WO2002013454A1 - A method and apparatus for encrypting and decrypting data - Google Patents

A method and apparatus for encrypting and decrypting data Download PDF

Info

Publication number
WO2002013454A1
WO2002013454A1 PCT/GB2001/003017 GB0103017W WO0213454A1 WO 2002013454 A1 WO2002013454 A1 WO 2002013454A1 GB 0103017 W GB0103017 W GB 0103017W WO 0213454 A1 WO0213454 A1 WO 0213454A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
key
packet
encrypted
information
Prior art date
Application number
PCT/GB2001/003017
Other languages
French (fr)
Inventor
Peter Terence Roux
Original Assignee
Preventon Technologies Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Preventon Technologies Limited filed Critical Preventon Technologies Limited
Priority to AU2001267748A priority Critical patent/AU2001267748A1/en
Publication of WO2002013454A1 publication Critical patent/WO2002013454A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/34Encoding or coding, e.g. Huffman coding or error correction

Definitions

  • the present invention generally relates to a method and apparatus for encrypting and decrypting data. More particularly the present invention relates to a method and apparatus for encrypting and decrypting data packets.
  • the encryption of data in a secure manner has become particularly important for ensuring privacy of information in data processing systems. This is particularly the case for the data processing systems in which data is transmitted over a communication network to which an authorised personnel may be able to gain access.
  • public networks such as the Internet
  • the secure encryption of data passing between processing apparatuses over the public network has become of paramount importance.
  • a method of encrypting data in which data is divided into packets and the packets of data are encrypted using a modified key which is a modification of the key used for encrypting a previous packet.
  • Information on the modified key used for encrypting a packet is added to the encrypted packet in dependence upon the key for encrypting a previous packet.
  • the information on the modified key which is added to the encrypted packet can be added in any convenient way.
  • the addition of the information can take the form of a further encryption of the encrypted packet by encrypting the packet using the key which was used for the primary encryption of a previous packet.
  • the information on the key modification can be added to the encrypted packet at a position in the packet determined in dependence upon the key used for encrypting a previous packet.
  • the key is simply inserted in the data packet at a position which will change and will thus be difficult for an unauthorised person to identify.
  • an initial packet is encrypted using an initial key which is shared with data decryption apparatus used for decrypting the packets.
  • This sharing of an initial key provides for "synchronisation" of the sequential encryption of packets of data thereafter.
  • the encryption used for packets can be sequentially changed based on the key used for encrypting the previous packet.
  • Information on the modification made each time is included in the encrypted packet enabling the decryption to take place by extracting the information to enable the key to be used for decryption to be determined.
  • information on the modified key is first extracted and then used to determine a key to be used for the decryption process.
  • the key used for the decryption process need not be the same as the key used for the encryption process.
  • an asymmetric encryption technique can be used wherein the decryption key is determined from information related to the encryption key.
  • the intial key used for synchronising the encryption and decryption process can be determined by exchanging information between the data encryption apparatus and the data decryption apparatus. This information can be related to the encryption apparatus and the decryption apparatus. Alternatively the initial key can be determined using information related to the data encrption apparatus only. If the initial key is generated only at the data encryption apparatus, it must be transmitted to the data decryption apparatus so that it can be shared. This can be achieved using a secure initial communication.
  • the information on the modified key which is added to the encrypted packet of data can either comprise the modified key itself or some other information i.e. only a key modifier. If the information is only a key modifier, this must be used together with stored information on the previous key in order to generate the key to be used for decrypting the packet.
  • the present invention operates on data packets, the present invention is particularly suited to the encryption of data for transmission to a decryption apparatus. Because of the nature of the change in the key used for each packet, the encrypted data is secure and will be very difficult to decrypt if intercepted when transmitted over a public network. Thus the present invention is particularly suited for encryption of data transmitted over a public network such as the internet. The present invention is however not limited to the transmission of data over a network. The present invention is applicable to the generation of encrypted data which is simply stored (a form of transmission) on a hard disk. If the data that were to be accessed which was stored on a hard disk (analogous to interception of a transmission over a network) it would be difficult for an unauthorised person to decrypt it. It would thus be clear that the present invention can be embodied as a single apparatus incorporating both encryption and decryption means e.g. a suitably programmed general purpose computer.
  • the present invention can be embodied as a computer programmed carried by a suitable carrier medium such as a storage medium (e.g. floppy disk, CD Rom, solid state storage device or magnetic tape), or a transient medium (e.g. an electronic, optical, or microwave signal).
  • a suitable carrier medium such as a storage medium (e.g. floppy disk, CD Rom, solid state storage device or magnetic tape), or a transient medium (e.g. an electronic, optical, or microwave signal).
  • the programme can control any suitable data processing apparatus (e.g. a general purpose computer) to implement the encryption and/or decryption process.
  • Figure 1 is a schematic diagram of a data encryption and decryption system for the secured transmission of data over a communications line
  • Figure 2 is a flow diagram illustrating the encryption method implemented by computer
  • FIG. 3 is a flow diagram illustrating the decryption method implemented by computer
  • Figure 4a is a schematic illustration of an initial encrypted data packet transmitted from computer A to computer B in the embodiment of Figure 1
  • Figure 4b is a schematic illustration of a subsequent encrypted data packet transmitted from computer A to computer B in the embodiment of Figure 1.
  • computer A includes a data source 10 which holds data to be securely transmitted to computer B over a transmission medium 200.
  • the data source 10 can comprise any form of data store such as a hard disk drive or CD Rom, or it can be a device allowing data to be is input into computer A from a remote device.
  • Computer A is provided with an encryption engine 20 for encrypting the data based on a key provided by a key generator 30.
  • a key used for encrypting the data is inserted into the data at a position dependent upon a key previously used for encryption which is stored in the key store 40.
  • the encryption engine 20 encrypts data in packets using a different key for each packet as will be described in more detail hereinafter.
  • Each encrypted data packet is output to a transmission packet former 50 which adds a header and error correction check codes (CRC codes) to the packet to form a transmission packet.
  • CRC codes error correction check codes
  • a communication application 70 for receiving the transmission packets.
  • the transmission packets are passed to an error checker 80 which checks the error correction codes to determine whether a transmission error has occurred and if errors are present which can be corrected, these are corrected using the error correction codes. If there is an error in the data which cannot be corrected, retransmission of the packet can be requested.
  • the encrypted data packet is then passed from the error checker 80 to a decryption engine 90.
  • the decryption engine 90 receives a key used for encrypting a previous packet from a key store 100 to enable it to extract the key used for encrypting the current packet from the encrypted packet of data.
  • the decryption engine uses the extracted information on the key to decrypt the data packet and output it to the data destination 110.
  • the data destination can comprise a storage device within the computer B, a display device such as the computer screen, or some other form of output device such an output device to other processing equipment.
  • a key generator 120 is used for generating a local key by receiving date and time information from an operating system checker 130.
  • the key generator 120 in computer B operates in a similar manner as the key generator 30 in computer A, which also includes an operating system checker 135, for the initial exchange of local keys to generate an initial key to be used for encrypting an inital packet. This will be described in more detail hereinafter with reference to the flow diagrams of Figures 2 and 3.
  • the modules illustrated in the computers A and B are purely functional and can be implemented by any modular or single block of code in a suitably programmed processing apparatus.
  • the illustration of the modules separately is given purely for illustrative purposes and in practice only code structures can be used which will perform the functions.
  • FIG 2 is a flow diagram illustrating the encryption process implemented by computer A
  • computer A sets up a communication channel to computer B.
  • Such communication channel can comprise a conventional point communication channel as is well known in the art.
