the plaintext X with the key K is written as eK (X) = Y. (Y indicates the resulting ciphertext.) On the contrary, the procedure of deciphering the ciphertext Y with the key K and reproducing the plaintext X is written as dK (Y) = X. A procedure for encrypting a 64-bit key K with a 128-bit key encryption key KK (consisting of 64 bits on the left half named KKL and 64 bits on the right half named KKR) and a 64-bit control vector C in register 40 '. Is the above-mentioned "key security management by control vector" (Machias et al.)
It is an application of multiple encryption described in, but this is eKKL +
It is written as C (dKKR + C (eKKL + C (K))).
"+" Means exclusive OR. The encryption is performed by the following procedure. First, the exclusive OR device 46 calculates the exclusive OR of the 64-bit control vector C and the KKL and KKR of the register 42, respectively. Instead, in the encryption device 41,
K of the register 44 is encrypted by KKL + C, the result is non-encrypted (also referred to as decryption) by KKR + C in the non-encryption device 43, and the result is encrypted by the encryption device 45.
At KKL + C. eKKL + C (dKKR +
Since writing C (eKKL + C (K))) is complicated, an exclusive OR operation, that is, KK (more accurately, KKL and KKR respectively)
The operation for obtaining the exclusive OR of and is written as KK.C. *
Writing KK indicates that the key is 128 bits instead of 64 bits. That is, KK is a 128-bit key with an asterisk and a 64-bit key without an asterisk. e * KK.C (K) means to encrypt K by the 128-bit key KK which is the exclusive OR result of C and the left and right halves of KK.

The encrypted value K (Y = e * KK.C) is shown in FIG.
(K)) is a system in which the key KK and the control vector C are used for non-encryption. This is done by the following procedure.
First, as described above, the exclusive OR of C, KKL, and KKR is obtained. Instead, in the non-encryption device 47, the encrypted value K is non-encrypted by KKL + C, and the result is encrypted by the encryption device 4
It is encrypted with KKR + C at 8 and the result is not encrypted with KKL + C at the decryption device 49. According to FIG. 8, KK, C, and eKKL + C (dKKR + C (eKKL + C
(K))) can be reproduced only when it is correctly specified, and if one bit of C is incorrectly specified, it can be judged that an indeterminate and unexpected value appears.

(To be more precise, if an arbitrary length control vector C'and KK that is not equal to C is used, the ciphertext eKKL + C (dKKR + C
(EKKL + C (K)))) is not encrypted, but K
The probability that a plaintext equal to is reproduced is 1 in 2 ** 64, which does not affect the cryptographic processing. An intruder may accidentally find the value of K by performing cryptographic analysis using a simple method called direct search, or decrypt the ciphertext with any key until the desired plaintext appears. Even then, a considerable number of encryption / decryption procedures are required. ) As described in ANSI X3.92 (1981), the Data Encryption Algorithm (DEA) uses the encrypted / unencrypted schemes described in Figures 7 and 8 to operate on control vectors. It is an example of a possible encryption algorithm. It will be appreciated that the control vector concept can be applied to any similar ciphertext by specifying a control vector equal to the key length, and to multiple ciphertexts using multiple cryptography.

Network Configuration of Cryptographic Device: FIG. 3 shows the network connection (host, control device, workstation, etc.) of the cryptographic device. This is the first encryption device 100 of the data processing device 2 and the encryption distribution channel 1.
It is composed of other cryptographic devices 200, 300 ... Connected through 000, and can exchange ciphers. That is, the transmitting device performs encryption and the receiving device performs non-encryption, whereby each device can perform secret communication. Each device confirms the data transmission by adding the message confirmation code to the prepared message in the transmitting device, and confirms the message and the message confirmation code in the receiving device. Then, each device securely generates and encrypts the key in the encryption device,
It is transmitted to the encrypted key receiving device. Within the receiving device is a key data set (for later use in encrypting and verifying the data, or for other key management operations) in which the keys are stored in an appropriate manner. Such key management procedures, protocols and methods are largely described in the related patent applications (b), (c) and (d) of Mathias et al.

FIG. 4 is an enlarged view of the encryption device 100 shown in FIG. Each cryptographic device comprises a cryptographic mechanism (CF) 4, which creates a set of cryptographic instructions 52, a key storage device 22, a cryptographic mechanism access program (CFAP) 54, and a user application program 55. The CF includes a register 18 corresponding to a 128-bit master key KM, and the KM consists of a left half 64 bits (KML) and a right half 64 bits (KMR). (The encryption algorithm executed by CF is the data encryption algorithm (DEA)
Suppose ) All keys stored outside the CF are encrypted under the master key and control vector as described in FIG. 7 and stored in the key store 22. The key in the key storage device 22 encrypted by the master key is called a processable key because it is in a form that can be processed by the CF. Another key (key encryption key or KEK)
The key encrypted by is stored in a form convenient for being distributed to another device, that is, for transmitting to another device or receiving from another device. (Note: The key is generated and encrypted, sometimes in the receiving form, and can be re-received by the same device that generated it.) Typically 1
Each device in the set shares the following two KEKs. a) The key is encrypted and transmitted from the first device to the second device. first
KEK (KEK1). b) A second KEK (denoted as KEK2) that encrypts the key and transmits it from the second device to the first device. In the first device, KEK1 is shown as the KEK transmit key through the control vector (because it encrypts the key for transmission to the second device), while KEK2 (for reception from the second device). It is shown as the KEK receive key through the control vector (since the key is unencrypted).
In the second device, the roles of KEK1 and KEK2 are reversed, ie KEK1 is the KEK receive key and KEK2 is the KEK send key. The cryptographic mechanism 4 also includes a random number generator 26 that generates a 64-bit random number. The output result of the random number generator can only be read by the CF. The cryptographic mechanism also has a port for connection to the security front panel interface 58 and the portable key input device 60.
Including 59. There is a key activation physical switch 61 on the front panel, which enables the input of keys including the master key through the key input device 60. (The cryptographic components corresponding to the cryptographic device 100 are detailed in the related patent applications (b), (c) and (d) of Matthias et al.). Returning to FIG. Cryptographic instruction set 52 supports key management and data encryption / confirmation functions, and performs financial transaction processing based on personal identification number (PIN) confirmation.
It consists of several cryptographic instructions. Related patent applications (b), (c) and (d) of Mathias et al. Detail three examples of cryptographic processing applications. Typically, the user application program 55 is activated by a ciphertext presentation request. Follow the steps necessary to meet your requirements. For example
At 62, a request is made to the CFAP in the form of a macro call and one or more parameters (unencrypted data, encrypted data, key and ciphertext, at 65 the encryption key in the keystore 22). Key to access
It is assumed that the CFAP 54 can execute the requested operation. Or 64 to execute one or more cryptographic instructions, as needed (to generate new cryptographic keys and ciphertexts, or to encrypt, de-encrypt or re-encrypt data or keys, and CFAP may also call CF 4 (eg to output in encrypted or unencrypted form). The result may be that the CFAP stores the newly created encryption key in the key store 22 at 65 and / or returns one or more values at the request of the application program at 66, or both. CF to CFAP at 64
To the application program at 66 and a status code from CFAP to the application program indicate a normal or abnormal status (indicating whether the requested operation has been performed).

