KR20230016408A - Mobile portable device and method using cryptographic module validation program - Google Patents

Abstract

The present invention relates to a wireless portable device equipped with a verified cryptographic module and an encryption method thereof. A security communication method in the wireless portable device equipped with a verified cryptographic module comprises the following steps of: transmitting, by a control unit, an encryption preparation state request message for initialization to an encryption generating unit; initializing a security parameter by the encryption generating unit; checking whether the verified cryptographic module is malfunctioning by the encryption generating unit; transmitting, by the control unit, a ciphertext table generation start request message to the encryption generating unit; generating an encryption key by the encryption generating unit; transmitting, by the control unit, a ciphertext table transmission request message to the encryption generating unit; and transmitting a generated ciphertext table to the control unit. Therefore, the method has advantages of high-level security processing and low-power operation.

Description

Mobile portable device and method using cryptographic module validation program}

The present invention relates to a small wireless portable device equipped with a verified cryptographic module and operating at minimum power without an operating system, and an operation method thereof, which is not a cellular-based communication terminal operating in a licensed band, but is used for military or underground construction sites. It relates to a small wireless portable device of an unlicensed band that provides high-level secure communication even in special circumstances and an operation method thereof.

Generally, verified cryptography uses state-developed cryptography, and cryptographic algorithms and cryptographic keys are privately developed and include physical protection measures.

The Korea Cryptographic Module Validation Program (KCMVP) refers to cryptographic devices and information protection systems developed by the Director of the National Intelligence Service or verified for safety in Article 56 of the [Electronic Government Act] and Article 69 of the Enforcement Decree of the same Act. It means that the third party country certifies the safety and implementation suitability of the password.

In addition, the cryptographic module to be verified can be implemented in the form of software, hardware, firmware, or a combination thereof, and the KS XISO/IEC 19790 cryptographic module verification criteria must be followed.

Existing small wireless portable devices applied security algorithms such as the US standard AES or the international standard IDEA method, and were used in conjunction with equipment equipped with a separate KCMVP verified cryptographic module to large devices or communication devices.

Recently, there is an increasing demand for installing a KCMVP verified cryptographic module in a small portable wireless device, and it satisfies safety, dependability, and interoperability while maintaining original communication due to security algorithm processing. Alternatively, demand for minimizing delay for data security performance is also increasing.

As a prior art, Korean Patent Registration No. 10-0994161 discloses an invention related to a data security device and method in a small ad hoc radio, or secures stability and reliability of security through a security key that can be used only for a limited period of time There are problems with not being able to do it.

Japanese Patent Laid-open Publication No. 2014-002351 relates to a low-power block encryption device and method for mobile devices, but has a problem in that practical low-power consumption is not realized because an encryption key generation and a separate encryption/decryption step are not designed to be separated.

Korean Patent Registration No. 10-0994161 (2010.11.8.) Japanese Patent Laid-Open No. 2014-002351 (2014.1.9.)

Existing verified cryptographic modules have complex encryption algorithms and are mainly applied to large devices or systems based on operating systems, and require basic delay time and system stabilization time during booting due to interlocking with operating systems.

Recently, a portable wireless device without an operating system has begun to require the application of an encryption algorithm to enhance security.

However, portable wireless devices suffer from difficulties in applying internal encryption algorithms because communication functions are delayed due to encryption processing or use time is reduced due to additional power consumption.

Therefore, the present invention encrypts and decrypts voice or data by applying a verified cryptographic module to a portable device or wireless device without an operating system. Therefore, delay in voice or data transmission is minimized, smooth operation is possible, and operation time is extended by consuming minimum power.

In order to achieve the above object, as a secure communication method in a wireless portable device having a verified cryptographic module according to the present invention, when a control unit transmits an encryption preparation state request message for initializing the cryptographic module to the cryptographic generator, the encryption is performed based on this. Initialize the security parameters in the module, check the power application test, integrity and status information of the cryptographic module, check if the cryptographic module is malfunctioning, and if there is no malfunction, change it to the active state, and the cryptographic generator is the control unit, and the encryption is ready send response message

When the control unit transmits a message requesting the start of generation of a ciphertext table for the encryption generation code, the encryption generation unit stores a plurality of encryption keys generated through the verified encryption module in the encryption table, and receives a ciphertext table transmission request message from the control unit. Characterized in that the encrypted text table is transmitted.