  • Such a communication channel can be a direct modem to modem communication channel over public switched telephone network (PSTN) or it could be a communication channel connecting computer A and computer B over the Internet wherein the higher level communication protocol TCPIP is used to establish a communication channel.
  • PSTN public switched telephone network
  • TCPIP the higher level communication protocol
  • step S2 computer A and computer B both use a respective operating system checkers 35 and 130 to determine respective system dates and times. Where computer A and computer B are in different time zones, these can be quite different.
  • the respective key generators 30 and 130 use the retrieved dates and time to generate respective keys AK and BK.
  • the respective keys are stored in the respective key stores 40 and 120 and also exchanged over the transmission medium 200 so that the key stores 40 and 100 respectively store both keys AK and BK.
  • step S3 respective key generators 30 and 120 in computer A and computer B combine the keys AK and BK to generate the initial encryption key IXK. This is stored in the respective key stores 40 and 100.
  • the encryption engine 20 in computer A then retrieves the first packet of data from the data source 10 in step S5. This initial packet of data is encrypted by the encryption engine 20 using the initial key IXK read from the key store 40 in step S6.
  • the encrypted initial packet is then output to the transmission packet former 50 in computer A to form the encrypted data packet into a transmission packet. This is then transmitted to the communication application 60 to computer B in step S7.
  • the operating system checker 35 then retrieves the date and time in the system of computer A and generates a new key NK using this.
  • the difference between the new key NK and old key AK is determine as a different key DK in step S8 by the key generator 30.
  • the key generator 30 then combines the new key NK with the key BK to generate the next encryption key NXK in step S9.
  • the encryption engine 20 in computer A then retrieves the next packet of data from the data source 10 in step S10 and in step SI 1 the encryption engine the next packet of data is encrypted using the next encryption key NXK.
  • the encryption engine 20 stores the difference key DK output from the key generator 30 in the encrypted data at a position determined by the encryption key IXK or NXK from the previous packet read from the key store 40 in step SI 2.
  • the encrypted data packet is then output to the transmission packet former 50 in computer A and the transmission packet former 50 forms the encrypted packet data into a transmission packet by adding a header and error checking and correction codes.
  • the communications application 60 then transmits the packet to computer B over the transmission medium 200 in step SI 3.
  • step S 14 the encryption engine 20 in computer A determines whether there is any more data to be transmitted from the data source 10. If not the process ends in step S 15 otherwise the process returns to step S8 to generate a new key NK and encrypt the next packet of data using the new key NK.
  • the encryption engine will not wait for a packet to be transmitted before reading the next packet of data from the data source. Data streams through from the data source to the transmission medium a in pipeline manner.
  • Figure 4a is an illustration of the transmission packet for an initial packet.
  • a header H is added at the front of the packet as a packet identifier.
  • Error checking and correction codes (CRC codes) are added at the end of the packet for error checking and correction purposes.
  • the data within the packet comprises the encrypted data.
  • the transmission packet can be 8k bytes long.
  • the header need only be one byte and the error correction codes need only be a few bytes thereby leaving most of the packet free for carrying data.
  • Figure 4b illustrates a transmission packet for a subsequent encrypted packet.
  • This transmission packet differs from initial transmission packet in that in the encrypted data there is positioned a key K.
  • the key comprises the difference DK which is positioned within the encrypted data at a position determined by the key used for encrypting the previous data packet. Because a different key is used, the data requirement is only one byte thus detracting little from the data carrying capacity of the transmission packet. If the full new key NK were to be transmitted instead, this would be a longer key requiring more bytes, thus reducing the data carrying capacity of the transmission packet.
  • Figure 2 is a flow diagram illustrating the process carried out by computer B.
  • step S20 a communication channel is set up by the communication application 70 of computer B following the request for a communication channel from computer A in step S20.
  • computer A and computer B determine dates and times and generate respective keys AK and BK in step S21.
  • computer A and computer B exchange respective keys AK and BK as described for step S3 in Figure 2.
  • step S23 computer A and computer B each combine the keys of AK and BK to generate the initial encryption key IXK as described for step S4 of Figure 2.
  • step S24 the key generator 120 stores the keys AK, BK and IXK in the key store 100. Computer B is thus ready to receive the first packet of data from computer A.
  • step S26 the error checker 80 in computer B performs a CRC error check on the transmitted packet and extracts the encrypted data packet in step S26.
  • the encrypted data packet is received by the encryption engine 90 and in step S27 the decryption engine 90 decrypts the data packet using the stored initial encryption key IXK and then outputs the data to the data destination 10 in step S27.
  • the communication application 70 in computer B then receives the next transmitted packet from computer A in step S28 and in step S29 the error checker 80 in computer B performs a CRC check on the packet and extracts the encrypted data packet.
  • the encrypted data packet is then passed to the decryption engine 90 which, in step S30 extracts the difference key DK from a position in the data packet is determined using the encryption key IXK or NXK for the previous packet read from the key store 100 in step S30.
  • the decryption engine 90 then adds the difference key DK to the stored key AK stored in the key store 100 to determine a new key AK.
  • the encryption key NXK is then determined for a received data packet by combining the new key AK with the stored key BK in step S31.
  • the decryption engine 90 then decrypts the data packet using the determining encryption key NXK and outputs the data to the data destination 110 in step S32.
  • step S33 the communication application 70 determines whether any more data is received from computer A. If not the process terminates in step S34. If all data is received, the process returns to step S28 where the next transmitted packet is received by the communication application 70 from computer A.
  • the encryption used for encrypting the data packet can comprise any conventional encryption technique which uses a key. Such encryption techniques are well known in the art and will be apparent to a skilled person in the art.
  • the transmission medium 200 used can comprise not just a telecommunications channel and but any type of transmission medium which can include a storage medium such as a hard disk drive.
  • computer A and computer B are shown as separate computers, it will be apparent to a skilled person in the art that the functionality of computer A and computer B can be implemented by a single computer wherein the transmission medium comprises a storage medium.
  • the communication applications 60 and 70 may comprise an I/O device.
  • the present invention can be implemented by dedicated hardware or by software on a standard computing apparatus.
  • the present invention is intended to encompass computer readable programme code provided on a readable medium such as a storage medium (e.g. floppy disk drive, CD Rom, programmable memory device, or magnetic tape device) or a transient medium (e.g. an electrical signal, optical signal, or microwave signal).
  • a computer programme can be provided by any such carrier medium to a conventional general purpose computer in order to configure the general purpose computer to implement the process of the present invention.
  • the initial key is determined and shared using information obtained from both computers. This process has the benefit that only part of the key e.g. AK and BK is transmitted from each computer. This makes it harder for an unauthorised person to get hold of the initial key.
  • the present invention is however not limited to the use of such a split initial key system.
  • the initial key could be generated within either computer and transmitted to another computer over an initial secure communication link.
  • the initial key can be randomly generated e.g. using a random number generator and similarly randomly modified for subsequent data packets.
  • the information on the modified key which is inserted within the packets of data comprises the difference between the old key AK and new key NK.
  • the present invention is however not limited to the transmission of such a partial key.
  • the present invention encompassed the transmission of the complete modified key within the encrypted data packet.
  • the key used for decryption is the same as that used for encryption.
  • the present invention is however not limited to such a symmetric encryption technique and can encompass an asymmetric technique.
  • the information on the key used for encryption can be used by computer B in order to generate the necessary key for decryption which is different to the key used for encryption. This provides for additional security since even if an unauthorised person gains access to the key used for encryption, it requires further effort in order to determine how to modify that key to generate the decryption key to enable the encrypted data to be decrypted.

