SK2892002A3 - Multiple module encryption method - Google Patents

Abstract

When an encrypting-decrypting module is being used, there are various methods for determining the key or keys used by said module by analysing the module input or output data. To remedy this inconvenience, the inventive multiple module method is characterised in that the downstream module starts its encrypting-decrypting operations as soon as part of the results of the upstream module is available.

Description

The invention relates to data encryption and decryption. In particular, the invention relates to the protection of data by encryption from unauthorized persons or devices in the pay-TV field.

BACKGROUND OF THE INVENTION

In pay-TV systems, data is encrypted in a secure environment in which sufficient computing power is available, called a coding subsystem. From there, the data is sent in a known manner to at least one remote subsystem where it is decrypted, usually in an integrated receiver / decoder (IRD) using a smart card. An unauthorized person may have virtually unrestricted access to both the card and the remote subsystem that interacts with the card.

It is known to the person skilled in the art to chain (serial order) various encryption means in encryption systems and decryption means in decryption systems. In the following, the term encryption / decryption will be understood to mean the operation of any encryption / decryption means used in an extensive encryption / decryption system.

The performance of such systems is optimized in terms of three parameters: speed, memory requirements and security level. Speed refers to the time it takes to decrypt the received data.

Encryption / decryption systems operating with symmetric keys are known to those skilled in the art. Their safety level can be assessed according to several criteria.

e e e e r e

The first criterion is physical security, which means the ease or effort of removing one element of the system and replacing it with another. The function of the replacement element is to inform the unauthorized person of the nature and manner of operation of the encryption / decryption system. The replacement element shall be selected in such a way that it is undetectable by the rest of the system or is very difficult to detect.

The second criterion is system security, in which a mathematical analysis attack is considered. Such attacks are usually carried out using high-performance computers that try to break the encryption algorithm.

Examples of symmetric key encryption are DES (Data Encryption Standard) systems. These systems, now considered obsolete, provide only average physical and system security. Symmetric key encryption is usually performed in specialized electronic circuits and the level of security depends on the key length.

Another strategy for attacking a cipher is called Simple Power Analysis and Timing Analysis. A simple performance analysis utilizes the fact that the microprocessor that performs the encryption / decryption algorithm is connected to a voltage source (usually 5 volts). When idle, the microprocessor draws a steady current. In the active state, the current drawn depends not only on the processed data but also on the encryption algorithm. A simple power analysis consists of sensing the current as a function of time from which it is possible to derive the type of algorithm being executed.

The timing analysis consists of measuring the time required to process the sample passed to the encryption module. From the dependencies between the uploaded samples and the time needed to process them, it is possible to deduce unknown parameters of the encryption module, such as a key. Such a system is described, for example, in Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Paul Kocher, Cryptography Research, 870 Market St, Suite 1088, San Francisco, California, USA.

Systems with asymmetric keys have been developed to improve the security of encryption systems, e.g. RSA (Rivest, Shamir, Adleman) system. In these systems, pairs of matching keys are generated, one of which is public and used to encrypt (or decrypt) the data, the other is private and serves to decrypt (or encrypt) it. Such systems have a high level of security, both physical and systemic, but on the other hand they are relatively slow, especially in decryption.

The newest way of attacking ciphers is so-called. DPA, or Differential Power Analysis. The method is based on the assumption that with a large number of attempts it is possible to ascertain whether there is 0 or 1 at a particular location of the encryption key. An attack by this method is difficult to detect because it is almost non-destructive. The use of this method requires the use of both a physical and an analytical component. The DPA method of operation is reminiscent of oilfield exploration techniques when responses are triggered by the explosion of known force, sensed by probes located at different distances and depths below the surface from the epicenter of the explosion. From wines reflected from the edges of the sedimentation layers, it is possible to conclude on the underground structure of the field without having to carry out test drilling. DPA attacks are described in detail in § 2.1. published on February 1, 1999 by Suresh Chari, Charanjit Jutla, Josyula R. Rao, and Pankaj Rohatgi of IBM

T.J. Watson Research Center, Yorktown Heights, New York.

Resistance to DPA attacks can be ensured by whitening jamming systems, either at the input data stream or at the output i

from the encryption algorithm. The bleaching technique is described in Section 3.5 of that document.

However, the greatest problem remains the limited computing power in the peripheral subsystem of the pay-TV system. According to the state of the art, the question of secure data transmission has not yet been resolved in such systems.

r r r e e r

SUMMARY OF THE INVENTION

It is an object of the present invention to provide an encryption and decryption method that is resistant to modern attacks, examples of which have been described above.

The object of the invention is achieved by the method according to the characterizing part of claim 1.