In order to achieve the above object, a wireless portable device having a verified cryptographic module according to the present invention includes an input/output unit for receiving or outputting voice or data; a password for managing a verified cryptographic module, managing an encryption key, and returning an encryption key. A control unit that requests encryption key generation from the generation unit and the encryption generation unit, receives the return encryption key, generates encryption result values and decryption result values, and XOR-operates data related to encryption and decryption, and transmits and receives encrypted and decrypted data wirelessly It is characterized in that it includes; wireless communication unit.

The present invention is a method proposed to operate in a wireless portable device by miniaturizing a nationally verified cryptographic module, which is mainly used in large equipment, and has the advantages of high-level security processing and low power consumption.

In addition, in existing large-sized devices, since the encryption and decryption of voice and data is based on the operating system, the power of the security module is always applied for security at all times, which consumes a lot of power. When the initial process of the encryption key generation and return of the encryption key is completed in the encryption generation unit, the encryption generation unit ends, and from then on, the management of the encryption key and the operation method of the encryption module are carried out by the control unit, so the processing time generated in the encryption unit It has the advantage of reducing power consumption by shortening .

In addition, it is possible to deliver reliable wireless communication data while maintaining stability and suitability for implementation in the process of managing cryptographic modules and cryptographic keys in the process of encryption/decryption.

1 is a diagram showing the internal configuration and operation flow of a wireless portable device.
2 is a diagram illustrating a control signal procedure between a control unit and an encryption generator.
3 is a diagram showing a data format structure of a control signal between a control unit and an encryption generator.
4 is a diagram illustrating a procedure for initializing and managing a verified cryptographic module in an activated state in a cryptographic generator.
5 illustrates a process of generating an encryption key using a random number in an encryption generator.
6 is a diagram illustrating a process of encrypting with a block cipher.
7 is a diagram illustrating a process of decryption using a block cipher.

Hereinafter, an embodiment in which a person skilled in the art can easily practice the present invention will be described in detail with reference to the accompanying drawings.

The present invention may make various changes, and may have various embodiments, and is not intended to be limited to specific embodiments, including all changes, equivalents or substitutes included in the spirit and scope of the present invention should be understood as

However, in the detailed description of the operating principle of the preferred embodiment of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted.

Hereinafter, the technical features and configuration of the present invention will be described in detail with reference to the drawings.

1 is a diagram showing the configuration of a wireless portable device according to the present invention.

As shown in FIG. 1, the wireless portable device of the present invention includes an input/output unit 100 that receives voice and data or outputs decoded voice and data, and a control unit that encrypts/decrypts voice and data and controls a password generation unit ( 200), an encryption generator 300 including a verified cryptographic module, and a communication processing unit 400 in charge of wireless transmission and reception functions.

In the case of voice, the input/output unit 100 provides a function of converting an analog voice signal input through a microphone into a digital signal, converting the decoded digital voice signal into an analog signal, and outputting the analog signal to a speaker.

The control unit 200, which operates without a separate operating system, has a function to control through the initialization or operation status check of the verified cryptographic module included in the encryption generator unit, and encrypts or blocks digital signals input and output from the input/output unit or wireless communication unit. It performs the function of XOR operation for decryption and the function of managing the ciphertext table input from the encryption generator.

In particular, the control unit 200 is designed to minimize power consumption in a miniaturized portable device by efficiently controlling the state and operation of the installed verified cryptographic module in conjunction with the encryption generator 300.

In the present invention, the cryptographic generator 300 controls the actual cryptographic means such as initialization of the verified cryptographic module, power popularity test, and random number generation by controlling the verified cryptographic module as a main operation, and finally, for block encryption. It is responsible for generating an encryption key table and transmitting it to the control unit.

In addition, the encryption generator 300 operates only in the initial process of generating an encryption key for encryption and decryption, thereby minimizing the effect of communication delay and reducing the internal processing load of the control unit 200.

The wireless communication unit 400 is responsible for transmitting and receiving encrypted data wirelessly, and in the present invention, it is designed to be optimized for a radio frequency of an unlicensed band, but is not limited thereto.

In one embodiment, the wireless portable device of the present invention can be used not only as a general two-way radio, but also as a wireless portable communication device with a communication security level required by the military and government agencies dealing with confidentiality.