Operable Key Management with Control Vectors: Key attributes are usually public, not secret (ie system
The control vector is defined as a public or unsecured value, as it can be known or inferred by the user. On the other hand, the cryptographic keys defined in the system must be kept secret so that the keys must not be exposed when "linking" a control vector to the key. (Note: The present invention also relates to the technique of incorporating a secret password into a control vector.) FIG. 5 illustrates a link of a control vector to a key. In this example, the key generation instruction KGEN is used, which causes the key to be generated by the cryptographic mechanism. I will follow this procedure. In step 71, application A calls CFAP for key generation. Before executing the KGEN instruction, in step 72, CFAP generates a 64-bit control vector that specifies the attributes of the generated key. Control vector C is a procedure
At 73, passed to CF as part of KGEN instruction. On the other hand, in step 75, the CF generates a 64-bit random number (using a random number generator readable only by CF), which is odd parity. This represents the generated key K. K
Is encrypted by the exclusive OR mechanism of the control vector C passed in step 73, and the master key KM is accessed by the encryption rule described in FIG. e * KM.C (K)
The encryption key written as is returned to CFAP in step 76.
(Note: e * KM.C (K) is a simple expression of multiple encryption using various keys such as KML + C, KMR + C, etc.) In some cases, CFAP uses encryption key e * instead. K
Whether MC (K) and the control vector C of step 77 are stored in the key storage device 22 in step 78 (in this case, the key label of step 79 is returned to the application program in step 80),
Or the value is returned to the requesting application program in step 80. In any case, the key generation procedure of the present invention and the procedure of "linking" the control vector to the generated key by encryption ensure the openness and non-confidentiality of the control vector, and further, generate the key outside the cryptographic mechanism. It will be judged that this is not an obvious one.

The control vector is not sensitive, but must be supplied, specified, and provided as input to the cryptographic mechanism whenever the key to which it is linked is used. Every bit in the control vector must be the same as that specified when the key was generated and encrypted. If C is not specified correctly, an unexpected key value will occur. The encryption key and control vector are CFAP
To CF in a large procedure that is treated as a parameter of the cryptographic instructions issued, the control vector regenerates the key previously encrypted (ie the key is not encrypted).
There is always. The cryptographic mechanism thus examines the control vector to ensure that the key is used as an input parameter of the requesting cryptographic instruction. This preliminary inspection of the control vector is called CV inspection. If one or more encryption keys and control vectors are provided as parameters to the cipher command, CV
The inspection is not only a coincidence inspection of control vectors, but also a mutual inspection for one control vector and another control as required.
FIG. 6 shows the procedure required by the cryptographic mechanism when processing cryptographic instructions, but each instruction basically has the following three functions. a) CV inspection 81, b) key reproduction 82, c) request command processing 83. The first required operation is CV inspection 81. This consists of a control vector match check and a determination of whether the use of the requested key parameters matches the requested instruction. if
If the CV check cannot be passed, instruction execution is interrupted. In all cases, a status code indicating the status is returned to CFAP. If the CV inspection passes, the process continues. The next requested operation is key regeneration 82, that is, non-encryption of the encrypted key. According to the method of cryptographically combining the control vector and the key, an indeterminate and unpredictable key value is generated even if there is any illegality (changing the bits of the control vector to give an incorrect attribute to the key). In short, the intended cryptographic key is not regenerated by the cryptographic instructions. The last requested operation is the requested cryptographic command process 83. If the control vector and key are specified correctly, the instruction will be processed correctly. However, if an error occurs, the operation result will be an invalid value. The procedures for CV inspection, key regeneration, and command execution are further detailed in the related patent application (b) of Mathias et al.

The degree of key management provided by the control vector is highly related to the number of bits in the control vector. Especially 10 to 50
For short bit control vectors, their use is limited and can only support a small portion of key management.
The related patent applications (b), (c) and (d) of Mathias et al., Mentioned above, describe the use of 64-bit control vectors, which, in some complex cryptosystems, imply key usage and distribution. 64-bit control vectors are useful to manage compared to other control vector types. Thus 64-bit control vectors satisfy many cryptosystem implementations. However, for more advanced key management control, a control vector of 64 bits or more is required.

It is an object of the present invention to provide an improved method of cryptographic key management.

It is also an object of the present invention to provide a method of improving encryption key management which is more applicable than the prior art and has a security function equal to or higher than that of the prior art.

It is also an object of the present invention to provide an improved method of cryptographic key management such that a new and improved cryptographic provision is provided to users of cryptographic systems.

Another object of the present invention is to expand the size of the control vector without increasing the number of encryption / decryption required for control vector processing.

Another object of the present invention is to extend the size of the control vector while making the key reproduction procedure transparent to the cryptographic hardware.

Another object of the present invention is to provide two arbitrary length control vector execution methods. a) One is position definition, where the bits in the control vector are defined according to their relative positions. b) The other is the definition by tag, in which the bit in the control vector is defined according to the field tag definition preceding it.

Another object of the present invention is to significantly separate three types of control vectors, that is, a single-length control vector, a double-length control vector, and an arbitrary-length control vector, so that one control vector may be confused with another species or used incorrectly. It is to be prevented.

It is also an object of the present invention to provide an improved method of key management that allows the key generator to have a certain time interval when the key is available and disables the key at other times. is there.

Another object of the present invention is to link a password that should be correctly specified in advance when using a key.
It is an object of the present invention to provide an improved method of key management in which the key is added when the password is not entered correctly.

C. Means for Solving the Problem The present invention first favors 128-bit control vectors.
Regarding how to extend to bits. This method consists of an exclusive OR of the left half 64 bits of C and the left half 64 bits of KK, and the right half 64 bits of C and the right half 64 bits of KK. In the first place, the 128-bit control vector is
Conceptually equivalent to a 64-bit control vector. But 12
The additional 64 bits of the 8-bit control vector allows doubling the length of the control vector without key management control, especially extra encryption / decryption. In fact, 12
8-bit control vectors are available without increasing computer expense.

The invention then relates to a method of extending a 64-bit control vector to an arbitrary length control vector. However, this requires two to four extra encryption operations for each 64-bit part of the control vector. Therefore, the extra cost increases in proportion to the length of the control vector. Basically, the arbitrary length control vector is first manipulated using a hash function. This gives a control vector C with many bits Nx,
It maps to a hash value C '(Nx is greater than N. N = 128 in our example) with fewer bits N. A particularly useful hash function is the control vector 12
It is a non-classified one-way function, such as a modified search code (MDC) algorithm, that computes an 8-bit hash one-way function. MDC is described in the aforementioned Brachel related patent application (e). This 128-bit result combines with KK to form two KKL and KKR in exactly the same way that a 128-bit control vector combines with KK. To be more precise, M is 128 calculated on the control vector.
To represent bit MDC, the left half 64 bits of M is KK
XORed with the left half of M and the right half of M is KK
Exclusive OR with the right half of. The arbitrary length control vector is conceptually equal to the 128-bit control vector.