Abstract

A method of encrypting data which comprises dividing the data into packets, encrypting the packet using a modified key which is a modification of the key used for encrypting the previous packet, and adding information on the modified key used for encrypting a packet to the encrypted packet in dependence upon the key used for encrypting a previous packet. When decrypting the encrypted data, the information on the modified key is extracted from the encrypted packet in dependence upon the key used for decrypting the previous packet and the extracted key is used for decrypting the encrypted data packets.

Description

A METHOD AND APPARATUS FOR ENCRYPTING AND DECRYPTING DATA
The present invention generally relates to a method and apparatus for encrypting and decrypting data. More particularly the present invention relates to a method and apparatus for encrypting and decrypting data packets.
The encryption of data in a secure manner has become particularly important for ensuring privacy of information in data processing systems. This is particularly the case for the data processing systems in which data is transmitted over a communication network to which an authorised personnel may be able to gain access. With the prominent use of public networks such as the Internet, the secure encryption of data passing between processing apparatuses over the public network has become of paramount importance.
It is an object of the present invention to provide a secure encryption of data.
In accordance with the first aspect of the present invention, there is provided a method of encrypting data in which data is divided into packets and the packets of data are encrypted using a modified key which is a modification of the key used for encrypting a previous packet. Information on the modified key used for encrypting a packet is added to the encrypted packet in dependence upon the key for encrypting a previous packet. Thus in this way the encryption used for each packet changes. This makes it very difficult for unauthorised persons gaining access to the data packets to be able to decrypt the data.
The information on the modified key which is added to the encrypted packet can be added in any convenient way. For example, the addition of the information can take the form of a further encryption of the encrypted packet by encrypting the packet using the key which was used for the primary encryption of a previous packet. As an alternative to this "secondary level of encryption", more conveniently, the information on the key modification can be added to the encrypted packet at a position in the packet determined in dependence upon the key used for encrypting a previous packet. Thus in this preferred technique the key is simply inserted in the data packet at a position which will change and will thus be difficult for an unauthorised person to identify.
In an exemplary embodiment, an initial packet is encrypted using an initial key which is shared with data decryption apparatus used for decrypting the packets. This sharing of an initial key provides for "synchronisation" of the sequential encryption of packets of data thereafter. Once both parties have the intial key, the encryption used for packets can be sequentially changed based on the key used for encrypting the previous packet. Information on the modification made each time is included in the encrypted packet enabling the decryption to take place by extracting the information to enable the key to be used for decryption to be determined.
Thus in order to decrypt the encrypted packets, information on the modified key is first extracted and then used to determine a key to be used for the decryption process.
The key used for the decryption process need not be the same as the key used for the encryption process. Thus an asymmetric encryption technique can be used wherein the decryption key is determined from information related to the encryption key.
The intial key used for synchronising the encryption and decryption process can be determined by exchanging information between the data encryption apparatus and the data decryption apparatus. This information can be related to the encryption apparatus and the decryption apparatus. Alternatively the initial key can be determined using information related to the data encrption apparatus only. If the initial key is generated only at the data encryption apparatus, it must be transmitted to the data decryption apparatus so that it can be shared. This can be achieved using a secure initial communication.
The information on the modified key which is added to the encrypted packet of data can either comprise the modified key itself or some other information i.e. only a key modifier. If the information is only a key modifier, this must be used together with stored information on the previous key in order to generate the key to be used for decrypting the packet.
Because the present invention operates on data packets, the present invention is particularly suited to the encryption of data for transmission to a decryption apparatus. Because of the nature of the change in the key used for each packet, the encrypted data is secure and will be very difficult to decrypt if intercepted when transmitted over a public network. Thus the present invention is particularly suited for encryption of data transmitted over a public network such as the internet. The present invention is however not limited to the transmission of data over a network. The present invention is applicable to the generation of encrypted data which is simply stored (a form of transmission) on a hard disk. If the data that were to be accessed which was stored on a hard disk (analogous to interception of a transmission over a network) it would be difficult for an unauthorised person to decrypt it. It would thus be clear that the present invention can be embodied as a single apparatus incorporating both encryption and decryption means e.g. a suitably programmed general purpose computer.
The present invention can be embodied as a computer programmed carried by a suitable carrier medium such as a storage medium (e.g. floppy disk, CD Rom, solid state storage device or magnetic tape), or a transient medium (e.g. an electronic, optical, or microwave signal). The programme can control any suitable data processing apparatus (e.g. a general purpose computer) to implement the encryption and/or decryption process.
An embodiment of the present invention will now be described with reference to the accompanying drawing, in which:
Figure 1 is a schematic diagram of a data encryption and decryption system for the secured transmission of data over a communications line,
Figure 2 is a flow diagram illustrating the encryption method implemented by computer
A in the embodiment of Figure 1,
Figure 3 is a flow diagram illustrating the decryption method implemented by computer
B in the embodiment of Figure 1, Figure 4a is a schematic illustration of an initial encrypted data packet transmitted from computer A to computer B in the embodiment of Figure 1, and Figure 4b is a schematic illustration of a subsequent encrypted data packet transmitted from computer A to computer B in the embodiment of Figure 1.
