RU2001119425A

RU2001119425A - Individual cryptographic complex Craiff

Info

Publication number: RU2001119425A
Application number: RU2001119425/09A
Authority: RU
Inventors: Дмитрий Александрович Гертнер
Original assignee: Ооо "Крейф"
Filing date: 2001-07-16
Publication date: 2003-06-10

Claims

1. The system is an individual cryptographic protection complex kreif containing a code carrier, with which cryptographic information is protected, a user identification device, as well as various terminals using a code carrier for performing various operations using the mentioned code, characterized in that the code carrier is a special kreyf - a cassette containing an integrated circuit on which an “electronic cliché” is written, which includes the mother code, code conversion unit, conversion synchronization unit, the integrity control unit of the protective shell of the cassette cartridge, which destroys the mother code in case of violation of the integrity of the protective shell, the individual number of the crack code and the operation control unit, which is responsible for complying with cryptographic protocols and the correct execution of financial transactions and electronic transactions, which is automatically selects certain information with special service characters that determine its reliability, hashes the encrypted information and verifies The reliability and non-distortion of the received information by hash comparison, which is not controlled or reprogrammable from the outside, which performs a limited set of user commands and certain commands from another operation control unit with which a cryptographic communication session is established, and making sure that a cryptographic communication session is established only with an object containing a similar cassette cassette with a similar control unit through which operations are performed between users, moreover, the cassette cassettes differ m a forward only individual numbers kreyf code sewn chip and control blocks used to perform certain operations, and the mother code based on which a communication session is established kriptozaschitny absolutely identical in all cassettes kreyf and not known to anybody.

2. The system according to claim 1, characterized in that the "electronic cliche" containing the mother code recorded in a volatile memory of the CMOS type, a code conversion unit, a conversion synchronization unit, a containment integrity unit, an operation control unit and an individual coding code number “Stitched” into the memory of the cassette with special recording devices that work offline, which cannot be accessed from the outside, and the mother code is generated using the true random number generator directly to the central Mr. recorder.

3. The system according to claim 1, characterized in that the special service characters by which the operation control unit automatically selects certain information, which may contain commands for another operation control unit, electronic signatures and other attributes of electronic documents, cannot be entered by the user, and they are inserted into the text only by the operation control unit, after which the given text is encrypted, and information enclosed between these characters is inserted into the text by the operation control unit taking into account the received commands from the user and from another control unit of operations received during the cryptoprotective communication session and is reproduced in standard form, which cannot be changed by the user.

4. The system according to claim 1, characterized in that the operation control unit identifies an object with which communication is established by establishing a crypto-communication session with the object, and identifies the user by exchanging one-time passwords or a dynamic password stored in memory with the user's crab bracelet user's bracelet crave.

5. The system according to claim 1, characterized in that the cassette has a closed memory in which passwords, keys, financial information are stored and which can only be accessed using the crab bracelet and main password, and an open memory in which in particular, user data may be recorded.

6. The system according to claim 1, characterized in that the portable terminal for the kraft cartridge must have a lockable compartment for using and storing the kraft cartridge, a micro antenna for wireless communication with the kraft bracelet, a port for connecting the lead of the kraft bracelet, a symmetric port for docking with another terminal containing a similar cassette cassette, and a power source.

7. The system is a bracelet for user access to objects that are protected from unauthorized access and equipped with special electronic locks, comprising a device configured to wirelessly communicate with an access object, including a microchip containing one-time passwords and dynamic passwords that allow user access to objects, characterized in that this system is made in the form of a bracelet worn on the user's wrist, containing special latches that act as a switch in case of their the connection, bringing the system into a state of shutdown and ignoring the requests of the access object, moreover, to activate the system, it is necessary to fix the latches of the bracelet, and then enter the main access password, which can be entered using the additional terminal connected to the bracelet with a special leash, which serves as for loading the main password and one-time passwords into the microchip of the kraft bracelet, and to supply the kraft bracelet with energy.

8. The system according to claim 7, characterized in that the terminal used to enter the main password can be used as one of the access objects.

