WO2016028140A1 - System and method for adaptive protocol data unit management for secure network communication - Google Patents

Publication number
WO2016028140A1
Authority
WO
WIPO (PCT)
Prior art keywords
cipher
pdu
key
code
encrypted
Prior art date
Application number
PCT/MY2015/050083
Other languages
French (fr)
Inventor
Mohd Aminudin Mohd Khalid
Ahmad Raif Mohamed Noor Beg
Muhammad Reza Z'ABA
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad
Publication of WO2016028140A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/36 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with means for detecting characters not meant for transmission
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • the present invention relates generally to arrangement and method for data encryption and decryption in a computer network. More particularly, the present invention relates to an improved system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver and to the method thereof.
  • PDU protocol data unit
  • Protocol data unit or simply known as PDU is a basic unit that defines a single data format that can be exchanged in telecommunication protocol. This is the basic format that must be agreed between communication parties and typically used for identification of the beginning part and the ending part of a single unit of information. PDU is mostly transmitted in plain text form. Nonetheless, since safeguarding communication and authenticating data has become more and more important, PDU and cryptology research has become more necessary and urgent that it can be encrypted for confidentiality.
  • Cryptography mainly deals with the investigation of methods for securing communications and authenticating data.
  • cryptography referred almost exclusively to encryption, which is the process of converting ordinary information called plain text into unintelligible text called cipher text.
  • Decryption is the reverse, in other words, moving from the unintelligible cipher text back to plaintext.
  • a cipher can be a pair of algorithms that create the encryption and the reversing decryption.
  • the detailed operation of a cipher is controlled both by the algorithm and in each instance by a key which is a secret ideally known only to the communicants, usually a short string of characters, which is needed to decrypt the cipher text.
  • VPN Virtual Private Network
  • VPN Client Agent usually monitors the packet of interest and encrypts the same using a fixed algorithm.
  • VPN Server Agent upon receiving the encrypted PDU performs decryption operation that follows the mentioned principle using the fixed algorithm.
  • IP Internet Protocol
  • the present invention provides a system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver.
  • the system comprises a key scheduler and a cipher processing unit in communication with the key scheduler.
  • the key scheduler can be configured for receiving a master key and for generating a set of round sub-keys based on the master key received thereto.
  • the cipher processing unit can be configured for encrypting or decrypting a PDU stream using a cipher module upon receiving the set of round sub-keys from the key scheduler.
  • the system of the present invention can be characterized by the key scheduler that includes at least two block ciphers each comprising cipher modules, a cipher table comprising cipher identifier codes assigned to the cipher modules, and a cipher code key, and the cipher processing unit that further comprises an encryption-decryption processor in communication with an encryption unit and a decryption unit.
  • the encryption unit can be configured for encrypting each of a plurality of PDU segments of the PDU stream using the cipher module with selection based on transmitter status information supplied thereto, and for encrypting a cipher code constructed from the cipher identifier codes of the corresponding cipher modules using the cipher code key.
  • the decryption unit can be configured for decrypting encrypted cipher code using the cipher code key, and for decrypting each of encrypted PDU segments using the cipher module embedded in the cipher code decrypted therefrom.
  • the encryption unit comprises a PDU processor that can be configured to segment the PDU stream into the plurality of PDU segments.
  • the at least two block ciphers can be selected from the group comprising general-purpose (GP) block cipher and lightweight (LW) block cipher.
  • the key scheduler can assign a combination of the at least two block ciphers to each of the plurality of PDU segments.
  • the transmitter status information can include battery level, transmitter location and processing load.
  • the cipher code comprises three cipher identifier codes that can be arranged sequentially in a row.
  • the encryption unit can encapsulate the encrypted PDU segments and the encrypted cipher code.
  • the present invention provides a method of managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver. The method comprises initializing a PDU stream comprising source address, destination address and data to transfer over the network communication; and obtaining a master key to encrypt or decrypt the PDU stream.
  • the method further comprises the steps of establishing at least two block ciphers each comprising cipher modules to encrypt or decrypt the PDU stream; upon receiving the master key, generating a cipher table comprising cipher identifier codes assigned to the cipher modules, a set of round sub-keys and a cipher code key.
  • the method can be characterized by the steps of encryption and decryption.
  • if the PDU stream requires encryption, segmenting the PDU stream into a plurality of PDU segments including header, payload and tail; assigning at least one of the at least two block ciphers to each of the plurality of PDU segments; obtaining transmitter status information, wherein the transmitter status information includes battery level, transmitter location and processing load; selecting, based on the transmitter status information, a cipher module for each of the plurality of PDU segments from among the cipher modules in the respective block ciphers; constructing a cipher code by sequentially connecting the cipher identifier codes of the cipher modules selected for the plurality of PDU segments; encrypting each of the plurality of PDU segments using the cipher module to thereby form encrypted PDU segments; encrypting the cipher code using the cipher code key to thereby form an encrypted cipher code; and encapsulating the encrypted PDU segments and the encrypted cipher code.
  • FIG. 1 is a block diagram showing the system for managing a protocol data unit (PDU) for secure network communication in respect to PDU stream encryption according to an embodiment of the present invention
  • Figure 2 is a block diagram showing the system for managing a protocol data unit (PDU) for secure network communication in respect to PDU stream decryption according to an embodiment of the present invention
  • Figure 3 is a flow diagram depicting the step of reading and expanding the master key at the key scheduler according to an embodiment of the present invention
  • Figure 4 is a flow diagram depicting the step of PDU stream encryption according to an embodiment of the present invention
  • Figure 5 is a flow diagram depicting the step of PDU stream decryption according to an embodiment of the present invention
  • Figure 6 is a flow diagram depicting the encryption operation in respect to battery level based on the transmitter status information according to one exemplary embodiment of the present invention.
  • Figure 7 is a flow diagram depicting the encryption operation in respect to transmitter location based on the transmitter status information according to one exemplary embodiment of the present invention
  • the present invention employs different types of block cipher that are switchable to adapt to any device conditions.
  • the system for managing a PDU that migrates between a transmitter and a receiver for secure network communication comprises a key scheduler 100 and a cipher processing unit 101, as shown in Figures 1 and 2.
  • the key scheduler 100 may be configured to receive a master key that is transmitted by an administrator from a secure location to authorize encryption and decryption of a PDU stream in the system.
  • the PDU stream preferably comprises source address, destination address and data to transfer over the network communication, each of which can be imposed or embedded in its respective PDU segments, namely header, payload and tail
  • the PDU stream may be initialized by the administrator.
  • the master key can include public master key and private master key and may be stored in any known volatile key apparatus. Based on a key value designated for the master key, the key scheduler 100 expands and generates a set of round sub-keys.
  • the cipher processing unit 101 which is coupled to the key scheduler 100 can be configured to encrypt or decrypt the PDU stream using a cipher module upon receiving the set of round sub-keys.
  • the key scheduler 100 may include a plurality of block ciphers of different types, each of which comprising cipher modules.
  • the key scheduler 100 can be configured to output a cipher table comprising cipher identifier codes assigned to the cipher modules, and a cipher code key.
  • the key scheduler 100 is configured to output, based on the master key received from the administrator, the cipher table, the set of round sub-keys and the cipher code key that can next be forwarded as an input to the cipher processing unit 101.
  • the key scheduler 100 may comprise a cipher code key generator (not shown) that can be configured to generate a cipher code key, randomly or orderly.
  • In step 200, the key scheduler 100 reads the master key as supplied by the administrator. Subsequently, the key scheduler 100 generates, based on the key value, cipher identifier codes for cipher modules, a set of round sub-keys for encryption-decryption algorithms, and a cipher code key as shown in steps 201, 202 and 203 respectively.
  • Every block cipher can operate on fixed length b-bit input to produce b-bit cipher text at any mode of operation.
  • the block ciphers may be selected from the group comprising general-purpose (GP) block cipher and lightweight (LW) block cipher.
  • GP block cipher can be used for any encryption-decryption environment.
  • LW block cipher is configured so as to fit into highly constrained environments.
  • GP block cipher preferably comprises cipher modules implementing encryption-decryption algorithms that may be selected from the group consisting of AES finalists including AES128, AES192, AES256, Serpent and Twofish.
  • LW block cipher preferably comprises cipher modules implementing encryption-decryption algorithms that may be selected from the group consisting of PRESENT and LBlock.
  • the set of round sub-keys expanded from the master key by the key scheduler 100 can be assigned to the encryption-decryption algorithms of the cipher modules allocated in every block cipher.
  • a block cipher executes its cipher operation based on number of rounds, wherein each round of operation requires a round sub-key. For instance, N number of round sub-keys is required if the block cipher has N number of rounds.
  • the key scheduler 100 may also be a single universal generic key scheduler for generating all sub-keys required by the cipher modules.
  • the cipher table of the present invention comprises cipher module column charting cipher modules and cipher identifier code column charting cipher identifier codes.
  • the key scheduler 100 generates two cipher tables, one each for GP block cipher and LW block cipher. Every cipher module allocated in the cipher module column has its corresponding cipher identifier code assigned thereto.
  • the cipher identifier code is essentially derived based on the key value of the master key. It is more essential that, besides among them, the cipher identifier code is also exclusive for a specified encryption-decryption operation.
  • a cipher identifier code for a cipher module may differ if a different master key is inputted at the key scheduler 100.
  • Example of cipher table for GP block cipher and LW block cipher is shown in Tables 1 and 2.
  • the system of the present invention can comprise a PDU table.
  • the PDU table may be utilized so as to specify a type of block cipher to use for the PDU stream (or every PDU segment).
  • the PDU table is preferably predefined prior to the encryption-decryption operation.
  • the PDU segments including header, payload and tail can be assigned with at least one of the block ciphers, namely GP block cipher and LW block cipher.
  • a PDU segment may be assigned with both the block ciphers that the selection of it can be made upon receiving transmitter status information.
  • not every PDU segment requires a block cipher, in that the said PDU segment does not necessarily be encrypted or decrypted.
  • Example of PDU table is shown in Table 3.
  • the cipher code key generated based on the master key may be used to encrypt and decrypt a cipher code.
  • the cipher code is a code purposely created so as to identify the cipher modules selected for every PDU segment.
  • the cipher code contains a number of portions that is equivalent to a number of the PDU segments.
  • the cipher code has three portions reflecting three PDU segments, namely header, payload and tail. Each of the three portions can be represented by symbol '<PDU segment>'.
  • the cipher code is preferably constructed by sequentially connecting or arranging the cipher identifier codes of the selected cipher modules according to the PDU segments in a row.
  • a cipher code may be <10><011><01>, where the first portion, i.e. <10>, represents header to encrypt or decrypt by PRESENT of LW block cipher, the second portion, i.e. <011>, represents payload to encrypt or decrypt by SERPENT of GP block cipher, and the third portion, i.e. <01>, represents tail to encrypt or decrypt by PRESENT of LW block cipher.
  • the cipher code can randomly select any cipher module for the PDU segments as initially established in the PDU table. Besides the cipher code key, the cipher code may also be encrypted and decrypted using a default cipher code key.
  • the cipher processing unit 101 comprises an encryption-decryption processor 101a embedded therein in communication with an encryption unit 101b and a decryption unit 101c.
  • the encryption-decryption processor 101a comprises a computer readable recording medium that stores a program for causing a computer including a memory to perform the encryption and decryption operation at any mode of operation as shown in Figures 4 and 5.
  • the encryption unit 101b and the encryption-decryption processor 101a through its program causes the computer to select a cipher module from among the cipher modules of the respective block ciphers in the PDU table for each of the PDU segments (that are derived from the PDU stream in step 303) based on the transmitter status information in steps 304 and 305. It is important to note that the PDU table, the cipher table and the set of round sub-keys must be obtained and prepared prior to the encryption and decryption operation at the encryption-decryption processor 101a as depicted in steps 300, 301 and 302 to ensure a smooth encryption operation.
  • the system can further comprise a PDU processor 102 that may be configured to segment the PDU stream into (a plurality of) PDU segments that contain, for example, source address, destination address and data.
  • the PDU processor 102 preferably segments or divides the PDU stream into PDU segments with a predefined size.
  • the PDU processor 102 may also segment or divide the PDU segments into PDU sub-segments with a predefined size.
  • the PDU processor 102 can be positioned along the PDU stream before or in the cipher processing unit 101.
  • the transmitter status information can include information on battery level, transmitter location, processing load and other suitable status information.
  • the transmitter status information may be supplied by the transmitter itself through any suitable module that will not be discussed in detail herein.
  • the encryption-decryption processor 101a may also select no cipher module for any PDU segment depending on various circumstances.
  • the encryption unit 101b constructs a cipher code that signifies the cipher modules selected for every PDU segment.
  • Each of the PDU segments is next encrypted in step 307 using the respective designated cipher modules to form encrypted PDU segments.
  • the cipher code is next encrypted using a cipher code key or a default cipher code key to form an encrypted cipher code, as in step 308.
  • Prior to transmission from the transmitter to the receiver, the encrypted PDU segments and the encrypted cipher code are encapsulated to form an encapsulated PDU stream in step 309.
  • the encapsulation may include appending related information such as size of the PDU segments.
  • Figures 6 and 7 each illustrate an example in respect to different transmitter status information.
  • Figure 6 depicts the encryption operation at the cipher processing unit 101 in respect to battery level of the transmitter.
  • the cipher processing unit 101 through the encryption unit 101b checks whether the transmitter is powered by a battery. If there is no battery at the transmitter, cipher modules mostly from GP block cipher are selected and its cipher code is constructed accordingly. Upon that, the PDU segments and the cipher code are next encrypted and encapsulated for transmission to the receiver.
  • the cipher processing unit 101 selects cipher modules from the respective designated block ciphers to construct its cipher code according to different categories of battery power level.
  • the battery power level for example, can be pre-categorized into three categories, namely low, average and high.
  • low battery power level indicates about 1 to 30% battery life
  • average battery power level indicates about 31 to 60% battery life
  • high battery power level indicates about 61 to 100% battery life
  • the cipher code is constructed such that every PDU segment is encrypted using LW block cipher
  • If the battery power level is average, the cipher code is constructed such that header and tail in the PDU segments are encrypted using LW block cipher and payload is encrypted using GP block cipher.
  • If the battery power level is high, the cipher code is constructed such that header and payload in the PDU segments are encrypted using GP block cipher and tail is encrypted using LW block cipher.
  • Figure 7 depicts the encryption operation at the cipher processing unit 101 in respect to transmitter location.
  • the cipher processing unit 101 through the encryption unit 101b checks whether the transmitter is located outside of a building. If the transmitter is not located outside of the building, a cipher code is constructed such that every PDU segment is encrypted using LW block cipher. If the transmitter is located outside of the building, a cipher code is constructed such that header and tail in the PDU segments are encrypted using LW block cipher and payload is encrypted using GP block cipher.
  • the system of the present invention allows for the decryption operation if the PDU stream requires the same.
  • the decryption operation is illustrated with reference to Figures 2 and 5.
  • Upon receiving the encapsulated PDU stream from the transmitter, the key scheduler 100 of the receiver reads the master key as supplied by the administrator. Subsequently, the key scheduler 100 generates, based on the key value of the master key, cipher identifier codes for cipher modules, a set of round sub-keys for encryption-decryption algorithms, and a cipher code key as shown in step 401 and in steps 200, 201, 202 and 203 of Figure 3 respectively.
  • the key scheduler 100 at the transmitter and the receiver must be identical when the encryption-decryption operation is performed.
  • the cipher processing unit 101 through the encryption-decryption processor 101a and the decryption unit 101c decrypts the encrypted cipher code using the cipher code key retrieved from the master key or the default cipher code key so as to obtain a cipher code, as in step 402.
  • the step 402 is preferably executed after de-capsulating the encapsulated PDU stream.
  • the cipher code is essentially the same as utilized during the encryption operation.
  • the cipher code is processed and the cipher modules embedded therein are identified. Subsequently in step 403, the encrypted PDU segments in the encapsulated PDU stream each is decrypted using the identified cipher modules so as to recover a (decrypted) PDU stream, i.e. the original PDU stream.
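
The cipher table, battery-based selection and cipher code handling listed above, as an added Python sketch that is not part of the patent text. Assumptions: identifier codes are derived by ranking candidate codes with HMAC-SHA256 under the master key (the page only says they are derived from the key value), code widths of 2 bits (LW) and 3 bits (GP) are taken from the sample cipher code, the all-LW case is read as the low battery category, and all function names, the `prefer` parameter and the master key value are constructed for illustration.

```python
import hashlib
import hmac
import re

# Cipher modules the page lists for each block-cipher type.
MODULES = {
    "GP": ["AES128", "AES192", "AES256", "Serpent", "Twofish"],
    "LW": ["PRESENT", "LBlock"],
}
# Widths follow the page's sample cipher code <10><011><01> (assumption:
# Tables 1 and 2 are not reproduced on the page).
WIDTH = {"GP": 3, "LW": 2}
SEGMENTS = ("header", "payload", "tail")


def build_cipher_table(master_key, family):
    """Map each module of one family to a unique, key-dependent identifier code."""
    width = WIDTH[family]
    codes = [format(i, "0{}b".format(width)) for i in range(2 ** width)]
    # Assumed derivation: order all candidate codes by a keyed tag, then
    # hand them out to the modules in that order.
    codes.sort(key=lambda c: hmac.new(
        master_key, (family + ":" + c).encode(), hashlib.sha256).digest())
    return dict(zip(MODULES[family], codes))


def key_scheduler_tables(master_key):
    """Both cipher tables, as produced on the transmitter and the receiver."""
    return {family: build_cipher_table(master_key, family) for family in MODULES}


def families_for_battery(battery_pct):
    """Block-cipher type per PDU segment for the page's battery categories."""
    if battery_pct is None:
        # No battery: the page says "mostly" GP; all-GP is this sketch's choice.
        return dict.fromkeys(SEGMENTS, "GP")
    if not 0 <= battery_pct <= 100:
        raise ValueError("battery level must be within 0..100")
    if battery_pct <= 30:   # low (0% is treated as low here)
        return dict.fromkeys(SEGMENTS, "LW")
    if battery_pct <= 60:   # average
        return {"header": "LW", "payload": "GP", "tail": "LW"}
    return {"header": "GP", "payload": "GP", "tail": "LW"}  # high


def select_modules(battery_pct, prefer):
    """Pick one module per segment; `prefer` names the module used per family."""
    return {seg: prefer[fam] for seg, fam in families_for_battery(battery_pct).items()}


def construct_cipher_code(selection, tables):
    """Connect the identifier codes in header, payload, tail order."""
    parts = []
    for seg in SEGMENTS:
        module = selection[seg]
        family = "GP" if module in MODULES["GP"] else "LW"
        parts.append("<" + tables[family][module] + ">")
    return "".join(parts)


def parse_cipher_code(cipher_code, tables):
    """Receiver side: identify the module selected for each segment."""
    portions = re.findall(r"<([01]+)>", cipher_code)
    rebuilt = "".join("<%s>" % p for p in portions)
    if len(portions) != len(SEGMENTS) or rebuilt != cipher_code:
        raise ValueError("malformed cipher code")
    family_by_width = {w: f for f, w in WIDTH.items()}
    selection = {}
    for seg, code in zip(SEGMENTS, portions):
        family = family_by_width.get(len(code))
        inverse = {c: m for m, c in tables.get(family, {}).items()}
        if code not in inverse:
            # Unassigned code: wrong master key, corruption or tampering.
            raise ValueError("unknown cipher identifier code for " + seg)
        selection[seg] = inverse[code]
    return selection


if __name__ == "__main__":
    key = b"constructed-master-key"  # constructed sample value
    tables = key_scheduler_tables(key)
    chosen = select_modules(45, {"GP": "Serpent", "LW": "PRESENT"})
    code = construct_cipher_code(chosen, tables)
    print(code, parse_cipher_code(code, tables))
```

Encryption of the segments and of the cipher code itself is outside this sketch; the receiver-side lookup only succeeds when both ends build their tables from the same master key.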

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an improved system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver and to the method thereof. The present invention can adaptively and selectively perform PDU encryption using different types of block ciphers, selection of which depends upon transmitter status information. The system of the present invention comprises a key scheduler (100) and a cipher processing unit (101). Preferably, the key scheduler (100) can be configured for receiving a master key and for generating a set of round sub-keys, at least two block ciphers each comprising cipher modules, a cipher table comprising cipher identifier codes assigned to the cipher modules, and a cipher code key. The cipher processing unit (101) comprises an encryption unit (101b) and a decryption unit (101c) which, through an encryption-decryption processor (101a), can be configured for encrypting or decrypting a PDU stream using the cipher modules selected based on the transmitter status information supplied thereto.

Description

SYSTEM AND METHOD FOR ADAPTIVE PROTOCOL DATA UNIT MANAGEMENT FOR SECURE NETWORK COMMUNICATION
FIELD OF THE INVENTION
The present invention relates generally to arrangement and method for data encryption and decryption in a computer network. More particularly, the present invention relates to an improved system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver and to the method thereof.
BACKGROUND OF THE INVENTION
Protocol data unit or simply known as PDU is a basic unit that defines a single data format that can be exchanged in telecommunication protocol. This is the basic format that must be agreed between communication parties and typically used for identification of the beginning part and the ending part of a single unit of information. PDU is mostly transmitted in plain text form. Nonetheless, since safeguarding communication and authenticating data has become more and more important, PDU and cryptology research has become more necessary and urgent that it can be encrypted for confidentiality.
Cryptography mainly deals with the investigation of methods for securing communications and authenticating data. Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information called plain text into unintelligible text called cipher text. Decryption is the reverse, in other words, moving from the unintelligible cipher text back to plaintext. A cipher can be a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key which is a secret ideally known only to the communicants, usually a short string of characters, which is needed to decrypt the cipher text.
One conventional technique is to employ a Virtual Private Network (VPN) in which the PDU is encrypted at the sender side and decrypted at the receiver side. VPN Client Agent usually monitors the packet of interest and encrypts the same using a fixed algorithm. VPN Server Agent upon receiving the encrypted PDU performs decryption operation that follows the mentioned principle using the fixed algorithm.
A problem with the known technique is that such encryption-decryption operation with one fixed algorithm can be very vulnerable to state-of-the-art cryptanalysis attacks, as the VPN uses a fixed block cipher to encrypt and decrypt every Internet Protocol (IP) datagram.
Another problem of the known technique is that the encryption operation is in fact non-adaptive to any device current condition, and it is where switching between the block ciphers during encryption is not favorable and disallowed. Therefore, a need exists for an improved system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver and for an improved method thereof.
SUMMARY OF THE INVENTION
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention; its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
Accordingly, the present invention provides a system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver. The system comprises a key scheduler and a cipher processing unit in communication with the key scheduler. The key scheduler can be configured for receiving a master key and for generating a set of round sub-keys based on the master key received thereto. The cipher processing unit can be configured for encrypting or decrypting a PDU stream using a cipher module upon receiving the set of round sub-keys from the key scheduler. The system of the present invention can be characterized by the key scheduler that includes at least two block ciphers each comprising cipher modules, a cipher table comprising cipher identifier codes assigned to the cipher modules, and a cipher code key, and the cipher processing unit that further comprises an encryption-decryption processor in communication with an encryption unit and a decryption unit.
The encryption unit can be configured for encrypting each of a plurality of PDU segments of the PDU stream using the cipher module with selection based on transmitter status information supplied thereto, and for encrypting a cipher code constructed from the cipher identifier codes of the corresponding cipher modules using the cipher code key. The decryption unit can be configured for decrypting encrypted cipher code using the cipher code key, and for decrypting each of encrypted PDU segments using the cipher module embedded in the cipher code decrypted therefrom.
Preferably, the encryption unit comprises a PDU processor that can be configured to segment the PDU stream into the plurality of PDU segments. Preferably, the at least two block ciphers can be selected from the group comprising general-purpose (GP) block cipher and lightweight (LW) block cipher.
Preferably, the key scheduler can assign a combination of the at least two block ciphers to each of the plurality of PDU segments.
Preferably, the transmitter status information can include battery level, transmitter location and processing load.
Preferably, the cipher code comprises three cipher identifier codes that can be arranged sequentially in a row.
Preferably, the encryption unit can encapsulate the encrypted PDU segments and the encrypted cipher code.
In accordance with another aspect, the present invention provides a method of managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver. The method comprises initializing a PDU stream comprising source address, destination address and data to transfer over the network communication; and obtaining a master key to encrypt or decrypt the PDU stream.
The method further comprises the steps of establishing at least two block ciphers each comprising cipher modules to encrypt or decrypt the PDU stream; upon receiving the master key, generating a cipher table comprising cipher identifier codes assigned to the cipher modules, a set of round sub-keys and a cipher code key.
The method can be characterized by the steps of encryption and decryption.
If the PDU stream requires encryption, segmenting the PDU stream into a plurality of PDU segments including header, payload and tail; assigning at least one of the at least two block ciphers to each of the plurality of PDU segments; obtaining transmitter status information, wherein the transmitter status information including battery level, transmitter location and processing load; selecting, based on the transmitter status information, a cipher module for each of the plurality of PDU segments from among the cipher modules in the respective block ciphers; constructing a cipher code by sequentially connecting the cipher identifier codes of the cipher modules selected for the pluraiity of PDU segments; encrypting each of the plurality of PDU segments using the cipher module to thereby form encrypted PDU segments; encrypting the cipher code using the cipher code key to thereby form an encrypted cipher code; and encapsulating the encrypted PDU segments and the encrypted cipher code. if the PDU stream requires decryption, decrypting the encrypted cipher code using the cipher code key; and decrypting each of the encrypted PDU segments using the cipher module embedded in the cipher code to recover the PDU stream. it is therefore an advantage of the present invention that can perform PDU encryption using different types of block ciphers and each sub-segment of PDU may be encrypted using different block cipher algorithms selection of which depends upon the secret master key and device conditions.
It is therefore another advantage of the present invention that allows adaptive PDU encryption where every type of block ciphers is switchable to suit current device conditions.
The foregoing and other objects, features, aspects and advantages of the present invention will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
A more complete appreciation of the invention and many of the attendant advantages thereof will be readily obtained as the same becomes better understood by reference to the following detailed description when considered in connection with the accompanying drawings, wherein:
Figure 1 is a block diagram showing the system for managing a protocol data unit (PDU) for secure network communication in respect to PDU stream encryption according to an embodiment of the present invention;
Figure 2 is a block diagram showing the system for managing a protocol data unit (PDU) for secure network communication in respect to PDU stream decryption according to an embodiment of the present invention;
Figure 3 is a flow diagram depicting the step of reading and expanding the master key at the key scheduler according to an embodiment of the present invention;
Figure 4 is a flow diagram depicting the step of PDU stream encryption according to an embodiment of the present invention;
Figure 5 is a flow diagram depicting the step of PDU stream decryption according to an embodiment of the present invention;
Figure 6 is a flow diagram depicting the encryption operation in respect to battery level based on the transmitter status information according to one exemplary embodiment of the present invention; and
Figure 7 is a flow diagram depicting the encryption operation in respect to transmitter location based on the transmitter status information according to one exemplary embodiment of the present invention.
It is noted that the drawings may not be to scale. The drawings are intended to depict only typical aspects of the invention, and therefore should not be considered as limiting the scope of the invention.
DETAILED DESCRIPTION OF THE INVENTION
It is an object of the present invention to provide a system and method for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver that can adaptively and selectively perform PDU encryption using different types of block ciphers and each sub-segment of PDU may be encrypted using different block cipher algorithms selection of which depends upon the secret master key and device conditions. Advantageously, the present invention employs different types of block cipher that are switchable to adapt to any device conditions.
Accordingly, the system for managing a PDU that migrates between a transmitter and a receiver for secure network communication comprises a key scheduler 100 and a cipher processing unit 101, as shown in Figures 1 and 2. The key scheduler 100 may be configured to receive a master key that is transmitted by an administrator from a secure location to authorize encryption and decryption of a PDU stream in the system. The PDU stream preferably comprises source address, destination address and data to transfer over the network communication, each of which can be imposed or embedded in its respective PDU segments, namely header, payload and tail. The PDU stream may be initialized by the administrator.
The master key can include public master key and private master key and may be stored in any known volatile key apparatus. Based on a key value designated for the master key, the key scheduler 100 expands and generates a set of round sub-keys. The cipher processing unit 101 which is coupled to the key scheduler 100 can be configured to encrypt or decrypt the PDU stream using a cipher module upon receiving the set of round sub-keys.
The key scheduler 100, in one preferred embodiment, may include a plurality of block ciphers of different types, each of which comprising cipher modules. The key scheduler 100 can be configured to output a cipher table comprising cipher identifier codes assigned to the cipher modules, and a cipher code key. Essentially, the key scheduler 100 is configured to output, based on the master key received from the administrator, the cipher table, the set of round sub-keys and the cipher code key that can next be forwarded as an input to the cipher processing unit 101. The key scheduler 100 may comprise a cipher code key generator (not shown) that can be configured to generate a cipher code key, randomly or orderly.
The step of reading and expanding the master key by the key scheduler 100 is illustrated in the flow diagram of Figure 3. In step 200, the key scheduler 100 reads the master key as supplied by the administrator. Subsequently, the key scheduler 100 generates, based on the key value, cipher identifier codes for cipher modules, set of round sub-keys for encryption-decryption algorithms, and cipher code key as shown in steps 201, 202 and 203 respectively.
Every block cipher can operate on fixed length b-bit input to produce b-bit cipher text at any mode of operation. The block ciphers may be selected from the group comprising general-purpose (GP) block cipher and lightweight (LW) block cipher. GP block cipher can be used for any encryption-decryption environment. LW block cipher, on the other hand, is configured so as to fit into highly constrained environments. GP block cipher preferably comprises cipher modules implementing encryption-decryption algorithms that may be selected from the group consisting of AES finalists including AES128, AES192, AES256, Serpent and TwoFish. LW block cipher preferably comprises cipher modules implementing encryption-decryption algorithms that may be selected from the group consisting of PRESENT and LBlock.
The set of round sub-keys expanded from the master key by the key scheduler 100 can be assigned to the encryption-decryption algorithms of the cipher modules allocated in every block cipher. A block cipher executes its cipher operation based on number of rounds, wherein each round of operation requires a round sub-key. For instance, N number of round sub-keys is required if the block cipher has N number of rounds. According to one embodiment of the present invention, the key scheduler 100 may also be a single universal generic key scheduler for generating all sub-keys required by the cipher modules.
The cipher table of the present invention comprises a cipher module column charting cipher modules and a cipher identifier code column charting cipher identifier codes. Preferably, the key scheduler 100 generates two cipher tables, one each for GP block cipher and LW block cipher. Every cipher module allocated in the cipher module column has its corresponding cipher identifier code assigned thereto. The cipher identifier code is essentially derived based on the key value of the master key. More importantly, besides being exclusive among them, the cipher identifier code is also exclusive for a specified encryption-decryption operation. A cipher identifier code for a cipher module may differ if a different master key is inputted at the key scheduler 100. Examples of cipher tables for GP block cipher and LW block cipher are shown in Tables 1 and 2.
[Table 1: cipher table for GP block cipher (image not reproduced)]
[Table 2: cipher table for LW block cipher (image not reproduced)]
The system of the present invention can comprise a PDU table. The PDU table may be utilized so as to specify a type of block cipher to use for the PDU stream (or every PDU segment). The PDU table is preferably predefined prior to the encryption-decryption operation. For example, the PDU segments including header, payload and tail can be assigned with at least one of the block ciphers, namely GP block cipher and LW block cipher. A PDU segment may be assigned with both the block ciphers, in which case the selection between them can be made upon receiving transmitter status information. In one embodiment of the present invention, not every PDU segment requires a block cipher, in that the said PDU segment need not necessarily be encrypted or decrypted. An example of the PDU table is shown in Table 3.
[Table 3: PDU table (image not reproduced)]
The cipher code key generated based on the master key may be used to encrypt and decrypt a cipher code. The cipher code is a code purposely created so as to identify the cipher modules selected for every PDU segment. Preferably, the cipher code contains a number of portions that is equivalent to a number of the PDU segments. For example, the cipher code has three portions reflecting three PDU segments, namely header, payload and tail. Each of the three portions can be represented by symbol '<PDU segment>'. The cipher code is preferably constructed by sequentially connecting or arranging the cipher identifier codes of the selected cipher modules according to the PDU segments in a row. A cipher code, for example, may be <10><011><01>, where the first portion, i.e. <10> represents header to encrypt or decrypt by PRESENT of LW block cipher, the second portion, i.e. <011> represents payload to encrypt or decrypt by SERPENT of GP block cipher, and the third portion, i.e. <01> represents tail to encrypt or decrypt by PRESENT of LW block cipher. The cipher code can randomly select any cipher module for the PDU segments as initially established in the PDU table. Besides the cipher code key, the cipher code may also be encrypted and decrypted using a default cipher code key.
According to one preferred embodiment of the present invention, the cipher processing unit 101 comprises an encryption-decryption processor 101a embedded therein in communication with an encryption unit 101b and a decryption unit 101c. The encryption-decryption processor 101a comprises a computer readable recording medium that stores a program for causing a computer including a memory to perform the encryption and decryption operation at any mode of operation as shown in Figures 4 and 5.
With reference to Figure 4, if the PDU stream requires encryption, the encryption unit 101b and the encryption-decryption processor 101a through its program causes the computer to select a cipher module from among the cipher modules of the respective block ciphers in the PDU table for each of the PDU segments (that are derived from the PDU stream in step 303) based on the transmitter status information in steps 304 and 305. It is important to note that the PDU table, the cipher table and the set of round sub-keys must be obtained and prepared prior to the encryption and decryption operation at the encryption-decryption processor 101a as depicted in steps 300, 301 and 302 to ensure a smooth encryption operation.
To facilitate segmentation of the PDU stream using the encryption unit 101b, the system can further comprise a PDU processor 102 that may be configured to segment the PDU stream into (a plurality of) PDU segments that contain, for example, source address, destination address and data. The PDU processor 102 preferably segments or divides the PDU stream into PDU segments with a predefined size. The PDU processor 102 may also segment or divide the PDU segments into PDU sub-segments with a predefined size. The PDU processor 102 can be positioned along the PDU stream before or in the cipher processing unit 101. The transmitter status information can include information on battery level, transmitter location, processing load and other suitable status information. The transmitter status information may be supplied by the transmitter itself through any suitable module that will not be discussed in detail herein. The encryption-decryption processor 101a may also select no cipher module for any PDU segment depending on various circumstances.
Once the cipher module for every PDU segment has been identified, in step 306, the encryption unit 101b constructs a cipher code that signifies the cipher modules selected for every PDU segment. Each of the PDU segments is next encrypted in step 307 using the respective designated cipher modules to form encrypted PDU segments. The cipher code is next encrypted using a cipher code key or a default cipher code key to form an encrypted cipher code, as in step 308. Prior to transmission from the transmitter to the receiver, the encrypted PDU segments and the encrypted cipher code are encapsulated to form an encapsulated PDU stream in step 309. The encapsulation may include appending related information such as size of the PDU segments.
To appreciate the importance of transmitter status information supplied thereto that allows the system of the present invention to adaptively and selectively perform PDU encryption using different types of block ciphers, Figures 6 and 7 each illustrate an example in respect to different transmitter status information. Figure 6 depicts the encryption operation at the cipher processing unit 101 in respect to battery level of the transmitter. Firstly, the cipher processing unit 101 through the encryption unit 101b checks whether the transmitter is powered by a battery. If there is no battery at the transmitter, cipher modules mostly from GP block cipher are selected and its cipher code is constructed accordingly. Upon that, the PDU segments and the cipher code are next encrypted and encapsulated for transmission to the receiver. If the transmitter is battery-powered, power level of the battery is next gauged and the cipher processing unit 101 selects cipher modules from the respective designated block ciphers to construct its cipher code according to different categories of battery power level. The battery power level, for example, can be pre-categorized into three categories, namely low, average and high. Preferably, low battery power level indicates about 1 to 30% battery life, average battery power level indicates about 31 to 60% battery life, and high battery power level indicates about 61 to 100% battery life. If the battery power level is low, the cipher code is constructed such that every PDU segment is encrypted using LW block cipher. If the battery power level is average, the cipher code is constructed such that header and tail in the PDU segments are encrypted using LW block cipher and payload is encrypted using GP block cipher. If the battery power level is high, the cipher code is constructed such that header and payload in the PDU segments are encrypted using GP block cipher and tail is encrypted using LW block cipher.
Figure 7 depicts the encryption operation at the cipher processing unit 101 in respect to transmitter location. Firstly, the cipher processing unit 101 through the encryption unit 101b checks whether the transmitter is located outside of a building. If the transmitter is not located outside of the building, a cipher code is constructed such that every PDU segment is encrypted using LW block cipher. If the transmitter is located outside of the building, a cipher code is constructed such that header and tail in the PDU segments are encrypted using LW block cipher and payload is encrypted using GP block cipher.
According to one preferred embodiment, the system of the present invention allows for the decryption operation if the PDU stream requires the same. The decryption operation is illustrated with reference to Figures 2 and 5. Upon receiving the encapsulated PDU stream from the transmitter, the key scheduler 100 of the receiver reads the master key as supplied by the administrator. Subsequently, the key scheduler 100 generates, based on the key value of the master key, cipher identifier codes for cipher modules, set of round sub-keys for encryption-decryption algorithms, and cipher code key as shown in step 401 and in steps 200, 201, 202 and 203 of Figure 3 respectively. It is important to note that the key scheduler 100 at the transmitter and the receiver must be identical when the encryption-decryption operation is performed. Having the encapsulated PDU stream and the cipher table, the set of round sub-keys, and the cipher code key as its inputs, the cipher processing unit 101 through the encryption-decryption processor 101a and the decryption unit 101c decrypts the encrypted cipher code using the cipher code key retrieved from the master key or the default cipher code key so as to obtain a cipher code, as in step 402. Step 402 is preferably executed after de-capsulating the encapsulated PDU stream. The cipher code is essentially the same as utilized during the encryption operation. The cipher code is processed and the cipher modules embedded therein are identified. Subsequently in step 403, the encrypted PDU segments in the encapsulated PDU stream are each decrypted using the identified cipher modules so as to recover a (decrypted) PDU stream, i.e. the original PDU stream.
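The cipher table, the Figure 6 battery policy and the cipher code handling described above, shown in Python as an added example (not code from the patent). The HMAC-based code derivation, the PDU table contents and the reading of "mostly" GP for a transmitter without a battery are assumptions; encryption of the segments and of the cipher code itself is left out.

```python
import hashlib
import hmac
import re
import secrets

# Module names are from the description; code widths follow its example
# cipher code <10><011><01> (2-bit LW portions, 3-bit GP portion).
MODULES = {"GP": ["AES128", "AES192", "AES256", "Serpent", "TwoFish"],
           "LW": ["PRESENT", "LBlock"]}
WIDTH = {"GP": 3, "LW": 2}
SEGMENTS = ("header", "payload", "tail")

# Assumed PDU table (Table 3 is not reproduced on the page): block-cipher
# families permitted for each segment.
PDU_TABLE = {"header": {"GP", "LW"}, "payload": {"GP", "LW"}, "tail": {"LW"}}

# Battery policy of Figure 6. "none" (no battery) is described as "mostly" GP;
# here that is read as GP wherever the assumed PDU table allows it.
POLICY = {
    "none":    {"header": "GP", "payload": "GP", "tail": "LW"},
    "low":     {"header": "LW", "payload": "LW", "tail": "LW"},
    "average": {"header": "LW", "payload": "GP", "tail": "LW"},
    "high":    {"header": "GP", "payload": "GP", "tail": "LW"},
}


def derive_cipher_tables(master_key: bytes) -> dict:
    """Key scheduler: give every module a unique code that depends on the key.

    Assumption: candidate codes are ordered by HMAC-SHA256(master_key, label)
    and dealt to the modules in order. The page does not specify a derivation.
    """
    tables = {}
    for family, modules in MODULES.items():
        width = WIDTH[family]
        codes = [format(i, f"0{width}b") for i in range(2 ** width)]
        codes.sort(key=lambda c: hmac.new(
            master_key, f"{family}|{c}".encode(), hashlib.sha256).digest())
        tables[family] = dict(zip(modules, codes))
    return tables


def battery_category(level_percent):
    """Map a battery reading to the page's categories; None means no battery."""
    if level_percent is None:
        return "none"
    if not 0 <= level_percent <= 100:
        raise ValueError("battery level must be between 0 and 100")
    if level_percent <= 30:
        return "low"
    return "average" if level_percent <= 60 else "high"


def build_cipher_code(tables, level_percent, pick=secrets.choice):
    """Transmitter: pick a module per segment, return (cipher code, choices)."""
    families = POLICY[battery_category(level_percent)]
    chosen = {seg: pick(MODULES[families[seg]]) for seg in SEGMENTS}
    code = "".join(f"<{tables[families[seg]][chosen[seg]]}>" for seg in SEGMENTS)
    return code, chosen


def parse_cipher_code(tables, code):
    """Receiver: map a decrypted cipher code back to modules, or raise."""
    portions = re.findall(r"<([01]+)>", code)
    rebuilt = "".join(f"<{p}>" for p in portions)
    if len(portions) != len(SEGMENTS) or rebuilt != code:
        raise ValueError("malformed cipher code")
    family_by_width = {w: f for f, w in WIDTH.items()}
    result = {}
    for seg, bits in zip(SEGMENTS, portions):
        family = family_by_width.get(len(bits))
        if family not in PDU_TABLE[seg]:
            raise ValueError(f"{seg}: block cipher family not permitted")
        reverse = {c: m for m, c in tables[family].items()}
        if bits not in reverse:
            raise ValueError(f"{seg}: unassigned cipher identifier code {bits}")
        result[seg] = reverse[bits]
    return result


if __name__ == "__main__":
    tables = derive_cipher_tables(b"constructed-master-key")  # constructed sample key
    code, chosen = build_cipher_code(tables, 45)
    print(code, chosen, parse_cipher_code(tables, code))
```

The receiver-side checks matter because the cipher code decides which algorithm is applied to each segment: a code that is malformed, unassigned under the current master key, or not allowed by the PDU table is rejected before any decryption is attempted.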
Throughout the description and claims of the present invention, the singular encompasses the plural unless the context otherwise requires. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise. While this invention has been particularly shown and described with reference to the exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention as defined by the appended claims.

Claims

1. A system for managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver, comprising:
a key scheduler (100) configured for receiving a master key and for generating a set of round sub-keys based on the master key; and
a cipher processing unit (101) coupled to the key scheduler (100) configured for encrypting or decrypting a PDU stream using a cipher module upon receiving the set of round sub-keys;
characterized in that,
the key scheduler (100) including at least two block ciphers each comprising cipher modules, a cipher table comprising cipher identifier codes assigned to the cipher modules, and a cipher code key; and
the cipher processing unit (101) comprising an encryption-decryption processor (101a) in communication with an encryption unit (101b) configured for encrypting each of a plurality of PDU segments of the PDU stream using the cipher module with selection based on transmitter status information supplied thereto, and for encrypting a cipher code constructed from the cipher identifier codes of the corresponding cipher modules using the cipher code key; and a decryption unit (101c) configured for decrypting encrypted cipher code using the cipher code key, and for decrypting each of encrypted PDU segments using the cipher module embedded in the cipher code decrypted therefrom.
2. The system according to Claim 1, wherein the encryption unit (101b) comprises a PDU processor (102) configured to segment the PDU stream into the plurality of PDU segments.
3. The system according to Claim 1, wherein the at least two block ciphers are selected from the group comprising general-purpose (GP) block cipher and lightweight (LW) block cipher.
4. The system according to Claim 1, the key scheduler (100) assigns a combination of the at least two block ciphers to each of the plurality of PDU segments.
5. The system according to Claim 1, wherein the transmitter status information including battery level, transmitter location and processing load.
6. The system according to Claim 1, wherein the encryption unit (101b) encapsulates the encrypted PDU segments and the encrypted cipher code.
7. A method of managing a protocol data unit (PDU) for secure network communication between a transmitter and a receiver, comprising:
initializing a PDU stream comprising source address, destination address and data to transfer over the network communication; and
obtaining a master key to encrypt or decrypt the PDU stream using a cipher module;
characterized in that,
the method further comprising the steps of:
establishing at least two block ciphers each comprising cipher modules to encrypt or decrypt the PDU stream;
upon receiving the master key, generating a cipher table comprising cipher identifier codes assigned to the cipher modules, a set of round sub-keys and a cipher code key;
wherein if the PDU stream requires encryption,
segmenting the PDU stream into a plurality of PDU segments including header, payload and tail;
assigning at least one of the at least two block ciphers to each of the plurality of PDU segments;
obtaining transmitter status information, wherein the transmitter status information including battery level, transmitter location and processing load;
selecting, based on the transmitter status information, a cipher module for each of the plurality of PDU segments from among the cipher modules in the respective block ciphers;
constructing a cipher code by sequentially connecting the cipher identifier codes of the cipher modules selected for the plurality of PDU segments;
encrypting each of the plurality of PDU segments using the cipher module to thereby form encrypted PDU segments;
encrypting the cipher code using the cipher code key to thereby form an encrypted cipher code; and
encapsulating the encrypted PDU segments and the encrypted cipher code;
wherein if the PDU stream requires decryption,
decrypting the encrypted cipher code using the cipher code key; and
decrypting each of the encrypted PDU segments using the cipher module embedded in the cipher code to recover the PDU stream.
PCT/MY2015/050083 2014-08-18 2015-08-10 System and method for adaptive protocol data unit management for secure network communication WO2016028140A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2014702284 2014-08-18

Publications (1)

Publication Number Publication Date
WO2016028140A1 true WO2016028140A1 (en) 2016-02-25

Family

ID=55351001

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2015/050083 WO2016028140A1 (en) 2014-08-18 2015-08-10 System and method for adaptive protocol data unit management for secure network communication

Country Status (1)

Country Link
WO (1) WO2016028140A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15833602

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15833602

Country of ref document: EP

Kind code of ref document: A1