Let C represent an arbitrary length control vector. The present invention
Regarding two considerations about the structural specifications of C. One is when the field information of C is a position specification (ie,
The original shape was left half or right half, depending on the position). The other is the case of the tag positioning specification in which the C field consists of tags and data. In this case the fields are in no particular order. Furthermore, only the fields required for key management and control need be specified in the control vector. Since the specification in which the position and the tag position are mixed is conceivable, this is also included in the present invention.

The examination of 128-bit control vectors is the same as that of 64-bit control vectors. However, it includes every 128-bit check, while the latter was at most 64-bit. The inspection of an arbitrary length control vector is similar. This means that the inspection is always based on the control vector, except that the existence of very long control vectors is possible and more control bits and fields need to be checked.
Control vector checking is not performed on one-way functions of 128-bit hashed control vectors. This hash value is
It is calculated only inside the CF and does not appear outside the CF due to encryption as part of the key playback process. (Control vectors and hash functions are usually available, and even if the hash value leaks to the outside, confidentiality is not lost.) Like a 128-bit CV, an arbitrary-length CV specifies key specifications and control parameters. Provides extra space to define or expand. Arbitrary length CVs are particularly easy to support because the tag positioning is arbitrary by itself. More particularly, the present invention provides a method for an arbitrary length CV to support a list of dates and times a key is used. The present invention also provides a method for embedding a security password in a control vector so that the key is not used except when the correct password is entered.

D. Embodiment Double Length Control Vector: In FIGS. 1 and 2 showing the first embodiment of the present invention,
A 64-bit control vector is conveniently extended to a 128-bit control vector. The additional 64-bits of the 128-bit control vector allow the cryptographic system and its users better control of cryptographic keys.

The differences between FIG. 1 and FIG. 7 are as follows. In the system shown in Fig. 1, 46L is CL of register 40L and K is register 42L.
KL is exclusive ORed to become KKL + CL, register at 46R
CR of 40R and KKR of register 42R are exclusive ORed to KKR +
It becomes CR. In FIG. 7, C was XORed with KKL and KKR to become KKL + C and KKR + C. That is, in FIG. 7, the same 64-bit control vector is exclusive-ORed with both the left and right bits of KK, but in FIG.
A separate 64-bit control vector is XOR'ed with each bit part of KK. Other than that, FIGS. 1 and 7 are the same.

For the sake of simplicity, the case of encrypting K with a 64-bit control vector and KK in Fig. 7 is written as e * KK.C64 (K).
The case of encrypting is written as e * KK.C128 (K). The output result Y in FIG. 7 is Y = e * KK.C64 (K). Similarly, the output result Y in FIG. 1 is Y = e * KK.C
It becomes 128 (K).

The differences between the system of FIG. 2 and FIG. 8 are as follows. In the system of Fig. 2, register 46L and register 40L
CL of register 42 and KKL of register 42L are exclusive ORed to KKL + CL
Therefore, register 46R and register 40R CR and register 42R
The exclusive KOR of KKR is KKR + CR. In FIG. 8, C is XORed with KKL and KKR to become KKL + C and KKR + C. That is, the difference between FIG. 2 and FIG. 8 is that separate 64-bit control vectors are exclusive-ORed with each bit part of KK.

7 and 8 only show that C = CL = CR
It can be judged that it is the same as the figure and FIG. In other words, if the method using the 128-bit control vector is reduced, the left half bit part and the right half bit part are equal to C
And a way to use 64-bit control vectors. That is
The 64-bit control vector is a degeneration of the 128 part of C, the 128-bit control vector. 1 and 2
The advantage of the figure is that the control vector can be doubled without extra effort and expense. In fact, the 64-bit control vector definition (Figs. 7 and 8) and the 128-bit control vector definition (Figs. 1 and 2) have structural or practical advantages. Hardware and software that implements 64-bit control vectors can easily support 128-bit control vectors. Both are performed by triple cryptographic operations involving various keys emanating from KKL and KKR. The encryption procedure is exactly the same. New hardware and software implementing 128-bit control vectors will be able to support 64-bit control vectors by simply setting CL = CR at the soft level. As a result, both 64-bit and 128-bit control vectors are transparent to cryptographic hardware.

Arbitrary length control vector: In FIGS. 9 and 10 showing the second embodiment of the present invention,
64-bit control vectors are conveniently extended to arbitrary length control vectors. The myriad of bits provided by this system allows for maximum degree of cryptographic key management control.

FIG. 9 shows the 64-bit encryption key K of the register 44.
To the 128-bit key encryption key KK (KKL
A concatenation of KKR. KK = KKL // KKR) and an arbitrary length (that is, infinite) vector Cinf of the register 90 for encryption. The operation is as follows. First, the hash function processing device 92 calculates a public one-way hash function of Cinf, and outputs a 128-bit hash value composed of the left half 64-bit ML read into the register 94L and the right half 64-bit MR read into the register 94R. It is impossible for the one-way function performed by the processing device 92 to calculate the input data to the function from the output result of the function in terms of computational processing, but it is easy to calculate the output result from the input data. It has a property. One-way functions are detailed in the prior art. W. Diffie et al., "New Directions for Cryptography" (1976, IEEE Report on Information Theory, IT-22,
No. 6, pp. 644 to 654), the strict definition of the one-way function is as follows.

The function f is called a one-way function in the following cases. f
Although y = f (x) can be easily obtained for all x in the region of, even if the value of y and the function of f are used,
F (x) = y for most y in the region
Is a function that cannot be executed at all due to computer processing.
What is important is that this function is defined as not reversible from the point of view of arithmetic processing, which is different from irreversibility which is usually mathematically called. The function is "irreversible" when there are different points x1 and x2 such that the solution at point y is not unique, ie f (x1) = y = f (x2). What is described here is not the difficulty of the back calculation, but rather f (x) = with the value of y and the function of f.
It is much more difficult to calculate x that is y.

The algorithm for calculating the modified search code (see FIGS. 11, 12, and 13) makes the definition of the one-way function more stringent. According to the MDC algorithm, f (x1) = f (x
It is impossible to calculate x1 and x2, which is 2), in terms of computer processing. To meet this stringent requirement, MDC should be at least 128
It must have a bit length. Otherwise, a birthday-type offensive would be sought to find x1 and x2 such that f (x1) = f (x2).

The next operation in FIG. 9 will be further described. The exclusive OR device 46L calculates the exclusive OR of the 64-bit value ML of the register 94L and the 64-bit value KKL of the register 42L, and the exclusive OR device 46R calculates the 64-bit value MR of the register 94R and the register 42R. Finds the exclusive or of the 64-bit value KKR. Instead, in the encryption device 41, the K in the register 44 is encrypted by KKL + ML, by the non-encryption device 43 by KKR + MR, and by the encryption device 45 by KKL + MK. The resulting Y is written as e * KK.Cinf (K). (“+” Indicates an exclusive OR operation.) FIG. 10 shows encryption from the 128-bit key encryption key KK (KKL and KKR) of the register 42 and the arbitrary length control vector Cinf of the register 90. Encryption key K of register 44
It is a system that does not encrypt the 64-bit value Y that is. First
The procedure of FIG. 10 is basically the reverse of that of FIG. First, the hash function processing device 92 calculates the public one-way hash function of Cinf (in the same manner as the public one-way hash function of FIG. 9), and outputs the 128-bit values ML and MR. Then ML and KKL,
The exclusive OR of MR and KKR is calculated and KKL + ML and KKR + MR are issued. Instead, K is non-encrypted by KKL + ML in the non-encryption device 47, encrypted by KKR + MR in the encryption device 48, and non-encrypted by KKL + ML in the non-encryption device 49.
In short, e * KK.Cinf (K) is unencrypted by * KK.Cinf to reproduce K.