Referring to Figure 1, computer A includes a data source 10 which holds data to be securely transmitted to computer B over a transmission medium 200. The data source 10 can comprise any form of data store such as a hard disk drive or CD Rom, or it can be a device allowing data to be is input into computer A from a remote device.
Computer A is provided with an encryption engine 20 for encrypting the data based on a key provided by a key generator 30. A key used for encrypting the data is inserted into the data at a position dependent upon a key previously used for encryption which is stored in the key store 40.
The encryption engine 20 encrypts data in packets using a different key for each packet as will be described in more detail hereinafter. Each encrypted data packet is output to a transmission packet former 50 which adds a header and error correction check codes (CRC codes) to the packet to form a transmission packet. This is passed to a communication application 60 for transmission of the data packets over the transmission medium 200.
In the computer B there is provided a communication application 70 for receiving the transmission packets. The transmission packets are passed to an error checker 80 which checks the error correction codes to determine whether a transmission error has occurred and if errors are present which can be corrected, these are corrected using the error correction codes. If there is an error in the data which cannot be corrected, retransmission of the packet can be requested. The encrypted data packet is then passed from the error checker 80 to a decryption engine 90. The decryption engine 90 receives a key used for encrypting a previous packet from a key store 100 to enable it to extract the key used for encrypting the current packet from the encrypted packet of data. The decryption engine uses the extracted information on the key to decrypt the data packet and output it to the data destination 110. The data destination can comprise a storage device within the computer B, a display device such as the computer screen, or some other form of output device such an output device to other processing equipment.
Also within the computer B there is provided a key generator 120. The key generator 120 is used for generating a local key by receiving date and time information from an operating system checker 130. The key generator 120 in computer B operates in a similar manner as the key generator 30 in computer A, which also includes an operating system checker 135, for the initial exchange of local keys to generate an initial key to be used for encrypting an inital packet. This will be described in more detail hereinafter with reference to the flow diagrams of Figures 2 and 3.
The modules illustrated in the computers A and B are purely functional and can be implemented by any modular or single block of code in a suitably programmed processing apparatus. The illustration of the modules separately is given purely for illustrative purposes and in practice only code structures can be used which will perform the functions.
Referring now to Figure 2, which is a flow diagram illustrating the encryption process implemented by computer A, in step SI computer A sets up a communication channel to computer B. Such communication channel can comprise a conventional point communication channel as is well known in the art. Such a communication channel can be a direct modem to modem communication channel over public switched telephone network (PSTN) or it could be a communication channel connecting computer A and computer B over the Internet wherein the higher level communication protocol TCPIP is used to establish a communication channel. The channel is established by the communications applications 60 and 70 in the respective computers.
Once the communication channel has been set up in step SI, in step S2 computer A and computer B both use a respective operating system checkers 35 and 130 to determine respective system dates and times. Where computer A and computer B are in different time zones, these can be quite different. The respective key generators 30 and 130 use the retrieved dates and time to generate respective keys AK and BK. The respective keys are stored in the respective key stores 40 and 120 and also exchanged over the transmission medium 200 so that the key stores 40 and 100 respectively store both keys AK and BK.
In step S3 respective key generators 30 and 120 in computer A and computer B combine the keys AK and BK to generate the initial encryption key IXK. This is stored in the respective key stores 40 and 100. The encryption engine 20 in computer A then retrieves the first packet of data from the data source 10 in step S5. This initial packet of data is encrypted by the encryption engine 20 using the initial key IXK read from the key store 40 in step S6. The encrypted initial packet is then output to the transmission packet former 50 in computer A to form the encrypted data packet into a transmission packet. This is then transmitted to the communication application 60 to computer B in step S7.
The operating system checker 35 then retrieves the date and time in the system of computer A and generates a new key NK using this. The difference between the new key NK and old key AK is determine as a different key DK in step S8 by the key generator 30. The key generator 30 then combines the new key NK with the key BK to generate the next encryption key NXK in step S9. The encryption engine 20 in computer A then retrieves the next packet of data from the data source 10 in step S10 and in step SI 1 the encryption engine the next packet of data is encrypted using the next encryption key NXK. Also the encryption engine 20 stores the difference key DK output from the key generator 30 in the encrypted data at a position determined by the encryption key IXK or NXK from the previous packet read from the key store 40 in step SI 2. The encrypted data packet is then output to the transmission packet former 50 in computer A and the transmission packet former 50 forms the encrypted packet data into a transmission packet by adding a header and error checking and correction codes. The communications application 60 then transmits the packet to computer B over the transmission medium 200 in step SI 3.
In step S 14 the encryption engine 20 in computer A determines whether there is any more data to be transmitted from the data source 10. If not the process ends in step S 15 otherwise the process returns to step S8 to generate a new key NK and encrypt the next packet of data using the new key NK. Although in this flow diagram, for illustrative purposes it has been shown that each data packet is read encrypted and transmitted without overlap, in practice, in computer A, the encryption engine will not wait for a packet to be transmitted before reading the next packet of data from the data source. Data streams through from the data source to the transmission medium a in pipeline manner.
Figure 4a is an illustration of the transmission packet for an initial packet. A header H is added at the front of the packet as a packet identifier. Error checking and correction codes (CRC codes) are added at the end of the packet for error checking and correction purposes. The data within the packet comprises the encrypted data. Conveniently, the transmission packet can be 8k bytes long. The header need only be one byte and the error correction codes need only be a few bytes thereby leaving most of the packet free for carrying data.