A particular feature of the method according to the invention is that the computational means does not start working after receiving the result from the previous means, but already when it has at least part of the data. It is therefore impossible for the outside observer to determine the input and output conditions of the device.

Since in the peripheral system the decryption takes place in a chip card which has a limited computational power compared to the encryption (central) system, it is advantageous to use a relatively fast public asymmetric key for the last decryption steps. This maintains the robustness of the output side of the system, and the computing power required to encrypt data using a private key can be concentrated on the broadcast side.

It has been found that additional levels of security can be achieved by chaining, or partially interleaving, two encryption means that operate in series connection. By concatenation or partial interleaving is meant such data processing when the second encryption means commences data processing before the same data is completely processed by the first encryption means. This masks the form that the data would have after processing in the first and before the second.

The chaining can already be started when at the output of the first means at least part of the data is available for processing in the second means.

The invention enables protection against the above-mentioned attacks by combining different encryption / decryption means in the encryption / decryption system and using chaining or partial interleaving in the way these connected means work.

rr _r .. 'rrcr * Γ ce or r <· rr <

à ^r ' ^rcr '' ^r , ·:

r c r r r r.

In one embodiment, the encryption / decryption system comprises a coding subsystem in which three algorithms are used in succession:

a) Asymmetric Al algorithm with private key dl. This algorithm encodes the open data represented by the message m and creates the first cryptogram 'I ¹ ''

Cl. Mathematically, the algorithm A1 can be expressed by the equation C1 - m exponent dl, modulo nl. In the formula, n1 is the public key portion of the asymmetric Al algorithm, modulo (mod) is a mathematical operator known to those skilled in the art, and dl is the private key of the Al algorithm.

(b) symmetric algorithm S with secret key k. This algorithm converts the cryptogram C1 to the cryptogram C2.

c) asymmetric algorithm A2 with private key d2. This algorithm converts the cryptogram C2 to cryptogram C3 using the equation that corresponds to the above: C3 - C2 exponent d2, mod n2, where n2 is the public key part of the asymmetric algorithm A2 and d2 is the private key of the algorithm A2.

Cryptogram C3 leaves the coding subsystem and is transmitted to the peripheral subsystem in a manner known to those skilled in the art. In the pay-TV program, this can be both video data and news.

In the peripheral subsystem, the data is decoded in reverse order by three algorithms A2 ', S' and A1 '. These three algorithms form part of the three encryption / decryption means Α1-ΑΓ, S-S 'and A2-A2', which are divided between the encryption subsystem and the decentralized subsystem and together constitute an encryption / decryption system.

d) the algorithm A2 'performs a mathematical operation on C3 and restores C2: C2 = C3 exponent e2 mod n2. The set consisting of e2 and n2 is the public key of the asymmetric algorithm A2-A2 '.

e) a symmetric algorithm S 'with a secret key for cryptogram C1 recovery.

f) the asymmetric algorithm A1 'with the public key el, nl restores m by the operation m = Cl exponent el mod nl.

The chaining in the peripheral system consists in that the decoding step e) is started before the entire C2 is obtained in step d) and the decoding step f) is started before the entire C1 is obtained in step e). Such a procedure will make it impossible to at least hinder an attack in the peripheral subsystem aimed at obtaining the cryptogram C1 at the end of step e). The cryptogram C1 could be compared to the open data m, and then using C1 and m to determine the algorithm A1 'and backwards the whole coding string.

Chaining is not necessary in coding subsystems located in physically secured locations. On the other hand, it is very advantageous in peripheral subsystems. In the case of a pay per program, the receiver-decoder (IRD) is part of the subscriber's device and can be attacked as described above.

Obviously, an attack on a combination of the three concatenated decryption algorithms A1, S 'and A2' has a much lower chance of success than would be the case if the cryptograms C1 and C2 were completely reconstructed between steps d), e) and f). In addition, since the algorithms A1 'and A2' use the public keys e1, n1 and e2, n2, the requirements for computing resources required in the peripheral subsystem are several times smaller compared to the coding subsystem.

For the better part, steps a) and c), i. the steps of encrypting the data with private keys are, for example, about 20 times longer than the decryption steps d) and f) with the public keys.

In an alternative derived embodiment of the invention, the algorithms A1 and A2 and their inverse algorithms A1 'and A2' are identical.

In another alternative derived embodiment of the invention, the public key e2, n2 of the asymmetric algorithm A2 is used in step c) and in step d) the cryptogram C3 is decrypted by the private key d2 of this algorithm. This embodiment is used, for example, when the resources of computing power in the peripheral subsystem are sufficient.

