WO2009059991A1 - Digital-encryption hardware accelerator - Google Patents

Digital-encryption hardware accelerator

Info

Publication number: WO2009059991A1
Authority: WO, WIPO (PCT)
Prior art keywords: data, processing stage, encryption, block, des
Application number: PCT/EP2008/064981
Other languages: French (fr)
Inventor: Ami Ingimundarson, Adolf Baumann
Original Assignee: Texas Instruments Deutschland Gmbh
Priority claimed from: DE102007052656A (patent DE102007052656B4)
Application filed by: Texas Instruments Deutschland Gmbh

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/20 Manipulating the length of blocks of bits, e.g. padding or block truncation

Definitions

  • the present invention relates to an electronic device for encrypting and decrypting data, more specifically, the present invention relates to an electronic device for performing symmetrical cryptographical operations on 8 byte-size data blocks according to the Digital-Encryption Standard (DES).
  • DES Digital-Encryption Standard
  • the ISO/IEC 7816-4 Secure Messaging Protocol requires a double-length key triple-DES data encryption and a double-length key triple-DES based message authentication code (MAC).
  • the conventional implementation of this protocol requires the encrypted message to be calculated first and then the computation of the message authentication code on the encrypted message data to be calculated afterwards.
  • the two-step encryption and decryption is conventionally sequentially implemented. This requires a substantial amount of time as the data blocks are first encrypted or decrypted and the message authentication code is subsequently encrypted or decrypted over the whole message length. Further, extra processing time is required for a key exchange, since encryption and MAC are using different keys. Furthermore, extra storage capacities and data paths for handling the encrypted or decrypted data and calculating interim results are required.
  • an electronic device for encrypting and decrypting data blocks of a message having n data blocks in accordance with the data encryption standard (DES as defined in the ISO/IEC 7816-4 Secure Messaging Protocol).
  • the electronic device comprises a first data processing channel, which includes a first processing stage for performing encryption and decryption of data blocks of a predefined length. Further, there is a first input data buffer coupled to a data input and to the first processing stage. In a second data processing channel, there is a second processing stage for performing encryption and decryption of data blocks in accordance with the DES standard. Further, there is a second data input buffer coupled to an output of the first processing stage and to the second processing stage.
  • DES data encryption standard
  • the electronic device further comprises a control stage for controlling the first processing stage and the second processing stage, in a manner so as to perform an encryption or decryption step with the second processing stage on an encrypted or decrypted data block output from the first processing stage.
  • the control stage is adapted to control the first processing stage to perform data encryption or decryption according to the data encryption standard on each block and to control the second processing stage to compute a message authentication code over the encrypted or decrypted message received from the first processing stage block-by-block.
  • the aspect of the present invention provides a solution, which is based on pipelined and parallel architecture using two processing stages.
  • the processing stage is typically a processor unit dedicated to perform encryption or decryption in accordance with the DES standard. Therefore, the processing stage is also referred to as crypto core.
  • the processing stages or crypto cores allow the execution of two DES operations in parallel.
  • Each crypto core is capable of performing symmetrical cryptographical operations on 8 byte size data blocks according to the DES Standard.
  • Each core can handle single- and triple-DES operations.
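  • a single-DES operation encrypts or decrypts a 64 bit wide data block using a 64 bit (i.e. 56 bit plus 8 parity bits in accordance with the DES Standard) key while a 128 bit key is used for triple-DES operations.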
  • a triple-DES operation consists of three successive rounds of single-DES operations. Before an encrypt or decrypt operation can be started, the crypto key must be loaded into the corresponding key register.
  • $K := K_A \,\|\, K_B$
  • a triple-DES encryption operation is defined as follows:
  • DES means a single-DES encryption, $\mathrm{DES}^{-1}$ a single-DES decryption, P a plain text block and C a cipher text block.
  • the data can be written to the input data buffer.
  • the DES operation can be started manually or, if so configured, it is started automatically when the last (8th) byte of the block is written into the data buffer.
  • An interrupt can be generated upon completion of the operation.
  • the control stage is adapted to control the first processing stage to perform data encryption according to the data encryption standard on each block and to control the second processing stage to compute a message authentication code over the encrypted message received from the first processing stage (DES crypto core) block-by-block.
  • DES crypto core first processing stage
  • This is in accordance with the DES Standard and the two processing stages of the electronic device according to the present invention are specifically adapted and controlled to perform data encryption or decryption block-by-block, wherein the encrypted or decrypted blocks are further computed in the processing stage (DES crypto core), so as to retrieve or to apply the message authentication code over the whole message, i.e. all blocks of the message, but on a block-by-block basis.
  • the electronic device comprises a first key register for storing a first encryption or decryption key to be used by the first processing stage, and a second key register for storing a second encryption or decryption key to be used by the second processing stage.
  • This aspect of the present invention allows the encryption or decryption operations to be performed by the two processing stages basically independently from each other. An exchange of keys in the registers is not necessary.
  • the second input data buffer should advantageously have twice the size of the first data buffer. Having a data buffer of double size is particularly helpful for a pipelined operation, as consecutive results and header information for the second crypto core have to be stored in the second channel.
  • the computation of the message authentication code in the second channel requires feeding alternately encrypted or decrypted data blocks output from the first channel to the second processing stage. Therefore, a double size input data buffer improves throughput and speed.
  • the first processing stage and the second processing stage are both adapted to perform single-DES and triple-DES operations.
  • the first and second encryption keys have a maximum length of 128 bit. Accordingly, the first and second key registers can be restricted to this maximum bit length. This allows the storage capacity to be limited.
  • the first channel is preferably adapted to perform ECB mode and CBC mode for encryption and decryption and the second channel is advantageously adapted to perform ECB for encryption and decryption and CBC mode for encryption only.
  • the blocks can either be operated independently of each other or the result of an operation can be used to influence the next one.
  • ECB Electronic Codebook mode
  • each block is encrypted and decrypted independently of the other blocks of a message.
  • $P_n$ is a block n in plain text.
  • $C_n$ refers to a cipher block.
  • Figure 2 shows encryption and decryption according to the cipher block chaining mode (CBC).
  • CBC cipher block chaining mode
  • the plain input data block $P_1$ is first buffered and XORed with the results of the previous operation before it is encrypted.
  • an initial cipher vector $C_0$ is used for the first operation.
  • the left-hand side of Figure 2 shows the corresponding decryption operation.
  • during decryption the data output of the crypto core $(3)\mathrm{DES}^{-1}$ must be XORed with the previous ciphered input block before the plain data can be read.
  • for the first operation of the decryption, the same initial vector $C_0$ must be used as for the encryption.
  • the channels of the electronic device are adapted to perform ECB mode and CBC mode.
  • the second channel can be simplified in that only CBC mode is provided for encryption. This reduces complexity of the circuits.
  • a data block preferably has a bit length of 64 bit.
  • An aspect of the present invention also relates to a method for encrypting a message having n data blocks.
  • a data block is encrypted in a first processing stage in accordance with a single-DES or triple-DES operation.
  • the encrypted data block is passed to a second processing stage (crypto core).
  • the encrypted data block is further encrypted in accordance with a single-DES or triple-DES operation.
  • the first encryption step performs data encryption on each block and the second encryption step performs computation of a message authentication code over the encrypted message block in a block-by-block manner.
  • a method for decrypting a message having n encrypted data blocks and a message authentication code is provided.
  • the encrypted data block is decrypted in a first processing stage in accordance with a single-DES or triple-DES operation.
  • the decrypted data block is passed to a second processing stage, where the decrypted data block is further decrypted in accordance with a single-DES or triple-DES operation.
  • the first decrypting step performs data decryption on each block and the second decrypting step retrieves the message authentication code over n blocks. In this way, it is possible to compute the whole encryption in a partially parallel manner using a pipelined structure, which incorporates two independent processing stages (crypto cores).
  • Figure 1 shows a simplified block diagram illustrating ECB mode
  • Figure 2 is a simplified block diagram illustrating CBC mode
  • Figure 3 is a simplified block diagram of an embodiment of the present invention
  • Figure 4 shows a diagram illustrating the general steps of data encryption according to the DES Standard
  • Figure 5 shows a diagram illustrating the decryption steps according to the DES Standard
  • Figure 6 is a flow chart illustrating the data flow in an electronic device according to the present invention for encryption.
  • Figure 7 is a flow chart illustrating the data flow in an electronic device according to the present invention for decryption.
  • FIG. 3 shows a simplified block diagram of a preferred embodiment of the present invention.
  • the first crypto core DES/(3)DES core 1 is coupled to an input data buffer 1, which is 8 bytes long, corresponding to 64 bit of a data block of a message to be encrypted or decrypted.
  • a first key register Key Reg 1 is also coupled to the first core DES/(3)DES core 1 in order to provide the respective secret key for encryption or decryption.
  • the output buffer in the first channel CH1 is only optional. Data can be directly fed to the second input data buffer 2 of the second channel CH2.
  • the second channel CH2 is dedicated to perform the necessary encryption steps for computing the message authentication code.
  • the second data buffer Data Buffer 2 has twice the size of the first data buffer in order to store consecutive encrypted or decrypted data blocks from the first channel or to store header information and a data block output from the first channel.
  • the output buffer of the second channel is also just optional and can be omitted if data can be transferred immediately after computation.
  • the control stage can be implemented as a finite state machine FSM.
  • a control register Control Regs provides control information to the control stage FSM.
  • the finite state machine FSM controls two separate DES encryption or decryption channels CH1 and CH2, which are both capable of performing single-DES as well as triple-DES operations. Both channels support the ECB mode for encryption and decryption.
  • the first channel supports both encryption and decryption in CBC mode
  • the second channel CH2 supports CBC mode for encryption only.
  • the two channels CH1 and CH2 can be configured to work together to enhance throughput while data is encrypted or decrypted according to the secure messaging format as defined by the ISO/IEC 7816-4 specification (DES Standard).
  • one channel is used to encrypt or decrypt the data while the other channel calculates the cryptographic signature of the data block's output from the first channel CH1 simultaneously.
  • the first channel CH1 includes multiplexers MUX1 and MUX2 as well as XOR gates XOR, for performing the respective CBC or ECB operations.
  • multiplexers MUX4 and MUX5 and XOR gates XOR provide the necessary operations for ECB or CBC mode.
  • the multiplexer MUX3 selectively inputs the data block's output from the first channel CH1 or input data received through input DATA_IN.
  • Multiplexer MUX6 is adapted to selectively output data from the first channel, the second channel or from the control registers to output DATA_OUT.
  • FIG 4 shows a diagram illustrating data encryption according to a secure messaging protocol (e.g. the ISO/IEC 7816-4 Secure Messaging Protocol).
  • a secure messaging protocol e.g. the ISO/IEC 7816-4 Secure Messaging Protocol
  • This protocol defines that the data has to be encrypted and a cryptographical signature should be appended to it before it is sent over any unsecured path.
  • the plain data to be sent is referred to as "uplink data". Additional status information can be transmitted, which is not encrypted. If a block of the uplink data is smaller than 64 bit, additional bits are added to the uplink data in order to complete 64 bit.
  • the uplink data and the optional padding data are encrypted in a crypto core according to a single-DES or triple-DES operation. The result is the encrypted data. Further, a data header information and an epilog information is appended to the encrypted data.
  • the status information is passed through.
  • the header, the epilog, the encrypted data and additional padding bits are encrypted in a second step in order to include the message authentication code, the result of which is the calculated MAC value.
  • the data to be sent is then the data header, encrypted data plus status information, the MAC header, the calculated MAC value, and status information.
  • DO data objects
  • the following data objects (DO) correspond to the previously defined data packets: DO'97: data header, DO'97: separator, DO'8E: MAC header, DO'99: epilog.
  • the decryption procedure is illustrated in Figure 5.
  • the received data includes a command header CmdHdr, a portion Lc, the encrypted data including data header, encrypted data, additional data header information as well as the MAC header, and optional zero bits.
  • the command header CmdHdr, the padding bits, the data header and encrypted data, a separator and additional padding bits are passed to a crypto core for performing the triple-DES operation in order to retrieve the message authentication code MAC.
  • the retrieved and calculated MAC value is compared to the received MAC value in order to check the authentication of the message.
  • the data header information and the encrypted data including any optional padding bits is then decrypted in a triple-DES operation in order to receive the plain data and any padding bits.
  • the double core DES3DES module according to the present invention is designed to enhance throughput when data is to be sent or to be received according to the secure messaging scheme. Since the message authentication code MAC is calculated over the encrypted data, which at some point is either written to the module for decryption or to read from it after encryption, the electronic device according to the present invention is preferably designed to automatically use this data as input into the MAC channel (CH2). This data must therefore not be moved separately into the second channel CH2 in order to calculate the MAC.
  • CH2 MAC channel
  • FIG. 6 shows a diagram illustrating a data flow according to the present invention.
  • the MAC channel is set up to perform the necessary operations on the data that is read from the encryption channel (CH1 in Figure 3) and to start synchronously to the encryption channel (CH1 in Figure 3). Accordingly, the following operation and data flow can be observed after the electronic device according to the present invention has been set up:
  • the input data stream from the encryption block is split into a 7 byte data portion which is to be combined in the second DES path with the data header (1 byte, e.g. DO'87, according to the ISO/IEC 7816-4). Therefore, the last byte of the 8 byte output from the encryption block is passed to the next DES core and combined with the first 7 bytes of the respective output from the second block of the encryption stage.
  • the epilog can be the DO'99 data object of the ISO/IEC 7816-4 Secure Messaging Protocol. This data splitting due to the necessary inclusion of the data header information is the reason for the double-size input buffer in the MAC stage shown in Figure 3 (2 times 8 byte input data buffer Data Buffer 2 in CH2).
  • FIG. 7 illustrates a data flow for a decryption operation of the electronic device according to the present invention.
  • the second channel (MAC) has to perform two steps in advance for decrypting the send sequence counter and the command header CmdHdr plus padding information.
  • a DES block in the MAC channel consecutively receives two blocks of encrypted data.
  • the crypto core of the second channel can perform more operations in the time period the first crypto core needs for a decryption according to the triple-DES decryption.
  • the data and key registers in the module are preferably implemented as a kind of a left-shift register.
  • the first byte or word that is written to these registers is written to the far left of the register.
  • the following bytes or words are then always written to the right of the previous data. This allows the content of the registers to be viewed in lexical order (from left to right) which complies with many protocol specifications.
  • the first byte of 8 bytes written into the data registers is therefore the leftmost byte of the 8 bytes.
  • An example for a single DES operation looks as follows (all numbers are hexadecimal):
  • the first word of the key written to the key register is 0123 followed by 4567 and the last word CDEF. (The key must always be written word-wise into the key register.) The same applies to the data where the first byte is CA and the last byte CD. Then, the first result byte read is 3E and the last byte 62.
  • the data stream from the decryption stage is split into two data paths.
  • the separator added in the last 3DES stage of the MAC stage shown in Figure 7 can be the DO'99 data packet of the ISO/IEC 7816-4 Secure Messaging Protocol.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

An electronic device for encrypting and decrypting data blocks of a message having n data blocks in accordance with the data encryption standard (DES) is provided. The electronic device has a first data processing channel having a first processing stage for performing encryption and decryption of data blocks of a predefined length, and a first input data buffer coupled to a data input and to the first processing stage, and a second data processing channel having a second processing stage for performing encryption and decryption of data blocks, a second data input buffer coupled to an output of the first processing stage and to the second processing stage. The electronic device also has a control stage (FSM) for controlling the first processing stage and the second processing stage, so as to perform an encryption or decryption step with the second processing stage on an encrypted/decrypted data block output from the first processing stage. The control stage is adapted to control the first processing stage to perform data encryption or decryption according to the data encryption standard on each block and to control the second processing stage to compute a message authentication code over the encrypted or decrypted message received from the first processing stage block-by-block.

Description

DIGITAL-ENCRYPTION HARDWARE ACCELERATOR
FIELD OF THE INVENTION
[0001] The present invention relates to an electronic device for encrypting and decrypting data, more specifically, the present invention relates to an electronic device for performing symmetrical cryptographical operations on 8 byte-size data blocks according to the Digital-Encryption Standard (DES).
BACKGROUND OF THE INVENTION
[0002] The ISO/IEC 7816-4 Secure Messaging Protocol requires a double-length key triple-DES data encryption and a double-length key triple-DES based message authentication code (MAC). The conventional implementation of this protocol requires the encrypted message to be calculated first and then the computation of the message authentication code on the encrypted message data to be calculated afterwards. The two-step encryption and decryption is conventionally sequentially implemented. This requires a substantial amount of time as the data blocks are first encrypted or decrypted and the message authentication code is subsequently encrypted or decrypted over the whole message length. Further, extra processing time is required for a key exchange, since encryption and MAC are using different keys. Furthermore, extra storage capacities and data paths for handling the encrypted or decrypted data and calculating interim results are required.
SUMMARY OF THE INVENTION
[0003] It is a general object of the present invention to provide an electronic device adapted to perform the necessary decryption and encryption steps in accordance with the DES standard, which is more efficient and less complex than the conventional solution.
[0004] According to an aspect of the present invention, an electronic device is provided for encrypting and decrypting data blocks of a message having n data blocks in accordance with the data encryption standard (DES as defined in the ISO/IEC 7816-4 Secure Messaging Protocol). The electronic device comprises a first data processing channel, which includes a first processing stage for performing encryption and decryption of data blocks of a predefined length. Further, there is a first input data buffer coupled to a data input and to the first processing stage. In a second data processing channel, there is a second processing stage for performing encryption and decryption of data blocks in accordance with the DES standard. Further, there is a second data input buffer coupled to an output of the first processing stage and to the second processing stage. The electronic device further comprises a control stage for controlling the first processing stage and the second processing stage, in a manner so as to perform an encryption or decryption step with the second processing stage on an encrypted or decrypted data block output from the first processing stage. The control stage is adapted to control the first processing stage to perform data encryption or decryption according to the data encryption standard on each block and to control the second processing stage to compute a message authentication code over the encrypted or decrypted message received from the first processing stage block-by-block.
[0005] Accordingly, the aspect of the present invention provides a solution, which is based on pipelined and parallel architecture using two processing stages. The processing stage is typically a processor unit dedicated to perform encryption or decryption in accordance with the DES standard. Therefore, the processing stage is also referred to as crypto core. The processing stages or crypto cores allow the execution of two DES operations in parallel. Each crypto core is capable of performing symmetrical cryptographical operations on 8 byte size data blocks according to the DES Standard. Each core can handle single- and triple-DES operations. A single-DES operation encrypts or decrypts a 64 bit wide data block using a 64 bit (i.e. 56 bit plus 8 parity bits in accordance with the DES Standard) key while a 128 bit key is used for triple-DES operations. A triple-DES operation consists of three successive rounds of single-DES operations. Before an encrypt or decrypt operation can be started, the crypto key must be loaded into the corresponding key register.
[0006] For triple-DES a single 128 bit key K is defined and has two 64 bit keys $K_A$ and $K_B$ concatenated together:
[0007] $K := K_A \,\|\, K_B$
[0008] A triple-DES encryption operation is defined as follows:
[0009] 1) $C' := \mathrm{DES}(K_A, P)$
[0010] 2) $C'' := \mathrm{DES}^{-1}(K_B, C')$
[0011] 3) $C := \mathrm{DES}(K_A, C'')$
[0012] And a triple-DES decryption operation is defined as follows:
[0013] 4) $P' := \mathrm{DES}^{-1}(K_A, C)$
5) $P'' := \mathrm{DES}(K_B, P')$
[0014] 6) $P := \mathrm{DES}^{-1}(K_A, P'')$
[0015] where DES means a single-DES encryption, $\mathrm{DES}^{-1}$ a single-DES decryption, P a plain text block and C a cipher text block.
[0016] After the desired mode for the channel has been configured, the data can be written to the input data buffer. When an 8 byte block of data has been written to the buffer, the DES operation can be started manually or, if so configured, it is started automatically when the last (8th) byte of the block is written into the data buffer. An interrupt can be generated upon completion of the operation.
[0017] The control stage is adapted to control the first processing stage to perform data encryption according to the data encryption standard on each block and to control the second processing stage to compute a message authentication code over the encrypted message received from the first processing stage (DES crypto core) block-by-block. This is in accordance with the DES Standard and the two processing stages of the electronic device according to the present invention are specifically adapted and controlled to perform data encryption or decryption block-by-block, wherein the encrypted or decrypted blocks are further computed in the processing stage (DES crypto core), so as to retrieve or to apply the message authentication code over the whole message, i.e. all blocks of the message, but on a block-by-block basis.
[0018] According to an aspect of the present invention, the electronic device comprises a first key register for storing a first encryption or decryption key to be used by the first processing stage, and a second key register for storing a second encryption or decryption key to be used by the second processing stage. This aspect of the present invention allows the encryption or decryption operations to be performed by the two processing stages basically independently from each other. An exchange of keys in the registers is not necessary.
[0019] In order to implement a real pipelined, partially parallel architecture, the second input data buffer should advantageously have twice the size of the first data buffer. Having a data buffer of double size is particularly helpful for a pipelined operation, as consecutive results and header information for the second crypto core have to be stored in the second channel. In fact, the computation of the message authentication code in the second channel requires feeding alternately encrypted or decrypted data blocks output from the first channel to the second processing stage. Therefore, a double size input data buffer improves throughput and speed. The first processing stage and the second processing stage are both adapted to perform single-DES and triple-DES operations. The first and second encryption keys have a maximum length of 128 bit. Accordingly, the first and second key registers can be restricted to this maximum bit length. This allows the storage capacity to be limited.
[0020] According to an aspect of the present invention, the first channel is preferably adapted to perform ECB mode and CBC mode for encryption and decryption and the second channel is advantageously adapted to perform ECB for encryption and decryption and CBC mode for encryption only. When encrypting or decrypting multiple blocks of data, the blocks can either be operated independently of each other or the result of an operation can be used to influence the next one. In an encryption and decryption according to the Electronic Codebook mode (ECB), each block is encrypted and decrypted independently of the other blocks of a message. This basic encryption and decryption configuration is shown in Figure 1. Pn is a block n in plain text. Cn refers to a cipher block. Figure 2 shows encryption and decryption according to the cipher block chaining mode (CBC). On the left-hand side a cipher block chaining mode for encryption is illustrated. The plain input data block P1 is first buffered and XORed with the results of the previous operation before it is encrypted. For the first operation an initial cipher vector C0 is used. The left-hand side of Figure 2 shows the corresponding decryption operation. During decryption the data output of the crypto core (3)DES⁻¹ must be XORed with the previous ciphered input block before the plain data can be read. For the first decryption operation, the same initial vector C0 must be used as for the encryption. According to this aspect of the present invention, the channels of the electronic device are adapted to perform ECB mode and CBC mode. However, the second channel can be simplified in that only CBC mode is provided for encryption. This reduces complexity of the circuits. For the present invention, a data block preferably has a bit length of 64 bit.
[0021] An aspect of the present invention also relates to a method for encrypting a message having n data blocks. A data block is encrypted in a first processing stage in accordance with a single-DES or triple-DES operation. The encrypted data block is passed to a second processing stage (crypto core). In this second processing stage the encrypted data block is further encrypted in accordance with a single-DES or triple-DES operation. The first encryption step performs data encryption on each block and the second encryption step performs computation of a message authentication code over the encrypted message block in a block-by-block manner. Likewise, a method for decrypting a message having n encrypted data blocks and a message authentication code is provided. The encrypted data block is decrypted in a first processing stage in accordance with a single-DES or triple-DES operation. The decrypted data block is passed to a second processing stage, where the decrypted data block is further decrypted in accordance with a single-DES or triple-DES operation. The first decrypting step performs data decryption on each block and the second decrypting step retrieves the message authentication code over n blocks. In this way, it is possible to compute the whole encryption in a partially parallel manner using a pipelined structure, which incorporates two independent processing stages (crypto cores).
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] Further aspects of the present invention will ensue from the description hereinbelow of the preferred embodiments, with reference to the accompanying drawings, in which:
[0023] Figure 1 shows a simplified block diagram illustrating ECB mode;
[0024] Figure 2 is a simplified block diagram illustrating CBC mode;
[0025] Figure 3 is a simplified block diagram of an embodiment of the present invention;
[0026] Figure 4 shows a diagram illustrating the general steps of data encryption according to the DES Standard;
[0027] Figure 5 shows a diagram illustrating the decryption steps according to the DES Standard;
[0028] Figure 6 is a flow chart illustrating the data flow in an electronic device according to the present invention for encryption; and
[0029] Figure 7 is a flow chart illustrating the data flow in an electronic device according to the present invention for decryption.
DETAILED DESCRIPTION OF THE INVENTION
[0030] Figure 3 shows a simplified block diagram of a preferred embodiment of the present invention. There are two processing stages (crypto cores) DES/(3)DES core 1 and the DES/(3)DES core 2. The first crypto core DES/(3)DES core 1 is coupled to an input data buffer 1, which is 8 bytes long, corresponding to 64 bit of a data block of a message to be encrypted or decrypted. A first key register Key Reg 1 is also coupled to the first core DES/(3)DES core 1 in order to provide the respective secret key for encryption or decryption. The output buffer in the first channel CH1 is only optional. Data can be directly fed to the second input data buffer 2 of the second channel CH2. The second channel CH2 is dedicated to perform the necessary encryption steps for computing the message authentication code. The second data buffer data buffer 2 has twice the size of the first data buffer in order to store consecutive encrypted or decrypted data blocks from the first channel or to store header information and a data block output from the first channel. The output buffer of the second channel is also just optional and can be omitted if data can be transferred immediately after computation. The control stage can be implemented as a finite state machine FSM. A control register Control Regs provides control information to the control stage FSM. The finite state machine FSM controls two separate DES encryption or decryption channels CH1 and CH2, which are both capable of performing single-DES as well as triple-DES operations. Both channels support the ECB mode for encryption and decryption. The first channel supports both encryption and decryption in CBC mode, the second channel CH2 supports CBC mode for encryption only. The two channels CH1 and CH2 can be configured to work together to enhance throughput while data is encrypted or decrypted according to the secure messaging format as defined by the ISO/IEC 7816-4 specification (DES Standard).
In the preferred mode of using the preferred embodiment shown in Figure 3, one channel is used to encrypt or decrypt the data while the other channel simultaneously calculates the cryptographic signature of the data blocks output from the first channel CH1. The first channel CH1 includes multiplexers MUX1 and MUX2 as well as XOR gates XOR, for performing the respective CBC or ECB operations. The same applies for the second channel CH2, where multiplexers MUX4 and MUX5 and XOR gates XOR provide the necessary operations for ECB or CBC mode. The multiplexer MUX3 selectively inputs the data blocks output from the first channel CH1 or input data received through input DATA_IN. Multiplexer MUX6 is adapted to selectively output data from the first channel, the second channel or from the control registers to output DATA_OUT.
[0031] Figure 4 shows a diagram illustrating data encryption according to a secure messaging protocol (e.g. the ISO/IEC 7816-4 Secure Messaging Protocol). This protocol defines that the data has to be encrypted and a cryptographical signature should be appended to it before it is sent over any unsecured path. The plain data to be sent is referred to as "uplink data". Additional status information can be transmitted, which is not encrypted. If a block of the uplink data is smaller than 64 bit, additional bits are added to the uplink data in order to complete 64 bit. The uplink data and the optional padding data are encrypted in a crypto core according to a single-DES or triple-DES operation. The result is the encrypted data. Further, a data header information and an epilog information is appended to the encrypted data. The status information is passed through. The header, the epilog, the encrypted data and additional padding bits are encrypted in a second step in order to include the message authentication code, the result of which is the calculated MAC value. The data to be sent is then the data header, encrypted data plus status information, the MAC header, the calculated MAC value, and status information. According to the ISO/IEC 7816-4 Secure Messaging Protocol, the following data objects (DO) correspond to the previously defined data packets: DO'97: data header, DO'97: separator, DO'8E: MAC header, DO'99: epilog.
[0032] The decryption procedure is illustrated in Figure 5. The received data includes a command header CmdHdr, a portion Lc, the encrypted data including data header, encrypted data, additional data header information as well as the MAC header, and optional zero bits. The command header CmdHdr, the padding bits, the data header and encrypted data, a separator and additional padding bits are passed to a crypto core for performing the triple-DES operation in order to retrieve the message authentication code MAC. The retrieved and calculated MAC value is compared to the received MAC value in order to check the authentication of the message. The data header information and the encrypted data including any optional padding bits is then decrypted in a triple-DES operation in order to receive the plain data and any padding bits. In terms of the ISO/IEC 7816-4 Secure Messaging Protocol, DO'87 is the separator, DO'87 is the data header, DO'8E is the MAC header.
[0033] The double core DES3DES module according to the present invention is designed to enhance throughput when data is to be sent or to be received according to the secure messaging scheme. Since the message authentication code MAC is calculated over the encrypted data, which at some point is either written to the module for decryption or read from it after encryption, the electronic device according to the present invention is preferably designed to automatically use this data as input into the MAC channel (CH2). This data must therefore not be moved separately into the second channel CH2 in order to calculate the MAC.
[0034] Figure 6 shows a diagram illustrating a data flow according to the present invention. The MAC channel is set up to perform the necessary operations on the data that is read from the encryption channel (CH1 in Figure 3) and to start synchronously to the encryption channel (CH1 in Figure 3). Accordingly, the following operation and data flow can be observed after the electronic device according to the present invention has been set up:
1. Write Send Sequence Counter to MAC channel.
2. Write 1st data block to encryption channel (DES core is started when the 8th data byte is written to the encryption channel).
3. Write Data header (e.g. DO'87) into MAC channel.
4. Read 1st encryption results (this data is automatically written to the MAC channel).
5. Write 2nd, 3rd, ..., nth data block into encryption channel and read the results after each operation.
6. After the last data block has been read, initiate one MAC operation manually.
7. At this point the MAC channel must be configured to do a triple DES encryption for the final operation.
8. Write epilog (e.g. Data Object '99 header) and necessary padding into MAC channel and start the last MACing operation.
9. Read the cryptographic signature from the MAC channel.
[0035] The input data stream from the encryption block is split into a 7 byte data portion which is to be combined in the second DES path with the data header (1 byte, e.g. DO'87, according to the ISO/IEC 7816-4). Therefore, the last byte of the 8 byte output from the encryption block is passed to the next DES core and combined with the first 7 bytes of the respective output from the second block of the encryption stage. The epilog can be the DO'99 data object of the ISO/IEC 7816-4 Secure Messaging Protocol. This data splitting due to the necessary inclusion of the data header information is the reason for the double-size input buffer in the MAC stage shown in Figure 3 (2 times 8 byte input data buffer Data Buffer 2 in CH2).
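The encryption data flow of paragraphs [0034] and [0035], as an added Python model that is not part of the patent: ciphertext blocks leaving CH1 are forwarded into the CH2 buffer, where the 1-byte data header shifts every MAC block so that it straddles two ciphertext blocks. `toy_cipher` is a stand-in Feistel permutation, not DES; the keys and sample values are constructed, and the zero initial vectors, the 0x80 padding, the two-key EDE order of the final operation and firing a MAC step as soon as 8 bytes are buffered are assumptions.

```python
import hashlib

BLOCK = 8  # 64-bit data blocks, as in the patent

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, block, decrypt=False):
    """Stand-in 64-bit Feistel permutation. NOT DES: it only replaces the
    DES core so the data flow runs with the standard library alone."""
    l, r = block[:4], block[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l

def pad(msg):
    # Assumed padding: one 0x80 byte, then zero bytes up to a block boundary.
    msg += b"\x80"
    return msg + bytes(-len(msg) % BLOCK)

class MacChannel:
    """Model of CH2: a double-size input buffer feeding a CBC-MAC chain."""
    def __init__(self, k1, k2):
        self.k1, self.k2 = k1, k2
        self.buf = bytearray()
        self.chain = bytes(BLOCK)   # zero initial vector (assumption)
        self.blocks = []            # MAC input blocks, kept for inspection
        self.max_fill = 0           # highest buffer fill level seen

    def _step(self, block, last=False):
        self.blocks.append(block)
        self.chain = toy_cipher(self.k1, xor(self.chain, block))
        if last:  # step 7: the final operation is a triple one
            mid = toy_cipher(self.k2, self.chain, decrypt=True)
            self.chain = toy_cipher(self.k1, mid)

    def write(self, data):
        self.buf += data
        self.max_fill = max(self.max_fill, len(self.buf))
        if len(self.buf) > 2 * BLOCK:
            raise OverflowError("CH2 input buffer holds at most 16 bytes")
        while len(self.buf) >= BLOCK:
            self._step(bytes(self.buf[:BLOCK]))
            del self.buf[:BLOCK]

    def finish(self, epilog):
        # Leftover ciphertext byte + epilog + padding form the last block(s).
        tail = pad(bytes(self.buf) + epilog)
        self.buf.clear()
        for i in range(0, len(tail), BLOCK):
            self._step(tail[i:i + BLOCK], last=(i + BLOCK == len(tail)))
        return self.chain

def cbc_encrypt_blocks(key, iv, plaintext):
    """CH1: yield CBC ciphertext blocks one at a time, as the core outputs them."""
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_cipher(key, xor(prev, plaintext[i:i + BLOCK]))
        yield prev

def secure_message(k_enc, k1, k2, ssc, header, plaintext, epilog):
    if len(plaintext) % BLOCK or len(ssc) != BLOCK:
        raise ValueError("plaintext must be padded; SSC must be one block")
    mac = MacChannel(k1, k2)
    mac.write(ssc)                 # step 1: Send Sequence Counter
    mac.write(header)              # step 3: 1-byte data header
    ct = b""
    for c in cbc_encrypt_blocks(k_enc, bytes(BLOCK), plaintext):
        ct += c                    # steps 2, 4, 5: read each result ...
        mac.write(c)               # ... which is forwarded to CH2
    return ct, mac.finish(epilog), mac   # steps 6 to 9

def reference_mac(k1, k2, msg):
    """One-shot MAC over the whole message, to check the streamed result."""
    chain = bytes(BLOCK)
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK):
        chain = toy_cipher(k1, xor(chain, padded[i:i + BLOCK]))
    return toy_cipher(k1, toy_cipher(k2, chain, decrypt=True))

# Constructed sample values (not from the patent).
K_ENC, K1, K2 = b"enc-key!", b"mac-key1", b"mac-key2"
SSC, HEADER, EPILOG = bytes.fromhex("0000000000000001"), b"\x87", bytes.fromhex("99029000")
PLAIN = bytes(range(24))
```

In this model the buffer fill peaks at 9 bytes, one leftover byte plus a freshly forwarded ciphertext block, which is why a single 8-byte buffer would not be enough in CH2.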
[0036] Figure 7 illustrates a data flow for a decryption operation of the electronic device according to the present invention. Again vertically aligned DES blocks indicate that the two crypto cores work in parallel. For decryption, the second channel (MAC) has to perform two steps in advance for decrypting the send sequence counter and the command header CmdHdr plus padding information. A DES block in the MAC channel consecutively receives two blocks of encrypted data. As only a single DES operation is performed, the crypto core of the second channel can perform more operations in the time period the first crypto core needs for a decryption according to the triple-DES decryption.
[0037] The data and key registers in the module are preferably implemented as a kind of a left-shift register. The first byte or word that is written to these registers is written to the far left of the register. The following bytes or words are then always written to the right of the previous data. This allows the content of the registers to be viewed in lexical order (from left to right) which complies with many protocol specifications. The first byte of 8 bytes written into the data registers is therefore the leftmost byte of the 8 bytes. An example for a single DES operation looks as follows (all numbers are hexadecimal):
[0038] Key = 0123 4567 89AB CDEF
[0039] Plain = CAFE ABBA 1234 ABCD
[0040] Cyphered = 3E3B 1B17 F395 6E62
[0041] The first word of the key written to the key register is 0123 followed by 4567 and the last word CDEF. (The key must always be written word-wise into the key register.) The same applies to the data where the first byte is CA and the last byte CD. Then, the first result byte read is 3E and the last byte 62.
[0042] Only DES channel 1 (CH1) has a dedicated output register. The results from channel 2 (CH2 or MAC channel) are read directly from the registers in the DES core. It is therefore not possible to read any results from channel 2 while the DES core is running. This is only possible (or meaningful) for channel 1 when using ECB mode and when encrypting in CBC mode.
[0043] Again, the data stream from the decryption stage is split into two data paths, one receiving the first seven bits of the first block output from the decryption stage and the data header (1 byte), which can be the DO'87 of the ISO/IEC 7816-4 Secure Messaging Protocol. The separator added in the last 3DES stage of the MAC stage shown in Figure 7 can be the DO'99 data packet of the ISO/IEC 7816-4 Secure Messaging Protocol.
[0044] Although the present invention has been described with reference to a specific embodiment, it is not limited to this embodiment and no doubt alternatives will occur to the skilled person that lie within the scope of the invention as claimed.

Claims

1. An electronic device for encrypting or decrypting data blocks of a message having n data blocks in accordance with the data encryption standard (DES), the electronic device comprising: a first data processing channel comprising a first processing stage for performing encryption or decryption of data blocks of a predefined length, and a first input data buffer coupled to a data input and to the first processing stage; and a second data processing channel comprising a second processing stage for performing encryption or decryption of data blocks, a second data input buffer coupled to an output of the first processing stage; and to the second processing stage; the electronic device further comprising a control stage (FSM) for controlling the first processing stage and the second processing stage, so as to perform an encryption or decryption step with the second processing stage on an encrypted/decrypted data block output from the first processing stage, wherein the control stage is adapted to control the first processing stage to perform data encryption or decryption according to the data encryption standard on each block and to control the second processing stage to compute a message authentication code over the encrypted/decrypted message received from the first processing stage block-by-block.
2. The electronic device according to claim 1, further comprising a first key register for storing a first encryption or decryption key to be used by the first processing stage, and a second key register for storing a second encryption or decryption key to be used by the second processing stage.
3. The electronic device according to claim 1 or claim 2, wherein the second input data buffer has twice the size of the first data buffer.
4. The electronic device according to any preceding claim, wherein the first processing stage and the second processing stage are both adapted to perform single-DES and triple-DES operations.
5. The electronic device according to claim 3 or claim 4, wherein the first and the second encryption and/or decryption key has a maximum length of 128 Bit.
6. The electronic device according to any preceding claim, wherein the first channel is adapted to perform ECB mode and CBC mode for encryption and decryption and the second channel is adapted to perform ECB for encryption and decryption and CBC mode for encryption only.
7. The electronic device according to any preceding claim, wherein a data block has a length of 64 Bit.
8. A method for encrypting a message having n data blocks, the method comprising: encrypting a data block in a first processing stage in accordance with a single-DES or triple-DES operation, passing the encrypted data block to a second processing stage, and encrypting the encrypted data block in the second processing stage in accordance with a single-DES or triple-DES operation, wherein the first encrypting step performs data encryption on each block and the second encrypting step performs computation of a message authentication code over the encrypted message block-by-block.
9. A method for decrypting a message having n encrypted data blocks and a message authentication code, the method comprising: decrypting a data block in a first processing stage in accordance with a single-DES or triple-DES operation, passing the decrypted data block to a second processing stage, decrypting the decrypted data block in the second processing stage in accordance with a single-DES or triple-DES operation, wherein the first decrypting step performs data decryption on each block and the second decrypting step retrieves the message authentication code from n blocks.
10. A method of encrypting or decrypting data blocks of a message having n data blocks in accordance with the data encryption standard (DES), the method comprising: performing encryption or decryption of data blocks of a predefined length in a first data processing channel comprising a first processing stage and a first input data buffer coupled to a data input and to the first processing stage; and performing encryption or decryption of data blocks in a second data processing channel comprising a second processing stage and a second data input buffer coupled to an output of the first processing stage; and to the second processing stage; the method further comprising controlling the first processing stage and the second processing stage, so as to perform an encryption or decryption step with the second processing stage on an encrypted/decrypted data block output from the first processing stage and controlling the first processing stage to perform data encryption or decryption according to the data encryption standard on each block and controlling the second processing stage to compute a message authentication code over the encrypted/decrypted message received from the first processing stage block-by-block.
11. The subject matter of the statements of invention characterized by the features recited therein.
PCT/EP2008/064981 2007-11-05 2008-11-05 Digital-encryption hardware accelerator WO2009059991A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
DE102007052656.5 2007-11-05
DE102007052656A DE102007052656B4 (en) 2007-11-05 2007-11-05 Digital encryption hardware accelerator
US12/264,782 2008-11-04
US12/264,782 US20090147947A1 (en) 2007-11-05 2008-11-04 Digital-encryption hardware accelerator

Publications (1)

Publication Number Publication Date
WO2009059991A1 true WO2009059991A1 (en) 2009-05-14

Family

ID=40352188

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/064981 WO2009059991A1 (en) 2007-11-05 2008-11-05 Digital-encryption hardware accelerator

Country Status (1)

Country Link
WO (1) WO2009059991A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090147947A1 (en) * 2007-11-05 2009-06-11 Texas Instruments Deutschland Gmbh Digital-encryption hardware accelerator

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5671283A (en) * 1995-06-08 1997-09-23 Wave Systems Corp. Secure communication system with cross linked cryptographic codes


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
GUENDOUZ H ET AL: "Rapid prototype of a fast data encryption standard with integrity processing for cryptographic applications", CIRCUITS AND SYSTEMS, 1998. ISCAS '98. PROCEEDINGS OF THE 1998 IEEE INTERNATIONAL SYMPOSIUM ON MONTEREY, CA, USA 31 MAY-3 JUNE 1998, NEW YORK, NY, USA, IEEE, US, vol. 6, 31 May 1998 (1998-05-31), pages 434 - 437, XP010289722, ISBN: 978-0-7803-4455-6 *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08847736

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08847736

Country of ref document: EP

Kind code of ref document: A1