In FIG. 2, when the power of the wireless portable terminal is turned on, the control unit is activated, and the control unit issues an operation command to the encryption generator to generate an encryption key for encryption at the same time. You can control it.

First, the control unit transmits an encryption readiness state request message for initialization to the encryption generator, and the encryption generator receiving this message initializes security parameters in the verified encryption module for password generation, power-on test, integrity and Check the cryptographic module status information.

In this process, the encryption generator checks whether there is a malfunction, and if there is no malfunction, changes to an active state and transmits an encryption preparation completion response message to the control unit.

Upon receiving the response message, the control unit transmits a ciphertext table creation start request message requesting an encryption table for block cipher to the encryption generator.

In addition, when the control unit receives the response message to the ciphertext table generation start request message, it transmits and receives the ciphertext table generation status request and response message, and may selectively exclude the ciphertext table generation request message.

When the control unit determines that the state of the encryption generator is activated, it transmits a message requesting transmission of a cipher text table to the encryption generator, is placed in a standby state until the corresponding cipher texts are received, and receives a plurality of cipher texts generated by the encryption generator , it is stored in a separate encryption table.

Finally, when the control unit stores the encryption keys in the cipher text table, it is ready for encryption and can start encrypting/decrypting the input/output data immediately, and minimizes power consumption by leaving the encryption generator in an inactive state.

3 defines the format of a message transmitted and received between the control unit and the encryption generator, and a certain standard between them can be defined as a protocol and standardized for additional control and management as needed.

In particular, in order to receive a plurality of cipher texts to be stored in the cipher text table from the cryptographic module, an additional CRC-based transmission error detection means is also provided to minimize the length of the cipher text and transmission errors in the transmission process.

4 is a diagram showing a procedure for initializing and managing a verified cryptographic module in an activated state in a cryptographic generator, in which the cryptographic generator initializes key security parameters for cryptographic key generation and performs a power-on test Initialization is performed (S200).

After initialization, the integrity check and status are checked, and if an error occurs, the initialization process is repeated (S201). Depending on the security parameters are also updated.

In the process of periodically checking the operating state, if a malfunction occurs, it is changed to inactive, the key security parameters are zeroed, and the power is turned on to report that the control unit is recognized, and all cryptographic functions except initialization of the cryptographic module are performed. This can be prevented from happening, and this can be notified to the counterpart mobile device that wants to communicate.

5 is a diagram showing a process of generating an encryption key. In order to prevent accurate decryption based on the generated encryption key and decryption of information stolen in an intermediate step, the source of the encryption key is collected (S300), and at the same time, the encryption key A step of uniformizing the prescribed bits and reflecting the CTR (Counter) function for generating an encryption key (S301) is performed.

Here, CTR is a representative encryption block cipher method that converts a block cipher into a stream cipher. After obtaining consecutive random numbers from the current block cipher for each block, an XOR operation is performed with a string to be encrypted.

If the conditions for uniformization of the specified bits and the reflection of the CTR function are satisfied at the same time, the random number generator is operated.

In particular, to generate CTR, random number generation is essential, and the operation of the random number generator for this purpose (S302) proceeds with the initialization process of the random number generator, processes the length of the random number to be generated as an input coefficient, and operates the generated random number as an output coefficient. When a random number is generated, the operation of the random number generator is terminated.

In addition, the state of the random number generator is output, and the source of the collected encryption key is zeroed (S303) to ensure the stability of the output random number, and continuous encryption key management is performed.

6 is a process of encrypting with a block cipher, the actual encryption processing function is performed by the control unit, and the data (digitally converted voice signal or data) input from the input unit is based on the secret key and initial vector data generated by the encryption generator. to perform block cipher encryption.

As a data input process for performing encryption, after checking the input data itself and length (S400), the data and length of the secret key and the initial vector data and length are checked (S401 and S402).

In order to perform block cipher encryption based on the input data, secret key data, and initial vector data, a block cipher algorithm selected from among several types of block cipher methods is input (S403), and the block cipher operation mode takes into consideration the encryption time and segmentation performance conditions. Enter (S404).

The input algorithm and operation mode are ANDed to determine whether block cipher encryption is performed (S405), and if encryption is successful, block cipher encryption is terminated (S408). After checking the error code, it is output (S406). In order to restart the block cipher encryption, the encryption module is initialized (S407), and the input data, secret key data, and initial vector data confirmation process is performed again.