. · * E * - ´ cr r *> Γ r c yy yy - f yy-yy

Λ rr, · S Γ · Γ ^r ' ^r yy ^r '

Although smart cards are primarily used for decrypting data, there are also cards that have sufficient capacity for encryption operations. In this case, it is also necessary to count on attacks on encryption cards that work outside a protected location, such as the administrative center. However, the invention can also be fully utilized for serial encryption operations; that the downstream module starts the encryption operation before the previous information processing module completes. The method of the invention allows interleaving between different encryption modules and always ensures that the result of the operation of the previous (in series) module is never available in its entirety. Thus, the downstream module processes only parts of the information, so it is difficult to judge how the module operates from a known input or known output.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will become more apparent from the following detailed description of exemplary embodiments of the invention with reference to the accompanying drawings, in which:

In FIG. 1 shows encryption operations;

In FIG. 2 shows the decryption operations;

In FIG. 3 shows encryption operations of an alternative embodiment;

and

In FIG. 4 shows the decrypting operations of an alternative embodiment

In FIG. 1, data m is entered into the encryption chain. The first encryption string module A1 performs encryption using so-called encryption. private key, which consists of exponent d1 and module nl. The result of the operation performed in module c · «t · crcrrr» orrcec ^r re OP r-nrr tt rc · 'r. r '

C 9 r. oetrc _r -c or r. r. · 8

A1 is C1. Depending on the mode of operation of the method according to the invention, the downstream module can start operation when part C1 is already available. Another module S works with the secret key k. As soon as a portion of the results of C2 is available at the output of module S, module A2 executes the third encryption operation using a private key consisting of exponent d2 and module n2. The final result C3 is transmitted to the receivers by known methods by air or cable.

In FIG. 2 shows a decryption system that includes three decryption modules A1S 'and A2' that correspond to the encryption modules of FIG. 1, but are connected in reverse order. The data C3 enters module A2 \ which decrypts it using a public key consisting of exponent e2 and module n2. As with data encryption, when decrypting, the module S 'is started when at least part of the C2 data is available. The decryption is completed in module A1 'using a public key consisting of exponent e1 and module n1.

In one embodiment of the invention, the keys of modules A1 and A2 may be the same, i. has the side of encryption holds dl = d2 and nl = n2. Similarly, on the decryption side there must be e1 = e2 and n1 = n2. In this case, the private key d, n and the public key e, n are considered.

In an alternative embodiment of the invention shown in FIG. 3 and 4, public key e2, n2 is used for encryption in module A2 and private key d2, n2 for decryption in module A2 '. While such an arrangement places greater demands on the decryption side of computing power, the use of a private key increases the level of data processing security in module A2 '.

The example shown in FIG. 3 and 4 is not the only alternative to possible combinations of keys and encryption methods in individual modules. For example, it is possible for module A1 to encrypt with the public key and decrypt with the private key.

e e «r r (» f Γ r r)

In another embodiment, module S having a secret key can be replaced by an asymmetric key module similar to module AJ and A2.

Claims (8)

PATENT CLAIMS A method of encrypting and decrypting by means of several encryption / decryption modules connected in series, characterized in that the subsequent encryption / decryption module starts its operation when a part of the result of the previous encryption / decryption module is available. Method according to claim 1, characterized in that the subsequent decryption module starts its decryption operation already when part of the result from the previous decryption module is available. Method according to claim 1, characterized in that the downstream cryptographic module starts its cryptographic operation as soon as part of the result from the previous module is available. Method according to one of claims 1 to 3, characterized in that it uses three modules (A1, S, A2), wherein the central module (S) is of the secret symmetric key type (k). Method according to claim 4, characterized in that the first module (A1) and the last module (A2) on the encryption side and the first module (A2) and the last module (A1) on the decryption side are of the RSA type with an asymmetric key; with a private key and a public key. ce _r - _r , r PC ^r rr. r r C r '· - r - C c - -' <r · ', r c c * r i' Method according to claim 5, characterized in that the two modules (A1, A2) use the so-called private key (d, n; d1, n1; d2, n2) for encryption and the so-called public key (e, n; el). , n1; e2, n2) for decryption. Method according to claim 6, characterized in that the two modules (A1, A2) use the same sets of private keys (d, n) and public keys (e, n). Method according to claim 6, characterized in that the two modules (A1, A2) use different sets of private keys (d1, n1; d2, n2) and public keys (e1, n1; e2, n2). Method according to claim 5, characterized in that in encryption the last module (A2) uses a so-called public key (e2, n2) and in decryption the first module (A1) uses a so-called private key (d2, n2). Method according to one of claims 1 to 3, characterized in that it uses three encryption / decryption modules (A1, S, A2) with asymmetric keys.