9. The system of claim 7 is characterized in that the leash used to supply the energy to the kraft bracelet can be equipped with a device for automatically replacing the batteries of the kraft bracelet while connecting the kraft bracelet to the terminal using it.

10. The system according to claim 7 is characterized in that for the exchange of access codes and passwords between the bracelet and access objects, a short-range wireless communication is used, limited to the elbow of the hand with the center near the button of the electronic lock of the access object.

11. A cassette-cartridge system for protecting and storing confidential and cryptographic information containing a crystal, on which there are components for storing and processing information, characterized in that the crystal includes a microprocessor with the ability to suppress and mask micro-emissions and capable of creating false micro-emissions, volatile memory containing a built-in battery, in which the most secret information is recorded, and the protective shell of the crystal consists of three layers, of which the internal the first and the outer are made of reflective material and are facing each other with a mirror surface, between which there is a transparent layer, and on the inner layer there are micro-LEDs and microphotoelements facing the outer shell, the operation of which is controlled by the integrity of the protective shell, adjusting the frequency and dose of LED radiation, measuring the energy absorbed by the photocells and comparing the obtained values with the reference ones, and in the case of a significant discrepancy, the integrity block of the protective shell zvedet blackout volatile memory, which will lead to the destruction of the stored information in it.

12. The system of claim 11 is characterized in that the microprocessor performing encryption and decryption operations has the property of suppressing and masking micro-emissions by using compensating signals on parallel crystal paths, and also has the ability to generate false micro-emissions in the same frequency range based on a true generator random numbers.

13. The cryptographic encryption system related to symmetric encryption systems consists of a scan and reprogrammable integrated microcircuit containing a random number generator, a built-in clock, RAM, non-volatile ROM, and volatile ROM, in which, in particular, a code is destroyed that is destroyed in case of an attempt to scan the microcircuit, and the encrypted information is presented in the binary system and is grouped into 8 or 9-bit bytes, which are then replaced by other cryptogram bytes, characterized in that the encryption and decryption algorithm contains a code conversion unit and a synchronization unit and is not available for making any changes to its program, and the code is unknown to anyone, and is a mother code containing many random numbers, based on which, using the temporary key of the communication session, the unit transformation generates a dynamic daughter code of the communication session, which during the communication session is constantly converted using the said conversion unit and under the control of the synchronization unit, and the mentioned time This key of the communication session is generated by the conversion unit based on exchange numbers, which the conversion units exchange among themselves in the form of electrical signals before the start of the crypto-communication session, and each of the conversion units participating in this communication should receive one exchange number using its own random number generator , and if the encrypted message is an email, then the sender conversion unit is used as another requested exchange number t is the individual number of the destination code that the user enters into the cassette through the terminal.

14. The method of encryption with a dynamic code that streams encrypts and decrypts information by replacing bytes and transforms according to a specific algorithm, characterized in that the dynamic child code is a virtual table written to the 16 × 16 crash cassette RAM, consisting of 256 cells , or 8 × 8 × 8, consisting of 512 cells, depending on whether 8 or 9 bit bytes of information are presented, where each cell is indicated by a specific byte and contains a pseudo-random number obtained using of the temporary key of the communication session and the mother code, and it is converted during the communication session at a certain frequency, regulated by the synchronization unit, and the conversion of this code is a mixing of cells in a small table, based on the relative positions of cells in a small table containing in addition to a byte one pseudorandom the number and proper coordinates of the cell, by acting on the pseudorandom numbers of neighboring cells and the coordinates of the own cell in a small table in order to obtain cell coordinates for the large table, moving the cells to the large table based on the new coordinates, and then moving the cells back to the small table in the order of the cells in the large table, after which the cycle repeats, and the pseudorandom numbers are changed to new ones, obtained as a result of arithmetic actions between pseudo-random numbers of neighboring cells.

15. The method according to 14, characterized in that the information is encrypted and decrypted by comparing the coordinates of the bytes of the source information or its cryptogram of one small table with the same coordinates by another and replacing them with bytes corresponding to these coordinates, the process of converting a child code and the encryption-decryption process can occur simultaneously, in addition, the operation control unit adjusts the encryption speed relative to the frequency of change of the child code, depending on the required strength cryptographic protection of this or that information.