The public one-way hash function calculation method in the processing device 92 of the above embodiment uses a modified search code (MDC) calculation algorithm. MDC is described in the above-mentioned related patent application (e). FIG. 11 shows a simple MDC operation, MDCOP. MDC with two different systems here
To calculate. Fig. 12 shows 2 for each 64-bit input data.
The calculation of 128-bit MDC by the method with one encryption operation is shown. Figure 13 shows 4 for each 64-bit input data.
The calculation of 128-bit MDC by the method with one encryption operation is shown. In both methods, it is necessary to divide the plaintext arbitrary-length control vector input data into 64-bit blocks, and a hexadecimal "FF" is embedded in the final block for confirmation. Plain text is processed sequentially by the MDC algorithm until all blocks are completed. The output result of the function is 128-bit MDC.

In the case of Cinf, the control vector is divided into blocks of C1, C2, ..., Cn. Hexadecimal'FF 'is embedded (depending on the number of bytes) in the lowest part of Cn to form 8 bytes. This embedding is done by cryptographic hardware (which is a necessary part of the public one-way hash function itself). The blocks C1, C2, ..., Cn are operated on by the MDC algorithm (encrypted twice or four times per block) to generate a 128-bit MDC. KKL + for the exclusive OR of the left half (ML) of 128-bit MDC and KKL
Issue ML, right half of 128-bit MDC (denoted as MR) and KK
KKR + MR is issued for exclusive OR with R.

It is very important to calculate the 128-bit hash value of the arbitrary length control vector using a strict one-way function like the MDC algorithm in order to perform the strict security protection. This is two different effective control vectors C1
, And C2 (but yielding the same hash value) are required to be discovered. If MDC (C1) = MDC (C
If C1 and C2 are found in 2), the processing integrity is violated. To explain why, as an example
C1 is a control vector that only encrypts data, and C2 is a control vector that only decrypts data. Knowing that the encrypted data key has the control vector C1, an intruder can easily break the security by simply specifying C2 instead of C1. That is, the intruder passes the encrypted data key and C2 to the unencrypted instruction along with the obstructed ciphertext (which the user did not know to have encrypted with the data key). The non-encrypted instruction cannot detect that C2 is invalid, and the correct data
There is no way to prevent the key from being replayed internally in CF, and the data will be unencrypted.

FIG. 22 illustrates how the hash function processing device 92 is connected to the bus 12 by the cryptographic mechanism (CF) 4. Although the hash function processing device 92 is also a part of the cryptographic processing device 16,
It may be separated and connected to the bus bar 12. The hash function processing device 92 executes the above-described public one-way hash function of the control vector.

Cryptographic Separation in Control Vector: It can be determined according to the present invention that cryptographic processing executed only with 64-bit control vector, only 128-bit control vector, and only arbitrary-length control vector is performed safely. However, there are systems where these coexist in the same cryptographic system and where such coexistence is necessary. In this case, the separation of cryptographic processing methods is absolutely essential for cryptographic security. In other words, even if the key is encrypted using one control vector specification method, it is possible to prevent an intruder from cheating on the encryption hardware that can receive the encryption key based on another specification method. I have to For example, let e * KK.C128 (K) represent a key encrypted by a 128-bit control vector. In this case, e * KKC.128 (K) is the key encrypted by the 64-bit control vector by the method in which the cryptographic hardware decrypts e * KK.C128 (K) and reproduces K. I can not say. This is because C128 and C64 may have conflicting uses, such that C128 does not allow the use of certain keys, but C64 does.

One difficulty with the above specifications is clear. In a particular implementation, assume that the left and right halves of a 128-bit control vector are equal (reasonably) and CL represents a valid 64-bit control vector C. Let's deliberately illustrate the problem. Bit 13 of CL, CR and C set = B
'1' and all other bits are set = B'0 '. Bit 13 = B'1 'in CL means that the encrypted cryptographic variable X (X is a key) is used only for data encryption. CR bit 13
Restricts the encryption operation in some way (eg, prompts for password input first, or allows encryption operation only from 8 am to 4 pm). However, the bit 13 of the control vector C (64-bit control vector) is X
Is used for data encryption. Y is CL,
Given the encrypted value of X using CR and KL, KR, the intruder could request the cryptographic device to decrypt Y using C and KL, KR. In the latter case, the intruder can decrypt the data with X.

The cryptographic properties required in this case will be described below. It is assumed that C64, C128, and Cinf are methods of encrypting the key K with KK using a 64-bit control vector, a 128-bit control vector, and an arbitrary length control vector, respectively. Let i be one of these three schemes and Y be the encryption of K by KK using i. If j is one of the three schemes but not i, then the cryptographic hardware must meet the following: When Y and j are passed to the hardware (that is, if the intruder spoofed as j even though the method of i was taken), the cryptographic hardware reliably detected the fraud and interrupted the operation. Or, it must produce an indeterminate value K '(not K) that has no meaning to the intruder.

FIG. 14 shows a method of separating the three control vector definitions in a general manner. This method uses 64 for each control vector.
MDC calculated by bit part and arbitrary length control vector
Use the 2-bit field (bits i and i + 1) of each 64-bit portion of The bits do not overlap the key parity bits. This bit is the same as the encrypted value e * KK.C64 (K) for all C64 and the encrypted value e * KK.C128 (K) for all C128.
It is a value assigned for K and KK, as different from the encrypted value e * KK.Cinf (K) for inf. . This prevents the encrypted K from being unencrypted by one or more control vectors. Using anything other than the correct control vector results in K ', not K.

Control Vector Check: The control vector check for a 128-bit control vector is similar to that for a 64-bit control vector, except that all 128-bit control vectors are subject to check. Therefore, the logic of the 64-bit control vector check described in FIG. 6 is also the case of the 128-bit control vector check except that the 128-bit control vector is used for the input data to the encryption device instead of the 64-bit control vector. Is the same as.

The control vector check for an arbitrary length control vector is similar. The check is vector-based, except that the existence of very long control vectors is possible and therefore more control vector bits and fields are checked. When an arbitrary length control vector is used, control vector checking is based on the control vector itself, rather than the 128-bit hash one-way function of the control vector. The hash value is calculated only inside the encryption device. This does not go out of the encryption device and is passed from the device to the device or from the encryption device to the encryption device, and is not saved and re-entered like a control vector. (Control vectors and hash functions are usually available, and confidentiality is not lost, even if the hash value leaks out. A secret password is embedded in the control vector, as described in another embodiment of the invention. The data structure of the tag position value and the position control vector: As shown in FIG. 15 (a) of the present invention, the arbitrary length control vector C is a continuous fixed position dependent field (example: It may consist of field 1, field 2, ..., Field n). One field has one or more bits, and has a predetermined meaning, interpretation, and fixed usage. The 64-bit control vectors appearing in the aforementioned Mathias et al. Related patent applications (b), (c) and (d) use position dependent field and bit definitions.