Figure 4b illustrates a transmission packet for a subsequent encrypted packet. This transmission packet differs from initial transmission packet in that in the encrypted data there is positioned a key K. The key comprises the difference DK which is positioned within the encrypted data at a position determined by the key used for encrypting the previous data packet. Because a different key is used, the data requirement is only one byte thus detracting little from the data carrying capacity of the transmission packet. If the full new key NK were to be transmitted instead, this would be a longer key requiring more bytes, thus reducing the data carrying capacity of the transmission packet.
Figure 2 is a flow diagram illustrating the process carried out by computer B.
In step S20 a communication channel is set up by the communication application 70 of computer B following the request for a communication channel from computer A in step S20. As in step S2 of Figure 2, computer A and computer B determine dates and times and generate respective keys AK and BK in step S21. In step S22 computer A and computer B exchange respective keys AK and BK as described for step S3 in Figure 2. In step S23 computer A and computer B each combine the keys of AK and BK to generate the initial encryption key IXK as described for step S4 of Figure 2. In step S24 the key generator 120 stores the keys AK, BK and IXK in the key store 100. Computer B is thus ready to receive the first packet of data from computer A. When the communication application 70 in computer B receives the first transmitted packet from computer A in step S25, in step S26 the error checker 80 in computer B performs a CRC error check on the transmitted packet and extracts the encrypted data packet in step S26. The encrypted data packet is received by the encryption engine 90 and in step S27 the decryption engine 90 decrypts the data packet using the stored initial encryption key IXK and then outputs the data to the data destination 10 in step S27. The communication application 70 in computer B then receives the next transmitted packet from computer A in step S28 and in step S29 the error checker 80 in computer B performs a CRC check on the packet and extracts the encrypted data packet. The encrypted data packet is then passed to the decryption engine 90 which, in step S30 extracts the difference key DK from a position in the data packet is determined using the encryption key IXK or NXK for the previous packet read from the key store 100 in step S30. The decryption engine 90 then adds the difference key DK to the stored key AK stored in the key store 100 to determine a new key AK. The encryption key NXK is then determined for a received data packet by combining the new key AK with the stored key BK in step S31. The decryption engine 90 then decrypts the data packet using the determining encryption key NXK and outputs the data to the data destination 110 in step S32.
In step S33 the communication application 70 determines whether any more data is received from computer A. If not the process terminates in step S34. If all data is received, the process returns to step S28 where the next transmitted packet is received by the communication application 70 from computer A.
Although in the flow diagram of Figure 3, the sequential reception, error checking and decryption of each encrypted packet is described discreetly, in practice, the packets will be streamed through the communication application 70, the error checker 80 and the decryption engine 90 such that there is some parallel processing in that the communication engine 70 will not wait for the decryption engine 90 to have finished decryption before receiving the next encrypted packet. The encryption used for encrypting the data packet can comprise any conventional encryption technique which uses a key. Such encryption techniques are well known in the art and will be apparent to a skilled person in the art. The transmission medium 200 used can comprise not just a telecommunications channel and but any type of transmission medium which can include a storage medium such as a hard disk drive. Although in this embodiment computer A and computer B are shown as separate computers, it will be apparent to a skilled person in the art that the functionality of computer A and computer B can be implemented by a single computer wherein the transmission medium comprises a storage medium. In such an application the communication applications 60 and 70 may comprise an I/O device.
It will be clear to a skilled person in the art that the present invention can be implemented by dedicated hardware or by software on a standard computing apparatus. Thus the present invention is intended to encompass computer readable programme code provided on a readable medium such as a storage medium (e.g. floppy disk drive, CD Rom, programmable memory device, or magnetic tape device) or a transient medium (e.g. an electrical signal, optical signal, or microwave signal). Thus a computer programme can be provided by any such carrier medium to a conventional general purpose computer in order to configure the general purpose computer to implement the process of the present invention.
In the embodiment of the present invention, the initial key is determined and shared using information obtained from both computers. This process has the benefit that only part of the key e.g. AK and BK is transmitted from each computer. This makes it harder for an unauthorised person to get hold of the initial key. The present invention is however not limited to the use of such a split initial key system. The initial key could be generated within either computer and transmitted to another computer over an initial secure communication link. The initial key can be randomly generated e.g. using a random number generator and similarly randomly modified for subsequent data packets.
In the embodiment described hereinabove, the information on the modified key which is inserted within the packets of data comprises the difference between the old key AK and new key NK. The present invention is however not limited to the transmission of such a partial key. The present invention encompassed the transmission of the complete modified key within the encrypted data packet.
In the embodiment described hereinabove, the key used for decryption is the same as that used for encryption. The present invention is however not limited to such a symmetric encryption technique and can encompass an asymmetric technique. In such an asymmetric technique, the information on the key used for encryption can be used by computer B in order to generate the necessary key for decryption which is different to the key used for encryption. This provides for additional security since even if an unauthorised person gains access to the key used for encryption, it requires further effort in order to determine how to modify that key to generate the decryption key to enable the encrypted data to be decrypted.
It will be apparent to a skilled person in the art that modifications to the described embodiments lie within the spirit and scope of the present invention.