16. The method according to 14, characterized in that the combinations of bytes in the table of the dynamic child code are recorded in RAM, and the number of such combinations in RAM must be at least two, and after the conversion unit generates a new combination of bytes in the small table, this the combination is written to RAM instead of the earliest combination.

17. The method of encryption using the crash code, namely, that the conversion unit generates a dynamic daughter code from the mother code using exchange numbers, the conversion algorithm and the synchronization unit is different in that the way the mother and daughter codes are converted is the way the numbers are combined by the conversion unit starting from random numbers of the mother code, to carry out arithmetic operations on them, after which the conversion block, using the method of cutting fragments from the resulting results number of digits, which can be irrational numbers, selects several digits or bits according to a given algorithm, of which a new number is used, with which the conversion unit performs subsequent combinations, and the conversion unit sets the initial combination of random numbers using a one-time number obtained from the numbers exchange, at least one of which is random.

18. The method according to claim 17 is characterized in that the one-time key of the communication session is generated by the conversion unit by performing certain arithmetic operations on the exchange numbers, after which, with the resulting resulting number, with all random numbers of the mother code and with the numbers obtained, the conversion unit sequentially performs arithmetic operations , cutting out a specific fragment from each received number, and the number of received fragments should be less than the number of random numbers, after which the block pre Brazovia groups numbers according to its fragments and selects the largest group, or several groups in which the largest number of numbers matches, and then performs certain arithmetic operations on these numbers, obtaining as a result one number from which a fragment of a certain bit depth can be cut, which becomes a one-time session key.

19. The method according to 17 is characterized in that the dynamic daughter code of the communication session is generated by the conversion unit by sequentially performing arithmetic operations between the disposable communication session key, all numbers obtained from the mother code, as well as newly obtained numbers and using the cutting method, the conversion unit one byte from each number and groups all newly received numbers into 256 groups, where each group corresponds to a specific 8-bit byte or into 512 groups, where each group corresponds to a single 9-bit byte, while in one group there must be at least two numbers, after which it performs arithmetic operations between the given numbers in its groups and assigns to each byte the received pseudo-random number, as well as performs the initial placement of the bytes in a large and then in small table.

20. The method according to claim 17 is characterized in that the combination of the arrangement of the bytes in the small table is changed by the conversion unit based on the relative positions of the cells in the small table containing, in addition to the byte, one pseudorandom number and the cell’s own coordinates, by performing arithmetic operations between pseudorandom numbers of opposite cells and using its own coordinates and using the cutting method, extracts two-digit numbers from the results, the values of which are assigned to the transformed cell as coordinates for the large table, and the cells are converted back to the small table by the transformation unit by decomposing the cells into a linear sequence according to the seniority of the coordinates and filling the small table one by one with cells.

21. The method of encrypting information using a cryptographic protection complex is a cryptographic system, which means that the encrypted information is hashed using certain hash functions to confirm the undistortedness of the received information is different in that the information encrypted by the crack code is divided by the operation control unit into packets, and each the information packet is hashed by two hash functions: recovery and verification, while the verification hash function hashes the original information and the received hash is transmitted in encrypted form, and restore The hash function hashes the transmitted cryptogram, including the cryptogram of the verification hash and the resulting recovery hash is transmitted in the clear, and the recovery hash function is used for the initial reconstruction of partially distorted or lost data by reversing the hash and generating all possible combinations of the missing cryptogram data, after why the operations control unit decrypts cryptograms to select the original version and verify the authenticity of the received information rmatsii by checking the verification hash with the decrypted hash transformation information, and only in case of coincidence of the hash operations control unit will give the user the decoded text data of the packet, excluding the verification hash.

