MXPA98008403A - Security processor with external memory that uses blocking and block reordering - Google Patents
- Publication number
- MXPA98008403A (also written MXPA/A/1998/008403A, MX9808403A)
- Authority
- MX
- Mexico
- Prior art keywords
- program information
- block
- storage device
- circuit
- blocks
Abstract
An encoded data transmission is decoded by communicating encrypted program information and authentication information between an external storage device and block buffers of a secure circuit. The program information is communicated in block chains to reduce the overhead of the authentication information. Program information is communicated one block at a time, or even one chain at a time, and is temporarily stored in block buffers and a temporary storage memory, then provided to a CPU for processing. The blocks can be stored in the external storage device according to a coded address signal, with bytes, blocks and chains that can be randomly reordered and communicated to the block buffers in a non-sequential manner to obfuscate the processing sequence of the program information. The program information can also be communicated from the secure circuit to the external memory. The program information does not need to be encrypted but only authenticated for security.
Description
SECURITY PROCESSOR WITH EXTERNAL MEMORY THAT USES BLOCKING AND BLOCK REORDERING
BACKGROUND OF THE INVENTION
The present invention relates to an apparatus for securely and efficiently transferring blocks of program information between a secure circuit and an external storage device. The program information is communicated in block chains for stronger encryption, to obfuscate execution, and to reduce the overhead of the authentication data. In one embodiment, the program information is optionally encrypted and authenticated in encrypted block chains. In another embodiment, the program information is authenticated and optionally encrypted in block chains. Block chains greatly reduce the overhead of authentication data. Address coding can be used to increase security. The reordering of fields such as blocks or bytes within each chain, as well as between complete chains, can additionally be used to provide even more security. In another embodiment, blocks of program information are provided to the secure circuit to generate a key. The key can be used to decrypt a data transmission. The invention is particularly suitable for discouraging the copying of and tampering with privately owned program algorithms, and for securing cryptographic applications such as the decoding of pay television programs, or the like. The following definitions are provided:
Secure Circuit: A secure circuit is a cryptographic integrated circuit (IC) in which nobody, not even the owner, has access to the internal buses, registers and other circuitry contained within the IC. The IC can hold sensitive key, identification and other data, but the secure circuit does not have to be bounded by the perimeter of an IC. It can be a personal computer (PC), by way of example, or a network computer running a program from a shared storage device that has been accessed over a network. The network computer can access a server to run applications in real time. Portions of the applications are communicated piece by piece to the network computers. The network can allow multiple computers to access the same application at the same time. With a PC, the owner could have access to the program information received, decrypted and/or authenticated and/or reordered. In addition, a secure circuit could process unencrypted but authenticated data.
Storage Device: A storage device is a discrete memory component, such as an IC, of various types. However, as in the PC example described above, the storage device can be a mass storage device, such as a hard disk drive located locally or remotely. If it is located remotely, the data could be communicated between that storage device and the secure circuit over a network such as Ethernet or, for example, according to the IEEE 1394 standard. Local access to the mass storage device can be, for example, over the ISA, VESA, or PCI bus of a PC, or could even be through a SCSI, serial or parallel interface. The mass storage device can be accessed by other network computers, or by secure circuits. The storage device may also be a Jazz(TM) tape drive, CD-ROM, DVD, personal computer memory card interface adapter (PCMCIA) card, smart card, or any other type of mass storage device. For example, it is possible, in the case of the network computer, that read-only program information is accessed over the network. A local storage device, for example memory, that allows read/write capability can be used for secure external storage purposes. Therefore, the storage device can be any combination of device types. In the case of a network storage device, the program information can be copied piece by piece to a local memory faster than a dynamic, synchronous memory.
Program Information: Program information refers generically to any information that is used by the secure circuit in the execution of a program. This may include instructions such as operational codes (op-codes) in machine code, pseudo-code, or interpreted code such as Java(TM). It may include look-up tables, stored keys and various temporary data such as intermediate calculations and the state of the secure circuit. It can even include some or all of the initialization vectors and keys used to encrypt/decrypt or verify/authenticate the rest of the program information in the block chain. This may allow the same vector or key information to be encrypted under different keys so that different secure circuits, individually or as selected groups, that have derived or been distributed different keys may gain access to the same program information. The information could include key information and data having to do with how the bytes of a block, the blocks of a chain, and the chains are stored in the storage device. This could include order permutation information for the various fields of a chain or for chain sequences, which are described in more detail below.
Key Calculation: Key calculation does not strictly denote a one-way function. Although a strict one-way function is a possibility, the function can be reversible under a secret key, be a trapdoor one-way function, or be a very simple function such as an XOR operation.
Data Transmission and Cryptographic Processing: Data transmission is used for text, message, video and audio signals of all types. These include, but are not limited to, broadcast and interactive television text, messages, video and audio, radio, program guides, news services, and interactive message traffic over communication channels. The encoded data transmission may be sent in various ways, for example, via a broadcast, satellite, cable, telephone or other link, or from a removable mass storage medium such as a digital video disc, tape, compact disc (CD), floppy disk, or another secure circuit, and be received by a decoding receiver, for example, a decoder such as a set-top decoder, a player, or a personal computer in the consumer's home. The data transmission may simply be a response to a stimulus. The stimulus causes the secure circuit to transform the stimulus information with some kind of cryptographic processing to create an output that verifies that the secure circuit actually holds certain secret or private keys. Internal registers in the secure circuit may be incremented or decremented. These values can be computed together with secret or private keys to calculate the value at the output. These stimulus and response techniques are typically used to authenticate the presence of a valid secure circuit before a service is granted.
Cryptographic Processing: This is processing performed by a secure circuit that typically results in the generation of a key. The key can be used for many things: encoding and decoding of a data transmission, identity verification by a client or guest, etc. The key does not always have to be self-contained within the secure circuit. For example, it can be sent outside the secure circuit for verification purposes.
Several problems are faced with the prior art schemes.
Problem: Privately owned algorithms can be stolen. Carefully developed software can easily be copied from external storage devices. The problem is exacerbated by open networks such as the Internet, which can allow the rapid and widespread distribution of pirated code.
With the increasing speeds of general-purpose processor circuits, there is a tendency to perform in software many processing tasks that were once done in hardware. The software is communicated through the use of discrete memory components/storage devices, including mass storage devices. This can allow rapid reconfiguration of the processing system for different applications by simply running different programs. But that tendency is impeded by the fact that the program can easily be copied, deconfigured, tampered with and subsequently distributed, thereby stripping the developer and/or inventor of the benefit of this intellectual property. Also, with the increasing speed and reliability of networks, for example, Ethernet going from 10 megabits per second to 100 megabits per second and so on, it is realistic to implement systems by which the program can be executed in real time over a network. So-called network computers will always have access to the latest revision of an application loaded on a network-based server. Any application in the files of this server could be accessed quickly. But these servers can be susceptible to someone downloading and storing the entire application, thus stripping the service provider of ongoing revenue. Once downloaded, the program could easily be shared with others. Therefore, it would be desirable to make analysis of and tampering with the program more difficult, as well as copying of the program and its reuse by general-purpose processors.
Problem: Cryptographic key generator. Cryptographic applications typically comprise the generation/derivation of a key based on secret or private key information. A typical cryptographic key generator performs cryptographic processing on data transmissions. The encoding of data transmissions has become increasingly important due to the need to stop unauthorized persons (e.g., pirates) from gaining access to data transmissions. No matter how data is transmitted or distributed, cryptographic processing is present to ensure that data providers, for example, encoding issuers, obtain payment for the intellectual property they are transmitting. In the case of a communications network, messages can be encoded to ensure the privacy of the messages and to authenticate both the sender and the recipient. Encoding can allow non-repudiation, to prevent a recipient from subsequently claiming that he did not order the data. Non-repudiation is important for providers because it gives them a greater chance of obtaining payment. Nobody else has the necessary cryptographic keys to authenticate messages as the authentic buyer can. The data transmission is cryptographically processed, for example, encoded, before transmission under one or more secret encoding keys. The cryptographically processed data transmission is received by a cryptographic processor (decoding receiver) such as a set-top decoder, media player, or personal computer in the consumer's home. Typically, cryptographic processing such as that done by a decoding receiver is performed in a secure circuit. The secure circuit is provided with the required keys at the time of manufacture or at installation and initialization of the application, and performs a type of processing to grant access to the data transmission. If access is allowed, then the decryption key is distributed. When the decryption key is used in conjunction with the associated hardware or software decryption module, the data transmission is decoded, for example, made viewable or otherwise suitable for the user. The decoding hardware or software may be included in a secure circuit such as an application-specific IC (ASIC). Likewise, the encoding issuer, for example, a PC in the home of someone who decodes the information, such as credit card numbers, for distribution to a merchant over the Internet, uses the required keys loaded at the time of manufacture or installation or initialization of the application, to distribute a key to decode the sensitive data for the transmission. In the PC example, encoding can be done in a software module, but the encoding may not really take place in what is considered to be the secure circuit. The distributed key in either case (for encoding or decoding) can be transferred from the secure circuit to the hardware or software decoding/encoding module, or the key can be held internally to the secure circuit, with the decryption module internal to the secure circuit. Preferably, the key is retained and encoding/decoding is performed internally to the secure circuit. If the key is transferred from the secure circuit, it can be changed very quickly, even several times a second, thus making knowledge of the key useful only for a short time. The hardware or software encoding/decoding module can be located far away from the secure circuit that distributed the key to encode/decode the data transmission. For a PC executing instructions over a network, the secure circuit can be the PC itself, and the decoding unit can simply be a software module that receives a duration and an indicator, for example, for a message in external or internal memory, together with the appropriate key and the cryptographic function identifier. The function performed by the cryptographic processing in the secure circuit could involve message key calculation, signaling and signature authentication using publicly known key calculation algorithms and public key cryptography. In both the ASIC case and the PC case above, a microprocessor is typically used to implement access control and to perform key calculation, signature verification, signaling and authentication functions. This processing verifies that the secure circuit is actually authorized to decrypt the data transmission. If authorized, the microprocessor then derives the decoding key for the data transmission. The secure circuit typically has an internal storage device, for example, memory, for storing decoding program information for use by the microprocessor, storage for the decoding key data and decoder state, and an auxiliary working memory to store intermediate calculations and temporary data. The state of the decoding receiver, for example the decoder, can indicate, for example, whether the decoder is tuned to a particular channel, and the channel identifier. The state of the decoding receiver can also record whether it is authorized to receive the channel, and whether a tuned program is, for example, a subscription, pay-per-view or video-on-demand program. Therefore, it would be desirable to make pirate attacks against cryptographic key generators running with external memory more difficult.
Problem: Inflexibility of using internal ROM and analysis of RAM capacity. For an ASIC, the internal memory used by the IC to store the program information can be built from read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory, or battery-backed random access memory (RAM). Typically, fabrication processes for manufacturing ASICs with smaller geometries and faster circuits are initially developed and characterized for ROM and RAM-based technology. EEPROM and flash memory capability comes later. Therefore, a performance advantage over other technologies can be obtained by designing the ASIC to use ROM and RAM-based technology. Also, it is easier for VLSI manufacturers to build devices with ROM and RAM than with EEPROM or flash memory, due to their simpler design. Therefore, the designer can realize a lower manufacturing cost with designs based on ROM and RAM. Building an internal memory entirely out of battery-backed RAM is generally impractical because a RAM cell, with its ability to allow reading and writing of data, contains many more gates and is typically a larger structure than a ROM cell, which only allows the reading of data. Therefore, a RAM memory stores much less program information than a ROM memory of equal physical size. However, there are disadvantages to storing the program information in internal ROM because the complete ASIC must be replaced to change the program information. This may be necessary or desirable, for example, to fix a program problem (for example, an unforeseen bug), or to provide new features or features tailored to different clients. To achieve this, a new circuit must be manufactured with the change in the program information. This can be very expensive and laborious. Also, no matter how much storage of any type is built into the secure circuit, for example, an ASIC, there may be too much or not enough for any given application. If the storage is larger than required, the price of the secure circuit is higher than necessary. If the storage is smaller than required, then it is either unsuitable for the task, or features must be omitted to make the program fit. The storage size is rarely exactly right.
Accordingly, it would be desirable to provide a scheme for modifying the capacity of a storage device, for example, the amount of memory, and for easily and inexpensively updating the program information of a secure circuit such as a cryptographic circuit. The system should store the program information in a storage device that is external to the secure circuit and provide an efficient and secure transfer of program information between the storage device and the secure circuit. The transfer of program information must be fast enough, even over a network, to satisfy the code execution requirements. However, the amount of internal storage, for example, the memory required to operate the secure circuit, must be limited. The system can use a limited amount of quickly accessible internal program information, which could boot the secure circuit, inspect error conditions, interpret pseudo-code, or handle real-time processing events. However, this internal program information, if stored in an inflexible form, for example, ROM or read-only CD-ROM, cannot be changed as easily as the externally stored program information.
Problem: Secure external storage - authentication overhead. In the past, several encryption techniques have been used on bytes and blocks. But pirates have used a variety of "attacks" to break the security of the system. One attack aims to get the secure circuit to read the encrypted memory and write it out in the clear to an area where it can be captured and the program information then analyzed. An attack of this type actually uses the decryption circuitry itself to decrypt the program information, precluding the need for more extensive analysis.
Another attack attempts to break the security of the application itself, by changing the execution of the application in order to make the secure circuit, in this case in the decoding receiver, decode premium services without payment of the appropriate subscription fees. To achieve these and other attacks, pirates try to modify the contents of the external storage device, for example, the memory. One technique used to achieve this is "trial and error", where the program information in the external storage device is manipulated in a trial and error methodology. The pirate does not know what secret key or keys are used to encrypt the program information, but attempts to manipulate the program information on the external storage device until a convenient result is obtained. To prevent these and other attacks from being successful, authentication, stronger encryption, rearrangement of the chain fields, or any combination of the above can be used. Authentication can be used to verify the source of program information. In a system that uses authentication, the secure circuit will not process program information that is not accompanied by the correct authentication information. The strong authentication of the prior art is expensive. However, the amount of authentication information must be large enough to provide an adequate level of security. In conventional memory encryption schemes, which use byte encryption or block encryption, authentication information will be necessary with each byte or block that the circuit fetches from the external storage device. For an individual byte of program information, two bytes of authentication information will be required to prevent trial and error. In other words, the byte will need to be expanded to include additional authentication information. If an eight-bit byte of program information were widened to include only 8 additional bits of authentication information, the authentication information could easily be determined by trial because, with eight bits per byte, there are only 2^8 = 256 possible trial combinations. To provide a level of security comparable to the Data Encryption Standard (DES), 56 bits (seven bytes) could be used to provide 2^56 = 7.2 x 10^16 possible combinations of authentication information. The authentication information would then represent (7 / (1 + 7)) or 87% of the complete storage. This amount of overhead data is very inefficient. With block encryption, several bytes of data are grouped and authenticated in a block. For example, a block size of 8 bytes of data can be used. Then, with eight bytes of authentication information, the overhead is still very high at (7 / (7 + 8)) or 47% of the total storage. This excessive overhead data can severely affect the cost of the entire system by requiring a significantly larger storage device just to handle the authentication information. This is unacceptable with consumer electronic devices such as portable games, cell phones, and television decoders that must be manufactured at
Trial attacks on an individual encrypted block of program information are a bit more difficult but still manageable. General-purpose reduced instruction set computer (RISC) processors, for example, have instructions that are 64 bits long. Assuming a block of bytes and eight bits per byte, it is relatively easy for a pirate to alter a block of program information and affect only one instruction. Even with half-size instruction widths, for example, 32 bits, only two instructions are affected. So-called complex instruction set computer (CISC) processors are equally at risk of attack. And the CISC processors described as "8-bit processors" are not really 8 bits because they typically need to fetch one, two, or three operands from the program information, which makes any instruction between 8 and 32 bits long, with an average of approximately 20 bits, although this depends on the choice of instructions used by the program. Therefore, trialing an 8-byte block of encrypted values for so-called "8-bit" instructions could affect only three instructions. Therefore, it would be desirable to have a stronger encryption algorithm to communicate program information securely.
Problem: Execution, even encrypted, is observable. Even when blocks of program information are encrypted or authenticated, someone observing the data traffic on a communication medium, for example, a bus or network, can learn about the function and design of the program information. The more information a pirate can acquire about the program information, the more ways he will have to alter the execution of the program. An internal storage circuit such as a temporary storage memory may obfuscate some of the function and design by referencing data that is decrypted only, decrypted and authenticated, or simply authenticated from the internal storage circuit, instead of having to fetch the program information externally. However, a problem arises because the original communication sequence, the one that loads the program information into the temporary storage memory for the first time, can be observed. A system without a temporary storage memory is even easier to analyze because recursive code, for example, loops, can be seen at the external interface. One would easily see the same program information, whether encrypted, encrypted and authenticated, or simply authenticated, being communicated again and again. A temporary storage memory will hide this operation by making the communication internal to the temporary storage memory and not visible on the communication medium. However, a more astute pirate might notice that external communication is not occurring and thus conclude that some kind of internal operation is taking place. In principle, it is not desirable to have a pirate learn anything about the algorithm being executed. This includes the complete structure, such as the association of the sequence of information from byte to block, from block to chain, or from chain to program; the processing sequence, such as which particular program information is executed at start-up; and the organization of the program information, such as the organization of data tables. Therefore, it would be desirable to have techniques to obfuscate the execution of encrypted chains, authenticated chains, or any chain of program information. It would be desirable to communicate the program information in a manner that is out of sequence with the true sequence of execution by the secure circuit. The sequence may be obfuscated within a program information sequence, a block or a chain.
That is, it would be desirable to obfuscate the sequencing of the bytes that make up a block, the blocks that make up a chain, and the chains that constitute a sequence of program information. The permutation of the sequences can be set and still be different on a byte-by-byte, block-by-block, chain-by-chain, or program information sequence basis. It would be desirable to extend the obfuscation of the sequence to a greater depth, that is, greater than a block, for example, more than two blocks or, for that matter, a complete chain. The same would be desirable for all the different fields.
Problem: The sequence permutation algorithm can be discovered. Any sequence permutation algorithm implemented in hardware can be discovered by a pirate who probes the VLSI or performs other analysis. The permutation function can be keyed and made dependent both on the address and on the unit. However, this does not prevent a determined pirate from discovering what the key and dependencies are. Therefore, it would also be desirable to make analysis of, and tampering with, the sequence permutation more difficult.
Problem: Underlying sequence does not change - address location always the same. Even with sequence permutation, a pirate can observe every communication with the storage device and know which bytes correspond to which blocks, and which blocks correspond to which chains. That is, a particular address location in the storage device is associated with a particular byte, block or chain sequence. The address location will always contain the same information. The pirate may not know the exact positional information because of the obfuscation of the sequence, but he knows that its association with the other bytes, blocks or chains is fixed. The pirate does not need to know the value of the program information stored in a particular location. The pirate can try a value in that storage location. The pirate can do this systematically by going through all the values, even when the storage location is accessed at varying times due to the sequence permutation techniques. Therefore, it would be desirable to have a scheme that dynamically changes the address location on the storage device where the data representing a byte, block, or chain sequence is located, to prevent someone from systematically testing the code.
Problem: Each communication is relevant. A pirate can observe each communication of program information with the storage device and know what is being encrypted, authenticated, sequence-permuted, or all of the above. For additional obfuscation, it would be desirable to communicate "false" or otherwise unnecessary information together with the communicated program information.
Problem: Bidirectional writing and reading required. The storage device may be read-only, but there may be many reasons why the storage device must also be writable. Different proprietary applications, cryptographic and non-cryptographic, have varying requirements for data storage. Modern cryptographic applications often employ public-key cryptography, which generally requires larger keys than secret-key cryptography. The encoding transmitter or decoding receiver may perform some kind of cryptographic application that interconnects over an open network such as the Internet, which may require the storage of a number of public keys, for example, from a root authority or certificate authority. Also, with pay-TV decoders, there are public keys for the access control system and/or the decoder manufacturer. Over time, many public keys may need to be stored as a result of interaction on the network. Some of these keys are meant to be active for a long time and, for example, the public keys can be 2048 bits, 4096 bits, or larger. Accordingly, a large-capacity storage device, for example a large amount of read/write storage, may be required to store the keys and other related information to effect a viable cryptographic application. The same can be said for many proprietary applications. The tendency is to process more and more data. It is desirable to have the same flexibility in the type and amount of storage for writing and later retrieving program information as exists for read-only program information. Therefore, it would be desirable to have secure bidirectional communication between an external storage device and a secure circuit, with the flexibility to adjust to growing requirements for additional storage of program information without requiring a change to the secure circuit design. Also, the security of the overall implementation must not be diminished.
Problem: Communication with the outside world is not secure, and alternative security modes. The secure circuit may have to interconnect with display devices, peripheral products or computers that do not have a means of decryption. This is important where interactivity with a human being is involved. For example, if a customer enters a wrong personal identification number (PIN) code, it may be necessary for the secure circuit to inform the customer of the problem so that the PIN can be re-entered. This may involve communicating to the host device an error condition or an error message that can be displayed properly on a screen. There may be a shortage of pins, communication ports, or buses that can be dedicated to external communication. The execution of some program information may have reduced execution latency requirements, requiring an alternative mode of communication different from chains. Also, the secure circuit may need to interoperate with other devices that have different security schemes. It would also be desirable to provide a conditional clear mode, in which encryption/decryption, authentication generation/verification, or sequence permutation of program information is not performed. This conditional clear mode will not only allow a possible in-circuit debug facility, but will also allow the secure circuit to send and receive clear data with the world at large, such as display devices, other computers, and the like, thus allowing the communication medium to be used for more than the transmission of program information. This would reduce the number of pins, communication ports, and buses used for external communication. It would also be desirable to switch off chain encryption/decryption, authentication generation/verification, or sequence permutation of program information in favor of a different type of encryption/decryption, authentication/verification, or sequence permutation that is not based on chains. For example, instead of a chain, processing by bytes or blocks can be used.
Problem: Detection of chain lengths. A hacker may be able to analyze the execution of program information to determine which program information corresponds to a particular chain. That knowledge could allow a pirate to probe the program information in a more selective way. In principle, it is a good idea to prevent a potential pirate from learning anything about how the program information is running. Therefore, it would be desirable to communicate blocks of program information with chain lengths that vary in a random sequence from one chain to the next, without particular consideration given to the program information being executed.
Problem: Different latency requirements. Real-time interrupt subroutines have different execution latency requirements than background maintenance routines. There is a natural tendency for the designer to make chains shorter for all program information, to handle more simply the requirements of the faster-executing real-time interrupt subroutines. But reducing the chain lengths for all program information can unnecessarily increase the storage capacity required of the storage device to accommodate the increased amount of authentication information. Therefore, it would be desirable to communicate blocks of program information and associated authentication information in block chains, where different chain lengths can be used to communicate different types of program information with different latency requirements. Routines placed at lower address locations may have lower latency, while those at a higher address location on a storage device may have higher latency requirements.
Problem: General communication/storage latency requirements. While certain routines may have special execution latency considerations, the latency may still be too much for certain applications. Consequently, a means must be explored to allow more efficient communication and more efficient storage of program information. It would be desirable to design certain features into the architecture of the communication medium and the secure circuit in order to help reduce the latency of program information and help speed up execution.
Problem: Authentication/verification latency requirements. While certain routines may have special execution latency considerations, the latency due to authentication/verification may still be too much for certain applications. Consequently, a means must be explored to allow more efficient authentication/verification. Therefore, it would be desirable to design certain features into the authentication/verification function to help reduce the latency of program information execution.
Problem: Latency requirements of encryption/decryption. While certain routines may have special execution latency considerations, latency due to encryption/decryption may still be too much for certain applications. Consequently, a means must be explored to allow more efficient encryption/decryption. Therefore, it would be desirable to design certain features into the encryption/decryption function to help reduce the latency of program information execution. The present invention provides a system having the above and other advantages.
SUMMARY OF THE INVENTION
In accordance with the present invention, an apparatus for securely communicating encrypted blocks of program information between a storage device and a secure processing circuit in encrypted block chains is presented. An apparatus for securely communicating authenticated blocks of program information between a storage device and a secure processing circuit in block chains is presented. An apparatus for securely communicating reordered fields of program information between a storage device and a secure processing circuit in chains is presented. The present invention further provides an apparatus for cryptographically generating a key, whereby the key can be used to gain access to a data transmission or the like.
In one aspect of the present invention, an apparatus for securely communicating blocks of program information between a storage device and a secure circuit includes a means for providing at least one block of program information, including a particular block which comprises a plurality of bytes having a first sequence of bytes. A block buffer sized to store one block of data is all that is required for a minimal implementation, because the data can be processed serially, one block at a time. A means, such as an address generator, is provided to store the block(s) of program information in the storage device. Encrypted block chaining is a strong encryption algorithm, because a change in one block will cascade to other blocks, making it difficult for a pirate to make a simple change to the program information.
Encrypted block chaining can be used both to hash and to encrypt for privacy. The last block of clear text can be XORed into the encrypted authentication block to make the decryption of the authentication block dependent on the entire chain of encrypted blocks. For example, program information and authentication information can be carried in two or more blocks of eight bytes. Block chaining is efficient due to the relatively low overhead of the authentication information in relation to the authenticated data. The authentication information is XORed with the last block of clear data (e.g., program information) and optionally decrypted to produce a verification value. The value is compared with a value that is known to the hardware to verify that the authentication data is correct. The value can be different for different chains or can be fixed for all chains. To provide additional separation between keys, the key used to decrypt the authentication information may be different from that used to decrypt the authenticated information. Also, with each decryption operation, the key can be modified with the address to provide address dependency for each block within a chain.
For stronger security, encrypted block chaining can be used together with another hash algorithm. There is no additional latency penalty for doing this, since each block must be processed serially. When the first block is decrypted, it is not only XORed with the ciphertext of the second block, but is also presented to the authentication circuit. The last block holds the authentication bits and does not need to be presented to the authentication circuit; it is simply decrypted and compared with a value held in the hardware.
A first communication path, such as a bus, is provided to communicate blocks of program information and authentication information in a chain between the external storage device and one or more block buffers. A block buffer sized to store one block of data is all that is required for a minimal implementation, since the data can be processed serially, one block at a time. The authentication information is read in and verified by the authentication circuit. The program information is decrypted, if required, in a decryption circuit that is associated with the authentication circuit. Cryptographic key data from an associated storage device can be used for this purpose. If a pirate changes any data in the preceding blocks in the chain, for that matter, the computed hash data, which is compared with the authentication information, will be incorrect, and the resulting verification value will not be the same. The secure circuit, such as an ASIC or PC, will then know that an alteration has occurred and can take a countermeasure.
There are a number of ways in which the authentication operation can be implemented. The hash can be keyed, for example, using a secret key with clear authentication information; or the hash can be unkeyed and the authentication information encrypted; or, for stronger security, the hash is keyed and the authentication information is encrypted. Different keys can be used to hash and to decrypt. The hash key can be a secret key, while the authentication information can be encrypted under a public key. The same key used to encrypt the authentication information can be used to encrypt the program information that is authenticated. That has the benefit that the authentication information is treated in a similar way to the program information. However, the use of a separate key will add another level of security.
In an alternative embodiment, block encryption is used for privacy. When the blocks are decrypted, they are authenticated. The authentication technique used can be a hash that might require a strict order of hashing, for example, block #1 hashed, then block #2 hashed with the hash output of block #1, and so on. Known algorithms such as MD5 and SHA can be used for that type of strict hash. Although such a hash can be used, it can introduce latency due to the serial nature of the operation. A simplified hash function can be provided, which performs an XOR of all the clear blocks. That hash value can be verified against the authentication information. In fact, the authentication information may be XORed as a block together with the program information. This technique improves the latency of program information execution, which is important for systems that operate in real time. Here, each block of data can not only be decrypted independently, as in electronic code book mode as FIPS calls it, but can also be XORed independently while the hash for the entire chain is computed. This technique, which is called "single block chaining", emphasizes the reduction in execution latency.
The detection of illegal op-codes (operation codes), or illegal interpreted code commands, can be used as a form of authentication. Upon receipt of an illegal op-code or command, the system can decide how to respond, for example, reset, increment a counter, or some other option. The creation of an illegal op-code by a pirate depends on the instruction set of a given processor. Some instruction sets are fully developed and have few undefined op-codes, while other instruction sets are reduced and have more undefined or illegal op-codes. If an instruction set, for example, has 20% undefined or illegal op-codes, then a pirate has an 80% chance of randomly creating a legal op-code. This is not to say that the pirate generated a particular op-code rather than merely a legal one. But a random legal op-code, different from the intended one, could constitute a successful pirate attack. For example, this could be the case with the simple nullification of the original op-code. With 80% odds in favor of a pirate, this method of simply detecting illegal op-codes leaves much to be desired.
The detection of illegal op-codes as a form of authentication is more effective with encrypted block chaining, because the odds against a pirate creating a legal op-code increase, as each subsequent block in a particular chain will be affected. For example, if there are 16 blocks of instructions in a chain, then the odds of a pirate succeeding if the pirate alters the first block of the chain are as follows: (0.8)^16 = 0.028. The situation has changed: the pirate now has approximately a 97% chance of failing. Encrypted block chaining is a more robust encryption method for this reason, this implicit authentication through the detection of illegal op-codes. But encrypted block chaining is also better because it makes it more difficult for a pirate probing the encryption of the program information to isolate any changes made to an individual block, thus increasing the odds of creating unintended op-codes with unwanted side effects.
One problem is that the external storage device stores more than op-codes. Only op-codes can be verified by the instruction decoding circuitry of the CPU. Stronger security requires explicit authentication. Authentication can be performed by XORing the authentication information with a hash of the clear-text data blocks to produce a verification value that is subsequently compared with a pre-stored value, or the authentication information can simply be compared with the hashed program information. The authentication function may optionally hash blocks of program information that were communicated in clear text, to XOR with the decrypted authentication information. In order to prevent a hacker from creating his own authenticated program information using a known hash algorithm, a cryptographic key must be used. This can be done in two ways: by keying the hash, by encrypting the authentication information, or both.
Single block chaining, an alternative technique that addresses the latency problems, uses singular block encryption of each block of the program information. In this way, each block is encrypted and decrypted independently, so processing can occur in parallel. In addition, the entire chain, or group, of blocks is authenticated. One method of hashing is to XOR the program information blocks together with the authentication information. This can be done all at once. A more complicated hash can be used for stronger security, but such methods can introduce a serial dependency, so that one block may need to be hashed before another block. Single block chaining using the encryption and authentication process described above reduces the overhead of authentication bits, as with encrypted block chaining, but can avoid the latency problems of encrypted block chaining when a set of parallel decryption circuits is used. If only a single block buffer is used, then the latency is the same for encrypted block chaining and single block chaining; the only difference is that the output of a block decryption is XORed with the output of the next decryption (with single block chaining), instead of with the input of the next decryption (with encrypted block chaining).
The single block chaining method that decrypts and authenticates using the XOR hash of the blocks suffers from the problem that any of the blocks can be reordered out of sequence and the authentication will still match. While some of the decryption and authentication operations can be done in parallel, a potential problem has been introduced. Address-dependent encryption must be used with single block chaining when the simple XOR hash function is used. That is, the key used with each block in the chain will be different, the key being a function of the address of the specific block. If DES encryption were used, changing any of the program information of a block, for that matter, would cause about half of the bits in the decrypted output to change, causing the authentication verification not to match. Without knowledge of the key, it would be difficult for a pirate to work out how to compensate with appropriate authentication information.
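The reordering weakness of single block chaining with the simple XOR hash, and the address-dependent keying that closes it, can be reproduced in a short simulation. This is an added example, not code from the patent: the 8-byte Feistel cipher built on HMAC-SHA-256 is a stand-in for DES, and the key derivation, addresses, check value and program blocks are constructed assumptions.

```python
import hashlib
import hmac

BLOCK = 8  # eight-byte blocks, as in the page's example


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher (assumption: stands in for DES).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def block_key(key: bytes, address: int, address_dependent: bool) -> bytes:
    # Hypothetical derivation: the page only says the key is a function of
    # the address of the specific block.
    if not address_dependent:
        return key
    return hmac.new(key, address.to_bytes(4, "big"), hashlib.sha256).digest()


def xor_hash(blocks) -> bytes:
    # The simplified hash: XOR of all clear blocks.
    acc = bytes(BLOCK)
    for block in blocks:
        acc = _xor(acc, block)
    return acc


def build_chain(key, program, base, check_value, address_dependent):
    """Encrypt each block independently and append the authentication block."""
    if any(len(b) != BLOCK for b in program) or len(check_value) != BLOCK:
        raise ValueError("all blocks must be exactly 8 bytes")
    # Authentication information chosen so that the XOR of every clear
    # block in the chain equals the value known to the hardware.
    auth = _xor(xor_hash(program), check_value)
    return [
        encrypt_block(block_key(key, base + i * BLOCK, address_dependent), b)
        for i, b in enumerate(list(program) + [auth])
    ]


def load_chain(key, stored, base, check_value, address_dependent):
    """Secure-circuit side: decrypt by position, verify, return blocks or None."""
    clear = [
        decrypt_block(block_key(key, base + i * BLOCK, address_dependent), c)
        for i, c in enumerate(stored)
    ]
    if not hmac.compare_digest(xor_hash(clear), check_value):
        return None  # alteration detected; a countermeasure would go here
    return clear[:-1]


def demo():
    key = b"constructed demo key"
    check_value = bytes.fromhex("a5a5a5a5a5a5a5a5")  # constructed value
    program = [b"LOAD  R1", b"ADD   R2", b"CHECKPIN", b"JMP  END"]  # constructed
    results = {}
    for address_dependent in (False, True):
        stored = build_chain(key, program, 0x1000, check_value, address_dependent)
        intact = load_chain(key, stored, 0x1000, check_value, address_dependent)
        # Two stored blocks exchanged in the external storage device.
        swapped = list(stored)
        swapped[0], swapped[2] = swapped[2], swapped[0]
        reordered = load_chain(key, swapped, 0x1000, check_value, address_dependent)
        results[address_dependent] = (intact, reordered)
    return results


if __name__ == "__main__":
    for mode, (intact, reordered) in demo().items():
        print("address-dependent keys:", mode)
        print("  intact chain   ->", intact)
        print("  blocks swapped ->", reordered)
```

With one key for every block the exchanged chain still verifies and is released out of sequence; with a key per address the same exchange decrypts to unrelated data and the XOR check rejects the chain.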
In an attempt to reduce the latency of program information execution, authentication can be performed on the encrypted text data, using either a keyed hash or encryption of the authentication information. Decryption and authentication can then operate simultaneously, rather than authentication following decryption. For single block chaining, this has the problem that address-dependent decryption will not be applied to the program information, possibly making it vulnerable to being submitted to the decryptor out of sequence.
Random permutation of the sequence of fields within a chain can be used during communication between the external storage device and the secure circuit. A means, such as a data bus or network, is provided to communicate the program information to the secure circuit. A means associated with the secure circuit is provided for re-sequencing the reordered fields of the chain to recover the fields in the first field sequence. Wherever a chain of program information can be divided into two or more fields, reordering can be provided. That is, the blocks can be communicated between the external storage device and the block buffers in a random, non-sequential order that does not reflect the real sequence of execution of the blocks by the secure circuit. In addition, reordering can occur by bytes within one or more blocks, or by full chains. Any field can be reordered. This non-sequential transmission is effective in deterring a pirate from guessing the structure, sequence, and organization of the program information that runs on the secure circuit. By reordering any field within a chain or chains, or the relative position of complete chains in a sequence of program information, or multiple sequences of program information, a pirate is deterred from detecting information about the sequence of execution of the program information in the processing circuit. With reordering, a pirate can be discouraged from easily learning the correct clear text or encrypted text of the program information, making it more difficult to carry out certain cryptographic attacks. Preferably, the program information is encrypted for increased difficulty of analysis.
An alternative embodiment of this apparatus communicates blocks of program information from the storage device to the secure circuit while substantially randomly reordering fields in a sequence of program information. A new order is used to communicate the fields from the secure circuit back to the storage device, thereby changing the field associated with a particular storage location in the storage device. A means is provided internally to the secure circuit for storing the new "true" sequence of the program information in the storage device. The new underlying sequence order for the fields of a sequence of program information is then stored in the secure device, so that future communications of the same blocks will allow correct reordering based on the new sequence in the secure circuit. A means, such as a data bus or network, is provided to communicate the program information to the secure processing circuit.
While the bytes can be reordered when communicated between the storage device and the secure circuit using the above secure reordering techniques, each byte of the program information is still associated with a particular storage location. For example, the first byte of the first block of the first chain of a program information sequence is always located in a particular storage location, even though the pirate may have trouble guessing that it was actually the first byte of the first block because of the reordering. The pirate can then still probe the value at that particular storage location (e.g., address) in a systematic and organized manner. Changing the underlying storage location of the data on the storage device prevents a pirate from testing the program information stored at a particular location on the storage device. When the location of the program information on a storage device is changed dynamically after each use, a hacker who tries out the program information at a particular location on the storage device will not be dealing with precisely the same program information each time. Therefore, the attack becomes intractable.
In a further aspect of the present invention, the sequence of the data subfields, bytes, blocks, chains and sequences of the program information can be fixed and not random. The sequence may be different for each byte, block, chain or sequence of program information that is accessed. This is a permutation that is done differently on the appropriate fields of the incoming program information. Advantageously, this permutation function can be easily implemented in hardware since it is not randomized.
In a particular implementation, the secure circuit uses the program information to generate a cryptographic key. The program information is encrypted using encrypted block chaining, and optionally authenticated and/or reordered. In another embodiment, the program information is authenticated and optionally encrypted and/or reordered using block chaining. The key can be used in software to decrypt or decode a data transmission. By authenticating the instructions, a pirate is discouraged from providing false program information to the secure circuit that decodes the data transmission.
In another aspect of the present invention, a secure circuit uses the program information to generate a cryptographic key. The key can be used to decode a data transmission in hardware. Depending on the partitioning of the secure circuit, the decoding can be done internally or externally. The key can be generated and managed by a software module to decode the data transmission. The software module can be internal to the secure circuit or external to the secure circuit.
In both of the previous cases, the secure circuit may consist of an integrated circuit (IC) having an authentication circuit, a central processing unit (CPU) and one or more block buffers that are adapted to store one or more blocks of the program information. The external storage device can be a flash memory, an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a battery-backed random access memory (RAM), RAM, or a combination of the above. It can also be a hard drive, a CD-ROM or any type of mass storage device. The external storage device also stores the authentication information (e.g., verification bits) to authenticate the program information when it is received in the secure circuit.
In some implementations, it is desirable that the contents of the storage device be copied to a faster storage device, such as synchronous dynamic memory, so that the secure circuit can fetch the program information from the faster storage device, for example, dynamic memory, instead of from the slower storage device with its associated latencies. For example, a network computer can copy the server's program information over the network. The faster storage device can be local, while the slower storage can be remote, in the case of the network computer, accessed over the network.
To reduce the total latency of executing real-time code, the first communication path can have sufficient bandwidth so that two or more of the series, one or more blocks, or one or more chains are communicated to the block buffers at substantially the same time. The program information bus is typically no wider than the instruction width because there is a bottleneck problem. The CPU is not only running at a particular speed. The program information should be stored somewhere. However, when there is latency associated with other processing, encryption or authentication, this can help reduce the total latency.
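The relocation scheme described above, in which fields are fetched in a random order and then written back in a new order that only the secure circuit records, can be modelled as follows. This is an added example, not code from the patent: the class names, the eight constructed blocks and the seeded software random generator (standing in for whatever random source a real secure circuit would use) are assumptions, and the blocks are treated as opaque values with encryption and authentication left out to isolate the relocation.

```python
import random


class ExternalStorage:
    """Storage device outside the secure circuit; bus_log is what an observer sees."""

    def __init__(self, size: int):
        self.cells = [None] * size
        self.bus_log = []

    def read(self, address: int):
        self.bus_log.append(("read", address))
        return self.cells[address]

    def write(self, address: int, value) -> None:
        self.bus_log.append(("write", address))
        self.cells[address] = value


class SecureCircuit:
    """Keeps the true block-to-address mapping internally (hypothetical model)."""

    def __init__(self, storage: ExternalStorage, blocks, rng: random.Random):
        self.storage = storage
        self.rng = rng
        self.location = []  # logical block index -> address; never leaves the circuit
        self._store(blocks)

    def _store(self, blocks) -> None:
        # Choose a new placement and record it inside the secure circuit.
        addresses = list(range(len(blocks)))
        self.rng.shuffle(addresses)
        self.location = addresses
        # Write in a random order as well, so timing on the bus reveals nothing.
        order = list(range(len(blocks)))
        self.rng.shuffle(order)
        for index in order:
            self.storage.write(self.location[index], blocks[index])

    def use(self):
        """Fetch out of sequence, restore execution order, then relocate."""
        order = list(range(len(self.location)))
        self.rng.shuffle(order)
        fetched = {i: self.storage.read(self.location[i]) for i in order}
        blocks = [fetched[i] for i in range(len(fetched))]
        self._store(blocks)
        return blocks


def simulate(rounds: int = 20, seed: int = 1998):
    program = [f"block-{i}" for i in range(8)]  # constructed sample blocks
    storage = ExternalStorage(len(program))
    circuit = SecureCircuit(storage, program, random.Random(seed))
    seen_at_address_0 = [storage.cells[0]]
    always_recovered = True
    for _ in range(rounds):
        recovered = circuit.use()
        always_recovered = always_recovered and recovered == program
        seen_at_address_0.append(storage.cells[0])
    return always_recovered, seen_at_address_0


if __name__ == "__main__":
    ok, seen = simulate()
    print("execution order always recovered:", ok)
    print("contents of address 0 after each use:", seen)
```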
P1635 / 98MX For example, the secure circuit can read more than one block of the program information in an essentially concurrent manner, where a block buffer is used to store the additional blocks, for example, one buffer per block. In the secure circuit, the authentication circuit receives the program information and authentication information from one or more block buffers for use in the authentication of the program information. In a second communication path in the IC, the authenticated program information of the authentication circuit is provided to the CPU to be executed, thereby decrypting the encoded data transmission. The program information may include a plurality of instruction sets, such as lines of the computer code, or sequence of related data, which will be processed in succession by the CPU. A temporary storage memory can be arranged in the second communication path to temporarily store the program information, authenticated, before it is provided to the CPU. The temporary storage memory can store at least one of the series of the program information so that at least two of the series of the program information can be stored.
P1635 / 98MX provide the CPU in a substantially concurrent manner (for example, the stored series and the last authenticated and decrypted series). In this way, the program information is communicated efficiently to the CPU. The advantage of a temporary storage memory is that the CPU can already take the authenticated program information from the temporary storage memory instead of using a communication means of the external storage device, for example, common bar or network, comprising several latencies or waits. When a first chain and a second subsequent chain are communicated, from the external storage device to one or more block buffers, the authentication circuit authenticates the first and second blocks of blocks, encrypted, to provide the program information, authenticated , correspondent. Additionally, the CPU can process at least a portion of the authenticated program information of the first string, while the authentication circuit is authenticating at least a portion of the program information of the second string. The decryption of the program information when required can be performed in a similar manner in an overlapped manner. An alternative modality of this apparatus communicates the fields of the program information between the
storage device and the secure circuit while also communicating fields that are not used by the immediate sequence, for example, the next chain, of the program information processed by the secure circuit. This obfuscation technique uses false data fields that can simply be snooped, for example, never used by the secure circuit during any execution of the program information, or they can be part of other sequences of program information that are simply not being processed. between the secure circuit and the storage device. A means associated with the secure circuit is provided to eliminate the false bytes of the particular blocks, to recover the bytes in the first sequence of bytes and the subsequent sequences of bytes of the remaining blocks. False bytes can optionally be used during decryption and/or authentication before being eliminated after they are received by the secure circuit. Additionally, blocks and chains that can be eliminated in the same way may be provided. Cipher block chaining, or simple block chaining, can be used, as described herein, both for hashing and for privacy encryption. For example, program information and authentication information can be carried
in two or more blocks of eight bytes. Block chaining is efficient due to the relatively low overhead of the authentication information in relation to the authenticated data. The authentication information is subjected to an exclusive OR operation with the last clear data (for example, program information), is optionally decrypted, and produces a verification value. The value is compared to a value that is known by the hardware to verify that the authentication data is correct. The value can be different for different chains or can be fixed for all chains. Using cipher block chaining both to encrypt and to hash the clear text is a way to reduce the amount of hardware associated with the security function. Only one buffer is needed, since all blocks are necessarily processed serially. The exclusive OR function is stronger than simple block chaining, because it is difficult to make a change in any block and compensate for it by changing another block. Since the exclusive OR operation is done before a decryption step, it is more difficult to manipulate a block to cancel any changes made. However, serial processing is required.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a cryptographic key generator / decoding receiver apparatus, according to the present invention.
Figure 2 is a schematic representation of a cipher block chaining encryption scheme, according to the present invention.
Figure 3 is a schematic representation of a cipher block chaining decryption scheme, according to the present invention.
Figure 4 is a schematic representation of a simple block chaining encryption scheme, according to the present invention.
Figure 5 is a schematic representation of a simple block chaining decryption scheme, according to the present invention.
Figure 6 is a schematic diagram of a cryptographic key generator / decoding receiver apparatus according to the present invention.
DETAILED DESCRIPTION OF THE INVENTION
An apparatus for a security processor is presented. The embodiment emphasizes security.
Blocks of program information and false data, encrypted, authenticated and permuted in sequence, are communicated securely between an external memory and a cryptographic ASIC in chains of encrypted blocks. Processing the program information allows the ASIC to derive a key that is used to decrypt digital video and audio packets for subscription television. Figure 1 is a schematic diagram of a decoding receiver cryptographic key generating apparatus according to the present invention. The decoding receiver, generally shown at 100, includes the secure circuit, e.g., an integrated circuit (IC) 105 such as an ASIC, and a storage device, e.g., memory 110, which is external to the ASIC 105. The memory 110 is external to the ASIC 105 in that the memory 110 is not embedded within the ASIC package. For example, memory 110 and ASIC 105 may be provided as separate packages on a decoder motherboard. In any case, the memory 110 may be increased or reduced by removing or replacing the memory IC, without interfering with, or modifying, the secure circuit 105. In addition, new program information such as correction code may be
downloaded to external memory 110 via a telephone line, satellite link, or cable TV link, for example. Alternatively, the program information may be installed locally on the decoding receiver, such as via a smart card, or it may be connected by a plug or soldered to the same board. Or the memory 110 could itself be located on a smart card, in which case a new smart card could be provided at relatively low cost to update a decoder. Advantageously, this arrangement provides substantial benefits by allowing program information (e.g., software or physical instructions) stored in the external storage device 110 to be easily updated or modified to provide new features or fix software problems. For example, the external storage device 110 can be easily replaced or modified to provide customized features for businesses or individuals, or to provide specific features to groups according to factors such as demographic profile, geographical location, time use, and the like. In contrast, if the memory 110 were ROM and
internal to the ASIC 105, the ASIC would have to be replaced as a whole, thereby resulting in significant costs and delays. The ASIC could be built using advanced VLSI processes that use RAM and ROM technology to achieve high processing speeds and high bit rates, not only for the transfer of program information between the ASIC and the external memory but also for internal execution out of the temporary storage memory, and for the decoding of digital video and audio packets. An ASIC built with the RAM and ROM technology can decrypt a higher bit rate of packet data than an ASIC built with the alternative technologies. The external memory thus provides the ASIC with greater flexibility. The external storage device 110 can be a flash memory, an erasable programmable read-only memory (EPROM), an electrically erasable PROM (EEPROM), or a volatile battery-backed memory such as a random access memory (RAM). Alternatively, a conventional read-only memory (ROM) can be used. An EPROM allows memory programming to be reversed by exposure to intense ultraviolet light. New code can then easily be stored in
the EPROM in a process known as memory re-programming. An EEPROM is alterable by using a large electric current to reset internal memory cells. By using EEPROM or battery-backed RAM, external memory can also be used to store data in the short term and the long term. The memory space could also be divided among different physical devices so that different types of memory can be used together. On power-up, non-volatile memory can be copied to a much faster memory such as a synchronous dynamic memory. This can reduce the latency of read/write operations on the external memory. The contents of the external storage device 110 can be encrypted using cipher block chaining or, using simple block chaining, can be authenticated and optionally encrypted. Program information can be used by the ASIC 105 to decode an encoded data transmission. The program information may comprise lines (e.g., sets) of code that are to be executed by a central processing unit (CPU) 170 in the ASIC 105. Each line refers to an instruction or executable data used by the program. The code can conform to a reduced instruction set computer (RISC) architecture, where each line of code
can be executed in a single clock cycle of the circuit. The program information is processed using cipher block chaining. The block encryption method is triple DES. Three keys are available for use. One key is used with the high-order address lines. Another key is used with the low-order address lines. This provides address-dependent decryption. The third key can be unit-dependent. The hash algorithm may use a double feedforward hash (DFFH), for example, as described in US Patent Application Serial No. 08/577/922, filed on December 22, 1995. The hash is keyed. The key can be an exclusive OR of the address and the unit key, to provide both address dependency and unit authentication. Different hash algorithms can be used, so that keys can be appended together instead of being subjected to an exclusive OR operation. In the preferred embodiment, the op-codes (operation codes) generated are processed by an instruction decoder 172. Illegal op-codes may be flagged by an illegal op-code detector 174 in the instruction decoder 172, with appropriate action taken. For example, the CPU can send a signal to an alarm circuit 162, which in turn sends a kill (erase) signal to a storage device 150 that can store the initialization vectors, decryption keys, and authentication key. With cipher block chaining, any alteration of the program information will cause each subsequent block to be decrypted differently. In addition, the address lines of the external storage device may be encoded such that sequential blocks of the program information are stored non-sequentially. That is, the bytes, which can each include eight bits, for example, can be stored in non-sequential storage address locations. In this way, the external storage device 110 will be an encoded memory. A key can be used here as well. The key can differ on a group or unit basis. The storage device 110 also stores the authentication information for use in securely communicating the information of the
program to block buffers 130, 132 and 134 of the ASIC 105 via a common bus 115. The authentication information, also known as the check bits, is communicated to a check-bit block buffer 136 of the ASIC 105. Authentication information is data appended to a message, for example, the chain of program information, to allow a recipient to verify that the message should be accepted as authentic. The authentication information is a function of the contents of the message (e.g., the chain), such as when a hash value or a cryptographic checksum is used. A hash value is a fixed-length value obtained by mapping a data string of any length with a public function. In the preferred embodiment, the hash is keyed, and the authentication information is encrypted under a different key. The program information of the storage device 110 is communicated via the common bus 115 to one or a number N of block buffers, including, for example, block buffers 130, 132 and 134. While a plurality of block buffers is shown, a minimum is required
of one. The encryption/decryption circuit 120 is provided to encrypt or decrypt the blocks. Circuit 120 may also provide encryption, for example, when clear text data is received from the block buffers or another source and it is desired to encrypt the clear text data. The encrypted data can subsequently be transmitted via the buffers to the external storage device. An authentication circuit 125 hashes the clear text blocks of the program information using, for example, the DFFH function mentioned above. Authentication can be performed serially, in a streaming manner, as the blocks are decrypted. When block 1 is decrypted, the hash can be calculated. When block 2 is decrypted, the hash can be calculated with the hash output of the first block, and so on. The hash of the data is keyed in such a way that only knowledge of a public secret key can generate the correct hash. Alternatively, as mentioned above, decryption is applied to the authentication information, for example, the check bits which, when subjected to an exclusive OR operation with the authenticated data (e.g.
program information), result in a known value that can be verified by the hardware. The authentication circuit 125 and the encryption/decryption circuit 120 can communicate with each other and can share common circuitry. Cipher block chaining can be used for the chain of blocks communicated from the external storage device to the secure circuit 105. Cipher block chaining is discussed in Stallings, Network and Internet Security, IEEE Press, Englewood Cliffs, New Jersey, USA, pp. 59-61, 1995, incorporated herein by reference. Cipher block chaining can be used for both encryption and hashing, but in a preferred embodiment it is used simply for strong encryption. A separate hash portion is used. The block encryption algorithm used with cipher block chaining is triple DES. The lengths of the chains can vary between 16 and 32 blocks. The length varies from chain to chain according to the parameters of the address key. The order in which the blocks are communicated between the memory and the ASIC is random. A random number generator associated with the address generator accesses the appropriate block storage locations in memory. The authentication information is sent as one of the 16 to 32 blocks communicated. It can be communicated at any position in the sequence. When decrypted, it is compared to the hash value. For example, N = 16 blocks can be used in the chain of encrypted blocks, with each block having eight bytes of data. With cipher block chaining, each encrypted block of data depends on the clear text data of the current block as well as the clear text data of all the preceding blocks. Block chaining improves security since the same clear text input will produce different encrypted data depending on the other clear text blocks. Additionally, the overhead data allocated to the authentication information is significantly reduced. If one of the 16 blocks is dedicated to the authentication information, then it represents only 1/16 = .0625 or 6.25% of the program information. If N = 32, then the figure will be 1/32 = .03125 or 3.13%. In the preferred embodiment, the size of the chain can vary between 16 and 32, so on average the figure will be 1/24 = .0417 or 4.17%. That is, only 4.17% of the program information is authentication information.
For example, this could vary if two blocks of authentication information were provided instead of one. There are many possibilities. But chaining dramatically decreases the storage capacity required solely for authentication. Chaining also allows the use of smaller memory components, which greatly reduces the cost of the system, and/or increases the performance of the system because the amount of authentication information accessed from the storage device is reduced. Cipher block chaining is also discussed later in conjunction with Figures 2 and 3. A potential disadvantage of cipher block chaining is the latency in instruction execution when a new code segment that has not been decrypted, authenticated ahead of time and perhaps stored in the temporary storage memory needs to be accessed. The blocks must be decrypted serially, since it is not possible to start decrypting a block until the previous block is decrypted. More sophisticated hash functions, such as Message Digest (MD) 5 or the
Secure Hash Algorithm (SHA), could be used while still using cipher block chaining for encryption. The DFFH was chosen because DES was used. It is possible to use the same hardware that does the decryption to do the authentication as well. The inputs to the DES engine can be controlled to maximize the use of the hardware. Although one-way functions are desirable, they are not mandatory because, if the verification algorithm uses a secret key, a one-way function is not much better than a reversible algorithm such as cipher block chaining, since someone with knowledge of the secret key will be able to compute the appropriate authentication information to go along with whatever program information is provided. Authentication using public key cryptography is better because knowledge of the private decryption key of the secure circuit does not allow a pirate to know how to encrypt the hash in the first place. The public encryption key must be known. With any scheme, the common bus 115 can be sized to have a bandwidth that allows at least two lines of instructions, or grouped program information, to be carried at the same time. Alternatively, the common bus 115 can be sized to carry a complete block (e.g., eight bytes) of
the chain, or even two or more complete blocks. The common bus 115 can also be sized to carry one or more complete chains at a time. A sequence of blocks that are either authenticated and optionally encrypted instructions, for example, blocks $B_1, B_2, \ldots, B_{N-1}$, or an encrypted and optionally authenticated block. Encrypted blocks are used with cipher block chaining but are optional with simple block chaining. The authentication information is included in the communication of the program information in a block of check bits, for example, block $B_N$. The savings in overhead data with cipher block chaining or simple block chaining, while maintaining a desired level of security, can be seen as follows. The average number of attempts needed to break the authentication is $2^{n-1}$, where the authentication is n bits long. To provide a sufficient level of security, the authentication must reflect to some degree the length of the keys used to encrypt the instructions; otherwise, the hackers will attack the weaker component of the system, which could be the authentication information itself. That is, instead of trying keys to discover the key with which the
program information is encrypted, a pirate would test the authentication information and cause the CPU to process synthesized program information. If the encryption uses a key of at least seven bytes, as for DES, then preferably seven or eight bytes should be used for the authentication information. For example, with authentication information that is seven bytes long (for example, n = 56 bits long), $2^{55}$ attempts are required on average, which is similar in difficulty to breaking the DES key. When an eight-byte block of authentication information is attached to an eight-byte message block, the overhead of the authentication information is 50% (for example, 8 / (8 + 8)). However, when block chaining according to the present invention is used, and a seven-byte block is attached to a chain of 16 to 32 eight-byte blocks, for example, the overhead as discussed above is only about 4.17%, with strong security. Accordingly, block chaining provides a substantial reduction in the overhead of the authentication information while maintaining a desirable level of security. In a further aspect of the present invention, reordering of the chain that is communicated from the
external storage device to the ASIC 105 is provided. This reordering is used in addition to the encoded storage of the blocks in the storage device, discussed later, but it is possible to use the reordering by itself. By randomly reordering the blocks in the chain, a pirate is deterred from detecting information about the execution sequence of the program information in the processing circuit. As with reordering at the byte and chain level, the reordering of blocks can be done randomly, such that repeated execution of the same code will fetch the data from the external memory in a different sequence each time. For example, with reordering at the byte level, if there are eight bytes per block, there are $8! = 40{,}320$ different sequences in which the bytes can be ordered. Similarly, for the reordering of blocks, if there are 16 blocks per chain, there are $16! = 2.09 \times 10^{13}$ different sequences in which the blocks can be ordered. For the reordering of chains, if there are 4 chains per sequence of program information, there are $4! = 24$ different sequences in which the chains can be ordered. And it is possible to use all three together. The total number of possible permutations would then be $40{,}320 \times 2.09 \times 10^{13} \times 24 = 2.02 \times 10^{19}$.
It is important to realize that any field can be the basis for reordering and that bytes, blocks and chains are arbitrary units of bits. The fields that are reordered could be readable. Also, bytes need not be eight bits, nor blocks eight bytes, etc. With this in mind, the reordering operation could allow bytes to be reordered across two or more blocks, blocks across two or more chains, and chains across two or more sequences of program information. Here, a different result is obtained. For example, with reordering in the byte domain, if eight-byte blocks are reordered across two blocks, there are $16! = 2.09 \times 10^{13}$ different sequences in which the bytes can be ordered. If cipher block chaining is used in conjunction with reordering, where serial processing of the blocks is required, multiple block buffers are required to store all the related fields before decryption. Furthermore, as discussed further in conjunction with Figure 6, if the reordering occurs across two or more chains, then two or more chains' worth of block buffers will be required. Reordering across the program information sequences will require even more
block buffers. Decryption can be delayed until the associated fields of the last block of the sequence are read because, when rearranged internally, the last block read can be the first block of the chain sequence. With cipher block chaining, security is emphasized. However, simple block chaining, as described with the exclusive OR hash function in Figure 3, avoids latency problems and can be used with the reordering of chains, blocks, bytes or any field. Regardless of the order of the chain, block, byte or field, all bytes in a block are available for authentication. Additionally, when decryption is required, each block is decrypted independently. The addressing data provided to the external storage device may randomly select the fields, bytes, blocks, or chains for communication to the ASIC 105. A block reordering circuit multiplexer 112 may be provided which communicates with the common bus 115 to reverse the reordering as necessary for the encryption/decryption circuit 120 and the authentication circuit 125 to perform their functions. The multiplexer
112 of the block reordering circuit, the address generator 160, and the address encoder 164 can communicate with each other, and with the CPU 170 as required, to coordinate the reordering steps. The address generator 160 may be responsive to a random number generator 166. The random number generator 166 may provide random or pseudorandom sequence permutations for the fields of a chain or chains, which need not conform to any algorithm incorporated in the hardware. Sequence encoding at the chain, block, byte and field level is generally applicable to any scheme where blocks of data are communicated from a memory to a secure circuit for processing. As mentioned above, encoding the order of bytes or subfields within each block does not affect the decryption latency, since all bytes must be received before authentication and decryption can begin. However, reordering confuses a pirate as to which encrypted text corresponds to which instruction or other block of data. It also confuses a pirate regarding the structure, sequence and organization of the program information on the storage device. In the preferred embodiment, a full eight-byte block is read by the secure circuit 105; the order in which the first byte is read in relation to the other bytes will change from block to block and could change randomly each time the storage device is accessed. But when the block is rearranged within the secure circuit, there is only one appropriate sequence for a block that must be submitted to decryption. For cipher block chaining this has the advantage of not requiring more than one block buffer, since only the bytes of an individual block are held and rearranged, but it limits the obfuscation to an even smaller period of time. The data of the external storage device can be rearranged or sorted before the individual bytes are loaded into the block buffer. In a further aspect of the present invention, the blocks of a chain are written back to the storage device in a new pattern. Each random read of the storage device is followed by a corresponding write-back of the data in a different, random sequence. Associated with each chain is a memory device that stores the current underlying ordering sequence of the chain; the reordering can be random. False data may also be communicated between the storage device 110 and the secure circuit 105.
False data may be erroneous data that is stored by the storage device 110, that is, data that is never processed by the secure circuit but can optionally be used as filler, and optionally decrypted and authenticated by the secure circuit. False data is easy to generate. One simply performs a branch operation immediately preceding the false data. If no call or branch is ever made to the location where the false data resides, then that false data will never be executed. The false data can be real program information for other chains and instruction sequences that can be accessed at a later time and under different situations. As with the erroneous data, these data can optionally be used as filler, and are decrypted and optionally authenticated with the other program information. But these data are not processed by the secure circuit. The superfluous data confuses the pirate who tries to analyze the authenticated program information. One of the best ways to communicate false data is through variable-length chains. The actual number of communicated blocks could remain the same while the number of false blocks changes. With the reordering of the blocks, it would be difficult for a pirate to determine which blocks could be false. The false blocks in the preferred embodiment will actually be data that is never processed. The external storage device 110 can be encrypted such that the blocks of the program information and the authentication information are stored in non-sequential address locations in the storage device. It would be preferable to include the high-order address bits in the storage device encryption, so that any block of the program information can be located anywhere in the memory space. Substitution tables (S-tables) can be used to eliminate regularity and add non-linearity in the address encryption. Specifically, the external storage device, with authenticated block chains, is encrypted so that the execution of cryptographic code can be hidden from a pirate who is observing the storage device accesses on communication path 113. This can prevent a pirate from learning about the proprietary algorithms that are running. The encryption can therefore prevent a pirate from ascertaining the contents of the storage device and systematically attacking the secure circuit 105 through other means with the hardware. The encryption of the storage device
prevents the pirate from knowing exactly which encrypted program information is the likely target for attack. By knowing exactly what program information could make the system vulnerable to a security breach, the pirate could make a mistake in redirecting the processing of that program information. If only the address encoding and the data encryption and authentication were used, for example, without reordering of the data, only one block buffer is required in a minimum implementation. Encoding can be achieved by using an address generator that is associated with the secure circuit 105 to provide addressing information to the external storage device. A number, possibly a random number, may be provided to change the sequence in which the program information is communicated. The sequence information is used to multiplex the appropriate field, byte or block buffer to communicate with the appropriate block or byte at the right moment. The individual sets of subfields, bytes or data blocks of the external storage device are then transferred to the block buffers in a desired sequence
according to the addressing information. The addressing information is provided to the authentication and decryption circuits to allow these circuits to decode the data and function accordingly. Several block encryption algorithms, such as triple DES, can be used. In addition, the encoding algorithm can use the same substitution box (S-box) tables as DES but with fewer cycles. The number of cycles can be selected for different applications, such that an application requiring less security uses fewer cycles, while one requiring more security could use the entire 17 cycles that DES calls for. Reducing the number of cycles reduces the latency of the decryption operation. Address-dependent decryption and authentication of the program information may prevent a pirate from moving otherwise properly encrypted and authenticated block chains around the storage device to get the decoder to process the program information out of sequence. This out-of-sequence processing could cause the decoding receiver to inappropriately grant access to and decode a data transmission.
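The address-dependent and unit-dependent authentication described here, combined with random block reordering on the bus, can be modeled in a few lines. This is an added example, not code from the patent: it covers simple block chaining without encryption, truncated HMAC-SHA256 stands in for the keyed DFFH hash, and all function names, addresses and unit keys are constructed for illustration.

```python
import hashlib
import hmac
import random

BLOCK = 8                   # bytes per block, as in the text's example
KNOWN_VALUE = bytes(BLOCK)  # check value fixed in hardware (zero is an assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chain_key(unit_key: bytes, base_addr: int) -> bytes:
    """Address- and unit-dependent key: chain address XOR unit key."""
    return xor(base_addr.to_bytes(len(unit_key), "big"), unit_key)


def chain_hash(key: bytes, blocks: list) -> bytes:
    """Serial keyed hash: each block is hashed with the previous output.

    Truncated HMAC-SHA256 is a stand-in for the DFFH function of the text.
    """
    state = bytes(BLOCK)
    for blk in blocks:
        state = hmac.new(key, state + blk, hashlib.sha256).digest()[:BLOCK]
    return state


def store_chain(memory: dict, unit_key: bytes, base_addr: int, program: bytes) -> int:
    """Write the program blocks plus one check-bit block; return the block count."""
    if len(program) % BLOCK:
        raise ValueError("program must be a whole number of blocks")
    blocks = [program[i:i + BLOCK] for i in range(0, len(program), BLOCK)]
    digest = chain_hash(chain_key(unit_key, base_addr), blocks)
    # Stored check bits XOR recomputed hash must later equal KNOWN_VALUE.
    for i, blk in enumerate(blocks + [xor(digest, KNOWN_VALUE)]):
        memory[base_addr + i * BLOCK] = blk
    return len(blocks) + 1


def fetch_reordered(memory: dict, base_addr: int, n_blocks: int, rng: random.Random) -> list:
    """Read the chain in a random block order: (address, block) pairs seen on the bus."""
    addrs = [base_addr + i * BLOCK for i in range(n_blocks)]
    rng.shuffle(addrs)
    return [(a, memory[a]) for a in addrs]


def verify_chain(unit_key: bytes, base_addr: int, bus_traffic: list) -> bool:
    """Undo the reordering (the multiplexer's job), then authenticate the chain."""
    *program, check_bits = [blk for _, blk in sorted(bus_traffic)]
    digest = chain_hash(chain_key(unit_key, base_addr), program)
    return hmac.compare_digest(xor(check_bits, digest), KNOWN_VALUE)


def relocate(memory: dict, old_base: int, new_base: int, n_blocks: int) -> None:
    """Copy a stored chain to another address, as when chains are moved around."""
    for i in range(n_blocks):
        memory[new_base + i * BLOCK] = memory[old_base + i * BLOCK]


def demo() -> dict:
    rng = random.Random(1998)                    # seeded only for repeatability
    unit_a = bytes.fromhex("0123456789abcdef")   # constructed unit keys
    unit_b = bytes.fromhex("fedcba9876543210")
    program = bytes(range(15 * BLOCK))           # 15 program blocks -> chain of 16
    memory = {}
    n = store_chain(memory, unit_a, 0x4000, program)
    first = fetch_reordered(memory, 0x4000, n, rng)
    second = fetch_reordered(memory, 0x4000, n, rng)
    out = {
        "blocks": n,
        "orders_differ": [a for a, _ in first] != [a for a, _ in second],
        "genuine": verify_chain(unit_a, 0x4000, first)
        and verify_chain(unit_a, 0x4000, second),
    }
    # Chain moved to a different address: the address-dependent key no longer fits.
    relocate(memory, 0x4000, 0x9000, n)
    out["relocated"] = verify_chain(unit_a, 0x9000, fetch_reordered(memory, 0x9000, n, rng))
    # Same memory contents read by a unit holding a different unit key.
    out["cloned"] = verify_chain(unit_b, 0x4000, fetch_reordered(memory, 0x4000, n, rng))
    # One bit changed in one program block.
    addr = 0x4000 + 3 * BLOCK
    memory[addr] = xor(memory[addr], b"\x01" + bytes(BLOCK - 1))
    out["tampered"] = verify_chain(unit_a, 0x4000, fetch_reordered(memory, 0x4000, n, rng))
    return out


if __name__ == "__main__":
    print(demo())
```

With one check-bit block per 16-block chain, the same chain verifies regardless of fetch order, while a relocated chain, a chain read under another unit key, and a modified block all fail the check.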
If possible, the key used for encryption and decryption/authentication should have both address dependence and dependence on the unit key. The unit key is a key that is unique to each decoder and may depend, for example, on the decoder serial number that is provided at the time of manufacture. In this way, it is desirable that the key depend on individual units, or groups of individual units. Otherwise, it would be possible for a pirate to read the encrypted key data in a unit's internal storage device, and then place that same encrypted key data in the external storage device of another unit. This could be a way for a pirate to clone authorization to services between units and should be prevented. The address-dependent encoding and the dependence on the unit key also prevent knowledge of a key used to authenticate and/or encrypt a block of program information in one decoder from being used in another decoder. For example, without unit dependency, if this secret key is discovered through the VLSI test, for example, then it can be used to correctly authenticate and decrypt program information for other
decoders. In other words, if a key or keys were useful for more than one unit, a pirate might be able to use the key or keys obtained from one unit to either encrypt and authenticate, or authenticate, the program information for another unit. To achieve unit-dependent encoding, a download process can be used, using an optional encryption circuit to load the external flash memory, EPROM, battery-backed RAM, or mass storage device at the time the unit is created. This encryption circuit could be the same as that used to allow bidirectional read/write capability between the secure circuit and the storage device. An alternative would be to have these external storage devices loaded by the configuration system at the time the unit is created, using knowledge of the secret or private key or keys of the unit. Figure 2 is a schematic representation of an encryption scheme with cipher block chaining according to the present invention. Blocks of clear text program information become a chain comprising blocks of encrypted program information, which includes authentication information. In the example shown, each block
of encrypted program information depends on the clear text program information of the current block, as well as the clear text program information of a previous block. An authentication circuit 203 and an encryption circuit 200 are shown. Specifically, authentication circuit 203 includes key calculation functions 204, 206 and 208, and an adder 214. Functions 204, 206 and 208 may use the DFFH function discussed above or virtually any key calculation function. A key is successively calculated in the functions 204, 206 and 208 to provide a calculation value to the adder 214. The adder 214 also receives a zero or other value that is known by the hardware to provide an output value to the encryption circuit 200, which may include a triple DES encryption function represented by the encryption functions 218, 222 and 224. The encryption function 218 receives a secret key which is an exclusive OR of the lower order address bits and a Dk6 key, while the encryption function 222 receives a secret key which is an exclusive OR of the higher order address bits and a key Dk5, and the encryption function 224 receives a secret key which is an exclusive OR of a drive key and a Dk6 key. An adder 226 receives an output of the encryption function 224 together with the clear text block AN-1 and provides the encrypted text authentication block BN. The adder 226 essentially calculates the clear text data.

The clear text blocks A1, ..., AN-1, which may include the program information for decoding a data transmission, are received by the respective triple-key encryption functions and are also provided for an exclusive OR operation with the subsequent encrypted text block. For example, A1 is processed by the encryption functions 228, 232 and 234, which are each responsive to the keys as shown. An adder 236 receives the output of the encryption function 234 together with an initialization vector (IV) to provide the encrypted text block B1. A2 is processed by the encryption functions 242, 244 and 246, which are each responsive to the keys as shown. An adder 228 receives the output of the encryption function 246 together with the clear text block A1 to provide the block B2 of encrypted text. In this way, B2 is a function of both A1 and A2. Likewise, AN-1 is processed by the encryption functions 252, 254 and 256, which are each responsive to the keys as shown. An adder 258 receives the
output of the encryption function 256 together with the clear text block AN-2 to provide the block BN-1 of encrypted text. The IV may be zero, or a function of the address data or unit key that is provided to the block reordering circuit 112 or other scrambling function.

A block size of eight bytes is assumed for this example. In addition, although a triple DES is illustrated, which uses three different keys for each DES operation, fewer or more keys can be used. More keys can be entered in a DES operation by dividing the cycles to use different keys instead of an individual key. Additional keys can be used for the encryption functions, and additional and/or alternative encryption steps can be taken. Preferably, each of the encryption functions of encrypted text blocks uses the same encryption algorithm, although this is not required.

The N encrypted blocks, from B1 to BN, can be provided to an additional encryption function, such as the block reordering circuit 112 of Figure 1, which performs a block-wise encoding of the N blocks according to an address data signal. For example, with N equal to eight blocks, the blocks can be stored in sequential addresses of the external storage device 110 in the order: B1, B3, B2, B5, B4, B6, B8, B7. The blocks are said to be stored in a random or non-sequential manner since they are not stored in successive addresses of the storage device. With the temporal reordering scheme discussed above, the blocks can subsequently be transmitted to the block buffers in another sequence, for example, B5, B3, B2, B6, B4, B7, B8, B1, which differs both from the order in which the blocks were provided to the reordering circuit 112 and from the storage sequence.

The authentication and encryption functions and the associated elements do not need to be co-located with the external storage device 110. That is, encryption circuit 200 can be located in a broadband coaxial system of cable television systems, or a satellite link, while the storage device is separated from a decoding receiver in the consumer's house. The authenticated/encrypted program information may be provided to the memory 110 via any convenient channel, for example, via a telephone, satellite, cable television link, or computer network. The
authenticated/encrypted program information can also be installed locally via a smart card, or the storage device 110 itself can be preloaded with the encrypted program information before installation and initialization on the decoding receiver.

Referring again to the decoding receiver 10 of Figure 1, the address data used by the address decoder 164 can be stored in an address generator 160 of the ASIC 105. The address data is provided to the external memory 110 via a route 165, so that the encoded blocks of the encrypted instructions can be read in a desired sequence (for example, B1, B2, ..., BN). In particular, the blocks comprising a chain can be read non-sequentially from the memory 110 to provide the blocks in the uncoded sequence via the line 113. Optionally, the blocks can be transmitted from the external storage device 110 to the secure circuit 105 in the random or coded time sequence and decoded in ASIC 105 using the multiplexer of the block reordering circuit 112. The address data may also be used by the storage device 110 to transmit different block chains in a coded manner (for example, non-sequential order).

The address data and the encrypted blocks B1 to BN of the successive encrypted block chains are provided to the encryption/decryption circuit 120 and the authentication circuit 125 of the ASIC 105. The encryption/decryption circuit 120 uses the address data to decode as required the sequences of the encrypted block chains. The reordering can also occur in the multiplexer 112 of the block reordering circuit. The encryption/decryption circuit 120 also receives the secret decryption key from a decryption key memory 150 of the ASIC 105, and performs a decryption algorithm that is the inverse of that used to provide the encrypted blocks. The decryption process is discussed immediately below and also in conjunction with Figure 3.

With the block chaining scheme, blocks B1 through BN of each chain must be decrypted in sequence. That is, B1 is decrypted first, then the result is used in the decryption of B2, and so on. Once B1 to BN-1 have been decrypted, the authentication block, BN, can be decrypted, and the authentication information (for example, checksum or key calculation) can be calculated by the authentication circuit 125 to authenticate the chain. The correct authentication information can be pre-stored within the authentication circuit 125 and compared to the calculated authentication information to provide the necessary verification. Finally, lines of clear text (e.g., decrypted) program information are obtained and provided to the temporary storage memory 140.

For secure communication between the storage device 110 and the secure circuit 105, the program information outgoing from the secure circuit to the storage device must also be authenticated and/or encrypted. In this way, to change a byte or series of data in the external storage device 110, the complete block and the block chain must be read into the ASIC, the change made, and then the appropriate authentication information calculated. After the authentication information is calculated, the newly encrypted block information and the changed authentication information are written, for example, using simple block chaining. The program information can be written back to the storage device in an underlying sequence,
different from that from which it was taken. Unmodified blocks do not need to be written unless the storage location has changed. With the chaining of encrypted blocks, the change of a block can change the subsequent blocks in a chain. Those changed blocks will need to be written as well.

There are cases when the secure circuit needs to communicate with the outside world in clear mode, for example, for printers, error messages, display purposes and the like. Therefore, the encryption/decryption circuit 120 and/or the verification/authentication circuit 125 must have a disabling mode whereby the program information can be communicated and derived conditionally. In this mode, program information need not be communicated in any block or chain because there will be no requirement for encryption and authentication. This mode can also be useful for debugging and testing the system.

Different chain lengths can be used to communicate different types of program information from the storage device. Program information that requires less latency may have shorter chain lengths. Program information that can tolerate more latency may have a longer chain length, thus saving storage of the corresponding authentication information. In this way, the length of each chain can be adjusted according to the processing latency of the program information of the respective chains. For example, it may be possible to have only two blocks of program information in the chain, one for the data and one for the authentication information.

Although a complete chain of program information must be fetched and decrypted first to change even an individual byte, a change in the data does not have to be written immediately to the external storage device. The data may be stored internally, such as in the temporary storage memory 140, until such time as the external storage device needs to be updated. At that time, the ASIC must write the entire chain with the modification back to the external storage device.

Referring again to the encryption/decryption circuit 120, the decrypted program information is provided to a temporary storage memory 140 for temporary storage, and to a CPU 170 for execution. The program information can be used to decode a coded data transmission using additional processing hardware or software and steps that are not shown, but are well known in the art. The temporary storage memory 140 is a RAM that provides an intermediate storage capacity with relatively high speed access and can be sized to store a substantial amount of data. The temporary storage memory 140 can store thousands of bytes, which correspond to the size of the instructions and the operation data of many block chains.

The CPU can execute the program information of the first chain of encrypted blocks while the encryption/decryption circuit 120 is decrypting the blocks from a second, subsequent encrypted block chain. The second chain can directly follow the first chain, or it can be separated from the first chain by one or more intermediate chains. In this way, the performance of the system can be improved due to the overlapping activity of the authentication circuit, the decryption circuit and the CPU. In general, although the execution time of the program information in the CPU will typically be faster than the decryption time in the encryption/decryption circuit 120, efficiencies can be achieved by coordinating the decryption and execution activities, and
optimizing the number of runs used in the encryption/decryption algorithm. Additional efficiencies can be made by writing the program information, for example, instructions, which are executed by the CPU, according to the block chain transfer scheme. In particular, the amount of program information in lines of the instructions can be adjusted to the size of the block and the number of blocks in a chain. For example, the instruction lines must be carried completely in one chain of blocks instead of being divided between two chains, to avoid waiting for a second chain of blocks to be decoded to recover the rest of a line. An instruction is typically only a few bytes long (for example, 1-4 bytes). Thus a chain of blocks will typically include several instructions.

The temporary storage memory 140 may optionally receive a signal from the address generator 160 to coordinate the storage and transfer of the program information to the CPU 170. For example, the signal may inform the temporary storage memory 140 that additional blocks are being sent to the buffers, the authentication circuit 125 and the encryption/decryption circuit 120, so that additional executable program information will be received by the temporary storage memory 140. One or more registers 180 may be provided which interconnect with the temporary storage memory 140 and the CPU 170. Also, a small internal ROM may be used to store the boot information or other program information which may be required in ASIC 105.

Figure 3 is a schematic representation of a decryption scheme with chaining of encrypted blocks according to the present invention. The scheme is the counterpart of the encryption scheme of Figure 2. Reordering is performed when it is required to obtain the fields in the desired sequence for decryption. An authentication circuit 303 and a decryption circuit 300 are provided. In the decryption circuit, each of the ciphertext blocks B1, ..., BN is decrypted. First, the respective ciphertext blocks are subjected to an exclusive OR operation with the previous decrypted clear text block, or an initialization vector. Specifically, B1 and the IV used during encryption are received in an adder 320 to provide an output to a triple DES decryption function, including decryption functions
322, 324 and 326. The clear text block A1 is output from the decryption function 326 and provided to an adder 330 and a key calculation function 304. In the key calculation function 304, A1 and a key are calculated to provide an output to the successive calculation functions 306 and 308, and an adder 310. The adder 330 receives A1 and B2 to provide an output to the decryption functions 332, 334 and 336 to provide the clear text block A2. Similarly, an adder 340 receives AN-2 and BN-1 to provide an output to the decryption functions 342, 344 and 346 to provide the clear text block AN-1. An adder 350 receives the authentication block BN as well as AN-1 to provide a value to the decryption functions 352, 354 and 356. The output of the decryption function 356 is provided to an adder 310 together with a key calculation value of the key calculation function 308 to produce an output of either one or zero. If the output is zero, then the authentication value is valid since it equals the calculation value, and an enable signal is set to allow processing to continue. However, if the output of the adder 310 is one, then the authentication value is not valid, and an alarm state can be initiated in the alarm circuit 162 to provide an annihilation (erase) signal for the partial or complete erasure of the contents of the key storage device 150.

When block reordering is used, a hacker may try to probe the program information and the value of the authentication information, and will probably create invalid op-codes. The invalid op-codes are hexadecimal data instructions for which there is no corresponding operation. There are several options to handle an authentication value or op-code that does not match. One possibility is to perform a reset of the secure circuit, which will require the pirate to reconfigure and reinitialize the ASIC for another attack. Another possibility is to make the processor in the ASIC branch to an infinite "no operation" (NOP) loop. This is a state where the ASIC performs a non-substantial operation, requiring the pirate to first detect the NOP operation, then force a reset, and reconfigure and reinitialize the ASIC for another attack. Or, the number of mismatches between the pre-stored value and the decrypted value can be counted such that one or all stored keys are erased when a threshold number of mismatches is detected. These keys could be sensitive keys, so that knowledge of them in the outside world may present a major security breach. Their erasure would cause permanent faulty operation of an otherwise good unit. Another possible countermeasure is to erase a temporary key, such as one of the distributed keys, instead of a key that is loaded at the initialization of the unit, or creation time. This forces the pirate to contact the network service provider for reauthorization, potentially exposing the pirate in this way. In the preferred mode that emphasizes security, all keys are erased.

Figure 4 is a schematic representation of a simple block chaining encryption scheme according to the present invention. As discussed above, this configuration can avoid the latency or wait problems that are characteristic of the encrypted block chaining technique of Figures 2 and 3. Encryption of all clear text blocks can be carried out independently and substantially in parallel. The encryption and decryption of the authentication information depends on the clear text blocks. The simple block encryption technique may have greater susceptibility to some trial attacks by pirates, however, because the modifications of one block will not affect other blocks, other than the authentication information.
An authentication circuit 403 and an encryption circuit 400 are provided. The blocks of clear text program information A1, A2, ..., AN are processed to provide the corresponding ciphertext blocks B1, B2, ..., BN, respectively. One of the encrypted text blocks, designated generically as Bi, is an authentication block, and can assume any position among the other encrypted text blocks (e.g., 1 ≤ i ≤ N). In the encryption circuit 400, the block A1 is encrypted in a function 402 to provide the block B1, the block A2 is encrypted in a function 404 to provide the block B2, the block AN-1 is encrypted in a function 408 to provide the block BN-1, and the block AN is encrypted in a function 410 to provide the block BN. Additionally, each of the clear text blocks is provided to an adder 412 in the authentication circuit 403 to provide a value to an encryption function 406 to produce an encrypted text authentication block, Bi. Bi can be the first block B1, the last block BN, or any block between them. The adder 412 also receives a zero or other value that is known by the hardware.

Each of the encryption functions for non-authentication blocks, for example, functions 402, 404, 408 and 410, can operate under the same key K1, which is obtained by an exclusive OR operation on a unit key, the higher-order address bits, a secret key of K1 and the lower order address bits. The encryption function for the authentication block, for example, the function 406, can operate under a different key, K2, which is obtained using a secret key D?2. The encrypted blocks can be provided to the block reordering circuit, as discussed previously.

In accordance with the present invention, the authentication information is derived from the clear text blocks by providing an adder 412 that takes the exclusive OR of the clear text blocks A1, A2, ..., AN and, optionally, a pre-stored value. The output of the adder 412 is subsequently encrypted in the function 406 to provide the encrypted authentication block Bi. Virtually any key calculation function can be used in place of, or in addition to, the adder 412. In addition, it is not necessary for each clear text block to be input to the adder 412.

Figure 5 is a schematic representation of a simple block chaining decryption scheme according to the present invention. The decryptor is the counterpart of the encryptor of Figure 4. Reordering is performed when it is required to obtain the blocks in the desired sequence for decryption. A decryption circuit 500 and an authentication circuit 503 are provided. The decryption functions 502, 504, 508 and 510 use a key K1 as shown to decrypt the encrypted text blocks B1, B2, BN-1 and BN, respectively, to provide clear text blocks A1, A2, AN-1 and AN. The encrypted text authentication block, Bi, is decrypted in a function 506 using a different key. The outputs of each of the decryption functions are provided to an adder 512 to provide a key calculation value which, in turn, is summed in an adder 514 with a pre-stored value of the hardware. If the output of the adder 514 is zero, then the key calculation value and the hardware value are the same, and the authentication data is verified and subsequent processing is allowed. However, if the output of the adder 514 is one, then the key calculation value and the hardware value are different, and the authentication data is not verified, thus establishing an alarm state.

Figure 6 is a schematic diagram of a cryptographic key generator / decoding receiver apparatus according to the present invention. Like-numbered elements correspond to the elements of Figure 1. The receiver, generally shown at 600, includes the chain block buffers 130, 132 and 134, which are used for the first, second and nth blocks, respectively, of a first chain, and block buffers 630, 632 and 634, which are used for the first, second and nth blocks, respectively, of a second chain. With this scheme, two or more blocks (one from each chain) can be communicated on line 113 at the same time. In addition, additional block buffers can be provided to store the data for more than two chains. Each one can have the same or different lengths.
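The two chaining modes of Figures 2 and 3 and of Figures 4 and 5 can be compared side by side in the following added example, which is not code from the patent. It assumes a toy Feistel permutation in place of triple DES, one key per chain instead of three, truncated SHA-256 as the key calculation function, and hypothetical function names and sample values throughout.

```python
import hashlib

BLOCK = 8  # the text assumes eight-byte blocks
ZERO = bytes(BLOCK)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc(key, block):
    """Toy 8-round Feistel permutation; an assumed stand-in for triple DES."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def dec(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def derive_key(secret, unit_key, address):
    """Unit- and address-dependent key: secret XOR unit key XOR address bits."""
    return xor(xor(secret, unit_key), address.to_bytes(BLOCK, "big"))

def key_calc(key, blocks):
    """Successive key calculation (hash) over the clear text blocks."""
    value = key
    for block in blocks:
        value = hashlib.sha256(value + block).digest()[:BLOCK]
    return value

def encrypt_chained(key, iv, clear):
    """Figure 2: Bi = E(Ai) XOR A(i-1); BN carries the authentication value."""
    stored, prev = [], iv
    for block in clear + [key_calc(key, clear)]:
        stored.append(xor(enc(key, block), prev))
        prev = block
    return stored

def decrypt_chained(key, iv, stored):
    """Figure 3: Ai = D(Bi XOR A(i-1)); returns (clear blocks, authenticated)."""
    plain, prev = [], iv
    for block in stored:
        prev = dec(key, xor(block, prev))
        plain.append(prev)
    clear, auth = plain[:-1], plain[-1]
    return clear, xor(auth, key_calc(key, clear)) == ZERO

def xor_all(blocks, start):
    for block in blocks:
        start = xor(start, block)
    return start

def encrypt_simple(k1, k2, clear, prestored=ZERO):
    """Figure 4: blocks encrypted independently; the adder XORs the clear text."""
    return [enc(k1, b) for b in clear] + [enc(k2, xor_all(clear, prestored))]

def decrypt_simple(k1, k2, stored, prestored=ZERO):
    """Figure 5: XOR of all decrypted blocks and the pre-stored value must be zero."""
    clear = [dec(k1, b) for b in stored[:-1]]
    check = xor_all(clear + [dec(k2, stored[-1])], prestored)
    return clear, check == ZERO

def damaged(got, want):
    return [i for i, (g, w) in enumerate(zip(got, want)) if g != w]

def demo():
    # Constructed sample values; none come from the patent.
    secret1, secret2 = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    unit_a, unit_b = bytes.fromhex("a1a2a3a4a5a6a7a8"), bytes.fromhex("b1b2b3b4b5b6b7b8")
    clear = [b"LOAD R1,", b"ADD R1,2", b"STORE R1", b"RETURN  "]
    k1, k2 = derive_key(secret1, unit_a, 0x4000), derive_key(secret2, unit_a, 0x4000)
    flip = b"\x01" + bytes(BLOCK - 1)  # one flipped bit in the second stored block
    chained = encrypt_chained(k1, ZERO, clear)
    simple = encrypt_simple(k1, k2, clear)
    bad_chained = chained[:1] + [xor(chained[1], flip)] + chained[2:]
    bad_simple = simple[:1] + [xor(simple[1], flip)] + simple[2:]
    got_c, ok_c = decrypt_chained(k1, ZERO, bad_chained)
    got_s, ok_s = decrypt_simple(k1, k2, bad_simple)
    return {
        "chained_roundtrip": decrypt_chained(k1, ZERO, chained) == (clear, True),
        "simple_roundtrip": decrypt_simple(k1, k2, simple) == (clear, True),
        # Stored data copied into another unit fails authentication there.
        "clone_accepted": decrypt_chained(derive_key(secret1, unit_b, 0x4000), ZERO, chained)[1],
        "tamper_accepted": (ok_c, ok_s),
        # Chaining propagates the damage; simple mode confines it to one block.
        "chained_damage": damaged(got_c, clear),
        "simple_damage": damaged(got_s, clear),
    }

if __name__ == "__main__":
    print(demo())
```

Both modes reject the modified chain, but only the chained mode garbles every block after the modified one, which is the difference the description draws between Figures 2 and 3 and Figures 4 and 5.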
The encryption/decryption circuit 120 and the authentication circuit 125 process chain 1, while the encryption/decryption circuit 620 and the authentication circuit 625 process chain 2. The data of the key storage device 150 can be provided to circuits 120, 125, 620 and 625 as required for each of the chains. In addition, although they are shown as separate elements, the authentication circuit 125 and the encryption/decryption circuit 120 may share common circuitry with the authentication circuit 625 and the encryption/decryption circuit 620.

The embodiment of Figure 6 allows reordering across two or more chains when encrypted block chaining is used. As discussed, when chaining encrypted blocks, each block in a chain must be stored temporarily to retrieve the authentication block. The receiver 600 can therefore provide parallel processing of two or more encrypted block chains, chain-wise reordering, or block-wise reordering across two or more chains.

Accordingly, it can be seen that the present invention provides an apparatus for decoding an encoded data transmission by transferring authenticated and, optionally, encrypted program information from an external storage device to a secure circuit in a simple block chain. Encrypted and optionally authenticated program information is also transferred from the external storage device to the secure circuit in an encrypted block chain. The scheme allows updates and other changes to the decoding instructions to be made easily without modification of the secure circuit. Additionally, the use of the chain of blocks improves system performance and reduces system cost by reducing the overhead of authentication information. Additional efficiency is obtained by providing a storage memory for transferring two or more lines of the decrypted or authenticated program information to the CPU in a single clock cycle, and by managing the synchronization of block decryption with the transfer of the decrypted data blocks to the temporary storage memory and the CPU.

An alternative embodiment of the invention uses simple block encryption instead of block chaining. With this scheme, the blocks of the chain are authenticated using a large authentication field, as with encrypted block chaining. However, block chains can be decrypted and authenticated substantially in parallel instead of serially. Reordering of the block chain using any field, such as at the level of bytes, blocks and/or chains, is also provided, in addition to coded storage and addressing in the external storage device. Additionally, a bidirectional capability can be provided to allow program information to be transferred from the secure circuit to the external storage device. The program information does not need to be encrypted but only authenticated for security.

Although the invention has been described in conjunction with various specific embodiments, those skilled in the art will appreciate that numerous adaptations and modifications may be made thereto without departing from the spirit and scope of the invention as set forth in the claims. For example, the invention is particularly suitable for discouraging the copying of and tampering with proprietary software algorithms and for securing cryptographic applications, such as the decoding of data transmissions such as pay television programs, to prevent unauthorized users from receiving television broadcasts. The invention is equally useful in other applications, including terminals and smart cards for electronic funds transactions, access control of premises, electronic games, facilities and stored data used by merchants, data that is transferred via the Internet or other computer networks, and so on.

In addition, the invention is compatible with alternative encryption schemes such as a stream cipher, or a combination of both a stream cipher and an encrypted block chain, such as the Common Scrambling Algorithm (CSA). Another scheme is public key encryption. Because each block and chain is relatively small compared to the modulus sizes of the RSA public key system, which has sizes of 2048 bits (256 eight-bit bytes), it is possible to use RSA to encrypt one or more chains of program information. If the RSA public key system is used, then it may be preferable to use an unbalanced exponent pair, whereby the private decryption exponent will be small, for example, equal to three. This will decrease the latency or wait for the program information. After decryption, the authentication information could be verified as in the block encryption techniques described above and decrypt and verify, or simply verify. This makes it difficult to set the decrypted authentication value and, as mentioned above, a combination of a secret key and a public key can be used.
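The block reordering described for the reordering circuit 112 and the address generator 160 is sketched below as an added example, not code from the patent. It replays the storage order and the transmission order given in the description for N equal to eight; the keyed shuffle in `storage_order`, the base addresses and all function names are assumptions made for illustration.

```python
import hashlib
import hmac


def storage_order(address_key, chain_base, n):
    """Assumed derivation: keyed Fisher-Yates shuffle of logical indices 0..n-1."""
    order = list(range(n))
    for i in range(n - 1, 0, -1):
        msg = chain_base.to_bytes(4, "big") + bytes([i])
        digest = hmac.new(address_key, msg, hashlib.sha256).digest()
        j = int.from_bytes(digest[:4], "big") % (i + 1)
        order[i], order[j] = order[j], order[i]
    return order


def store(memory, base, blocks, order):
    """Write logical block order[slot] at external address base + slot."""
    for slot, logical in enumerate(order):
        memory[base + slot] = blocks[logical]


def fetch(memory, base, order, time_order):
    """Address generator and multiplexer: read in time_order, fill buffers in logical order."""
    slot_of = {logical: slot for slot, logical in enumerate(order)}
    buffers, bus = [None] * len(order), []
    for logical in time_order:
        data = memory[base + slot_of[logical]]
        bus.append(data)         # sequence visible on the external bus
        buffers[logical] = data  # multiplexer routes the block to its buffer
    return buffers, bus


def demo():
    blocks = [f"B{i}".encode() for i in range(1, 9)]  # constructed stand-ins for B1..B8
    order = [0, 2, 1, 4, 3, 5, 7, 6]       # storage order in the text: B1 B3 B2 B5 B4 B6 B8 B7
    time_order = [4, 2, 1, 5, 3, 6, 7, 0]  # transmission order in the text: B5 B3 B2 B6 B4 B7 B8 B1
    memory = {}
    store(memory, 0x100, blocks, order)
    layout = [memory[0x100 + slot] for slot in range(8)]
    buffers, bus = fetch(memory, 0x100, order, time_order)
    # Same round trip with an order derived from a constructed address key.
    keyed = storage_order(b"constructed address key", 0x200, 8)
    store(memory, 0x200, blocks, keyed)
    keyed_buffers, _ = fetch(memory, 0x200, keyed, list(range(8)))
    return layout, bus, buffers, sorted(keyed), keyed_buffers


if __name__ == "__main__":
    print(demo())
```

The block buffers end up in logical order in both cases, while neither the memory layout nor the bus sequence shows the blocks in the order in which they are decrypted.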
Claims (50)
NOVELTY OF THE INVENTION

Having described the present invention, it is considered as a novelty and, therefore, the content of the following CLAIMS is claimed as property:

1. An apparatus for processing program information, comprising: a secure circuit comprising a central processing unit (CPU) and at least one block buffer to store at least one block of the program information; an external storage device that is adapted to store the program information external to the secure circuit; a first communication path that is adapted to communicate a group of blocks of program information from the external storage device to at least one block buffer in a first block chain; and a second communication path that is adapted to communicate the program information from at least one block buffer to the CPU for processing therein.

2. The apparatus according to claim 1, wherein: the secure circuit comprises an authentication circuit to authenticate the program information.

3. The apparatus according to claim 2, wherein: the block chain is a simple chain of blocks, such that the group of blocks in the first block chain are processed substantially in parallel by the authentication circuit.

4. The apparatus according to claim 2 or 3, wherein: the first block chain and a second subsequent chain of program information blocks are communicated between the external storage device and at least one block buffer; and the authentication circuit is adapted to communicate at least a portion of program information of one of the first block chain while at least a portion of the second block chain is being communicated on the first communication path.

5. The apparatus according to one of claims 2 to 4, wherein: the first communication path is adapted to communicate blocks of program information from the storage device to at least one buffer in a second chain; and the authentication circuit is adapted to authenticate the program information from at least a portion of the first block chain and at least a portion of the second chain substantially concurrently.

6. The apparatus according to one of claims 2 to 5, further comprising: a temporary storage memory arranged in the second communication path that is adapted to temporarily store the authenticated program information, before the authenticated program information is provided to the CPU.

7. The apparatus according to one of the preceding claims, further comprising: means for detecting an illegal operation code in the program information.

8. The apparatus according to one of the preceding claims, further comprising: at least part of the program information is calculated in code to provide the block chain.

9. The apparatus according to one of the preceding claims, further comprising: an address generation means for providing the addressing information to the external storage device for communicating the program address blocks from the external storage device to at least one external block memory in a desired sequence.

10. The apparatus according to one of the preceding claims, wherein the program information comprises a plurality of series that are to be processed in succession by the CPU.

11. The apparatus according to one of the preceding claims, wherein: the blocks of the program information are stored in the external storage device in coded storage locations.

12. The apparatus according to one of the preceding claims, wherein: the chains of the program information with substantially randomly varying lengths are communicated from the external storage device to at least one block buffer.

13. The apparatus according to claim 12, further comprising: an address generation means for providing the addressing information to the external storage device for communicating blocks of program information from the external storage device to at least one block buffer, in a desired sequence, where: the substantially randomly varying lengths are determined according to the addressing information.

14. The apparatus according to one of the preceding claims, wherein: means for providing a substantially random block-wise rearrangement of the first block chain and substantially random reordering of a block of the first block chain, for communicating a reordered chain from the external storage device to at least one block buffer.

15. The apparatus according to one of the preceding claims, wherein: the units of the program information are communicated from the external storage device to at least one block buffer using randomly variable sequences.

16. The apparatus according to claim 15, wherein the units of the program information comprise block chains.

17. The apparatus according to one of the preceding claims, wherein: a plurality of program information is communicated from the external storage device to the secure circuit in units of variable length; and the length of each unit is determined according to a processing latency of the associated program information of the respective units.

18. The apparatus according to one of the preceding claims, wherein: the program information comprises false data that is not processed by the CPU.

19. The apparatus according to one of the preceding claims, wherein: the program information stored in the external storage device is encrypted; the secure circuit comprises a decryption circuit that is responsive to at least one block buffer to decrypt the encrypted program information; the second communication path is adapted to communicate the decrypted program information from the decryption circuit to the CPU for processing therein.

20. The apparatus according to claim 19, wherein: the first block chain and a second, subsequent chain of blocks of the program information are communicated between the external storage device and at least one block buffer; and the decryption circuit is adapted to decrypt at least a portion of the program information of the first block chain, while some portion of the second block chain is being communicated on the first communication path.

21. The apparatus according to claim 19 or 20, wherein: the first communication path is adapted to communicate blocks of program information from the storage device to at least one buffer in a second chain; and the decryption circuit is adapted to decrypt the program information from at least a portion of the first block chain and at least a portion of the second chain substantially concurrently.

22. The apparatus according to one of claims 19 to 21, further comprising: a temporary storage memory arranged in the second communication path that is adapted to temporarily store the decrypted program information, before the decrypted program information is provided to the CPU.

23. The apparatus according to one of claims 19 to 22, wherein: the first block chain is an encrypted block chain.

24. The apparatus according to one of the preceding claims, further comprising: a communication path that is adapted to communicate the group of program information blocks from the secure circuit to the external storage device in a second block chain.

25. The apparatus according to claim 24, further comprising: an encryption circuit for encrypting the program information for the second block chain.

26. The apparatus according to claim 25, wherein the encryption circuit is conditionally responsive to the address information to allow a clear mode for the program information for the second block chain.

27. The apparatus according to one of claims 24 to 26, further comprising: an authentication circuit for authenticating the program information for the second block chain.

28. The apparatus according to claim 27, wherein the authentication circuit is conditionally responsive to the address information to allow a clear mode for the program information for the second block chain.

29. The apparatus according to one of claims 24 to 28, further comprising: a re-sequencing circuit for the random reordering of the program information for the second block chain.

30. The apparatus according to one of claims 24 to 29, further comprising: a length determining circuit for randomly determining the length of the units of the program information for the second block chain.

31. The apparatus according to one of claims 24 to 30, further comprising: a false data insertion circuit for adding false data to the program information for the second block chain.

32. The apparatus according to one of the preceding claims, wherein a plurality of the program information chains are communicated from the external storage device to the secure circuit in a substantially randomly variable sequence.

33. An apparatus for communicating program information, comprising: a secure circuit to provide the program information; an external storage device that is adapted to store the program information external to the secure circuit; and a first communication path that is adapted to communicate a group of blocks of program information from the secure circuit to the external storage device in a first block chain.

34.
The apparatus according to claim 33, wherein: the program information comprises authentication data; and the secure circuit comprises an authentication circuit for providing the authentication data. 35. The apparatus according to claim 34, wherein: the block chain is a simple block chain, such that the group of blocks in the first block chain is processed substantially in parallel by the authentication circuit to provide the data of authentication. 36. The apparatus according to claims 34 or 35, wherein: P1635 / 98MX The authentication circuit calculates in key at least part of the program information to provide the authentication data. 37. The apparatus according to one of claims 33 to 36, further comprising: an address generation means for providing addressing information to the external storage device for communicating blocks of program information from the secure circuit to the storage device external in a desired sequence. 38. The apparatus according to one of claims 33 to 37, wherein: the blocks of the program information are stored in the external storage device in external storage locations in coded storage locations. 39. The apparatus according to one of claims 33 to 38, wherein: the units of the program information with lengths varying substantially randomly are communicated from the secure circuit to the external storage device. 40. The apparatus according to one of claims 33 to 39, wherein a plurality of chains of the P1635 / 98MX program information is communicated from the secure circuit to the external storage device in a substantially randomly variable sequence. 41. The apparatus according to one of claims 33 to 40, further comprising: means for providing at least one of (a) rearrangement in the manner of substantially random blocks of the first block chain, and (b) substantially random rearrangement of a block of the first block chain to communicate a reordered string from the secure circuit to the external storage device. 42. 
The apparatus according to one of claims 33 to 41, wherein: the units of the program information are communicated from the secure circuit to the external storage device using substantially variable sequences in a random manner. 43. The apparatus according to one of claims 33 to 42, wherein: the units of the program information communicate from the secure circuit to the external storage device using substantially variable lengths in a random manner. 44. The apparatus according to one of the claims P1635 / 98MX 33 to 43, where: the program information comprises false data that was not processed by the CPU. 45. The apparatus according to one of claims 33 to 44, wherein the program information is provided in block chains. 46. The apparatus according to one of claims 33 to 45, wherein: the secure circuit comprises an encryption circuit for encrypting the program information; and the first communication path is adapted to communicate the program information, encrypted, from the encryption circuit to the external storage device. 47. The apparatus according to claim 46, wherein: the block chain is an encrypted block chain. 48. The apparatus according to one of claims 33 to 47, further comprising: a communication path that is adapted to communicate a group of blocks of program information from the external storage device to the secure circuit in a second block chain . 49. The apparatus according to claim 48, in P1635 / 98MX where the program information stored in the external storage device is encrypted, the secure circuit further comprising: a decryption circuit for decrypting the encrypted program information in the second block chain. 50. 
An apparatus for processing encrypted program information, comprising: a secure circuit including at least one of an encryption and decryption circuit, a central processing unit (CPU), and at least one block buffer for storing at least one block of program information; an external storage device that is adapted to store the program information external to the secure circuit; a first communication path that is adapted to communicate a group of blocks of program information between the external storage device and at least one block buffer in a first chain of encrypted blocks; at least one encryption and decryption circuit that is responsive to at least one block buffer to respectively encrypt or decrypt the program information; Y P16-.5 / 98MX a second communication path that adapts to communicate the program information between at least one decryption and encryption circuit and the CPU. P1635 / 98MX
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US08949111 | 1997-10-10 |
Publications (1)
Publication Number | Publication Date |
---|---|
MXPA98008403A (en) | 1999-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0908810B1 (en) | Secure processor with external memory using block chaining and block re-ordering | |
US8213612B2 (en) | Secure software download | |
EP2491510B1 (en) | Distribution system and method for distributing digital information | |
CA2919106C (en) | Media client device authentication using hardware root of trust | |
US7933838B2 (en) | Apparatus for secure digital content distribution and methods therefor | |
JP2009501470A (en) | Protecting multimedia data | |
CN101996154B (en) | General processor supporting reconfigurable safety design | |
US6871192B2 (en) | System and method for preventing unauthorized use of protected software utilizing a portable security device | |
US20070074046A1 (en) | Secure microprocessor and method | |
EP4116830A1 (en) | Memory integrity | |
CN1759560A (en) | Protected return path from digital rights management dongle | |
US10103884B2 (en) | Information processing device and information processing method | |
CN102279908A (en) | Method and system for protecting digital contents | |
EP2629225A1 (en) | System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction | |
US9003197B2 (en) | Methods, apparatus and system for authenticating a programmable hardware device and for authenticating commands received in the programmable hardware device from a secure processor | |
US20100191959A1 (en) | Secure microprocessor and method | |
MXPA98008403A (en) | Security processor with external memory that uses blocking and block reordering | |
CN117216813B (en) | Method, device and security chip for reading and writing data | |
JPH11196083A (en) | Method for transferring scramble key |