Claims

CLAIMS:
1. A method of encrypting data in a data encryption apparatus, the method comprising: dividing the data into packets; encrypting packets using a modified key which is a modification of the key used for encrypting a previous packet; and adding information on the modified key used for encrypting a packet to the encrypted packet in dependence upon the key used for encrypting a previous packet.
2. A method according to claim 1 wherein the information on the key modification is added to the encrypted packet at a position in the packet determined in dependence upon the key used for encrypting a previous packet.
3. A method according to claim 1 or claim 2 wherein an initial packet is encrypted using an initial key which is shared with data decryption apparatus used for decrypting the packet.
4. A method according to claim 3 wherein the initial key is determined using information exchanged between the data encryption apparatus and the data decryption apparatus.
5. A method according to claim 3 wherein the initial key is determined using information related to the data encryption apparatus.
6. A method according to claim 4 wherein the initial key is determined using information related to the data encryption apparatus and the data decryption apparatus.
7. A method according to any preceding claim wherein the information on the modified key which is added to the encrypted packet comprises the modified key.
8. A method according to any one of claims 1 to 6 wherein the information on the key modification which is added to the encrypted data comprises a key modifier.
9. A method according to claim 3 wherein the initial key is determined by the data encryption apparatus and sent to the data decryption apparatus.
10. A method of transmitting data comprising the encryption method of any preceding claim, and transmitting the encrypted packets.
11. A method according to claim 10 including adding a header and check codes to each encrypted packet.
12. A method of decrypting encrypted data in a data encryption apparatus, the method comprising: receiving encrypted data packets; extracting information on a modified key used for encrypting a packet from the encrypted packet in dependence upon the key used for decrypting a previous packet; and decrypting the encrypted data packets using the modified key which is a modification of the key used for decrypting a previous packet.
13. A method according to claim 12 wherein the information on the key modification is extracted from the encrypted packet from a position in the packet determined in dependence upon the key used for decrypting a previous packet.
14. A method according to claim 12 or claim 13 wherein an initial encrypted packet is decrypted using an initial key which is shared with data encryption apparatus used to encrypt the packets.
15. A method according to claim 14 wherein the initial key is determined using information exchanged between the data encryption apparatus and the data decryption apparatus.
16. A method according to claim 14 wherein the initial key is received from the data encryption apparatus.
17. A method according to claim 14 wherein the initial key is determined using information related to the data encryption apparatus and the data decryption apparatus.
18. A method according to any one of claims 12 to 17 wherein the information on the modified key which is extracted from the encrypted packet comprises the modified key.
19. A method according to any one of claims 12 to 18 wherein the information on the modified key which is extracted from the encrypted packet comprises a key modifier, the key used for decrypting a previous packet is stored, and the modified key is determined using the stored key and the key modifier.
20. A method of receiving data comprising receiving encrypted patent of data, and the method of any one of claims 12 to 19.
21. A method according to claim 20 wherein the encrypted packets of data include error correction codes, the method including carrying out error correction checks on the received encrypted packets.
22. Data encryption apparatus for encrypting data, the apparatus comprising: dividing means for dividing the data into packets; encrypting means for encrypting packets using a modified key which is a modification of the key used for encrypting a previous packet; and information adding means for adding information on the modified key used for encrypting a packet to the encrypted packet in dependence upon the key used for encrypting the previous packet.
23. Data encryption apparatus according to claim 22 wherein the information adding means is adapted to add information on the key modification to the encrypted packet at a position in the packet determined in dependence upon the key used for encrypting a previous packet.
24. Data encryption apparatus according to claim 22 or claim 23 wherein said encrypting means is adapted to encrypt an initial packet using an initial key which is shared with data decryption apparatus used for decrypting the packets.
25. Data encyption apparatus according to claim 24 wherein said encrypting means is adapted to determine the initial key using information exchange between the data encryption apparatus and the data decryption apparatus.
26. Data encrytion apparatus according to claim 24 wherein said encrypting means is adapted to determine the initial key using information related to the data encryption apparatus.
27. Data encryption apparatus according to claim 25 wherein said encrypting means is adapted to determine the initial key using information related to the data encryption apparatus and the data encryption apparatus.
28. Data encryption apparatus according to any one of claims 22 to 27 wherein said information adding means is adapted to add the modified key as said information on the modified key.
29. Data encryption apparatus according to any one of claims 1 to 27 wherein said information adding means is adapted to add a key modifier to the encryption data as the information on the key modification.
30. Data encryption apparatus according to claim 24 wherein said encrypting means is adapted to determine the initial key and send the initial key to the data decryption apparatus.
31. Data transmission apparatus comprising the data encryption apparatus of any preceding claim and transmission means for transmitting the encrypted packets.
32. Data transmission apparatus according to claim 31 including means for adding a header and check codes to each encrypted packet.
33. Data decryption apparatus for decrypting encrypted data, the apparatus comprising: receiving means for receiving encrypted data packets; extracting means for extracting information on a modified key used for encrypting a packet from the encrypted packet in dependence upon the key used for decrypting a previous packet; and decrypting means for decrypting the encrypted packets using the modified key which is a modification of the key used for decrypting previous packet.
34. Data decrypting apparatus according to claim 33 wherein said extracting means is adapted to extract information on the key modification from the encrypted packet from a position in the packet determined in dependence upon the key used for decrypting a previous packet.
35. Data decryption apparatus according to claim 33 or claim 34 wherein said decrypting means is adapted to decrypt an initial encrypted packet using an initial key which is shared with data encrypting apparatus used to encrypt the packets.
36. Data decryption apparatus according to claim 35 wherein said decrypting means is adapted to determine the initial key using information exchanged between the data encryption apparatus and the data decryption apparatus.