22. The method of organizing a crypto-secure communication session using the crypto-defense complex real-time cryptographic complex, which means that the communication subscriber's cassette conversion blocks generate random numbers of a certain size, write them into the RAM of their cassette cassette, and then exchange them with each other by a communication channel, after which a common one-time session key is generated for stream encryption and decryption of information, characterized in that the operation control units control the number of random numbers with which the conversion blocks exchange among themselves, based on the number set by the subscribers, which should correspond to the number of subscribers participating in this communication session, after which the conversion blocks simultaneously with the formation of the said communication session key form a one-time password for confirming the establishment of a cryptographic communication session, which must coincide with subscribers of this communication session, in addition, to further confirm the reliability of the established confidential communication, subscribers can exchange electronic business cards containing in the service part the individual number of the kreif-code and user data under which the mentioned kreif-code is registered in the public database, moreover, the user data is entered into the permanent non-writable memory of the kreif-cassette only by the official registrar simultaneously with their registration in the database data.

23. The method according to p. 22, characterized in that the generated password confirming the establishment of a cryptoprotective communication session can be expressed in verbal form for ease of perception by subscribers in the case of password verification by audio.

24. The way to encrypt a message for a recipient with whom there is no direct connection using a cryptographic complex, the crack is that the sender of the message enters through the terminal an individual number of the recipient's crack code, which the conversion unit uses together with its generated random number to generate a one-time key to encrypt the message and sends the recipient an encrypted message and a random number to decrypt it, and only the addressee can decrypt this message using the corresponding existing cassette cassette after having entered into it through the terminal the aforementioned random number.

25. The way to create electronic documents and transactions using the crypto-security complex crypt is that the text of an electronic document or transaction is encrypted with a kraft code and authenticated with electronic signatures encrypted with the same one-time key, highlighted with special service characters, and the resulting cryptogram of an electronic document or transaction can stored on any information carrier, characterized in that the electronic signature is formed by the operations control unit and is presented in the form of an individual cr IF code, user data (including his digital photo) under which the number of the code is officially registered and, accordingly, whose identity is verified by the electronic signature, the date and time of signing the text of the electronic document or transaction, which are inserted into the electronic signature by the operation control unit automatically based on the readings the built-in clock, and to decrypt the text of the said electronic document or transaction, the decryption password is used, with which, as well as the random numbers used in order to receive a one-time key for the encryption session, and any cassette cartridge, you can get the source code of the cryptogram of the electronic document or transaction in full, including special service characters, electronic signatures and other service attributes of the electronic transaction or electronic document, if any, in addition, electronic documents can be of two types: copyable, which can be freely distributed and multiplied during a cryptoprotective communication session, and not copyable, which, after transmission from the first crack, The second crate cassette cannot be played back by the first cassette, since the operation control unit will delete the non-copied electronic document from the memory of the cassette.

26. The method according to claim 25, characterized in that the decryption password is a random number indicated by special service characters and inserted at the beginning of the text of an electronic document or transaction, and to decrypt the text, you must enter the mentioned random number into any crash cassette, which is decryption password, its cryptogram taken from the text and random numbers that the control units exchanged before encrypting the electronic document or transaction, after which the control unit for operations is craiff cash the set used to read the cryptogram will generate a one-time key of the communication session, encrypt the decryption password using it, verify its received cryptogram with the entered one and, if it matches, give permission to use the generated key to decrypt the entire text of the electronic document or transaction; if an electronic document is encrypted unilaterally using one cassette, the conversion unit uses one random number to generate a one-time key, which becomes the decryption password of this electronic document, but in both cases the ability to decrypt using passwords will not allow you to enter any changes to the text of the electronic document or transaction, except as otherwise specified in the service part of the electronic document itself, in addition, the user can set be in the overhead portion of the date decryption only with the onset of which will be possible to decrypt the electronic document.

27. The method according to claim 25, characterized in that if it is necessary to simultaneously exchange electronic signatures and passwords, the electronic transaction control units of the participants in the electronic transaction will reproduce signatures or passwords only if all participants have confirmed the electronic signature or password has been transmitted and only after they are simultaneously loaded into the crate -cassettes of participants, and loading can be carried out simultaneously in different frequency ranges.

28. The way to disclose secret encrypted information “notification email” is that the addressee can read the “notification email” only if the sender is provided with a counter legal or financial guarantee, characterized in that the control units of the sender and receiver must simultaneously exchange information signals containing the decryption password of the email from the sender and the information specified by the conditions from the recipient electrons letters.

29. The way to remotely manage bank accounts and obtain information on accounts using the crypto-security complex crawl consists in the fact that the device for managing accounts contains a medium containing user identifying information, generates and sends information to the bank containing the user identification data in encrypted form, characterized in that, with the help of the cryptographic protection complex, the crack available to the bank and the user establishes a cryptographic security session via the communication channel Communication between the user and the bank, after which the subscriber data are exchanged electronic business cards that identify users kriptozaschitnogo session, and each sent or received on the disposal of operations control unit automatically confirms the electronic signature, and then a copy of the order signed by both parties is sent for storage in an electronic archive.

30. The method according to clause 29 is characterized in that the bank transfers all the information on the client’s account to the client during the cryptographic communication session, which guarantees its confidentiality.

31. The way to make payments in electronic cash using a crypto-security cryptographic complex is to use terminals to carry out these calculations, which allow you to make payments both “hand-to-hand” and through any communication channels, and in which there are electronic cash carriers of money, which is a record of the currency and value of electronic money, characterized in that the carrier of electronic cash is a cassette, and the process of transferring money begins with the establishment of cryptosis a communication session, after which the payer’s operations control unit executes his command to transfer a certain currency and amount, and the recipient’s operations control unit can receive electronic cash only during a crypto-security communication session, which excludes the possibility of copying electronic money, since the communication session key It is disposable and cannot be reused.

32. The method according to p. 31 is characterized in that due to the inability to reuse electronic cash transferred using the crypto-security complex crypt, they can be presented in the form of ordinary entries in the balance of income and expense and there is no need to write down their old data on electronic cash owners, and the reliability of cryptographic protection allows you to use funds unlimited in amount and time for calculations and break them into any parts.

33. The way to make payments in electronic cash using a crypto-security cryptographic complex is to use terminals to carry out these calculations, which allow you to make payments both “hand-to-hand” and through any communication channels, and in which there are electronic cash carriers money, which is a record of the currency and value of electronic money, characterized in that to prevent the loss of electronic cash during the transfer due to premature disconnection the withdrawal is carried out in three stages, in the first of which the recipient’s operations control unit blocks the amount received, then the second stage sends the payer’s operations control unit a confirmation of receipt of this amount, and the third stage, the payer’s operations control unit, on the basis of the received confirmation, issues the user with a transfer confirmation request money and at the additional command of the payer must write off this amount from his balance and send the recipient a password to confirm the payment, with which b the recipient’s control lock unlocks the received amount and writes it to its balance, and if the payer doesn’t send it and the recipient doesn’t receive the payment confirmation password within a certain time, the payer’s operations control unit will restore this amount to its balance, and the recipient’s operations control unit will erase this unblocked memory amount; in addition, all three stages can be carried out both in the process of one, and in the process of various crypto-protection communication sessions with any time intervals.

34. The method of transferring electronic money in the form of electronic bills using the crypto-security complex kreif consists in the fact that for the safe storage of money, the bank issues to the user electronic registered bills of exchange with a certain repayment period, which contain the data of the bank that issued the bill, the data of the user to whom the bill was issued , the currency and face value of the bill, as well as the maturity date of the bill, after which the bank unlocks the remaining security deposit amount in the user’s account, which can be ahead of schedule They are distributed to the bearer of the electronic bill of exchange upon request, it differs in that the electronic bill of exchange is stored in the memory of the cassette only during the cryptographic communication session and can be transferred from user to user an unlimited number of times without changing the accompanying notes and can be divided into any parts, and the process of transferring bills It is carried out in three stages, in the first of which the receiver’s operations control unit blocks the received amount of bills, and then the second stage sends the operation to the control unit confirmation of receipt of this amount of bills, and by the third step, the payer’s operations control unit, on the basis of the confirmation received, issues a request to the user to confirm the transfer of bills and, upon an additional command from the payer, must write off this amount from its balance sheet and send the payment confirmation password to the recipient, using which the block control of the recipient unlocks the received amount of bills and writes it to your balance, and in case of non-sending by the payer and non-receipt of the floor ents password confirmation of payment within a certain time unit controls operations of the payer recover this amount in its balance sheet, and the control unit of the recipient will erase from memory this nerazblokirovannuyu amount of electronic bills of exchange; in addition, all three stages can be carried out both in the process of one, and in the process of various crypto-protection communication sessions with any time intervals.

35. The method of payment for an electronic letter of credit using the crypto-security complex kreif consists in the fact that the electronic letter of credit is a blocked amount of electronic cash or electronic bills, the unlocking of which is carried out on certain conditions of the payer, if the beneficiary fails to use this amount, it differs in that the payment confirmation password can be transmitted during another crypto-security communication session by a certain person whose data is indicated in the username the letter of credit, which is an accompanying record in the form of certain commands generated by the payer’s operations control unit, and the electronic letter of credit can be split into any parts that can be transmitted unlimitedly from one user to another user during a cryptographic communication session, and if after the expiration of the term if the letter of credit is unlocked, if it or its parts are unblocked, the payer will be able to restore this amount in the balance of his cassette cartridge.

36. The method according to clause 35, characterized in that if the letter of credit is unblocked by a third party and is not bill of exchange, then to recover unblocked amounts by the payer's cassette control unit, he must receive information about this amount during the crypto communication session or from the third person, or from an independent clearing center through which operations with these letters of credit can be carried out.

37. The method of payment of an electronic multiplier letter of credit using the cryptographic security complex kreif consists in the fact that the electronic multiplier letter of credit is a blocked amount of electronic cash or electronic bills, the unlocking of which is carried out on certain conditions of the payer, if the beneficiary fails to use this amount, the difference that the payer can propagate and transfer the same multiplier letter of credit or parts of it the number of users since the control unit of the person with the payment confirmation password controls the amount within which multiplier letters of credit or parts thereof can be unlocked.

38. The method of converting electronic cash and electronic bills recorded in a cassette into electronic money of incompatible payment systems is that the user has a special terminal equipped with a card reader for transferring electronic money of various payment systems to the corresponding smart cards, and the user’s bank having access to these payment systems issues a loan to the user in the form of electronic money of payment systems, selected by the user, the validity of which will occur at the time of the payment transaction by electronic money, characterized in that the electronic money is transferred by the bank to the user during the cryptographic communication session in the form of special records in the user's cassette, from which the user can transfer incompatible payment electronic money systems for plastic smart cards corresponding to these systems, but only subject to the availability of electronic cash in the user's cassette it, which the operation control unit will block or its electronic bills, which the operation control unit will write off during the transfer of electronic money of another payment system to a plastic card, and the amount and currency of blocked electronic cash must comply with the bank loan terms recorded by the user operation control unit in the form certain teams at the time the user receives this loan, and this blocked amount can only be used to repay the loan, and The amount and currency of debited electronic bills must fully correspond to the amount and currency of electronic money transferred to the plastic card, and this amount is debited by the bank from the security deposit in the user's account during the payment transaction.

39. The way to use the cassette cassette as a universal electronic key to protect computer programs from copying is that the computer program is encrypted with the help of a kreif code, and the random number of a certain length is the number based on which the encryption and decryption key is formed, differs by the fact that this key number can be used by the cassette to decrypt the program only provided that this number is recorded by the operations control unit in a special section of the constant rewritable memory of the cassette, to which the conversion unit accesses during the decryption operation of the program, this key number being transferred from one cassette to another cassette during a cryptographic communication session or by means of an encrypted email, the cassette is automatically deleted from the memory , with which the number was transmitted, in addition, the decrypted fragment of the program is recorded in the additional RAM memory of the cassette, and a certain part of the program prog The frames are executed in an additional microprocessor of the cassette cartridge, compatible with the microprocessor of the computer.

40. The method according to claim 39, characterized in that the distributor of the computer program encrypted using the cryptographic complex cryptography can limit the validity period of the key number by including this time limit in its cryptogram or by the number of program use in the form of service commands for the operation control unit the user, at the same time, the control unit of the operation of the cassette of the distributor of the program will not delete the key number from the memory of the cassette, but only block it for a certain period of time.