As in FIG. 15 (d) of the present invention, the arbitrary length control vector C may consist of a field defined by a field identifier rather than a position in the control vector. Such a tag positioning data structure consists of multiple fields as shown in FIG.
As shown in FIG. 15B, it is composed of a fixed length field identifier, a fixed length field and variable length data.

As in FIG. 15 (e) of the present invention, the arbitrary length control vector C may consist of a field defined by a field identifier (ie, tag), but here the field length is not a length field, Determined by a fixed length field delimiter placed at the end of the data. Such a tag positioning data structure is shown in Fig. 15 (e).
As shown in FIG. 15, it is composed of a plurality of fields. These fields are composed of a fixed length field identifier, variable length data and a fixed length field delimiter as shown in FIG. 15 (c).

As in FIG. 15 (f) of the present invention, the arbitrary length control vector C may consist of both a continuous position dependent field portion and a tag positioning portion. In this example, a fixed length position dependent portion appears first in the control vector, followed by a variable length tag locator portion. The position-dependent field part consists of a 128-bit field definition that corresponds to a 128-bit control vector, and the variable-length tag positioning part consists of a control vector extension that corresponds to the 128-bit fixed part of the control vector. The structure is particularly convenient.

As can be judged up to this point, by using various methods, arbitrary-length control vector execution can be performed structurally easily and with a small storage area and processing, and 64-bit control vector / 128-bit control vector / 128 bits in the same cryptosystem or network or connected device. In a mixture of control vector / arbitrary length control vector execution,
It can be done while maintaining compatibility.

Confidential password and control vector: By incorporating the confidential password in the control vector when using the encryption key, it is possible to perform more detailed control of the encryption key usage. This is particularly useful for applications that require a very high level of security or employ strict control criteria (ie, control of access to cryptographic keys) during cryptographic processing.

FIG. 16 shows an outline of a data processing system having a cryptographic mechanism. In FIG. 16, the data processing system 2 executes the program so that the cryptographic mechanism has access to the program and the application (as shown in FIG. 2 of the related patent application (b) of Mathias et al., Supra). This program issues a processing request for the cryptographic key associated with the control vector. The general form of the control vector is shown in FIG. 10 of the above-referenced related patent application and is modified and extended by the present invention (detailed below). The control vector defines a certain function. The associated key is authorized by the creator of the key to perform that function. According to the related patent application mentioned above, the cryptographic structure defines a system that authenticates the key management functions that the program seeks for cryptographic keys and ensures that they have been authorized by the creator of the key.

As shown in FIG. 16, included in or connected to the data processing system 2 is a cryptographic mechanism 4 having a security boundary 6. The I / O path 8 passes through the security boundary 6 to receive the cipher offering request, the cipher key and the associated control vector from the program. The security boundary 6 includes a cryptographic instruction storage device 10 connected to the input / output path 8 by a bus 12. The control vector checking device 14 leads to the command of the storage device 10, and the cryptographic processing device 16 also leads to the command of the storage device 10. The master key storage device 18
Connect to the cryptographic processing device 16. In response to the provided request received, the cryptographic mechanism 4 creates a secure storage location for performing the key handling operation.

The cipher command storage device 10 receives a cipher provision request on the input / output path 8 to execute a key handling operation with a cipher key. The control vector inspection device 14 has an input / output path 8
Receives the control vector associated with the cryptographic key with input data leading to. The control vector inspection device 14 also
It also has input data to connect to the cryptographic instruction storage device 10 and receives a control signal which initiates a check to see if the control vector permits the key management operation requested by the cryptographic provision request.

The control vector checking device 14 has a permission output 20 connected to the input data of the cryptographic processing device 16 and informs that the key management operation is permitted. When the cryptographic processing device 16 receives the permission output, the handling operation execution requested by the cryptographic key starts. The cryptographic key storage device 22 is connected to the control vector checking device 14 on the input / output path 8. The encryption key is encrypted under the storage key (the associated control vector and the logical operation result of the master key stored in the master key storage device 18), while the encryption key storage device 22 is encrypted. Store the encryption key in the form. The result of this logical operation is written as KM.C. KM is a 128-bit master key, C
Is the control vector. If the cryptographic provision request requires more than one key and control vector, all control vectors must be examined, all discovered correctly, and a grant signal issued to the cryptographic processor 16.

The encryption key is reproduced from the encryption key storage device 22 when, for example, the encryption command storage device 10 receives the encryption provision request for reproducing the encryption key from the encryption key storage device 22 on the input / output path 8. is there. Then control vector inspection device
14 responds, and the line 20 gives the cryptographic processing device 16 a permission signal that the cryptographic key reproducing operation is permitted. The signal processing device 16 receives the encrypted cryptographic key from the cryptographic key storage device 22 in response to the authorization signal on line 20 and stores the storage key (the associated control vector and the saved master of the master key storage device 18). -Decrypt it under the logical operation result of the key).

The storage key is the result of the exclusive-or of the associated control vector and the master key stored in the master key store 18. The result of the logical operation in the above embodiment is also an exclusive OR operation, but this is a different kind of logical operation.

The control vector is stored in the cryptographic key storage device 22 along with the associated cryptographic key. Since all keys are stored in the encryption key storage device 22 under the master key, encryption / decryption of the encryption key is possible under the unified system.

Shown in Figure 16 of the present invention is a system that incorporates a secret password into a control vector. As shown in FIG. 16, the encryption key storage device 22 together with the encrypted key
The control vector stored in has a password field. However, the password is confidential and is not stored in the control vector. The password field in the control vector is set to zero (ie all bits are zero). Therefore, if the length of the password field is 56 bits, 56 zero bits will be set. The confidential password itself is passed through the separated password channel 32 connected to the input / output path 8 to the encryption mechanism 4
Issued to. Therefore, a user who has the right to access the encryption key can obtain a copy of the confidential password in advance. If a cipher provision request is made using a key whose control vector has the password, the user must enter the password in clear text as an additional parameter to the cipher provision request. Thereafter, the control vector inspection is performed as described above, and the control vector inspection device 14 outputs a permission signal on the line 20 to the cryptographic processing device 16 in response to the cryptographic key reproduction operation. The control vector checking device 14 does not check the password field of the control vector. Thereafter, the cryptographic processing unit 16 responds to the permission signal by transmitting the encryption key encrypted from the encryption key storage unit 22 on the line 20 and the separated password channel connected to the input / output path 8 connecting to the bus 12.
Receive a plaintext password through 32. The password is inserted into the control vector to complete the control vector, N
Performed by a hash function generator that produces a bit hash value. Key reproduction is performed as usual. That is, the encrypted key is unencrypted under the storage key. This memory key is N bits of the control vector
It is a logical operation result of the N-bit master key stored in the hash value and master key storage device 18.