37. Data decryption apparatus according to claim 35 wherein said receiving means is adapted to receive the initial key from the data encryption apparatus.
38. Data decryption apparatus according to claim 35 wherein said decrypting means is adapted to determine the initial key using information related to the data encryption apparatus and the data decryption apparatus.
39. Data decryption apparatus according to any one or claims 33 to 38 wherein said extracting means is adapted to extract information on the modified key as the modified key.
40. Data decryption apparatus according to any one of claims 33 to 39 wherein said extracting means is adapted to extract information on the modified key as a key modifier, the apparatus including storage means for storing a key used for decrypting a previous packet, and means for determing the modified key using the stored key and key modifier.
41. Data reception apparatus comprising receiving means for receiving encypted packets of data, and the data decryption apparatus for any one of claims 33 to 40.
42. The data reception apparatus according to claim 41 wherein the encrypted packets of data include error correction codes, the apparatus including means for carrying out error correction checks on received encrypted packets.
43. Data encryption apparatus for encrypting data comprising: a memory storing processor readable instructions; and a processor for implementing the instructions; wherein the stored instructions comprise: instructions for dividing the data into packets; instructions for encrypting packets using a modified key which is a modification of the key used for encrypting a previous packet; and instructions for adding information on the modified key used for encrypting a packet to the encrypted packet in dependence upon the key used for encrypting a previous packet.
44. Data encryption apparatus according to claim 43 wherein the stored instructions include instructions for adding the information on the key modification to the encrypted packet at a position in the packet determined in dependence upon the key used for encrypting a previous packet.
45. Data encryption apparatus according to claim 43 or claim 44 wherein the stored instructions include instructions for encrypting an initial packet using an initial key which is shared with data decrypting apparatus used for decrypting the packets.
46. Data encryption apparatus according to claim 45 wherein the stored instructions include instructions for determing the initial key using information exchange between the data encryption apparatus and the data decryption apparatus.
47. Data encryption apparatus according to claim 45 wherein the stored instructions include instructions for determining the initial key using information related to the data encryption apparatus.
48. Data encryption apparatus according to claim 46 wherein the stored instructions include instructions for determining the initial key using information relating to the data encryption apparatus and the data decryption apparatus.
49. Data encyption apparatus according to any one of claims 43 to 48 wherein the stored instructions include instructions for adding the information on the modified key to the encrypted packet as the modified key.
50. Data encryption apparatus according to any one of claims 43 to 48 wherein the stored instructions include instructions for adding the information on the key modification to the encrypted data as a key modifier.
51. Data encryption apparatus according to claim 45 wherein the stored instructions include instructions for determining the initial key and sending the initial key to the data decryption apparatus.
52. Data transmission apparatus for transmitting data comprising: the data encryption apparatus according to any one of claims 43 to 51, and a transmitter for transmitting the encrypted packets.
53. Data transmission apparatus according to claim 52 wherein the stored instructions include instructions for adding a header and check codes to each encrypted packet.
54. Data decryption apparatus for decrypting encrypted data, the apparatus comprising: a memory storing instructions for controlling a processor, and a processor for implementing the stored instructions, wherein the stored instructions comprise: instructions for receiving encrypted data packets; instructions for extracting information on a modified key used for encrypting a packet from the encrypted packet in dependence upon the key used for decrypting a previous packet; and instructions for decrypting the encrypted data packets using a modified key which is a modification of the key used for decrypting a previous packet.
55. Data decryption apparatus according to claim 54 wherein the stored instructions include instructions for extracting information on the key modification from the encrypted packet from a position in the packet determined in dependence upon the key used for decrypting a previous packet.
56. Data decryption apparatus according to claim 54 or claim 55 wherein the stored instructions include instructions for decrypting an initial encrypted packet using an initial key which is shared with data encrypting apparatus used to encrypt the packet.
57. Data decryption apparatus according to claim 56 wherein the stored instructions include instructions for determining the initial key using information exchange between the data encryption apparatus and the data decryption apparatus .
58. Data decryption apparatus according to claim 56 wherein the stored instructions include instructions for receiving the initial key from the data encryption apparatus.
59. Data decryption apparatus according to claim 56 wherein the stored instructions include instructions for determining the initial key using information related to the data encryption apparatus and the data decryption apparatus.
60. Data decryption apparatus according to any one of claims 12 to 59 wherein the stored instructions include instructions to extract the information on the modified key from the encrypted packet as the modified key.
61. Data decryption apparatus according to any one of claims 54 to 60 wherein the stored instructions include instructions for extracting the information on the modified key from the encrypted packet as a key modifier; instructions for storing the key used for decrypting a previous packet; and instructions for determining the modified key using the stored key and the key modifier.
62. Data reception apparatus comprising a receiver for receiving encrypted packets of data, and the data decryption apparatus of any one of claims 54 to 61.
63. The data reception apparatus according to claim 62 wherein the encrypted packets of data include error correction codes, the stored instructions including instructions for carrying out error correction checks on the received encrypted packets.
64. A processor readable instructions for controlling a processor in a data encryption apparatus to carry out the method of any one of claims 1 to 9.
65. A processor readable instructions for controlling a processor in a data decryption apparatus to carry out the method of any one of claims 12 to 19.
66. A processor readable instructions for controlling a processor in a data transmission apparatus to carry out the method of claim 10 or claim 11.
67. A processor readable instructions for controlling a processor in a data reception apparatus to carry out the method of claim 20 or claim 21.
68. A processor readable carrier medium carrying the processor readable instructions according to any one of claims 64 to 67.
PCT/GB2001/003017 2000-08-04 2001-07-06 A method and apparatus for encrypting and decrypting data WO2002013454A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001267748A AU2001267748A1 (en) 2000-08-04 2001-07-06 A method and apparatus for encrypting and decrypting data