When the encryption of the block cipher is completed, encrypted cipher data is generated and transmitted to the wireless communication unit 400 .

7 is a process of decryption using block encryption. The actual decryption processing function is performed by the control unit, and block encryption and decryption is performed based on encrypted encryption data, secret key, and initial vector data received from the wireless communication unit.

As a data input process for performing decryption, the length of encryption data is checked (S500), the data length of the secret key is checked (S501), and the initial vector data length is checked (S502).

In order to decrypt based on the entered encryption data, secret key data, and initial vector data, a block cipher algorithm selected from among several types of block cipher methods is input (S503), and the block cipher operation mode is selected in consideration of the decryption time and segmentation performance conditions. Input (S504).

The input algorithm and operation mode are ANDed to determine whether block encryption is decrypted (S505), and if decryption is successful, block encryption and decryption is terminated (S508). After confirming the error code, it is output (S506).

In order to restart the block encryption/decryption, the encryption module is initialized (S507), and the input encryption data, secret key data, and initial vector data verification process is performed again.

After transferring the decoded output data to the input/output unit, in the case of a voice signal, it is reproduced and output as an analog signal.

In the above process, the encryption generator 300 is designed to stop its operation after delivering the encryption key necessary for encryption and decryption to the control unit 200, thereby minimizing power consumption of the wireless portable device.

Although the above has been described with reference to preferred embodiments of the present invention, those skilled in the art can variously modify or modify the present invention within the scope not departing from the spirit and scope of the present invention described in the claims below. You will understand that it can be changed.

The present invention relates to a data encryption and decryption processing algorithm for applying a verified cryptographic module to a small and portable wireless device without an operating system, and is a nationally recognized encryption and decryption method for public, military, or industrial use, providing security without a separate verification procedure. It can be applied to various fields for reinforcement.

The present invention can be installed and operated in the form of an algorithm and protocol inside an existing small and portable wireless device.

In particular, when applied to communication equipment requiring security while power supply is limited, it can be used by minimizing power consumption while enhancing security.

Claims (6)

In a wireless portable device capable of secure communication,
transmitting, by the controller, an encryption preparation state request message for initialization to the encryption generator;
the step of initializing the security parameters by the cryptographic generator, testing power supply, verifying integrity and state information of the cryptographic module that has been verified;
checking whether the cryptographic module has malfunctioned, and if there is no malfunction, changing the encryption module to an active state and transmitting an encryption preparation completion response message to the control unit;
transmitting, by the control unit, a ciphertext table creation start request message to the encryption generator;
generating an encryption key and storing the generated encryption keys in a cipher text table;
transmitting, by the controller, a ciphertext table transmission request message to the encryption generator;
A secure communication method in a wireless portable device having a verified cryptographic module, including transmitting the cryptogram table generated by the cryptographic generator to the controller. According to claim 1,
The encryption key generation of the encryption generator unit collects encryption key sources, uniformizes prescribed bits of the encryption key, and determines a CTR function for generation and processing of the encryption key;
generating a random number and zeroing the source of the collected cryptographic key to ensure the stability of the output random number when the conditions for uniformization of the specified bits and the reflection of the CTR function are satisfied at the same time; A method of secure communication in a wireless handheld device According to claim 1,
After receiving and storing the generated ciphertext table by the control unit, when data is received from the input/output unit, the control unit checking the received data, secret key, and initial vector data;
Entering a block cipher operation mode in consideration of the decision of the block cipher method and the conditions for encrypting time and subdivision;
Encrypting with a block cipher;
A secure communication method in a wireless portable device having a verified cryptographic module, including generating a resultant value and transmitting it to a wireless communication unit when the block encryption is terminated. According to claim 1,
After receiving and storing the generated ciphertext table by the control unit, when encrypted data is received from the wireless communication unit, the control unit checking input data, secret key, and initial vector data;
Entering a block cipher operation mode in consideration of the decision of the block cipher method and the conditions for encrypting time and subdivision;
Decrypting the block cipher;
A secure communication method in a wireless portable device having a verified cryptographic module, including transmitting the decrypted data to an input/output unit. A computer readable non-transitory storage medium storing a program for performing each step of the method of any one of claims 1 to 4. A wireless portable device including a memory, a processor, a wireless communication means, and a verified cryptographic module,
Wireless portable device characterized in that performing the method of any one of claims 1 to 4

Images