The password is not checked as a part of the key reproduction process or the cipher provision request process, but the check is unnecessary. Once the key is generated, it is encrypted under the hash value of the control vector with the embedded password. If the user then inputs a wrong password when the key is regenerated, the encryption key is actually unencrypted under the storage key that is the logical operation result of the fraud control vector and the master key. Is used for cryptographic command processing by reproducing an indeterminate and unexpected key. For cryptographic instructions,
In the related patent application (b) of Matthias et al., Discussed above, cryptographic instructions are discussed when one or more illegal keys are played, and when the output result of the instruction is invalid or valid.

FIG. 17 shows some examples of how to embed a password in the control vector. FIG. 17 (a) shows a case where the password is the position dependent field of the control vector, and FIG. 17 (b) shows a case where the password is the field of the tag positioning structure having the field identifier, the field length and the data. FIG. 17 (c) shows a case where the password is a field of a tag positioning structure having a field identifier, data and a delimiter. Inclusion of the password field in the control vector to allow cryptographic key usage can be conveniently accomplished by these or any other method.

FIG. 20 looks at the cryptographic mechanism 4 from a different perspective, showing encryption with a control vector that incorporates a password (either plaintext or ciphertext). The control vector of register 90 is of arbitrary length and has an empty (all zeros) field as shown in FIGS. In the staging register 91, the empty field is populated with the user password provided from the password input device 32 prior to entering the control vector with the embedded password into the hash function processor 92. The hash function processing device 92 outputs an N-bit hash value having both the control vector and the user password. N-bit hash value is logical
At 46, the N-bit key encryption key KEK is XORed to generate the calculated N-bit key value, which is the input key to the encryption device 41. The ciphertext output from the encryption device 41 is specified by the N-bit hash value that has both the control vector and the password. Similarly, the non-encryption is performed by replacing the encryption device 41 with the non-encryption device 47 of FIG. If the ciphertext is decrypted and the user enters the wrong password and it is given to the control vector, the hash value will not be the correctly calculated key value and the decryptor 47 will Unable to generate plaintext.

Time Interval and Control Vector: By incorporating date and time information in the control vector,
A finer encryption key allows use control. This concept can be implemented in several different ways, but basically, the control vector is one or more time intervals that describe when (in response to the cryptographic provision request) such cryptographic keys are processed. Incorporate. More granularity can be obtained by limiting access to keys by the type and parameters of the instructions in the instruction. For example, code the control vector so that the key can be used in encrypted instructions during the first period, and the key can be used in unencrypted instructions during the second period (not equal to the first). That is the case. Similarly, access to the key can be altered by system parameters other than the type of instruction. For example, activating the key in system A in the first period and activating the key in system B in the second period. It will be appreciated that the linking of the time period with the instructions, the system, the user, etc. can take place in various ways. These methods are not specifically defined in the present invention, and are constructed based on the basic concept of incorporating time information in a control vector in some form. Incorporation of time information into the control vector requires very high levels of security, or applications that want to allow the use of keys only for a certain period of time (eg users with access rights to certain system resources). (If you do not want to use all the functions until you reserve or purchase it, etc.)
It is especially effective.

FIG. 18 of the present invention shows a system having time information in the control vector. As shown in FIG. 18, the control vector stored in the cryptographic key store 22 along with the associated encrypted cryptographic key has a time interval field, which includes a start date and time, and an end date and time. Described as 1
It has the above time interval. Since the encryption mechanism 4 also has the real-time clock 34 connected to the bus 12, the control vector inspection device
14 can read the clock value on bus 12. Although not shown in FIG. 18, some devices set the initial value of the real-time clock for completeness. For example, in a system that includes a portable key input device connected to a secure front panel input port with a physical key activation key switch for master key input (see Related Patent Application (b) above by Mathias et al. The real-time clock 34 is initialized (in the same manner as the initialization of the master key 18). Two switches can be used with the same portable key input device to enter the clock value into the real-time clock register 34. Other techniques are also used to initialize clock values. The other components in FIG. 18 are the same as those in FIG. Even when the time information is incorporated in the control vector and the cryptographic device has a real-time clock (FIG. 18), the processing of the cryptographic provision request is performed in the same manner as the method described above. According to FIG. 18 of the present invention, when a cipher provision request is issued and it uses a key with a control vector having the time interval field, the processing is as follows. . The control vector check proceeds as described above, but with additional checks depending on the stored time information. (The control vector may or may not have a password, but the encryption key management at that level is not changed by the inspection at the time interval described here.) Referring to FIG. 18 and FIG. Device 14 accesses the current real-time clock value provided by clock 34 and a check is made to determine if the clock value is within the time interval described in the control vector. If there is more than one time interval in the control vector, the clock value must be somewhere within these time intervals. (However, it does not have to be within an interval of 1 or more.) When the inspection and the inspection of the remaining part of the control vector are passed, the control vector inspection device 14 responds to the line 20 to the cryptographic processing device 16 by the line 20. , Issues a permission signal that the encryption key reproduction operation is permitted. The cryptographic processing device 16 responds to the authorization signal on line 20 to receive the encrypted cryptographic key from the cryptographic key storage device 22,
Decrypt it under the storage key (the associated control vector and the logical operation result of the master key stored in the master key storage 18).

As shown in FIG. 21, the control vector checking device 14 accesses the real time clock 34 and compares the actual time with the period described in the control vector C. The control vector checking device also checks whether the control vector C may be used as specified by the input of the cipher provision request. If both tests pass, a permission signal is issued on line 20 and the arbitrary length control vector C is transferred to the hash function processor 92.
It becomes the input data to and is converted into the N-bit hash value C '. Next, the N-bit hash value C ′ is exclusive-ORed with the N-bit key encryption key KEK by the exclusive OR 46, and the calculated value of N bits becomes the input key to the non-encryption device 47. Play the value. (By replacing the non-encryption device 47 and the encryption device 41 in FIG. 21, encryption can be performed in the same procedure.) FIG. 19 is a further refinement of the time interval field of FIG. is there. In particular, FIG. 19 (a) shows a time interval field in which there are one or more time intervals consisting of a start date / time and an end date / time. The method of encoding these fields and time units (hours, minutes, seconds, etc.) is beyond the scope of this invention. In the method shown in FIG. 19 (b), since the time interval is associated with a specific instruction, the key processing depends on the instruction requesting the processing. Figure 19 (c)
In the method shown in, the keying is dependent on the system in which the key is used because the time interval is associated with a particular system. Therefore, the cryptographic device must provide the system ID to the control vector checking device 14. System ID is 18th
Although not shown in the figure, it is stored entirely in a cryptographic mechanism and accessed as needed. The system ID is initialized and enters the cryptographic mechanism in a manner similar to that of initializing the master key and real-time clock values (described above). Similarly, although not specifically shown, the time interval field is implemented in a manner similar to the password field shown in FIG. That is, the time interval can be either a fixed position dependent field or a tag positioning field in the control vector and can be implemented by any of the methods shown in FIG. (Except when the password field is replaced with the time interval field.) In the above embodiment, the encryption device 41 and the non-encryption device 47.
Uses the ANSI Data Encryption Algorithm (DEA). This is a standard cryptographic algorithm for practical data protection products, and is standard ANSI X2.92 (1981
Year), "Data Encryption Algorithms". DEA is a symmetric block algorithm ciphertext algorithm that encrypts 64-bit plaintext with a 56-bit secret key to form a 64-bit ciphertext. The DEA key is usually
It has one parity bit per byte, forming a 64-bit key. DEA is the International Bureau of Standards (Nationa
l Bureau of Standards) It is also called DES because it is the basis of the official Federal Data Encryption Standard. However, the other embodiments of the encryption device 41 and the non-encryption device 47 are adapted to a more specific application program. Other encryption algorithms with different keys and block sizes than DEA can also be used.