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0019286.4 2000-08-04
GB0019286A GB2365719B (en) 2000-08-04 2000-08-04 A method and apparatus for encrypting and decrypting data

Publications (1)

Publication Number Publication Date
WO2002013454A1 true WO2002013454A1 (en) 2002-02-14

Family

ID=9897072

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2001/003017 WO2002013454A1 (en) 2000-08-04 2001-07-06 A method and apparatus for encrypting and decrypting data

Country Status (3)

Country Link
AU (1) AU2001267748A1 (en)
GB (1) GB2365719B (en)
WO (1) WO2002013454A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5659615A (en) * 1994-11-14 1997-08-19 Hughes Electronics Secure satellite receive-only local area network with address filter
EP0874503A2 (en) * 1997-04-23 1998-10-28 Sony Corporation Data transmitting and/or receiving apparatus, methods and systems for preventint illegal use of data

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5319712A (en) * 1993-08-26 1994-06-07 Motorola, Inc. Method and apparatus for providing cryptographic protection of a data stream in a communication system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5659615A (en) * 1994-11-14 1997-08-19 Hughes Electronics Secure satellite receive-only local area network with address filter
EP0874503A2 (en) * 1997-04-23 1998-10-28 Sony Corporation Data transmitting and/or receiving apparatus, methods and systems for preventint illegal use of data

Also Published As

Publication number Publication date
GB2365719A (en) 2002-02-20
AU2001267748A1 (en) 2002-02-18
GB0019286D0 (en) 2000-09-27
GB2365719B (en) 2003-09-03

Similar Documents

Publication Publication Date Title
EP0438154B1 (en) Multimedia network system
US8249255B2 (en) System and method for securing communications between devices
US6289451B1 (en) System and method for efficiently implementing an authenticated communications channel that facilitates tamper detection
EP0998799B1 (en) Security method and system for transmissions in telecommunication networks
EP0651533B1 (en) Method and apparatus for privacy and authentication in a mobile wireless network
US5297208A (en) Secure file transfer system and method
US8396218B2 (en) Cryptographic module distribution system, apparatus, and program
US6504930B2 (en) Encryption and decryption method and apparatus using a work key which is generated by executing a decryption algorithm
US20080031458A1 (en) System, methods, and apparatus for simplified encryption
US20030084292A1 (en) Using atomic messaging to increase the security of transferring data across a network
MXPA06009235A (en) Method and apparatus for cryptographically processing data.
US20070237332A1 (en) Method and system for encrypting and decrypting data using an external agent
US6944762B1 (en) System and method for encrypting data messages
JPH06266670A (en) Ciphering virtual terminal initialization device
NO306890B1 (en) Procedure for establishing secure communication
JPH1056448A (en) Information transmission method, communication equipment, and storage medium
KR102619383B1 (en) End-to-end double ratchet encryption using epoch key exchange
CN102088441B (en) Data encryption transmission method and system for message-oriented middleware
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
JPS625544B2 (en)
US7894608B2 (en) Secure approach to send data from one system to another
JPH0934356A (en) High-bandwidth cryptographic system with low-bandwidth cryptographic module
CN102088352B (en) Data encryption transmission method and system for message-oriented middleware
JP2002237812A (en) Method of communicating secret data
US20020021804A1 (en) System and method for data encryption

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP