HK1081019A - Efficient encryption and authentication for data processing systems - Google Patents
Publication number: HK1081019A
Authority: HK (Hong Kong)
Prior art keywords: block, blocks, ciphertext, plaintext, checksum value
Description
Background
Technical Field
The present invention relates to the field of data processing systems, and more particularly to improving security in data processing systems.
Background
Security is a major concern in many different areas, such as e-commerce, communications and broadcasting. Security measures provide accountability, fairness, accuracy, confidentiality, operability, and other criteria desired for data processing and information systems in these areas. Cryptographic methods that provide such security are generally categorized according to two objectives: encryption and authentication. Encryption is a technique that makes data unreadable by unauthorized parties. Authentication is a technique for verifying the integrity of data, which involves verifying the identity of the author of the data and/or verifying whether the data has been altered.
Cryptographic systems are commonly referred to as cryptosystems and are either symmetric or asymmetric. Symmetric cryptosystems use a key to encrypt information and the same key to decrypt it. Asymmetric cryptosystems, such as public key cryptosystems, use a first key to encrypt information and a different key to decrypt it.
In many symmetric cryptosystems, one key is used for encryption and a separate key for authentication. Thus, in a data processing system using a symmetric cryptosystem, encryption and authentication are performed as two separate operations. Since authentication requires approximately the same processing as encryption, the total processing equals that required to encrypt the data twice. In data processing systems operating with limited power or limited hardware, such as cellular telephones, personal digital assistants, or other portable communication devices, it is desirable to have a cryptosystem that performs encryption and authentication as a single operation, thereby reducing the computational load on the device or increasing the speed at which it performs encryption and authentication.
In the article "Encryption Modes with Almost Free Message Integrity" by Charanjit Jutla, in Advances in Cryptology, EUROCRYPT 2001, Lecture Notes in Computer Science volume 2045, Springer-Verlag, 2001, cryptosystems are proposed that can encrypt a message and authenticate the encrypted message in a manner requiring little more processing than encryption alone. In other words, encryption and authentication may be performed efficiently as a single functional entity, reducing the processing resources required to provide security.
The Jutla cryptosystem is designed to encrypt all of the data to be sent. However, in some applications, the requirement that all data of the message be encrypted is undesirable. For example, in a communication protocol such as IPSec, it is not practical to encrypt all of the data: the header must be sent unencrypted for addressing. The principles of IPSec are specified in RFC 1825, "Security Architecture for the Internet Protocol", RFC 1826, "IP Authentication Header", and RFC 1827, "IP Encapsulating Security Payload (ESP)", all authored by R. Atkinson in August 1995.
Accordingly, there is a need for a secure and efficient system for encrypting and authenticating data in which not all data bits of a message need to be encrypted.
Disclosure of Invention
Methods and apparatus are presented herein that address the above-mentioned needs. In particular, methods and apparatus are presented that allow portions of a data message to be sent in the clear, portions to be sent as ciphertext, and a single authentication tag to be used to verify both the clear and the encrypted portions of the data message.
In one aspect, a method of encrypting and authenticating data as a single entity is presented, the method comprising: arranging the data into a plurality of plaintext blocks, each plaintext block sized according to a cipher block size; specifying at least one cleartext position, for which the ciphertext block is identical to the corresponding plaintext block; determining a plurality of noise blocks using a nonce value and a first key; determining a plurality of intermediate ciphertext blocks, wherein a first intermediate ciphertext block corresponds to the encrypted nonce value and the remaining intermediate ciphertext blocks are iteratively computed by encrypting a plurality of intermediate plaintext blocks with a second key, wherein each intermediate plaintext block is a combination of one of the plurality of plaintext blocks and the previous intermediate ciphertext block; determining a plurality of ciphertext blocks using the plurality of intermediate ciphertext blocks and the plurality of noise blocks, wherein a first ciphertext block is the same as the first intermediate ciphertext block and the remaining ciphertext blocks are obtained by combining a respective intermediate ciphertext block with a respective noise block; calculating an input checksum value based on the plurality of plaintext blocks and the intermediate ciphertext block corresponding to the previous plaintext block; calculating an output checksum value based on the plurality of ciphertext blocks and a noise block; calculating an authentication tag by encrypting the input checksum value with the second key and combining the encrypted input checksum value with the output checksum value; replacing each of the plurality of ciphertext blocks specified by a cleartext position with the respective plaintext block; and appending the authentication tag.
In another aspect, a method of decrypting and verifying a plurality of data blocks accompanied by an authentication tag is presented, wherein a set of cleartext positions is defined, the method comprising: determining a plurality of noise blocks using the nonce value and the first key; combining each of the plurality of data blocks not specified by a cleartext position in the set of cleartext positions with a corresponding noise block to determine a plurality of intermediate ciphertext blocks; designating each of the plurality of data blocks specified by a cleartext position in the set of cleartext positions as a plaintext block among a plurality of plaintext blocks; for each cleartext position in the set of cleartext positions, combining the respective plaintext block with the previous intermediate ciphertext block to form an intermediate plaintext block, and encrypting the intermediate plaintext block to form the intermediate ciphertext block corresponding to that cleartext position; for each position not in the set of cleartext positions, decrypting the respective intermediate ciphertext block to form an associated intermediate plaintext block, and combining the associated intermediate plaintext block with the previous intermediate ciphertext block to form the plaintext block for that position; determining a plurality of secondary ciphertext blocks, wherein each of the plurality of secondary ciphertext blocks corresponds to a cleartext position in the set of cleartext positions and is formed by combining the respective intermediate ciphertext block and the respective noise block; calculating an input checksum value by combining the last intermediate ciphertext block with the plurality of data blocks not specified by a cleartext position in the set of cleartext positions; calculating an output checksum value by combining a noise block and the plurality of secondary ciphertext blocks; and verifying the authentication tag.
In another aspect, a method of secure data transmission is presented, wherein a first portion of the data transmission is sent as plaintext, a second portion of the data transmission is sent as ciphertext, and all of the data transmission is authenticated, the method comprising: generating a set of cleartext positions; encrypting the first portion of the data transmission and the second portion of the data transmission as ciphertext, wherein the first portion of the data transmission is specified by the set of cleartext positions and the second portion of the data transmission is not associated with any of the set of cleartext positions; generating an input checksum value using the portion of the data transmission not associated with any of the set of cleartext positions; generating an output checksum value using the ciphertext of the first portion of the data transmission; generating an authentication tag using the input checksum value and the output checksum value; and transmitting the plaintext, the ciphertext, and the authentication tag, wherein the plaintext is the first portion of the data transmission specified by the set of cleartext positions.
In another aspect, a method of decrypting and verifying a plurality of received transport blocks is presented, the method comprising: determining whether each of the plurality of received transport blocks is specified by a cleartext position from a set of cleartext positions; decrypting the plurality of received transport blocks, the decrypting comprising: for blocks not specified by a cleartext position, generating a set of intermediate ciphertext blocks, decrypting the set of intermediate ciphertext blocks to generate a set of intermediate plaintext blocks, and generating a set of plaintext blocks; for blocks specified by a cleartext position, combining each of the plurality of received transport blocks specified by a cleartext position with the previous intermediate ciphertext block to generate an intermediate plaintext block, and encrypting the intermediate plaintext block to obtain an intermediate ciphertext block; and validating the plurality of received transport blocks, the validating comprising: forming an input checksum value using the set of plaintext blocks not specified by a cleartext position; forming an output checksum value using a set of secondary ciphertext blocks, wherein the secondary ciphertext blocks are obtained from the set of intermediate ciphertext blocks associated with a cleartext position; and using the input checksum value and the output checksum value for comparison with the authentication tag.
In another aspect, an apparatus for secure data transmission is presented, wherein a first portion of the data transmission is sent as plaintext, a second portion of the data transmission is sent as ciphertext, and all of the data transmission is authenticated, the apparatus comprising: means for generating a set of cleartext positions; means for encrypting the first portion of the data transmission and the second portion of the data transmission into ciphertext, wherein the first portion of the data transmission is specified by the set of cleartext positions and the second portion of the data transmission is not associated with any of the set of cleartext positions; means for generating an input checksum value using the portion of the data transmission not associated with any of the set of cleartext positions; means for generating an output checksum value using the ciphertext of the first portion of the data transmission; means for generating an authentication tag using the input checksum value and the output checksum value; and means for transmitting the plaintext, the ciphertext, and the authentication tag, wherein the plaintext is the first portion of the data transmission specified by the set of cleartext positions.
In another aspect, an apparatus for decrypting and verifying a plurality of received transport blocks is presented, the apparatus comprising: means for determining whether each of the plurality of received transport blocks is specified by a cleartext position from a set of cleartext positions; means for decrypting the plurality of received transport blocks, the decrypting comprising: for blocks not specified by a cleartext position, generating a set of intermediate ciphertext blocks, decrypting the set of intermediate ciphertext blocks to generate a set of intermediate plaintext blocks, and generating a set of plaintext blocks; for blocks specified by a cleartext position, combining each of the plurality of received transport blocks specified by a cleartext position with the previous intermediate ciphertext block to generate an intermediate plaintext block, and encrypting the intermediate plaintext block to obtain an intermediate ciphertext block; and means for validating the plurality of received transport blocks by forming an input checksum value using the set of plaintext blocks not specified by a cleartext position, forming an output checksum value using a set of secondary ciphertext blocks, wherein the secondary ciphertext blocks are obtained from the set of intermediate ciphertext blocks associated with a cleartext position, and using the input checksum value and the output checksum value for comparison with the authentication tag.
Drawings
FIGS. 1A, 1B, and 1C are block diagrams of a basic cryptographic system, a symmetric encryption system, and an asymmetric encryption system, respectively.
FIGS. 2A and 2B are block diagrams of a symmetric authentication system and an asymmetric authentication system, respectively.
FIG. 3 is a block diagram of the Integrity Aware Cipher Block Chaining (IACBC) mode.
FIG. 4A is a block diagram of CBC-IO mode.
FIG. 4B is a block diagram of an apparatus for performing CBC-IO mode.
FIG. 5 is a block diagram of decrypting and verifying messages encrypted and authenticated via CBC-IO mode.
FIG. 6A is a block diagram of an apparatus for performing decryption and verification of messages encrypted and authenticated via CBC-IO mode.
FIGS. 6B, 6C, and 6D are block diagrams of different embodiments for verifying messages encrypted and authenticated via CBC-IO mode.
Detailed Description
Encryption makes data unreadable by an unauthorized party. The original data message is referred to as a plaintext message or plaintext. The encrypted message is referred to as ciphertext, where encryption encompasses any method of converting plaintext into ciphertext, such as a block cipher, a hash function, or any other encryption function. Decryption includes any method of converting ciphertext into plaintext, i.e., recovering the original message. Fig. 1A illustrates a basic cryptographic system 10 designed for encryption. The plaintext message 11 is operated on by an encryption scheme 12 to form ciphertext 13. Ciphertext 13 is then transmitted over a communication channel (not shown) and is recovered at another site (not shown) by decryption scheme 14 to form plaintext 15. Plaintext and ciphertext may be any data, including audio and video data in digital form.
Cryptanalysis is the technique of breaking the security of a cryptographic system. The entity performing the cryptanalysis is known in the art as an adversary or attacker. Cryptanalysis of an encryption scheme is directed at decrypting messages without authorization. Cryptanalysis of an authentication scheme is directed at forging messages that will verify as having been sent by someone else.
Cryptographic systems are based on secrets. A group of entities shares the secret, and entities outside the group cannot obtain it without expending a large amount of resources. This secret is said to act as a security association for the group of entities.
Typically, a secret comprises a key or a set of keys, measured in bits. The longer the key, the greater the security it provides. Symmetric cryptosystems use the same key to encrypt a message as to decrypt it. A symmetric encryption system 20 is illustrated in Fig. 1B, where both encryption and decryption use the same private key. The plaintext 21 is operated on by an encryption scheme 22. The key 23 is used in encryption scheme 22 to form ciphertext 24. The ciphertext 24 is transmitted over a communication channel (not shown) to another station, where the decryption scheme 25 uses the same key 23 to form the plaintext 26.
In contrast, asymmetric cryptosystems use a first key to encrypt a message and a different key to decrypt it. Fig. 1C illustrates an asymmetric encryption system referred to as a public key cryptosystem 30, where a public key is used for encryption and a private key is used for decryption. The public key is published so that any user can use it to encrypt any message. However, only the private, unpublished key can decrypt a message encrypted with that public key. The plaintext 31 is input to an encryption scheme 32 that uses the public key 33 associated with the designated user and obtained from publication. The resulting ciphertext 34 may be transmitted over a communication channel (not shown) to the designated user. The designated user converts the ciphertext 34 into plaintext 37 using the private key 36 in the decryption scheme 35.
Symmetric encryption is generally much faster than asymmetric encryption. However, sending the key from the sender to the recipient is problematic as it may be intercepted by an adversary. One solution is to use a trusted third party to hold the key, which will only share the key with authenticated users. The embodiments described herein do not address this issue, but rather assume that the sender and recipient share a secret key.
Integrity of the ciphertext generated by the cryptosystems described above is typically provided by appending authentication data to the transmitted ciphertext. The authentication data is typically computed as a function of the message content and an integrity key.
In a symmetric authentication system, the authentication data is called a Message Authentication Code (MAC). The MAC is computed as a function of the message content and an integrity key shared by the sender and the designated destination. The sender sends the message with the MAC attached. The message may be plaintext or ciphertext. The recipient recomputes the MAC from the message and accepts the integrity of the message only if the recomputed MAC agrees with the received MAC. Ideally, only the sender of a message is able to generate a valid signature for it, which is what allows the recipient to authenticate the message.
A symmetric authentication system 40 is illustrated in fig. 2A, where both signing and verification use the same key. The message 41 is acted upon with an authentication scheme 42 using a key 43 to form authentication data 44. The authentication data 44 and the message 41 are then sent to the other party (not shown) over a communication channel (not shown). The message 41 is operated on with a verification scheme 45 using the same key 43 to determine authentication data 46. Authentication data 46 generated by the recipient is compared with authentication data 44 received over the communication channel.
In an asymmetric authentication system, the authentication data is called a digital signature. The digital signature is computed as a function of the message content and the sender's integrity key. The sender sends the digital signature to the receiver, which verifies the digital signature using the sender's public key. An asymmetric authentication system 50 is illustrated in Fig. 2B, where signing uses a private key and verification uses the corresponding public key.
In some schemes, the MAC or digital signature is computed from a "message digest" that is a unique mathematical description of the message. The message digest is shorter than the original message, so computing the MAC or signature over the digest is easier. Because the MAC or digital signature depends on the message or its digest, the authentication data changes from message to message. If the authentication data were the same for several messages, an adversary could easily copy it and reuse it illegitimately.
The message digest is typically computed using a cryptographic hash function. A cryptographic hash function computes a value containing a fixed number of bits from any input, regardless of the input's length. One property of cryptographic hash functions is that, given an output value, it is computationally difficult to determine an input that would produce that output. An example of a cryptographic hash function is SHA-1, as described in FIPS PUB 180-1, "Secure Hash Standard", published by the National Institute of Standards and Technology (NIST) in its Federal Information Processing Standards Publications (FIPS PUBS).
Block ciphers are symmetric encryption schemes whose input is always a fixed number of bits. This length is called the block size of the block cipher. An example of a block cipher is the Data Encryption Standard (DES), described in FIPS PUB 46-1, "Data Encryption Standard", published by NIST. The block size of DES is 64 bits. Another example of a block cipher is the Advanced Encryption Standard (AES), described in FIPS PUB 197, "Advanced Encryption Standard", published by NIST. The block size of AES is 128 bits.
The key length of a block cipher is the number of bits in the key. The entropy of a key, however, is the base-2 logarithm of the number of possible key values. Entropy is also expressed in bits. For example, DES has a 64-bit key, 8 bits of which are used as a checksum to detect errors in key transmission. Thus the key entropy of DES is (64 − 8) = 56 bits.
Given several pairs of inputs and corresponding outputs of a block cipher, an adversary can recover the key by testing every possible key value to determine which one maps the inputs to the correct outputs. This type of attack is known as an exhaustive key search. The computational complexity of an attack is the number of cryptographic operations it requires. For a K-bit key, an exhaustive key search therefore requires about $2^K$ encryption operations to recover the block cipher key.
Block ciphers are useful for constructing other cryptographic entities. The way in which a block cipher is used is called its mode of operation. Four modes of operation have been standardized for DES and are described in FIPS PUB 81, "DES Modes of Operation", published by NIST. The four modes are Electronic Codebook (ECB), Cipher Block Chaining (CBC), Output Feedback (OFB), and Cipher Feedback (CFB). For purposes of illustration, only ECB and CBC are discussed herein, for encrypting a sequence of plaintext blocks $P_1, \ldots, P_m$.
In ECB mode, a block cipher is used to encrypt each block of plaintext into a ciphertext block in accordance with the following relationship:
$C_i = E_K(P_i)$,
where $E_K(P_i)$ denotes the encryption of block $P_i$ using key $K$. As used herein, $D_K(P_i)$ denotes the decryption of block $P_i$ using key $K$.
In CBC mode, the first plaintext block is exclusive-ORed with a secret Initial Value (IV) and the result is then encrypted. Mathematically, the process is written as the following relationship:
$C_1 = E_K(P_1 \oplus IV)$.
Thereafter, each plaintext block is exclusive-ORed with the previous ciphertext block before encryption, as follows:
$C_i = E_K(P_i \oplus C_{i-1})$.
In symmetric cryptosystems, efficient encryption and authentication can be problematic. Until recently, the only way to meet this need was the straightforward approach: providing encryption and authentication as two separate functions. These two functions require approximately equal amounts of computation, so using both is twice as expensive as using only one or the other.
In the paper "Encryption Modes with Almost Free Message Integrity", Jutla proposed two methods that provide encryption and authentication while requiring only slightly more computation than encryption or authentication alone. These methods have a general form and use a block cipher as the cipher core. In the cryptographic community, such methods are also referred to as "modes of operation". One of Jutla's modes of operation, referred to as Integrity Aware Parallelizable Mode (IAPM), is not discussed in this document. Jutla's other mode of operation, referred to as Integrity Aware Cipher Block Chaining (IACBC) mode, is shown in Fig. 3. IACBC uses two keys: $K_0$ and $K_1$. Suppose the sender wishes to encrypt and authenticate a message of $(m-1)$ blocks $P_1$ to $P_{m-1}$. The sender sets $t$ equal to the smallest integer greater than $\log_2(m+1)$. The sender selects a random value $r$ (called a nonce or initial value) and encrypts it to form ciphertext block $C_0$. The values $r+1$ to $r+t$ are encrypted to form the values $W_0$ to $W_{t-1}$, where the encryption uses the secret key $K_0$. The values $W_0$ to $W_{t-1}$ are then used to derive pairwise independent values $S_0$ to $S_m$. These values are referred to herein as noise blocks. The values $S_0, \ldots, S_m$ are pairwise independent if they are uniformly distributed $n$-bit random numbers with the following property: for each pair $S_i$ and $S_j$ with $i \neq j$, and each pair of $n$-bit constants $c_1$ and $c_2$, the probability that $S_i = c_1$ and $S_j = c_2$ is $2^{-2n}$. The actual computation of $S_0$ to $S_m$ is not relevant to understanding IACBC and is not described here. The ciphertext blocks $C_1$ to $C_{m-1}$ are derived iteratively for $1 \le i \le m-1$ according to the following relationships:
$M_i = P_i \oplus N_{i-1}$,
$N_i = E_{K_1}(M_i)$,
$C_i = N_i \oplus S_i$,
where the secret key $K_1$ is used for each block and the initial value $N_0$ is set to $C_0$. The values $M_i$ are called intermediate plaintext blocks and the values $N_i$ are called intermediate ciphertext blocks. The sender then computes a checksum value $P_m$ defined as:
$P_m = P_1 \oplus P_2 \oplus \ldots \oplus P_{m-1}$.
The MAC tag value $C_m$ is computed from $P_m$ by encrypting $(P_m \oplus N_{m-1})$ with the secret key $K_1$ and exclusive-ORing the result with $S_0$. Mathematically, this computation can be expressed as follows:
$C_m = E_{K_1}(P_m \oplus N_{m-1}) \oplus S_0$.
The sender sends $C_0 \ldots C_m$.
Assume that the receiver receives $C'_0 \ldots C'_m$. The receiver begins the decryption process by decrypting $C'_0$ to form $r'$, where the decryption uses the key $K_1$. The values $r'+1$ to $r'+t$ are encrypted to form the values $W'_0$ to $W'_{t-1}$, where the encryption uses the key $K_0$. The receiver then computes the values $S'_0$ to $S'_m$. The plaintext blocks $P'_1$ to $P'_{m-1}$ are derived iteratively for $1 \le i \le m-1$ according to the following relationships:
$N'_i = C'_i \oplus S'_i$,
$M'_i = D_{K_1}(N'_i)$,
$P'_i = N'_{i-1} \oplus M'_i$,
where the secret key $K_1$ is used for each block and the initial value $N'_0$ is set equal to $C'_0$. The recipient then computes a checksum value $P'_m$ defined as:
$P'_m = P'_1 \oplus P'_2 \oplus \ldots \oplus P'_{m-1}$.
The value $X$ is computed by encrypting the exclusive-OR of $P'_m$ and $N'_{m-1}$ with the secret key $K_1$ and then exclusive-ORing the result with $S'_0$. Mathematically, the process can be described as follows:
$X = E_{K_1}(P'_m \oplus N'_{m-1}) \oplus S'_0$.
If $X$ equals $C'_m$, the receiver can be assured of the integrity of the encrypted message.
Gligor and Donescu, in the paper "Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes", proposed a similar scheme, called the extended ciphertext block chaining scheme (XCBC), which provides encryption and authentication with a similar computational effort. The main difference between XCBC and IACBC lies in how the noise blocks $S_0$ to $S_m$ are derived, which is not relevant to this document.
The operation of the IACBC and XCBC modes has certain undesirable characteristics. The first undesirable characteristic is that these modes require all data to be sent encrypted. In internet protocols such as IPSec, it is not desirable to send messages in which all data is encrypted. In particular, the header containing the addressing information must be sent in the clear. The embodiments described herein propose variants of the IACBC and XCBC modes (hereinafter CBC-IO mode) that allow blocks of data to be sent in the clear, with only a small amount of processing added.
It should be noted that either hardware or software in a data or communication system may be configured to perform the different embodiments of the CBC-IO mode. Hardware may include, but is not limited to, a processing element that executes a set of instructions stored on a computer-readable medium, such as a memory, to perform the encryption, authentication, decryption, and verification processes described below. In addition, the various combining steps are described using the bitwise logical XOR operator. Other implementations of the embodiments may use modular integer addition, where the two inputs are treated as binary representations of integers, the binary representation of the sum of the two integers constitutes an intermediate value, and the output is formed by truncating the intermediate value to the cipher block size. Other group operators may also be used with appropriate modifications; however, for ease of illustration only embodiments using the XOR operator are described herein.
One embodiment of the CBC-IO mode is illustrated in FIG. 4A. The CBC-IO mode uses two keys: $K_0$ and $K_1$. It is assumed that the sender wishes to encrypt and authenticate a message of $(m-1)$ data blocks $P_1$ to $P_{m-1}$.
At step 400, the sender and recipient agree on the set of plaintext blocks to be sent in unencrypted form. The set of indices of the plaintext blocks to be sent in unencrypted form is denoted $U$; its elements are referred to as cleartext positions.
At step 402, the sender selects the nonce $r$ and computes the noise blocks $S_0$ to $S_m$ as in IACBC or XCBC mode, obtaining the intermediate ciphertexts $N_0$ to $N_{m-1}$ and the ciphertext blocks $C_0$ to $C_{m-1}$. That is, $N_0 = C_0 = E_{K_1}(r)$, and for $1 \le i \le m-1$ the values of the intermediate ciphertexts $N_1$ to $N_{m-1}$ and the ciphertext blocks $C_1$ to $C_{m-1}$ are derived iteratively according to the following relationships:
$M_i = P_i \oplus N_{i-1}$,
$N_i = E_{K_1}(M_i)$,
$C_i = N_i \oplus S_i$.
Note that the secret key $K_1$ is used for each ciphertext block. In an alternative embodiment, the nonce $r$ may be a predetermined value stored by both the sender and the recipient rather than a derived value.
At step 410, the sender calculates checksum values CHK _ IN and CHK _ OUT, which are defined as follows:
and
CHK_OUT=(i∈U Ci)S0。
at step 420, the sender sends the message by using the key K1Encrypted CHK _ IN computing MAC tag CmAnd xors the result with CHK _ OUT. This process is described mathematically as follows:
Cm=EK1(CHK_IN)CHK_OUT。
at step 430, the sender resets those values CiWhere i ∈ U (i.e., those plaintext would be sent unencrypted), such that Ci=Pi. At step 440, the sender sends C0...Cm。
This mode is called CBC-IO because the authentication token is computed by combining the information with the last encrypted input and output. The step of generating the authentication flag using the CBC-IO mode is different from the IACBC IN that the values of CHK _ IN and CHK _ OUT are generated. Due to this difference, the decryption and authentication process at the receiver must also be configured differently.
FIG. 4B is a block diagram of hardware configured to perform the CBC-IO mode described above. It should be noted that FIG. 4B illustrates an implementation that may be an alternative to a software implementation, where a processor and memory are configured to execute a set of instructions for performing the CBC-IO mode described above. Memory element 450 stores the plaintext blocks P_i, some of which are to be encrypted and all of which are to be authenticated. The encryption elements 460A, 460B, 460C, and 460D are configured to perform encryption functions on their inputs. For purposes of illustration, four (4) encryption elements are shown in FIG. 4B for encrypting plaintext blocks, but those skilled in the art will appreciate that more or fewer encryption elements may be implemented without affecting the scope of the present embodiment.
In this embodiment, the inputs to the encryption elements 460A, 460B, 460C, and 460D are the nonce r at the first encryption element 460A and the intermediate plaintext blocks M_1 to M_{m-1} at the respective remaining encryption elements. The intermediate plaintext blocks M_1 to M_{m-1} are the outputs of combining elements 462A, 462B, and 462C. In one aspect, combining elements 462A, 462B, and 462C are exclusive-or gates. The outputs of the encryption elements 460A, 460B, 460C, and 460D are the intermediate ciphertext blocks N_0 to N_{m-1}. Combining elements 464A, 464B, and 464C combine the intermediate ciphertext blocks N_0 to N_{m-1} with the corresponding noise blocks S_1 to S_{m-1}. The outputs of the combining elements 464A, 464B, and 464C are the ciphertext blocks C_1 to C_{m-1}.
The processing block (or checksum generator) 470 is configured to determine the checksum value CHK_IN from the plaintext blocks that are to be sent in encrypted form and the last intermediate ciphertext block N_{m-1}. The processing block (or checksum generator) 475 is configured to determine CHK_OUT from the first noise block S_0 and the ciphertext blocks corresponding to plaintext blocks that are to be transmitted in plaintext form. The formulas for determining CHK_IN and CHK_OUT have been described above. CHK_IN is then input into encryption element 480. The output of encryption element 480 is then combined with CHK_OUT using combining element 490. The output of combining element 490 is the last ciphertext block C_m, which also serves as the authentication mark.
The ciphertext blocks C_1 to C_{m-1}, the authentication mark C_m, and the plaintext blocks P_i are input to selection element 495, which determines whether the block to be transmitted is ciphertext or plaintext. In other words, those P_i with i ∈ U and those C_i with i ∉ U are sent together.
FIG. 5 is a flow diagram of decrypting and verifying messages that were encrypted and authenticated in CBC-IO mode. At step 500, a receiver receives the blocks C'_0...C'_m. Note that for i ∈ U, C'_i was sent unencrypted. At step 510, the recipient uses the key K1 to decrypt C'_0 and obtain r'. The value r' and the key K0 are used to derive the values of the noise blocks S'_0 to S'_m.
At step 520, for i where 1 ≤ i ≤ m, an iterative process begins with a determination of whether i ∈ U. If i ∉ U, then program flow proceeds to step 530. If i ∈ U, then program flow proceeds to step 540. At step 530, the recipient determines the intermediate ciphertext N'_i, where i ∉ U, by XORing C'_i and S'_i. This is described mathematically as follows:
N'_i = C'_i ⊕ S'_i.
At step 532, the recipient decrypts the intermediate ciphertext N'_i, where i ∉ U:
M'_i = D_K1(N'_i),
P'_i = M'_i ⊕ N'_{i-1}.
Program flow proceeds to step 550.
For i ∈ U, the recipient determines P'_i = C'_i at step 540.
At step 542, proceeding sequentially through the values i ∈ U, the recipient combines P'_i and N'_{i-1} according to the following relationship to obtain M'_i, and then encrypts M'_i:
M'_i = P'_i ⊕ N'_{i-1},
N'_i = E_K1(M'_i).
Program flow proceeds to step 550. At step 550, the exponent i is incremented by 1 and a determination is made whether i > m. If the condition i > m is false, then the program flows back to step 520. If the condition i > m is true, then program flow proceeds to step 560, where step 560 is the beginning of the verification process.
It should be noted that the above steps of determining intermediate ciphertext blocks and intermediate plaintext blocks for cleartext positions may be interchanged in order without affecting the scope of the embodiments. It should also be noted that the above steps can be easily adapted to a set of ciphertext positions, rather than cleartext positions, i.e., the steps can be described with respect to blocks that have been designated as encrypted, rather than blocks that have been sent in the clear. It should also be noted that the values calculated in the above steps are stored for further use in the iterative process.
The receiver has now decrypted all the ciphertext, but it still needs to verify integrity. To verify integrity, at step 560 the recipient first forms the secondary ciphertexts C*_i, where i ∈ U, according to the following relationship:
C*_i = N'_i ⊕ S'_i.
at step 570, the recipient calculates a checksum value CHK _ IN', defined as follows:
at step 580, the recipient calculates a checksum value CHK _ OUT', defined as follows:
CHK_OUT' = (⊕_{i∈U} C*_i) ⊕ S'_0.
At step 590, the recipient computes the value X by encrypting CHK_IN' with the key K1 and XORing the result with CHK_OUT'. This process is described mathematically as follows:
X = E_K1(CHK_IN') ⊕ CHK_OUT'.
The recipient then compares X with C'_m to determine whether they are equal. If they are equal, the recipient can be confident of the integrity of the message. If the integrity of the message is verified, the message is:
P = P_1, ..., P_{m-1}.
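The sender's steps 400 to 440 and the receiver's steps 500 to 590 above, written out as an added example (not code from the patent). It assumes a stand-in 4-round Feistel block cipher in place of AES, a noise-block derivation S_i = E_K0(r ⊕ i), and the CHK_IN definition given for checksum generator 470 (plaintext blocks sent encrypted, XORed with N_{m-1}); the loop over data blocks runs for i = 1..m-1, since C_m is the tag.

```python
import hashlib
import hmac

BLOCK = 16  # 16-byte blocks, matching the AES block size the page assumes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher E_K (4-round Feistel); a placeholder for AES, not AES."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E, i.e. D_K."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def noise_blocks(k0: bytes, r: bytes, m: int) -> list:
    """S_0..S_m from nonce r and key K0. Derivation assumed here: S_i = E_K0(r XOR i)."""
    return [E(k0, xor(r, i.to_bytes(BLOCK, "big"))) for i in range(m + 1)]


def _check_positions(U: set, m: int) -> None:
    # Cleartext positions must address data blocks only: never the nonce block or the tag.
    if any(i < 1 or i > m - 1 for i in U):
        raise ValueError("cleartext positions must lie in 1..m-1")


def cbcio_encrypt(k0: bytes, k1: bytes, r: bytes, P: list, U: set) -> list:
    """Steps 400-440: returns C_0..C_m for plaintext blocks P_1..P_{m-1} (P[0] is P_1)."""
    m = len(P) + 1
    _check_positions(U, m)
    S = noise_blocks(k0, r, m)
    N = [E(k1, r)]                          # N_0 = C_0 = E_K1(r)
    C = [N[0]]
    for i in range(1, m):
        M_i = xor(P[i - 1], N[i - 1])       # M_i = P_i XOR N_{i-1}
        N.append(E(k1, M_i))                # N_i = E_K1(M_i)
        C.append(xor(N[i], S[i]))           # C_i = N_i XOR S_i
    chk_in = N[m - 1]                       # CHK_IN = (XOR_{i not in U} P_i) XOR N_{m-1}
    for i in range(1, m):
        if i not in U:
            chk_in = xor(chk_in, P[i - 1])
    chk_out = S[0]                          # CHK_OUT = (XOR_{i in U} C_i) XOR S_0
    for i in U:
        chk_out = xor(chk_out, C[i])
    C.append(xor(E(k1, chk_in), chk_out))   # C_m = E_K1(CHK_IN) XOR CHK_OUT (the tag)
    for i in U:                             # step 430: cleartext positions carry P_i
        C[i] = P[i - 1]
    return C


def cbcio_decrypt(k0: bytes, k1: bytes, C: list, U: set):
    """Steps 500-590: returns (P'_1..P'_{m-1}, tag_ok)."""
    m = len(C) - 1
    _check_positions(U, m)
    r = D(k1, C[0])                         # step 510: r' = D_K1(C'_0)
    S = noise_blocks(k0, r, m)
    N = [C[0]]                              # N'_0 = C'_0
    P = []
    for i in range(1, m):                   # steps 520-550, strictly in order of i
        if i not in U:                      # steps 530/532
            N.append(xor(C[i], S[i]))       # N'_i = C'_i XOR S'_i
            P.append(xor(D(k1, N[i]), N[i - 1]))   # P'_i = D_K1(N'_i) XOR N'_{i-1}
        else:                               # steps 540/542
            P.append(C[i])                  # P'_i = C'_i
            N.append(E(k1, xor(C[i], N[i - 1])))   # N'_i = E_K1(P'_i XOR N'_{i-1})
    chk_in = N[m - 1]                       # step 570
    for i in range(1, m):
        if i not in U:
            chk_in = xor(chk_in, P[i - 1])
    chk_out = S[0]                          # steps 560/580: C*_i = N'_i XOR S'_i
    for i in U:
        chk_out = xor(chk_out, xor(N[i], S[i]))
    X = xor(E(k1, chk_in), chk_out)         # step 590
    return P, hmac.compare_digest(X, C[m])  # constant-time comparison with C'_m


# Constructed sample values (not from the page): keys, nonce, four data blocks.
K0 = bytes(range(16))
K1 = bytes(range(16, 32))
R = b"\xaa" * BLOCK
PLAINTEXT = [bytes([i]) * BLOCK for i in range(1, 5)]
```

Using a wrong set U at the receiver (the attack the text warns about) also fails verification, because the checksums then mix plaintext and ciphertext positions differently from the sender.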
in an alternative embodiment, the recipient uses the alternative value for the comparison. In one embodiment, the authentication flag is combined with CHK _ OUT to form a test encryption input checksum value. The input checksum value is encrypted and then compared to the test encrypted input checksum value. If the test encrypted input checksum value is the same as the encrypted input checksum value, then the authentication mark is verified. In another embodiment, the authentication tag is combined with the output checksum value to form a test encrypted input checksum value. The test encrypted input checksum is decrypted to obtain a test input checksum value; the test input checksum value is then compared to the input checksum value. If the test input checksum value and the input checksum value are the same, then the authentication indicia is verified.
In another alternative embodiment, the verification steps 560 through 590 may be performed in parallel with the decryption steps 520 through 550. This parallel processing speeds up the speed at which the receiver processes the encrypted and authenticated transmission from the sender.
FIG. 6A is a block diagram of hardware configured to decrypt messages encrypted with the CBC-IO mode described above. FIGs. 6B, 6C, and 6D are block diagrams of hardware configured to verify messages authenticated with the CBC-IO mode described above. In FIG. 6A, the received blocks C'_0, C'_1, ..., C'_m are stored in memory 600. Decryption elements 610A, 610B, 610C, 610D, and 610E are configured to perform a decryption function using the key K1, which the sender and the recipient agreed on during a key agreement process whose details are not discussed here. The input to the first decryption element 610A is block C'_0, the first message block from the sender. The output of the first decryption element 610A is r', which is used to determine the noise blocks S'_0, S'_1, ..., S'_{m-1}; this is done by a hardware configuration not shown here.
The inputs to the other decryption elements 610B, 610C, 610D, and 610E are the intermediate ciphertext blocks N'_0 to N'_m at each respective decryption element. The intermediate ciphertext blocks N'_1 to N'_m are formed, for all i ∉ U, by combining the corresponding noise block S'_i and the received ciphertext block C'_i using combining elements 620A, 620B, 620C, and 620D, such as, for example, exclusive-or gates or modulo integer adders.
The outputs of decryption elements 610A, 610B, 610C, 610D, and 610E are each combined with an intermediate ciphertext block N'_i using combining elements 622A, 622B, 622C, and 622D. The outputs of combining elements 622A, 622B, 622C, and 622D are the plaintext blocks P'_i, where i ∉ U.
For the intermediate ciphertext blocks N'_i where i ∈ U, encryption elements 630A, 630B, and 630C use the key K1 to encrypt, yielding the previous intermediate ciphertext block N'_{i-1} or the intermediate ciphertext block N'_i. Combining elements 624A, 624B, and 624C combine the previous intermediate ciphertext block N'_{i-1} and the plaintext block P'_i to form the intermediate plaintext block M'_i, which is encrypted by encryption elements 630A, 630B, 630C, and 630D. Note that after P'_i (where i ∉ U) has been determined, the plaintext blocks P'_i (where i ∈ U) can simply be taken as P'_i = C'_i. Including the intermediate ciphertext blocks N_i where i ∈ U allows the plaintext blocks P'_i to be determined iteratively and the secondary ciphertext blocks C*_i to be generated for verification. In this embodiment, switches 640A, 640B, 640C, and 640D are implemented with control lines (not shown) to select the appropriate intermediate ciphertext block according to whether a cleartext position or a ciphertext position precedes the current position.
The input checksum CHK_IN may be determined as the output of a combining element (not shown) that combines the last intermediate ciphertext block N'_m and all plaintext blocks P'_i where i ∉ U. The output checksum CHK_OUT may be determined as the output of a combining element (not shown) that combines the first noise block S'_0 and all secondary ciphertexts C*_i, where each secondary ciphertext C*_i is defined as the combination of the respective intermediate ciphertext block N'_i and the corresponding noise block S'_i. The secondary ciphertext blocks C*_i are the outputs of combining elements 645A, 645B, and 645C in FIG. 6A.
FIG. 6B illustrates one embodiment of verifying the authentication mark. The CHK_IN value is input into encryption element 650. The output of encryption element 650 is combined with the CHK_OUT value at combining element 655. Next, the output of combining element 655 is compared at comparing element 657 with the received block C'_m, which is the authentication mark. FIG. 6C is another embodiment of verifying the authentication mark. The CHK_IN value is input into encryption element 660. At combining element 665, the authentication mark C'_m is combined with the CHK_OUT value. The output of combining element 665 is compared with the output of encryption element 660 at comparing element 667 to verify the authentication mark. FIG. 6D is another embodiment of verifying the authentication mark. At combining element 670, the authentication mark C'_m is combined with the CHK_OUT value. The output of combining element 670 is input to decryption element 675. The output of decryption element 675 is then compared with the CHK_IN value at comparing element 677. If the respective comparison shows a match, the authentication mark C'_m is verified.
When a recipient attempts to decrypt a message, an attacker may cause the recipient to use the wrong set of cleartext positions. To prevent this type of attack, the sender and receiver must use other means to verify the set of cleartext positions applied to a particular ciphertext message. There are simple solutions to this problem. One solution is a standard protocol that fixes which positions are cleartext. Another approach is to include a representation of the set U of cleartext positions in the data blocks, so that verification of the ciphertext includes verification of the set of cleartext positions.
Including the values C_i for i ∈ U in the checksum constitutes the distinction between the CBC-IO mode of operation and the modes of operation proposed by Jutla and by Gligor and Donescu. Note that CBC-IO uses block cipher encryption when computing the ciphertext and the authentication tag. However, it is equally effective to use block cipher decryption in place of some or all of the block cipher encryption operations. This results in a corresponding change from block cipher decryption to block cipher encryption (and vice versa) during decryption and message integrity verification.
In the CBC-IO mode, if the underlying block cipher is secure, then the encryption and authentication functions are secure. Formal meanings of the phrase "the encryption and authentication functions are secure" exist in the art, but they are not relevant to the subject matter of the present invention and are not discussed here. Those skilled in the art will be familiar with the meaning of the phrase "the encryption and authentication functions are secure".
Although the embodiments herein are described with respect to a CBC-IO mode based on the AES block cipher, the embodiments may also be applied to building CBC-IO modes based on other block ciphers. Note that the sender may choose to send either P_i or C_i without jeopardizing the authentication. The embodiments described herein allow a single party to send encrypted or unencrypted blocks without compromising the security of the authentication scheme. If P_i is sent in the clear, then P_i is still secure and unpredictable and can be used for secure authentication.
It is common practice, when using an authentication mode, to use only a portion of the final block as the MAC. The invention may also be modified so that only a portion of the final block is sent as the MAC.
Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The implementation or execution of the various illustrative logical blocks, modules, and algorithm steps described in connection with the embodiments described herein may be implemented or performed with: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
The previous description of the preferred embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without the use of the inventive faculty. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (22)
1. A method of encrypting and verifying data as a single entity, the method comprising:
arranging the data into a plurality of plaintext blocks, and determining the size of each plaintext block according to the size of the cipher block;
specifying at least one cleartext position for which at least one ciphertext block is identical to a corresponding plaintext block;
determining a plurality of noise blocks using the nonce value and the first key;
determining a plurality of intermediate ciphertext blocks, wherein the first intermediate ciphertext block corresponds to the encrypted nonce, iteratively calculating remaining intermediate ciphertexts by encrypting the plurality of intermediate plaintext blocks with a second key, wherein each intermediate plaintext block is a combination of one of the plurality of plaintext blocks and a previous intermediate ciphertext block;
determining a plurality of ciphertext blocks using a plurality of intermediate ciphertext blocks and the plurality of noise blocks, wherein the first ciphertext block is the same as the first intermediate ciphertext block, and deriving remaining ciphertext blocks by combining a respective intermediate ciphertext block with a respective noise block;
calculating an input checksum value based on the plurality of plaintext blocks and an intermediate ciphertext block corresponding to a previous plaintext block;
calculating an output checksum value based on the plurality of ciphertext blocks and a noise block;
calculating an authentication token by encrypting an input checksum value with the second key and combining the encrypted input checksum value and output checksum value;
replacing each of the plurality of ciphertext blocks specified by the cleartext position with a respective plaintext block; and
the authentication mark is attached.
2. The method of claim 1, wherein the encryption uses block cipher encryption.
3. The method of claim 1, wherein the encrypting comprises:
selecting to apply block cipher encryption or block cipher decryption;
selecting a block cipher for use according to a set of predefined selection rules; and
a plurality of intermediate ciphertext blocks is formed by applying the selected block cipher encryption or block cipher decryption to one of the plurality of plaintext blocks that is combined with a previous intermediate ciphertext block.
4. The method of claim 1, wherein said calculating the input checksum value comprises:
combining all of the plurality of plaintext blocks corresponding to a location that is not designated as the at least one cleartext location; and
the last noisy block is combined with the combined plurality of plaintext blocks.
5. The method of claim 1, wherein said calculating an output checksum value comprises:
combining all of the plurality of ciphertext blocks corresponding to the at least one cleartext position; and
the first noise block is combined with the combined plurality of ciphertext blocks.
6. The method of claim 1, wherein combining is performed using a bit exclusive or operation.
7. The method of claim 1, wherein combining is performed using a group operation.
8. The method of claim 7, wherein the group operator is a modulo integer addition operator.
9. A method for decrypting and verifying a plurality of data blocks accompanied by an authentication mark, wherein a set of clear locations is defined, the method comprising:
determining a plurality of noise blocks using the nonce value and the first key;
combining each of a plurality of data blocks not specified by a cleartext position in the set of cleartext positions with a corresponding noise block to determine a plurality of intermediate ciphertext blocks;
designating each of the plurality of blocks of data designated by one of the set of cleartext positions as one of a plurality of blocks of plaintext;
for each cleartext position in the set of cleartext positions, combining a corresponding plaintext block with a previous intermediate ciphertext block to form an intermediate plaintext block and encrypting the intermediate plaintext block to form an intermediate ciphertext block corresponding to the cleartext position;
for each position not in the set of cleartext positions, decrypting the corresponding intermediate ciphertext block to form an associated intermediate plaintext block, and combining the associated intermediate plaintext block with a previous intermediate ciphertext block to form a plaintext block for each position not in the set of cleartext positions;
determining a plurality of secondary ciphertext blocks, wherein each of the plurality of secondary ciphertext blocks corresponds to a cleartext position in the set of cleartext positions and is formed by combining a respective intermediate ciphertext block and a respective noise block;
calculating an input checksum value by combining the last intermediate ciphertext block with a plurality of data blocks not specified by a cleartext position in the set of cleartext positions;
calculating an output checksum value by combining the noise block and the plurality of secondary ciphertext blocks; and
verifying the authentication mark.
10. The method of claim 9, wherein verifying the authentication mark comprises:
calculating a test authentication mark by encrypting the input checksum value with the second key and grouping the encrypted input checksum value with the output checksum value; and
the test authentication mark and the authentication mark are compared, wherein the authentication mark is verified if the test authentication mark and the authentication mark are the same.
11. The method of claim 9, wherein verifying the authentication mark comprises:
combining an authentication tag and the output checksum value to form a test encrypted input checksum value;
encrypting the input checksum value; and
the test encrypted input checksum value and the encrypted input checksum value are compared, wherein the authentication tag is verified if the test encrypted input checksum value and the encrypted input checksum value are the same.
12. The method of claim 9, wherein verifying the authentication mark comprises:
combining an authentication tag and the output checksum value to form a test encrypted input checksum value;
decrypting the test encrypted input checksum value to obtain a test input checksum value; and
comparing the test input checksum value with the input checksum value, wherein the authentication indicia is verified if the test input checksum value and the input checksum value are the same.
13. Apparatus for encrypting and authenticating data, the apparatus comprising:
at least one memory element; and
at least one processing element configured to execute a set of instructions stored in a memory element, the set of instructions for:
arranging the data into a plurality of plaintext blocks, and determining the size of each plaintext block according to the size of the cipher block;
specifying at least one cleartext position for which at least one ciphertext block may be identical to a corresponding plaintext block;
determining a plurality of noise blocks using the nonce value and the first key;
determining a plurality of intermediate ciphertext blocks, wherein the first intermediate ciphertext block corresponds to the encrypted nonce, iteratively calculating remaining intermediate ciphertexts by encrypting the plurality of intermediate plaintext blocks with a second key, wherein each intermediate plaintext block is a combination of one of the plurality of plaintext blocks and a previous intermediate ciphertext block;
determining a plurality of ciphertext blocks using a plurality of intermediate ciphertext blocks and the plurality of noise blocks, wherein the first ciphertext block is the same as the first intermediate ciphertext block, and deriving remaining ciphertext blocks by combining a respective intermediate ciphertext block with a respective noise block;
calculating an input checksum value based on the plurality of plaintext blocks and an intermediate ciphertext block corresponding to a previous plaintext block;
calculating an output checksum value based on the plurality of ciphertext blocks and a noise block;
calculating an authentication token by encrypting an input checksum value with the second key and combining the encrypted input checksum value and output checksum value;
replacing each of the plurality of ciphertext blocks specified by a cleartext position with a corresponding plaintext block; and
the authentication mark is attached.
14. Apparatus for encrypting and authenticating data, the apparatus comprising:
at least one memory element; and
at least one processing element configured to execute a set of instructions stored in a memory element, the set of instructions for:
determining a plurality of noise blocks using the nonce value and the first key;
combining each of a plurality of data blocks not specified by one of the set of cleartext positions with a corresponding noise block to determine a plurality of intermediate ciphertext blocks;
designating each of a plurality of blocks of data designated by one of the set of cleartext positions as a plaintext block of a plurality of plaintext blocks;
for each cleartext position in the set of cleartext positions, combining a corresponding plaintext block with a previous intermediate ciphertext block to form an intermediate plaintext block and encrypting the intermediate plaintext block to form an intermediate ciphertext block corresponding to the cleartext position;
for each position not in the set of cleartext positions, decrypting the corresponding intermediate ciphertext block to form an associated intermediate plaintext block, and combining the associated intermediate plaintext block with a previous intermediate ciphertext block to form a plaintext block for each position not in the set of cleartext positions;
determining a plurality of secondary ciphertext blocks, wherein each of the plurality of secondary ciphertext blocks corresponds to a cleartext position in the set of cleartext positions and is formed by combining a respective intermediate ciphertext block and a respective noise block;
calculating an input checksum value by combining the last intermediate ciphertext block with a plurality of data blocks not specified by a cleartext position in the set of cleartext positions;
calculating an output checksum value by combining the noise block and the plurality of secondary ciphertext blocks; and
verifying the authentication mark.
15. A method for encrypting and authenticating data as a single entity, the method comprising:
specifying a set of cleartext positions and a set of ciphertext positions, wherein the set of cleartext positions is used to indicate that a block in a cleartext position is unencrypted and the set of ciphertext positions is used to indicate that a block in a ciphertext position is encrypted;
if the data block is in a clear position, then:
setting a plaintext block equal to the data block;
differentiating the plaintext block from the previous intermediate ciphertext block to form an intermediate plaintext block;
encrypting the intermediate plaintext block to form an intermediate ciphertext block;
if the block of data is in the ciphertext position:
xoring the data block with a sequence corresponding to the data block from the set of sequences to form a respective intermediate ciphertext block;
decrypting the corresponding intermediate ciphertext block to form an intermediate plaintext block; and
the intermediate plaintext block is differed from the previous intermediate ciphertext block to form a plaintext block;
calculating an authentication mark using all the intermediate blocks;
computing a first ciphertext block using an authentication token, a first sequence from the set of sequences, and a last sequence from the set of sequences; and
and transmitting the ciphertext block and the authentication mark.
16. A method for secure data transmission, wherein a first portion of the data transmission is sent as plaintext, a second portion of the data transmission is sent as ciphertext, and all of the data transmission is authenticated, the method comprising:
generating a set of cleartext positions;
encrypting the first portion of the data transmission and the second portion of the data transmission as ciphertext, wherein the first portion of the data transmission is specified by the set of cleartext positions and the second portion of the data transmission is not associated with any one of the set of cleartext positions;
generating an input checksum value using a data transmission not associated with any of the set of cleartext positions;
generating an output checksum value using ciphertext of the data transmission of the first portion;
generating an authentication token using the input checksum value and the output checksum value; and
transmitting the plaintext, the ciphertext, and the authentication tag, wherein the plaintext is a first portion of a data transmission specified by the set of cleartext positions.
17. A method for decrypting and verifying a plurality of received transport blocks, the method comprising:
determining whether each of the plurality of received transport blocks is specified by a clear position from a set of clear positions;
decrypting a plurality of received transport blocks, said decrypting comprising:
if not specified by the cleartext position, generating a set of intermediate ciphertext blocks, decrypting the set of intermediate ciphertext blocks to generate a set of intermediate plaintext blocks, and generating a set of plaintext blocks;
if specified by the cleartext position, combining each of the plurality of received transmission blocks specified by the cleartext position with a previous intermediate ciphertext block to form an intermediate plaintext block, and encrypting the intermediate plaintext block to obtain an intermediate ciphertext block; and
authenticating a plurality of received transport blocks, the authenticating comprising:
forming an input checksum value using the set of plaintext blocks not specified by a cleartext position;
constructing an output checksum value using a set of secondary ciphertext blocks, wherein the secondary ciphertext blocks are derived from a set of intermediate ciphertext blocks that are not associated with a cleartext position; and
using the input checksum value and the output checksum value for comparison with the authentication token.
18. The method of claim 9, wherein the decrypting is performed in conjunction with the verifying.
19. Apparatus for encrypting and authenticating data, the apparatus comprising:
at least one memory element for storing a set of plaintext blocks;
at least one combining element for combining the input blocks;
at least one cryptographic element for performing cryptographic functions on the input;
at least one selection element for selecting a plaintext block or a ciphertext block for transmission at a specified location in a transport stream;
at least two checksum generators; and
at least one processing element, wherein the at least one processing element is for controlling the at least one memory element, the at least one combining element, the at least one encryption element, the at least two checksum generators, and the at least one selection element such that:
a first part of the at least one combining element is for combining the plaintext block with an intermediate ciphertext block of a previous stage to output an intermediate plaintext block, a first portion of the at least one cryptographic element is for generating an intermediate ciphertext block of a current stage from the intermediate plaintext block, a second part of the at least one combining element is for outputting a ciphertext block from combining the intermediate ciphertext block of the current stage with the noise block, said first checksum generator is for outputting a first checksum from a specified set of plaintext blocks, a second portion of the at least one encryption element is for encrypting said first checksum, the second checksum generator is for outputting a second checksum from a specified set of ciphertext blocks, and a third part of the at least one combining element is for combining the encrypted first checksum and the second checksum to form an authentication token.
20. A device for decrypting and verifying data, the device comprising:
at least one memory element for storing a set of data transfer blocks;
at least one combining element for combining the input blocks;
at least one cryptographic element for performing a first cryptographic function on an input;
at least one decryption element for performing a second cryptographic function on the input, wherein the second cryptographic function is the inverse of the first cryptographic function;
at least one switching element for selecting an output from the at least one cryptographic element or an output from the at least one combining element;
at least two checksum generators for generating an input checksum based on the specified plaintext block set and an output checksum based on the secondary ciphertext block set; and
at least one processing element, wherein the at least one processing element is for controlling the at least one memory element, the at least one combining element, the at least one cryptographic element, the at least one decryption element, the at least two checksum generators, and the at least one switching element such that:
a first part of the at least one combining element is for combining the data transmission block with a noise block to form a first intermediate ciphertext block, the at least one decryption element is for decrypting the first intermediate ciphertext block to form an intermediate plaintext block, a second part of the at least one combining element is for combining the intermediate plaintext block with an intermediate ciphertext block of a previous stage to form a plaintext block, a third part of the at least one combining element is for combining the data transmission block with an intermediate ciphertext block of a previous stage to form a second intermediate plaintext block, the at least one cryptographic element is for encrypting the second intermediate plaintext block to form a second intermediate ciphertext block, the at least one switching element is for selecting the first intermediate ciphertext block or the second intermediate ciphertext block, and a further part of the at least one combining element is for combining the noise block with the second intermediate ciphertext block to form a secondary ciphertext block.
21. Apparatus for secure data transmission, wherein a first portion of the data transmission is sent as plaintext, a second portion of the data transmission is sent as ciphertext, and all of the data transmission is authenticated, the apparatus comprising:
means for generating a set of cleartext positions;
means for encrypting the first portion of the data transmission and the second portion of the data transmission into ciphertext, wherein the first portion of the data transmission is specified by the set of cleartext positions and the second portion of the data transmission is not associated with any of the set of cleartext positions;
means for generating an input checksum value using a data transmission not associated with any of the set of cleartext positions;
means for generating an output checksum value using ciphertext of the data transmission of the first portion;
means for generating an authentication tag using the input checksum value and the output checksum value; and
means for transmitting the plaintext, the ciphertext, and the authentication tag, wherein the plaintext is a first portion of a data transmission specified by the set of cleartext positions.
22. A device for decrypting and verifying a plurality of received transport blocks, the device comprising:
means for determining whether each of the plurality of received transport blocks is specified by a clear position from a set of clear positions;
means for decrypting a plurality of received transport blocks, said decrypting comprising:
if not specified by the cleartext position, generating a set of intermediate ciphertext blocks, decrypting the set of intermediate ciphertext blocks to generate a set of intermediate plaintext blocks, and generating a set of plaintext blocks;
if specified by the cleartext position, combining each of the plurality of received transmission blocks specified by the cleartext position with a previous intermediate ciphertext block to form an intermediate plaintext block, and encrypting the intermediate plaintext block to obtain an intermediate ciphertext block; and
means for authenticating a plurality of received transport blocks by: forming an input checksum value using the set of plaintext blocks not specified by the cleartext position, and forming an output checksum value using a set of secondary ciphertext blocks, wherein the secondary ciphertext blocks are derived from a set of intermediate ciphertext blocks that are not associated with the cleartext position; and using the input checksum value and the output checksum value for comparison with the authentication token.
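The block chain that claims 19 and 20 describe, together with the cleartext-position handling of claims 17, 21 and 22, as an added Go example that is not part of the patent or of any product implementing it. It assumes AES-128 as the block cipher, 16-byte blocks, XOR as the checksum function, noise blocks derived as E_K(nonce||i) with block 0 serving as the chain IV, and follows claims 20 and 21 in building the output checksum from the secondary ciphertext blocks of the positions sent in the clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
)

func xor(a, b []byte) []byte {
	o := make([]byte, aes.BlockSize)
	for i := range o { o[i] = a[i] ^ b[i] }
	return o
}
func enc(blk cipher.Block, in []byte) []byte { o := make([]byte, aes.BlockSize); blk.Encrypt(o, in); return o }
func dec(blk cipher.Block, in []byte) []byte { o := make([]byte, aes.BlockSize); blk.Decrypt(o, in); return o }
// noise block i = E_K(nonce||i), nonce <= 15 bytes (assumed; the claims leave it open). Block 0 is the chain IV.
func noise(blk cipher.Block, nonce []byte, i int) []byte {
	in := make([]byte, aes.BlockSize)
	copy(in, nonce)
	in[aes.BlockSize-1] = byte(i)
	return enc(blk, in)
}
// run walks the chain of claims 19/20: decrypt=false maps plaintext to the transmission, decrypt=true the reverse.
func run(key, nonce []byte, in [][]byte, clear map[int]bool, decrypt bool) ([][]byte, []byte) {
	blk, _ := aes.NewCipher(key) // 16-byte key assumed; error ignored for brevity
	prev, sIn, sOut := noise(blk, nonce, 0), make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	out := make([][]byte, len(in)) // sIn/sOut: input and output checksums as XOR sums (assumed)
	for i, b := range in {
		n, cur := noise(blk, nonce, i+1), []byte(nil) // cur: intermediate ciphertext of this stage
		switch {
		case clear[i]: // sent in clear, re-encrypted on both sides; its unsent ciphertext feeds sOut
			cur = enc(blk, xor(b, prev))
			sOut, out[i] = xor(sOut, xor(cur, n)), b
		case decrypt: // transmission block -> intermediate ciphertext -> plaintext, which feeds sIn
			cur = xor(b, n)
			out[i] = xor(dec(blk, cur), prev)
			sIn = xor(sIn, out[i])
		default: // plaintext (feeds sIn) -> intermediate ciphertext -> transmission block
			cur = enc(blk, xor(b, prev))
			sIn, out[i] = xor(sIn, b), xor(cur, n)
		}
		prev = cur
	}
	return out, xor(enc(blk, sIn), sOut) // tag = E_K(input checksum) XOR output checksum
}

// Verify recomputes the tag from the received blocks and compares it in constant time.
func Verify(key, nonce []byte, tx [][]byte, clear map[int]bool, tag []byte) ([][]byte, bool) {
	pt, want := run(key, nonce, tx, clear, true)
	return pt, subtle.ConstantTimeCompare(want, tag) == 1
}
```

A block sent in the clear is still authenticated: altering it changes the re-encrypted intermediate ciphertext, every later stage of the chain, and the output checksum, so the recomputed tag no longer matches.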
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US10/205,132 | 2002-07-24 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1081019A (en) | 2006-05-04 |