The public one-way hash function executed by the hash function processing device 92 in the above embodiment is the modified search code (MD) described in the related patent application (e) of Brachel et al.
C) Although the calculation algorithm is used, another hash function is used in accordance with the present invention to set an arbitrary length control vector of the storage register 90 to a length different from that of the exclusive OR with the key. It can also be converted into a hash value. To perform an exclusive OR according to the present invention, if the key length is 64 bits, the hash value must also be 64 bits. If the key length is 128 bits, the hash value must also be 128 bits. In order to obtain the exclusive OR of the hash value and the key with the exclusive OR 46 according to the present invention, if the length of the alternative key value is used,
Alternate hash values of equal length must be used. Part of the hash value is XORed with part (or all) of the keys that have the same bit length.

In another embodiment of the invention, the clear key may be stored in the cryptographic mechanism for immediate cryptographic processing.
In the example of FIG. 22, the clear key is stored in the working storage area 24. In the first method, each key and associated control vector pair is stored in the random access memory (RA) of the cryptographic device.
M) That is, stored in the working storage area 24. During routine operation to access a key, the associated control vector is first accessed and a control vector check is performed as described above to ensure that key usage is permitted.
If authorized, the key is accessed from working storage and used for intra-cryptographic operations. In the second method,
The result of the exclusive OR of the hash value of the key and its associated control vector is stored in working storage in the cryptographic mechanism.
The arbitrary length control vector itself is stored in the working storage area together with the operation result of the key and the hash value, or passed to the input path 8. During routine operation to access a key, the associated arbitrary length control vector is first accessed from working storage or first received on input path 8 to ensure key usage is authorized. Therefore, the control vector inspection is performed as described above. If allowed, the arbitrary length control vector is processed through a hash function processor 92 that produces a hash value. Then, the result of the exclusive OR of the hash value of the key and its associated control vector is accessed from the working storage area and the exclusive OR of the hash value calculated by the hash function processing device 92 is performed, and the requested cryptographic operation is performed. Generate a key used in. A third method for 128-bit keys and 128-bit hash values is to XOR the left half of the key with the left half of the hash value into working storage and the right half of the key with the hash value. XORed with the right half and saved in working storage. In the fourth method, if the key is a 64-bit key and the hash value is a 128-bit hash value, the 64-bit key is XORed with the left half of the hash value and stored in working storage, and XORed with the right half and saved in working storage. Neither of these methods speeds up the process because key encryption / non-encryption operations need not be tied to rekey (as long as the key is stored in plaintext within the security boundary of the cryptographic mechanism). To do. Logical operations other than exclusive-or can also be used to combine the control vector hash value and the associated key and store in working storage 24.

E. Effect of the Invention As described above, according to the present invention, the technique of encryption key management is improved.

[Brief description of drawings]

FIG. 1 is an explanatory view of the first embodiment of the present invention, in which a 64-bit encryption key K is a 128-bit key encryption key KK (consisting of a left half 64-bit KKL and a right half 64-bit KKR), and
A system for encryption with a 128-bit control vector C (consisting of a left half 64-bit CL and a right half 64-bit CR) is shown. FIG. 2 is an explanatory view of the first embodiment of the present invention, in which the 64-bit encryption key K encrypted by the 128-bit control vector and the 128-bit key encryption key by the method of FIG. Shows the system to be converted. FIG. 3 is a diagram of a cryptographic device network coupled via a cryptographic distribution channel. FIG. 4 is a diagram of the basic components of the cryptographic device. FIG. 5 is a diagram showing a processing order in the cryptographic device component that generates the processable key K. K is the master key
Encrypted by KM and control vector C and stored in key store. The application processable key K through an index or label that leads to the key in storage.
To access. FIG. 6 is a diagram showing a general procedure for implementing a cryptographic instruction in the CF. In Fig. 7, the 64-bit encryption key K is converted to the 128-bit key encryption key KK (left half 64-bit KKL and right half 64-bit KKR).
FIG. 4 is a diagram of a system for encryption with a 64-bit control vector C. FIG. 8 is a diagram of a system in which the 4-bit encryption key K encrypted by the procedure of FIG. 7 is unencrypted by the 128-bit key encryption key KK and the 64-bit control vector C. FIG. 9 is an explanatory view of the second embodiment of the present invention, in which a 64-bit encryption key K is a 128-bit key encryption key KK (consisting of a left half 64-bit KKL and a right half 64-bit KKR), and The system which encrypts by arbitrary length control vector Cinf is shown. FIG. 10 is an explanatory diagram of the second embodiment of the present invention, in which the 64-bit encryption key K encrypted by the arbitrary length control vector and the 128-bit key encryption key by the method of FIG. Shows the system to be converted. FIG. 11 is an explanatory diagram of the modified search code operation (MDCOP). MDCOP is used for two to four encryptions per modified search code (MDC) algorithm block. The drawings show the MDCOP algorithm in text and schematic form. FIG. 12 shows the case where the encryption is performed twice for each block of the modified search code (MDC) algorithm, and FIG. 13 shows the encryption performed four times for each block of the modified search code (MDC) algorithm. The case is explained. Figure 14 shows three CV methods (64-bit CV, 128-bit CV,
It is a figure which described the method of isolate | separating arbitrary length CV) by encryption processing. A control vector exclusive-ORed by the key encryption keys KKL and KKR is shown for each method. The fixed bit fields in the write vector are defined according to the particular coding used to separate the three methods. FIG. 15 is classified into (a) to (f) and shows the data structure of the arbitrary length control vector. FIG. 16 is a diagram showing a cryptographic processing system that incorporates a security password into a control vector. FIG. 17 illustrates some examples of incorporating a password into a control vector data structure. FIG. 18 is a diagram showing a cryptographic processing system that incorporates time information into a control vector. FIG. 19 illustrates some examples of incorporating time information into a control vector data structure. FIG. 20 is a diagram showing encryption by an arbitrary length control vector in which a password is incorporated. FIG. 21 is a diagram showing a time interval check and non-encryption by an arbitrary length control vector. FIG. 22 is a diagram showing an encryption mechanism of an arbitrary length control vector.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor William Shy Arnold Mahopatsk, New York, USA, Earl Day 2, Utdland Road (no street number) (72) Inventor Donald Biey Jonsson, Virginia, United States Brantzville Road, Manassas, 9430 (72) Inventor Lameilles Kay Khan, Cohen Ridge Drive, 13613, Henden, Va., USA (72) Inventor Ann Vui Li, South Columbus, Arlington, Va., USA Street 4217 (72) Inventor Lostaslaw Primatsk Fairway, Dumfries, Virginia, United States Drive 15900 (72) Inventor Steve Earl White No. 33 Park Ave New, 33 New York, New York, United States (72) Inventor Jyon Day Wilkins P. O. Boxes, Summerville, Virginia, United States No. 8 (56) References IEICE Technical Report IT86-53 "ID-based key distribution method" Eiji Okamoto

Claims (17)

[Claims] 1. A data processing system for outputting a cryptographic service request for an operation related to a cryptographic key, said cryptographic key being associated with a control vector defining a function permitted to be performed by its creator, And a control vector input for receiving a control vector of a given length associated with an N-bit encryption key, concatenated with the control vector input. And an input for receiving a cryptographic service request, check whether the control vector permits the cryptographic function requested by the cryptographic service request, and if so, The control vector has a means for outputting a permission signal, an input connected to the control vector input, and an N-bit output. A hashing means for mapping, a key input for receiving the N-bit encryption key, a first input connected to the N-bit output of the hashing means, and a second input connected to the key input. Logic means for outputting to the output a calculated key value, which is the result of the logical operation of the N-bit key and the N-bit hash value, and a first input for receiving input information. A key value input coupled to the output of the logic means, the cryptographic conversion means forming cryptographically converted output information of the input information using the calculated key value, The cipher conversion unit is connected to the output of the permission signal from the control vector checking unit, and the control vector checking unit determines that the requested cryptographic function is not permitted by the control vector. If so, the encryption device stops forming the output information. 2. The encryption device according to claim 1, wherein the control vector has a length exceeding N bits. 3. The encryption device according to claim 1, wherein the control vector has a tag definition field that selectively determines the meaning of other fields in the control vector. 4. The control vector has a field that determines a period during which an N-bit encryption key associated with the control vector can be used, and prohibits the use of the encryption key at other times. The cryptographic device according to claim 1, wherein: 5. The control vector of claim 1 having a field for a user password to prevent unauthorized use of the N-bit encryption key associated with it. Cryptographic device. 6. The control vector has a field uniquely representing its length class, and the N-bit hash value generated by said hashing means is N for a second control vector having a different length class. The cryptographic device according to claim 1, wherein the cryptographic device is not equal to the bit hash value. 7. A control vector further comprising a password input, the control vector having an empty field reserved for a password received from the password input, the control vector having the password inserted in the empty field. The cryptographic device according to claim 1, wherein is input to the hashing means. 8. The cryptographic device of claim 7, wherein an empty field of the control vector is identified by an associated field descriptor in the control vector. 9. Further comprising real-time clock means coupled to said control vector checking means for providing a value indicative of time, said control vector having a time interval within which its associated N-bit cryptographic key can be used. Has a designated field, said control vector checking means accessing said value indicative of said time from said real time clock means, said value indicative of said time being within a time interval designated by said control vector The cryptographic device according to claim 1, wherein if the value indicating the time is not within the time interval, the output of the permission signal is prohibited. 10. The cryptographic device of claim 9, wherein the control vector specifies a time interval during which the associated N-bit cryptographic key is available for a designated cryptographic instruction. 11. The cryptographic device of claim 9, wherein the control vector specifies a time interval during which the associated N-bit cryptographic key is available in a designated data processing system. 12. The cryptographic device of claim 9, wherein the control vector specifies a time interval during which the associated N-bit cryptographic key is usable by a designated user. 13. A data processing system for outputting a cryptographic service request for an operation related to a cryptographic key, wherein the cryptographic key is associated with a control vector defining a function permitted to be performed by its creator, and is 2N bits. A cryptographic device enabling the use of a long control vector, said control vector input for receiving a 2N bit long control vector associated with a 2N bit long cryptographic key, said control vector being N The control vector input has a left part CL of bit length and a right part CR of N bit length, and the encryption key has a left part KKL of N bit length and a right part KKR of N bit length. , CL and KKL are received, and first logical block means for calculating KKL + CL, which is the result of the exclusive OR operation as the first key value, and CR and KKR, are received as the second key value. sum First encryption means having a second logic block means for calculating the result KKR + CR, a plaintext input, an input for receiving the first key value, and an output; A non-encryption means having an input connected to the output of the encryption means, an input for receiving the second key value, and an output; an input connected to the non-encryption means; A second encryption means that has a key input for receiving the first key value and an output, and that generates a ciphertext that is a modification of the plaintext text input to the first encryption means. Cryptographic device. 14. A data processing system for outputting a cryptographic service request for an operation related to a cryptographic key, wherein the cryptographic key is associated with a control vector defining a function permitted to be performed by its creator, and is 2N bits. A cryptographic device enabling the use of a long control vector, the control vector input for receiving a 2N bit long control vector associated with a 2N bit long cryptographic key, concatenated to the control vector input. Has an input and an input for receiving a cryptographic service request, checks whether the control vector permits the cryptographic function requested by the cryptographic service request, and if so, sends a permission signal. And a control vector checking means for outputting the control vector, the control vector having a left portion CL having an N-bit length and a right portion CR having an N-bit length, Has a left portion KKL having an N-bit length and a right portion KKR having an N-bit length, and further receives CL and KKL to generate a first key value, which is an exclusive OR operation result KKL + CL. One logic means, a second logic means for receiving CR and KKR and generating a second key value, KKR + CR as a result of an exclusive OR operation, an input for receiving ciphertext, and the first A first non-encrypting means having a key input for receiving the key value and an output; an input connected to the output of the first non-encrypting means; and a second key value for receiving the second key value. An encryption means having a key input and an output; an input connected to the output of the encryption means; a key input for receiving the first key value; and an output, the first non-input A second non-encryption means for generating a plaintext from the ciphertext input to the encryption means. That the cryptographic device. 15. A data processing system for outputting a cryptographic service request for an operation related to a cryptographic key, said cryptographic key being associated with a control vector defining a function permitted to be performed by its creator, A cryptographic method allowing the use of a control vector having a length of: receiving a control vector of a given length associated with an N-bit cryptographic key, said control vector being requested by a cryptographic service request. A control vector checking step for checking whether the specified cryptographic function is permitted, a hashing step for mapping the control vector into an N-bit hash value, and a logic for the N-bit cryptographic key and the N-bit hash value. Forming a calculated key value, which is the result of the operation, and inputting using the calculated key value Cryptographically converting the information into output information; and in the control vector checking step, selectively forming the output information is prohibited if it is determined that the requested cryptographic function is not permitted by the control vector. A cryptographic method including steps and. 16. The cryptographic method of claim 15, further comprising the steps of receiving a password and inserting the password into an empty field of the control vector prior to the mapping step. 17. A step of checking whether a time value is within a time interval specified by the control vector, and forming the output information if the time value is not within a time interval specified by the control vector. 16. The encryption method according to claim 15, further comprising the step of: