
HK1099147A - Method and apparatus for cryptographically processing data - Google Patents

Info

Publication number: HK1099147A
Authority: HK (Hong Kong)
Prior art keywords: data, predetermined portion, encryption, encrypted, data segment
Application number: HK07105270.3A
Other languages: Chinese (zh)
Inventor: 尚志渡边
Original Assignee: Ivi斯马特技术公司
Application filed by Ivi斯马特技术公司
Publication of HK1099147A

Description

Method and apparatus for cryptographically processing data
Technical Field
The present invention relates to cryptography and cryptosystems. More particularly, the present invention relates to a method and apparatus for cryptographically processing data comprising a plurality of data segments.
Background
Various encryption methods and cryptosystems are currently used in many fields. For example, there are symmetric cryptosystems and asymmetric cryptosystems. Symmetric cryptography, also known as secret-key cryptography, uses a single key (a secret key) to both encrypt and decrypt information. Asymmetric cryptography, also known as public-key cryptography, uses a pair of keys: one (the public key) to encrypt data and the other (the private key) to decrypt it. Currently available encryption algorithms include, for example: the Data Encryption Standard (DES), a symmetric block cipher using a single 56-bit key; triple DES, a more secure form of DES using 168-bit keys; the International Data Encryption Algorithm (IDEA), a block-mode secret-key algorithm using a 128-bit key; RC4, a widely used symmetric-key algorithm; and the Advanced Encryption Standard (AES), which provides a stronger encryption scheme with three candidate key lengths of 128, 192, or 256 bits.
Many companies employ symmetric cryptosystems for secure communications, using a predetermined encryption algorithm with a fixed secret key, such as triple DES or AES. With the continued development of computer-based technologies, security methods that previously appeared unbreakable have become easier to defeat; for example, DES with its 56-bit key is no longer considered able to protect against brute-force attacks. Long-term use of the same encryption algorithm and the same secret key for communication may increase the risk of brute-force attacks on the cryptosystem. However, it is often very costly to change the encryption algorithm and/or secret key once a cryptosystem has been deployed, since doing so requires some form of key exchange to be carried out in person, by courier or the like, between all entities using the cryptosystem, and any change in the algorithm must also be synchronized among those entities. Fixed algorithm/key cryptosystems also lack compatibility with other cryptosystems that use different encryption algorithms and/or different secret keys.
Accordingly, it would be desirable to provide a cryptographic scheme for implementing secure communications and transactions that is less vulnerable to brute-force and other attacks and that also offers high flexibility and compatibility.
Disclosure of Invention
A method and apparatus cryptographically process data comprising a plurality of data segments. The cryptographic process includes (a) receiving a plurality of data segments, (b) selecting, for each data segment, a set of encryption information in accordance with data contained in a predetermined portion of the data segment to be encrypted, and (c) encrypting, for each data segment, using the set of encryption information selected for the data segment. At least one of an encryption algorithm, an encryption key, and an encryption parameter may be changed for each data segment according to data contained in the predetermined portion. The predetermined portion may comprise a first predetermined portion for selecting a first set of cryptographic information and a second predetermined portion for selecting a second set of cryptographic information, the cryptographic information comprising a cryptographic algorithm, a cryptographic key and optionally also cryptographic parameters.
In accordance with one aspect of the present invention, a method for encrypting data includes (a) receiving a plurality of data segments, (b1) selecting a first set of encryption information for each data segment based on data contained in a first predetermined portion of the data segment, (b2) selecting a second set of encryption information for each data segment based on data contained in a second predetermined portion of the data segment, (c1) encrypting the second predetermined portion of each data segment using the first set of encryption information selected for the data segment, (c2) encrypting the remaining portion of each data segment using the second set of encryption information selected for the data segment, and (d) generating an encrypted data segment for each original data segment, the encrypted data segment having a first predetermined portion, a second predetermined portion, and a remaining portion, the first predetermined portion containing the original data of the corresponding first predetermined portion of the original data segment, the second predetermined portion containing encrypted data of the corresponding second predetermined portion of the original data segment, and the remaining portion containing encrypted data of the corresponding remaining portion of the original data segment.
In accordance with one aspect of the present invention, a method for decrypting data includes (a) receiving encrypted data comprising a plurality of encrypted data segments, each encrypted data segment having a first predetermined portion, a second predetermined portion, and a remainder, the first predetermined portion containing the original data of the respective first predetermined portion of the original data segment, the second predetermined portion containing encrypted data of the respective second predetermined portion of the original data segment, and the remainder containing encrypted data of the respective remainder of the original data segment, (b1) selecting a first set of encryption information for each encrypted data segment based on the original data contained in the first predetermined portion of the encrypted data segment, (c1) decrypting the encrypted data contained in the second predetermined portion of each encrypted data segment using the first set of encryption information selected for the encrypted data segment, (b2) selecting a second set of encryption information for each encrypted data segment based on the decrypted data of the second predetermined portion, and (c2) decrypting the remainder of each encrypted data segment using the second set of encryption information selected for that encrypted data segment.
In accordance with one aspect of the present invention, an apparatus for cryptographically processing data comprises (a) means for receiving a plurality of data segments, (b) means for selecting, for each data segment, a set of encryption information in dependence on data contained in a predetermined portion of the data segment to be encrypted, and (c) means for encrypting, for each data segment, using the set of encryption information selected for that data segment. The means for selecting may change at least one of an encryption algorithm, an encryption key, and an encryption parameter of each data segment according to the data contained in the predetermined portion.
According to one aspect of the invention, the means for selecting comprises (e) means for generating, for each data segment, a value from the data contained in the predetermined portion of the data segment, and (f) means for selecting a set of cryptographic information associated with the generated value, the set of cryptographic information comprising a cryptographic algorithm, a cryptographic key and optionally a cryptographic parameter. The means for generating a value may comprise means for hashing the data contained in the predetermined portion using a hash key.
In accordance with an aspect of the invention, the apparatus may further include means for providing an encryption table containing, for each entry associated with the generated value, an encryption type identifier, an encryption key for that encryption type, and an encryption parameter.
According to one aspect of the invention, the predetermined portions include a first predetermined portion for selecting a first set of cryptographic information and a second predetermined portion for selecting a second set of cryptographic information. Each set of encryption information includes an encryption algorithm, an encryption key, and optionally also encryption parameters.
According to an aspect of the invention, the apparatus may further comprise means for encrypting the second predetermined portion using the first set of encryption information and means for encrypting the remaining portion of the segment of data using the second set of encryption information.
According to an aspect of the invention, the apparatus may further comprise means for generating for each original data segment an encrypted data segment having a first predetermined portion containing original data in a corresponding first predetermined portion of the original data segment, a second predetermined portion containing encrypted data of a corresponding second predetermined portion of the original data segment, and a remaining portion containing encrypted data of a corresponding remaining portion of the original data segment.
According to an aspect of the invention, the apparatus may further comprise means for transmitting the plurality of encrypted data segments as an encrypted data stream. The apparatus may further include means for storing a plurality of encrypted data segments on a data storage device, each encrypted data segment corresponding to a respective data sector of the data storage device.
In accordance with one aspect of the present invention, the apparatus may further include (a) means for receiving encrypted data comprising a plurality of encrypted data segments, (b1) means for selecting, for each encrypted data segment, a first set of encryption information based on data contained in a first predetermined portion of the encrypted data segment, (c1) means for decrypting encrypted data contained in a second predetermined portion of each encrypted data segment using the first set of encryption information selected for the encrypted data segment, (b2) means for selecting, for each encrypted data segment, a second set of encryption information based on the decrypted data of the second predetermined portion, and (c2) means for decrypting the remaining portion of each encrypted data segment using the second set of encryption information selected for the encrypted data segment.
In accordance with one aspect of the present invention, the means for selecting the first encryption information may include means for generating the first value based on original data contained in the first predetermined portion of the encrypted data segment. The means for generating the first value may include means for hashing data contained in the first predetermined portion using a first hash key.
In accordance with one aspect of the invention, the means for selecting the second encryption information may include means for generating a second value based on the decrypted data in the second predetermined portion of the encrypted data segment. The means for generating the second value may comprise means for hashing the decrypted data in the second predetermined portion using a second hash key.
In accordance with one aspect of the present invention, an apparatus for decrypting data includes (a) means for receiving a plurality of encrypted data segments, each encrypted data segment having a predetermined portion, (b) means for selecting, for each encrypted data segment, a set of encryption information based on data contained in the predetermined portion of the encrypted data segment, and (c) means for decrypting each encrypted data segment using the encryption information selected for the encrypted data segment.
According to one aspect of the invention, the means for selecting may comprise means for generating a value for each encrypted data segment from data contained in a predetermined portion of the encrypted data segment, and means for selecting an encryption information set associated with the generated value, the encryption information set comprising an encryption algorithm, an encryption key and optionally an encryption parameter. The means for generating the value may comprise means for hashing the data contained in the predetermined portion using a hash key.
In accordance with an aspect of the invention, the apparatus may further comprise means for providing an encryption type identifier associated with the generated value, an encryption key for the encryption type, and an encryption parameter.
In accordance with one aspect of the invention, the predetermined portion may include a first predetermined portion for selecting the first set of cryptographic information and a second predetermined portion for selecting the second set of cryptographic information. Each set of encryption information may include an encryption algorithm, an encryption key, and optionally also encryption parameters.
In accordance with one aspect of the invention, the first predetermined portion contains data for a first protocol layer and the second predetermined portion contains data for a second protocol layer, wherein the first protocol layer is lower than the second protocol layer. The first predetermined portion may be an Internet Protocol (IP) header of the data packet. The second predetermined portion may be a selected data field portion, a Transmission Control Protocol (TCP) header or a User Datagram Protocol (UDP) header of the data packet.
According to one aspect of the invention, the first predetermined portion is a first selected portion in a sector of the data storage device and the second predetermined portion is a second selected portion in the sector.
In accordance with one aspect of the invention, data contained in a second predetermined portion of the encrypted data segment has been encrypted using the first set of encryption information, and data contained in the remaining portion of the encrypted data segment has been encrypted using the second set of encryption information.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more embodiments of the invention and, together with the description, serve to explain the principles and implementations of the invention.
In the drawings:
Fig. 1A is a block diagram schematically illustrating an encryption portion of an apparatus for encrypting/decrypting data according to one embodiment of the present invention.
Fig. 1B is a block diagram schematically illustrating a decryption portion of an apparatus for encrypting/decrypting data according to one embodiment of the present invention.
Fig. 2 is a chart schematically illustrating an example of an encryption table according to one embodiment of the present invention.
Fig. 3 is a process flow diagram schematically illustrating a method of encrypting/decrypting data in accordance with one embodiment of the present invention.
Fig. 4 is a diagram schematically illustrating an example of a data packet, wherein the first predetermined portion is an Internet Protocol (IP) header and the second predetermined portion is a Transmission Control Protocol (TCP) header.
Fig. 5 is a diagram schematically illustrating an example of a data packet, wherein the first predetermined portion is an Internet Protocol (IP) header and the second predetermined portion is a User Datagram Protocol (UDP) header.
Fig. 6 is a diagram schematically illustrating an example of a data packet, wherein the first predetermined portion is an Internet Protocol (IP) header and the second predetermined portion is a selected data field portion.
Fig. 7 is a diagram schematically illustrating an example of first and second predetermined portions in a sector of a data storage device.
Fig. 8 is a diagram schematically illustrating an example of first and second predetermined portions of a data segment stored in a memory card, wherein the data segment corresponds to the data stored at each address.
Fig. 9 is a process flow diagram schematically illustrating a method of encrypting data in accordance with one embodiment of the invention, wherein the predetermined portion includes a first predetermined portion and a second predetermined portion.
Fig. 10 is a diagram schematically illustrating an example of encrypting a data packet using the method shown in Fig. 9.
Fig. 11 is a process flow diagram schematically illustrating a method of decrypting encrypted data in accordance with one embodiment of the invention, wherein the predetermined portion comprises a first predetermined portion and a second predetermined portion.
Fig. 12 is a diagram schematically illustrating an example of decrypting a data packet using the method shown in Fig. 11.
Fig. 13 is a block diagram schematically illustrating a data encryptor/decryptor in accordance with one embodiment of the present invention.
Fig. 14 is a diagram schematically illustrating an example of applying an encryption/decryption device to secure communication via the internet according to one embodiment of the present invention.
Detailed Description
Embodiments of the invention are described herein in the context of methods and apparatus for encrypting and decrypting data comprising a plurality of data segments. Those of ordinary skill in the art will realize that the following detailed description of the present invention is illustrative only and is not intended to be in any way limiting. Other embodiments of the invention will be apparent to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the present invention as illustrated in the accompanying drawings. The same reference numbers will be used throughout the drawings and the following detailed description to refer to the same or like parts.
In the interest of clarity, not all of the routine features of the implementations are shown and described herein. It will of course be appreciated that in the development of any such actual implementation, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, such as compliance with application-and business-related constraints, and that these specific goals will vary from one implementation to another and from one developer to another. Moreover, it should be appreciated that such a development effort might be complex and time consuming, but would nevertheless be a routine undertaking of design for those of ordinary skill in the art having the benefit of this disclosure.
In accordance with one embodiment of the present invention, components, process steps, and/or data structures may be implemented using various types of hardwired devices, Field Programmable Logic Devices (FPLDs) including Field Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs), Application Specific Integrated Circuits (ASICs), or the like, and may be used without departing from the scope and spirit of the inventive principles disclosed herein.
Within the scope of the present invention, the term "network" includes local area networks (LANs), wide area networks (WANs), the internet, cable television systems, telephone systems, wireless telecommunications systems, fiber optic networks, ATM networks, frame relay networks, satellite communications systems, and the like. These networks are well known in the art and are not further described herein.
Fig. 1A schematically illustrates an apparatus 10 for encrypting/decrypting data according to one embodiment of the invention. As shown in fig. 1A, the apparatus 10 includes an input buffer 12, an encryption module 14, a controller 16 coupled to the input buffer 12 and the encryption module 14, and an output buffer 18 coupled to the controller 16 and the encryption module 14. The input buffer 12 is adapted to receive data comprising a plurality of data segments. Such data may be, for example, a data stream comprising a plurality of data packets. The data segments may also be read from corresponding sectors of a recording medium or data storage device, such as a hard disk, CD ROM, DVD, memory card, etc. The encryption module 14 is adapted to encrypt each data segment. The output buffer 18 buffers the encrypted data segment from the encryption module 14 and outputs encrypted data including a plurality of encrypted data segments.
For example, as shown in FIG. 1A, the device 10 may be used between a Universal Serial Bus (USB) port 11 and an Ethernet port 13, in which case the host computer communicates via a LAN. The device 10 may also be used for secure communications via a WAN, the internet, a wireless network, etc. Further, the device 10 may be used with Small Computer System Interface (SCSI), intelligent/Integrated Drive Electronics (IDE) interface, enhanced IDE interface, etc. to store secure data in a mass storage device. The device may also be used for other types of digital data transfer.
The controller 16 is adapted to select, for each data segment, a set of encryption information in dependence on the data contained in the predetermined portion of the data segment to be encrypted. For example, the encryption information includes an encryption algorithm, an encryption key, and encryption parameters such as an initial vector. The encryption parameters may be used to set or initialize the encryption process to a particular state. Since the encryption information is selected based on the data in a particular portion of the data segment to be encrypted, at least one of the encryption algorithm, encryption key, and encryption parameters typically changes from one data segment to the next. In other words, the encryption information is "self-determined" in that, for each data segment, the data contained in the data segment itself is used to select it. The predetermined portion of the data segment may be the header of each data packet, or a selected portion of the data field of the data packet, such as a predetermined data length starting a predetermined number of bytes from the beginning of the data field. The predetermined portion may also be a selected portion of a sector in the data storage device, the sector number or address field of each sector in the data storage device, or the like.
The encryption module 14 includes a plurality of encryption engines 20 (20a, 20b, 20c, ...), each encryption engine 20 corresponding to an encryption algorithm that may be selected by the controller 16. The encryption module 14 may also include a data buffer 22 coupled to each of the plurality of encryption engines 20.
In accordance with one embodiment of the present invention, as shown in FIG. 1A, the controller 16 includes a data selector 24, an encryption selector 26 coupled to the data selector 24, and an encryption controller 28. The data selector 24 is adapted to select a predetermined portion from each data segment. The encryption selector 26 is adapted to select the set of encryption information in accordance with the data contained in the predetermined portion selected by the data selector 24. The set of encryption information comprises, for example, an encryption algorithm, an encryption key and optionally also encryption parameters. The encryption controller 28 is adapted to select and activate one of the encryption engines 20 based on the encryption information. For example, if encryption algorithm a is selected by the encryption selector 26, the encryption controller 28 selects the corresponding encryption engine (a)20a and uses the encryption parameters to activate or initialize the encryption engine 20 a. The data is encrypted by the encryption engine 20a using the selected key. It should be noted that different keys and/or different encryption parameters may result in different encrypted data even if the same encryption algorithm and thus the same encryption engine are used.
The controller 16 further includes a value generator 30 coupled to the data selector 24, in accordance with one embodiment of the present invention. The value generator is adapted to generate a value based on the data contained in the predetermined portion. For example, the value generator 30 may include a hash function and hash the data using a hash key to generate the value. The hash key may be preset in the value generator 30 or may be selected when the controller 16 is first programmed.
According to one embodiment of the invention, the encryption selector 26 includes an encryption table 32. The encryption table 32 contains, for each entry associated with a value generated by the value generator 30, an encryption type identifier, an encryption key for that encryption type, and encryption parameters such as an initial vector that specifies the initial encryption state of the encryption engine. Fig. 2 schematically illustrates an example of the encryption table 32. As shown in Fig. 2, each entry of the encryption table 32 has an index, e.g., a hash value, corresponding to the generated value, and a corresponding set consisting of the encryption algorithm (encryption type), the key used for that encryption algorithm, and the initial vector (encryption parameters). The number of entries depends on the range of the value generated from the predetermined portion. In one embodiment of the present invention, the encryption table has approximately 1000 entries. Typically, different index values are derived from the predetermined portions of different data segments, and thus each data segment is encrypted using different encryption information.
The above description concerns the encryption portion of the device 10. Fig. 1B schematically illustrates a corresponding decryption portion 10' of the device 10 according to one embodiment of the invention. As shown in Fig. 1B, the decryption portion 10' may be constructed symmetrically to the encryption portion of the device 10 (Fig. 1A), including decryption engines 20a', 20b', and 20c' instead of the encryption engines 20a, 20b, and 20c, as will be well understood by those of ordinary skill in the art without further explanation.
Fig. 3 schematically illustrates a method for encrypting/decrypting data, in accordance with one embodiment of the present invention. The method may be performed by the encryption/decryption device 10. The plurality of data segments is received, for example, by receiving a data stream comprising a plurality of data packets or reading from a data storage device comprising a plurality of data sectors or addresses. The received data segments may be buffered by an input buffer. The data segments are encrypted segment by segment. As shown in fig. 3, each data segment is received (100), and a predetermined portion of each data segment is selected (102), and an encryption information set is selected (104) based on data contained in the predetermined portion of the data segment to be encrypted. The data segment (106) is encrypted using the selected set of encryption information. The next data segment is processed in the same manner until all data segments in the input buffer are processed (108). As described above, the encryption information set may include an encryption algorithm, an encryption key, and optionally an encryption parameter, and at least one of the encryption algorithm, the encryption key, and the encryption parameter is typically changed for each data segment according to data contained in the predetermined portion.
As described above, in the selection of the encryption information, a value (such as a hash value) may be generated from data contained in a predetermined portion of the data segment, and the generated value may be used to select the encryption information set. The set of encryption information may be provided in the form of an encryption table such as the encryption table 32 (FIG. 2) described above.
According to one embodiment of the invention, the predetermined portion comprises a first predetermined portion and a second predetermined portion. In case the data segment is a data packet, the first predetermined portion may contain data for a first protocol layer and the second predetermined portion may contain data for a second protocol layer, said second protocol layer being higher in the protocol hierarchy than said first protocol layer. The first protocol layer may be a network layer (or an internet layer) and the second protocol layer may be a transport layer.
Fig. 4 schematically illustrates an example of a data packet 34, wherein the first predetermined portion is an Internet Protocol (IP) header 36 and the second predetermined portion is a Transmission Control Protocol (TCP) header 38 of the data packet 34. Fig. 5 schematically illustrates an example of a data packet 40, wherein the first predetermined portion is an Internet Protocol (IP) header 36 and the second predetermined portion is a User Datagram Protocol (UDP) header 42 of the data packet 40. It should be noted that although the IP header 36, TCP header 38, and subsequent TCP data field 44 are illustrated separately in Fig. 4, they are contiguous in the data packet 34. Similarly, although the IP header 36, UDP header 42, and subsequent UDP data field 46 are illustrated separately in Fig. 5, they are contiguous in the data packet 40. In addition, the information illustrated in each header is by way of example only and is not limiting in any way. All of the information in the header may be used to derive the (hash) value, or certain portions of that information may be selected to produce the value.
According to an embodiment of the invention, the second predetermined portion is not limited to a TCP or UDP header, but may be selected from the data field. Fig. 6 schematically illustrates an example of a data packet 48, wherein the first predetermined portion is an Internet Protocol (IP) header 36 and the second predetermined portion is a selected portion 52 (52a, 52b, and 52c) of the data field 50 of the data packet 48. As shown in Fig. 6, the selected portion 52 may be divided and distributed within the data field 50, each part being specified by an offset of a predetermined number of bytes from the beginning of the data field 50 and a predetermined data length. A single contiguous portion may also be selected.
According to one embodiment of the invention, the data segments may be sectors of a data storage device, such as a hard disk, CD ROM, DVD, memory card, or other mass storage device. In this case, the first predetermined portion is a first selected portion in a sector of the data storage device and the second predetermined portion is a second selected portion in the same sector. Fig. 7 schematically illustrates such an example. In Fig. 7, the first predetermined portion is a first selected portion 56 in a sector 54 of the data storage device and the second predetermined portion is a second selected portion 58 (58a, 58b) in said sector 54. Fig. 8 schematically illustrates an example of a memory card in which a data segment corresponds to the data stored at each address. In this case, the data may be encrypted on an address-by-address basis, the first predetermined portion being a first selected portion 62 (62a, 62b) of the data at memory address 60 and the second predetermined portion being a second selected portion 64 of the data at said address 60. As shown in Figs. 7 and 8, the first and/or second predetermined portions may be divided and distributed within the sector or the data at the memory address, or may each be a single portion.
Fig. 9 schematically illustrates a method for encrypting data according to one embodiment of the invention, wherein the predetermined portion comprises a first predetermined portion and a second predetermined portion as described above. Fig. 10 schematically illustrates an example of encrypting a data packet 70 using the method shown in fig. 9, wherein the data packet 70 comprises a first predetermined portion 72, such as an IP header, and a second predetermined portion 74, such as a TCP header or a selected data field portion.
As shown in fig. 9, a first predetermined portion and a second predetermined portion are selected (112, 114) for each data segment received (110). Referring also to fig. 10, the first encryption information 78 is selected (116) based on the data contained in the first predetermined portion 72. As described above, the selection 116 may include, for example, deriving a hash value from the first predetermined portion 72 and selecting the first encryption information using an encryption table that associates the hash value with a respective set of encryption information. Similarly, the second encryption information 79 is selected (118) according to the data contained in the second predetermined portion 74. The selection 118 may, for example, comprise deriving a hash value from the second predetermined portion 74 and selecting the second encryption information using an encryption table that associates the hash value with the respective set of encryption information. The selection processes 116 and 118 may be provided with respective hash keys and respective encryption tables. For example, the controller 16 (fig. 1) of the encryption/decryption device 10 may include a first set of hash keys and encryption tables for the first predetermined portion, and a second set of hash keys and encryption tables for the second predetermined portion.
The second predetermined portion 74 is then encrypted (120) using the first encryption information 78, and the remaining portion 76 of the data segment is encrypted (122) using the second encryption information 79. The remaining portion 76 is all of the data in the data segment other than the first and second predetermined portions. As shown in fig. 10, a first predetermined portion 82 containing the original data (also referred to as "plaintext"), a second predetermined portion 84 containing encrypted data (also referred to as "ciphertext"), and a remaining portion 86 containing encrypted data are combined (124) to produce an encrypted data segment (packet) 80 corresponding to the original data segment (packet) 70. For example, referring to fig. 1, the second predetermined portion may be encrypted using encryption engine 20a and the remaining portion encrypted using encryption engine 20b, and the respective encrypted data combined with the first predetermined portion into an encrypted data segment in the data buffer 22 and sent to the output buffer 18.
The processes 110 through 124 are repeated until all data segments are encrypted (126). It should be noted that the selection and encryption processes are controlled such that the second encryption information 79 is selected before the data contained in the second predetermined portion 74 is encrypted, and such that the plaintext of the first predetermined portion 82, the ciphertext of the second predetermined portion 84, and the ciphertext of the remaining portion 86 are transmitted to the data buffer 22 in this order.
For secure data communication, the encrypted data segments may be sent as an encrypted data stream or may be stored on a data storage device, for example, to prevent sensitive or protected information from being read by unauthorized persons.
Fig. 11 schematically illustrates a method for decrypting encrypted data, wherein the predetermined portion comprises a first predetermined portion and a second predetermined portion, in accordance with an embodiment of the invention. Fig. 12 schematically illustrates an example for decrypting an encrypted data packet 80 using the method shown in fig. 11, wherein the encrypted data packet 80 comprises a first predetermined portion 82, such as an IP header, and a second predetermined portion 84, such as a TCP header or a selected data field portion. As described above, the first predetermined portion 82 contains plaintext and the second predetermined portion and remaining portion 86 contain ciphertext.
As shown in fig. 11, a first predetermined portion and a second predetermined portion are selected (132, 134) for each encrypted data segment received (130). The encrypted data segment may be received as an encrypted data stream in a secure communication or may be read from a data storage device. Referring also to fig. 12, the first encryption information 88 is selected (136) based on the data contained in the first predetermined portion 82. As in the encryption process described above, the selection 136 may include, for example, deriving a hash value from the first predetermined portion 82 and selecting the first encryption information using an encryption table that associates the hash value with a respective set of encryption information. Since the first predetermined portion contains plaintext, the first encryption information 88 selected here is identical to the first encryption information 78 that was selected for the original data segment.
The second predetermined portion 84 containing the ciphertext is then decrypted (138) using the first encryption information 88. The second encryption information 89 is selected (140) according to the decrypted data 85 of the second predetermined portion 84. The selection 140 may, for example, comprise deriving a hash value from the decrypted data 85 and selecting the second encryption information 89 using an encryption table that associates the hash value with the respective set of encryption information. A respective hash key and a respective encryption table may be provided for each of the selection processes 136 and 140.
The remaining portion 86 of the data segment is then decrypted (142) using the second encryption information 89. The remaining portion 86 is all of the data in the data segment other than the first and second predetermined portions. The first predetermined portion 92, the second predetermined portion 94 and the remaining portion 96 are combined (144) to produce the decrypted data segment (packet) 90, which is identical to the original data segment (packet) 70. The processes 130 through 144 are repeated until all of the encrypted data segments are decrypted (146).
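The two-level procedure of figs. 9 to 12 (select first encryption information from the plaintext first portion, encrypt the second portion with it, select second encryption information from the plaintext second portion, encrypt the remainder with it, and the reverse order on decryption) as an added, constructed example that is not code from the patent. The keyed-hash selection, the HMAC-based stand-in "engines", the tables, the hash keys and the sample packet are all assumptions; portions are given as lists of (offset, length) ranges so the same code also covers the distributed selections of figs. 6 to 8.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[int, int]  # (offset, length) within a data segment


@dataclass(frozen=True)
class EncryptionInfo:
    """One encryption-table entry: type identifier, key and parameter."""
    algorithm: str
    key: bytes
    param: bytes  # used here as an IV


# Hypothetical engines standing in for the ciphers the patent names (DES, AES, ...):
# keystream = HMAC(key, param || counter) XORed over the data; one call encrypts and decrypts.
ENGINES = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}


def run_engine(info: EncryptionInfo, data: bytes) -> bytes:
    digest, stream, counter = ENGINES[info.algorithm], b"", 0
    while len(stream) < len(data):
        stream += hmac.new(info.key, info.param + counter.to_bytes(4, "big"), digest).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def gather(segment: bytes, ranges: List[Range]) -> bytes:
    """Concatenate the selected, possibly distributed, byte ranges (fig. 6)."""
    return b"".join(segment[off:off + ln] for off, ln in ranges)


def scatter(segment: bytearray, ranges: List[Range], data: bytes) -> None:
    """Write processed bytes back into the same ranges, in order."""
    pos = 0
    for off, ln in ranges:
        segment[off:off + ln] = data[pos:pos + ln]
        pos += ln


def remainder_ranges(length: int, *selected: List[Range]) -> List[Range]:
    """Every byte not inside a selected range belongs to the remaining portion."""
    taken = [False] * length
    for ranges in selected:
        for off, ln in ranges:
            taken[off:off + ln] = [True] * ln
    out, i = [], 0
    while i < length:
        if taken[i]:
            i += 1
            continue
        start = i
        while i < length and not taken[i]:
            i += 1
        out.append((start, i - start))
    return out


def select_info(hash_key: bytes, table: List[EncryptionInfo], portion: bytes) -> EncryptionInfo:
    """Derive a value from the portion with a keyed hash, then look it up in the table."""
    value = int.from_bytes(hmac.new(hash_key, portion, hashlib.sha256).digest()[:4], "big")
    return table[value % len(table)]


@dataclass
class Device:
    """An encryption/decryption device programmed with its portions, hash keys and tables."""
    first: List[Range]    # first predetermined portion, stays plaintext (e.g. IP header)
    second: List[Range]   # second predetermined portion (e.g. TCP header or data-field bytes)
    hash_key1: bytes
    table1: List[EncryptionInfo]
    hash_key2: bytes
    table2: List[EncryptionInfo]

    def encrypt(self, segment: bytes) -> bytes:
        rest = remainder_ranges(len(segment), self.first, self.second)
        info1 = select_info(self.hash_key1, self.table1, gather(segment, self.first))
        info2 = select_info(self.hash_key2, self.table2, gather(segment, self.second))  # from plaintext
        out = bytearray(segment)
        scatter(out, self.second, run_engine(info1, gather(segment, self.second)))
        scatter(out, rest, run_engine(info2, gather(segment, rest)))
        return bytes(out)

    def decrypt(self, encrypted: bytes) -> bytes:
        rest = remainder_ranges(len(encrypted), self.first, self.second)
        info1 = select_info(self.hash_key1, self.table1, gather(encrypted, self.first))
        second = run_engine(info1, gather(encrypted, self.second))        # must come first
        info2 = select_info(self.hash_key2, self.table2, second)          # from decrypted bytes
        out = bytearray(encrypted)
        scatter(out, self.second, second)
        scatter(out, rest, run_engine(info2, gather(encrypted, rest)))
        return bytes(out)


# Constructed settings shared by identically programmed devices (fig. 14).
TABLE1 = [EncryptionInfo("hmac-sha256", b"k1-" + bytes([i]) * 13, bytes([i]) * 8) for i in range(4)]
TABLE2 = [EncryptionInfo("hmac-sha1", b"k2-" + bytes([i]) * 13, bytes([0xA0 + i]) * 8) for i in range(4)]
IP_TCP = dict(first=[(0, 20)], second=[(20, 20)], hash_key1=b"hash-key-1", table1=TABLE1,
              hash_key2=b"hash-key-2", table2=TABLE2)
# Constructed packet: 20-byte IPv4 header, 20-byte TCP header, then payload.
PACKET = (bytes.fromhex("45000034" "00004000" "4006000a" "c0a80001" "c0a80002")
          + bytes.fromhex("c3500050" "00000001" "00000000" "50020000" "00000000")
          + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    dev = Device(**IP_TCP)
    enc = dev.encrypt(PACKET)
    print("IP header unchanged:", enc[:20] == PACKET[:20])
    print("round trip ok:", dev.decrypt(enc) == PACKET)
```

Because every selection is derived from the segment's own content, a receiving device with the same hash keys and tables recovers the same encryption information without any synchronization, which is the property the description relies on.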
Fig. 13 schematically illustrates a data encryptor/decryptor 150 in accordance with one embodiment of the present invention. As shown in fig. 13, the data encryptor/decryptor includes a transmitting section 152 and a receiving section 162. The transmitting section 152 includes a first timing analyzer 154, an encryption module (T) 156, and a first data buffer 158. Similarly, the receiving section 162 includes a second timing analyzer 164, a decryption module (R) 166, and a second data buffer 168. The encryption module 156 may be the encryption portion (encryption module 14 and controller 16) of the encryption/decryption device 10 described above, and the decryption module 166 may be the decryption portion 10' of the encryption/decryption device 10 described above. For example, in the transmitting section, the input buffer 12 (of fig. 1A) may be integrated within the timing analyzer 154, depending on the particular implementation. The output buffer 18 (of fig. 1A) may likewise be integrated within the data buffer 158, depending on the particular implementation. The same applies to the receiving section 162.
Since the data encryptor/decryptor 150 typically transmits and receives data streams (Tx and Rx), the timing analyzers 154 and 164 synchronize the encryption/decryption processes for the respective data streams so that the encrypted/decrypted data is properly combined into respective encrypted/decrypted data segments (data packets) and transmitted to or output from the data buffers 158 and 168, respectively.
The data encryptor/decryptor 150 (and the encryption/decryption device 10) may be implemented in the form of a card for a computer, according to one embodiment of the present invention. Since all components necessary for encryption/decryption are provided in the data encryptor/decryptor (encryption/decryption card), the user/computer does not have to install any special software for encryption/decryption, as long as the computer can use the encryption/decryption card (i.e., is port-compatible). By simply sending or storing the data via the encryption/decryption card, the data is automatically encrypted and thus securely sent over a network or securely stored in a storage device. The same encryption/decryption card may be used to receive securely transmitted data or to read securely stored data.
In order to receive or read encrypted data, the same encryption/decryption card or device must be used to decrypt the encrypted data. By "the same" is meant that the card or device is able to select the same predetermined first and second portions from the data segments and to select/derive the same first and second encryption information when the data contained in the predetermined portions is identical. For example, corresponding (communicating) encryption/decryption cards typically have identical hash keys and identical encryption tables.
The encryption/decryption module portion 170 (of fig. 13) may be customized at the time of manufacture or initial programming according to a user's requirements, in accordance with one embodiment of the present invention. For example, since the encryption/decryption card may be implemented in Field Programmable Logic Devices (FPLDs), such as FPGAs and CPLDs, the encryption/decryption card or device may be programmed with special settings of the hash key and encryption table (encryption information) according to user specifications (e.g., security, transmission speed, required protocol or standard, specific storage medium and/or format to be used, etc.).
In addition, the user and the computer do not have to be aware of the settings, the settings are not accessible to the user or the computer, and such information therefore cannot be stolen from the user or computer for use in "cracking the code". Furthermore, the encryption algorithm, encryption key and optionally also the encryption parameters are effectively changed for each data segment, and only the data segment to be encrypted itself "knows" the algorithm, key and parameters to be used. Synchronization between the sending and receiving ends is unnecessary, since the encryption algorithm, keys and/or parameters are changed automatically according to the data contained in the data segments themselves.
Fig. 14 schematically illustrates an example of applying the present invention to secure communication via the internet. As shown in fig. 14, users 180, 182, 184 may use respective encryption/decryption devices 190, 192, and 194 in accordance with one embodiment of the present invention. The encryption/decryption devices 190, 192, and 194 may be the encryption/decryption device 10 or the encryptor/decryptor 150 as described above. All encryption/decryption devices 190, 192 and 194 are identically programmed and provided with the same settings, e.g., the same hash key and encryption table. As shown in fig. 14, an encryption/decryption device may be shared by more than one computer 184 and 186. For example, the encryption/decryption device 194 may be used with a hub within a LAN so that all data transmissions from the computers or hosts connected to the hub are encrypted.
Since the IP header of each data packet is not encrypted, the encryption/decryption scheme according to one embodiment of the invention does not affect the routing or switching of data packets (i.e., operations in the network protocol layers) via the internet or other network. Additionally, where some routers may inspect packet fields other than the IP header in a routing operation, the first predetermined portion may be selected such that it includes both the IP header and those data field portions used by the router.
As described above, in accordance with one embodiment of the present invention, each data segment is encrypted using two-level encryption. That is, the part of the data segment other than the first and second predetermined portions is encrypted using information selected from the contents of the second predetermined portion. The second predetermined portion is then encrypted using information selected from the contents of the first predetermined portion. Thus, although the first predetermined portion contains plaintext, the second predetermined portion, which contains encrypted data (ciphertext), provides an additional level of security, since the second predetermined portion and the remaining portion are typically encrypted by means of different encryption algorithms, different encryption keys and/or different encryption parameters. In addition, since the encryption algorithm, encryption key and/or encryption parameters are changed for each data segment, it is virtually impossible for a hacker to crack the code.
While embodiments and applications of this invention have been shown and described, it would be apparent to those skilled in the art having the benefit of this disclosure that: many variations other than those described above may be made without departing from the principles of the invention. Accordingly, it is intended that the invention be limited only by the spirit of the claims.

Claims (97)

1. A method for cryptographically processing data, the method comprising:
receiving a plurality of data segments;
for each data segment, selecting a set of encryption information in dependence on the data contained in the predetermined portion of the data segment to be encrypted; and
for each data segment, encryption is performed using the set of encryption information selected for that data segment.
2. The method of claim 1, wherein the selecting comprises:
at least one of an encryption algorithm, an encryption key, and an encryption parameter is changed for each data segment in accordance with the data contained in the predetermined portion.
3. The method of claim 1, wherein the selecting comprises:
for each data segment, generating a value from data contained in the predetermined portion of the data segment; and
selecting an encryption information set associated with the generated value, the encryption information set comprising an encryption algorithm, an encryption key and optionally also an encryption parameter.
4. The method of claim 3, wherein the generating a value comprises:
the data contained in the predetermined portion is hashed using a hash key.
5. The method of claim 3, further comprising:
providing an encryption table containing, for each entry associated with a generated value:
an encryption type identifier;
an encryption key for the encryption type; and
an encryption parameter.
6. The method of claim 1, wherein the predetermined portion comprises:
for selecting a first predetermined portion of a first set of cryptographic information, the first set comprising a first cryptographic algorithm, a first cryptographic key and optionally also first cryptographic parameters; and
for selecting a second predetermined portion of a second set of cryptographic information, the second set comprising a second cryptographic algorithm, a second cryptographic key and optionally also second cryptographic parameters.
7. The method of claim 6, wherein the receiving comprises:
a data stream is received that includes a plurality of data packets, each data packet corresponding to a data segment.
8. The method of claim 7, wherein the first predetermined portion contains data for a first protocol layer and the second predetermined portion contains data for a second protocol layer, wherein the first protocol layer is lower than the second protocol layer.
9. The method of claim 7, wherein the first predetermined portion is an Internet Protocol (IP) header of a data packet.
10. The method of claim 9, wherein the second predetermined portion is a selected portion of a data field of a data packet.
11. The method of claim 9, wherein the second predetermined portion is a Transmission Control Protocol (TCP) header of the data packet.
12. The method of claim 9, wherein the second predetermined portion is a User Datagram Protocol (UDP) header of the data packet.
13. The method of claim 6, wherein the receiving comprises:
a plurality of data segments are read from respective sectors in a data storage device.
14. The method of claim 13, wherein the first predetermined portion is a first selected portion in a sector of a data storage device and the second predetermined portion is a second selected portion in the sector.
15. The method of claim 6, further comprising:
encrypting the second predetermined portion using the first set of encryption information.
16. The method of claim 15, further comprising:
the remaining portion of the data segment is encrypted using the second set of encryption information.
17. The method of claim 16, further comprising:
an encrypted data segment is generated for each original data segment, the encrypted data segment having a first predetermined portion containing original data in a corresponding first predetermined portion of the original data segment, a second predetermined portion containing encrypted data of a corresponding second predetermined portion of the original data segment, and a remaining portion containing encrypted data of a corresponding remaining portion of the original data segment.
18. The method of claim 17, further comprising:
the plurality of encrypted data segments are transmitted as an encrypted data stream.
19. The method of claim 17, further comprising:
a plurality of encrypted data segments are stored on a data storage device, each encrypted data segment corresponding to a respective data sector of the data storage device.
20. The method of claim 17, further comprising:
receiving encrypted data comprising a plurality of encrypted data segments;
for each encrypted data segment, selecting a first set of encryption information based on data contained in a first predetermined portion of the encrypted data segment;
decrypting the encrypted data contained in the second predetermined portion of each encrypted data segment using the first set of encryption information selected for the encrypted data segment;
for each encrypted data segment, selecting a second set of encryption information in dependence on the decrypted data of the second predetermined portion; and
decrypting the remaining portion of each encrypted data segment using the second set of encryption information selected for the encrypted data segment.
21. The method of claim 20, wherein the selecting first encryption information comprises:
a first value is generated based on original data contained in a first predetermined portion of the encrypted data segment.
22. The method of claim 21, wherein the generating a first value comprises:
data contained in the first predetermined portion is hashed using a first hash key.
23. The method of claim 20, wherein the selecting second encryption information comprises:
generating a second value based on decrypted data of a second predetermined portion of the encrypted data segment.
24. The method of claim 23, wherein said generating a second value comprises:
hashing the second predetermined portion of the decrypted data using a second hash key.
25. A method for cryptographically processing data, the method comprising:
receiving a plurality of encrypted data segments, each encrypted data segment having a predetermined portion;
for each encrypted data segment, selecting a set of encryption information based on data contained in a predetermined portion of the encrypted data segment; and
for each encrypted data segment, decryption is performed using the encryption information selected for the encrypted data segment.
26. The method of claim 25, wherein the selecting comprises:
for each encrypted data segment, generating a value from data contained in a predetermined portion of the encrypted data segment; and
selecting an encryption information set associated with the generated value, the encryption information set comprising an encryption algorithm, an encryption key and optionally also an encryption parameter.
27. The method of claim 26, wherein the generating a value comprises:
the data contained in the predetermined portion is hashed using a hash key.
28. The method of claim 27, further comprising:
providing an encryption table containing, for each entry associated with the generated value:
an encryption type identifier;
an encryption key for the encryption type; and
an encryption parameter.
29. The method of claim 25, wherein the predetermined portion comprises:
for selecting a first predetermined portion of a first set of cryptographic information, the first set comprising a first cryptographic algorithm, a first cryptographic key and optionally also first cryptographic parameters; and
for selecting a second predetermined portion of a second set of cryptographic information, the second set comprising a second cryptographic algorithm, a second cryptographic key and optionally also second cryptographic parameters.
30. The method of claim 29, wherein the receiving comprises:
an encrypted data stream is received that includes a plurality of encrypted data packets, each encrypted data packet corresponding to an encrypted data segment.
31. The method of claim 30, wherein the first predetermined portion contains data for a first protocol layer and the second predetermined portion contains data for a second protocol layer, wherein the first protocol layer is lower than the second protocol layer.
32. The method of claim 30, wherein the first predetermined portion is an Internet Protocol (IP) header of a data packet.
33. The method of claim 32, wherein the second predetermined portion is a selected portion of a data field of a data packet.
34. The method of claim 32, wherein the second predetermined portion is a Transmission Control Protocol (TCP) header of the data packet.
35. The method of claim 32, wherein the second predetermined portion is a User Datagram Protocol (UDP) header of the data packet.
36. The method of claim 29, wherein the receiving comprises:
a plurality of encrypted data segments are read from respective sectors in a data storage device.
37. The method of claim 36, wherein the first predetermined portion is a first selected portion in a sector of a data storage device and the second predetermined portion is a second selected portion in the sector.
38. The method of claim 29, wherein the data contained in the second predetermined portion of the encrypted data segment has been encrypted using the first set of encryption information.
39. The method of claim 38, wherein data contained in the remainder of the encrypted data segment has been encrypted using the second set of encryption information.
40. An apparatus for cryptographically processing data, comprising:
an input buffer adapted to receive data comprising a plurality of data segments;
an encryption module adapted to encrypt each data segment;
a controller coupled to the input buffer and the encryption module, the controller being adapted to select, for each data segment, a set of encryption information in accordance with data contained in a predetermined portion of the data segment to be encrypted; and
an output buffer coupled to the controller and the encryption module, the output buffer adapted to output encrypted data comprising a plurality of encrypted data segments.
41. The apparatus of claim 40, wherein the controller changes at least one of an encryption algorithm, an encryption key, and an encryption parameter for each data segment.
42. The apparatus of claim 40, wherein the encryption module comprises:
a plurality of encryption engines, each encryption engine corresponding to a respective encryption algorithm.
43. The apparatus of claim 40, wherein the encryption module further comprises:
a data buffer coupled to each of the plurality of encryption engines.
44. The apparatus of claim 40, wherein the controller comprises:
a data selector adapted to select a predetermined portion of each data segment;
an encryption selector coupled to the data selector and adapted to select an encryption information set based on the data contained in the predetermined portion, the encryption information set including an encryption algorithm, an encryption key and optionally an encryption parameter; and
an encryption controller adapted to select and activate an encryption engine based on the encryption information.
45. The apparatus of claim 40, wherein the controller further comprises:
a value generator coupled to the data selector and adapted to generate a value based on data contained in the predetermined portion.
46. The apparatus of claim 45, wherein the value generator is adapted to hash the data contained in the predetermined portion using a hash key.
47. The apparatus of claim 45, wherein the encryption controller includes an encryption table containing, for each entry associated with the generated value:
an encryption type identifier;
an encryption key for the encryption type; and
an encryption parameter.
48. The apparatus of claim 40, wherein the predetermined portion of each data segment comprises:
a first predetermined portion; and
a second predetermined portion.
49. The apparatus of claim 48, wherein the plurality of data segments are data packets in a data stream.
50. The apparatus of claim 49, wherein the first predetermined portion contains data for a first protocol layer and the second predetermined portion contains data for a second protocol layer, wherein the first protocol layer is lower than the second protocol layer.
51. The apparatus of claim 49, wherein the first predetermined portion is an Internet Protocol (IP) header of a data packet.
52. The apparatus of claim 51, wherein the second predetermined portion is a selected portion of a data field of a data packet.
53. The apparatus of claim 51, wherein the second predetermined portion is a Transmission Control Protocol (TCP) header of a data packet.
54. The apparatus of claim 51, wherein the second predetermined portion is a User Datagram Protocol (UDP) header of the data packet.
55. The apparatus of claim 48, wherein the plurality of data segments are sectors in a data storage device.
56. The apparatus of claim 55, wherein the first predetermined portion is a first selected portion in a sector of a data storage device and the second predetermined portion is a second selected portion in the sector.
57. The apparatus of claim 48, wherein the controller comprises:
a first encryption table for selecting a first encryption information set according to data contained in the first predetermined portion; and
a second encryption table for selecting a second encryption information set according to data contained in the second predetermined portion.
58. An apparatus for cryptographically processing data, comprising:
an input buffer adapted to receive a plurality of encrypted data segments, each encrypted data segment having a predetermined portion;
a decryption module adapted to decrypt each encrypted data segment;
a controller coupled to the input buffer and the decryption module, the controller being adapted to select, for each encrypted data segment, a set of encrypted information based on data contained in a predetermined portion of the encrypted data segment; and
an output buffer coupled to the controller and the decryption module, the output buffer adapted to output decrypted data comprising a plurality of decrypted data segments.
59. The apparatus of claim 58, wherein the decryption module comprises:
a plurality of decryption engines, each decryption engine corresponding to a respective encryption algorithm.
60. The apparatus of claim 58, wherein the decryption module further comprises:
a data buffer coupled to each of the plurality of decryption engines.
61. The apparatus of claim 58, wherein the controller comprises:
a data selector adapted to select a predetermined portion of each encrypted data segment;
a decryption selector coupled to the data selector and adapted to select a set of decryption information based on the data contained in the predetermined portion, the set of decryption information comprising an encryption algorithm, an encryption key and optionally also encryption parameters; and
a decryption controller adapted to select and activate a decryption engine according to the encryption information.
62. The apparatus of claim 58, wherein the controller further comprises:
a value generator coupled to the data selector and adapted to generate a value based on data contained in the predetermined portion.
63. The apparatus of claim 62, wherein the value generator is adapted to hash the data contained in the predetermined portion using a hash key.
64. The apparatus according to claim 62, wherein the decryption controller includes an encryption table containing, for each entry associated with the generated value:
an encryption type identifier;
an encryption key for the encryption type; and
an encryption parameter.
65. The apparatus of claim 58, wherein the predetermined portion of each data segment comprises:
a first predetermined portion; and
a second predetermined portion.
66. The apparatus of claim 65, wherein the plurality of data segments are data packets in a data stream.
67. The apparatus of claim 66, wherein the first predetermined portion contains data for a first protocol layer and the second predetermined portion contains data for a second protocol layer, wherein the first protocol layer is lower than the second protocol layer.
68. The apparatus of claim 66, wherein the first predetermined portion is an Internet Protocol (IP) header of a data packet.
69. The apparatus of claim 68, wherein the second predetermined portion is a selected portion of a data field of a data packet.
70. The apparatus of claim 68, wherein the second predetermined portion is a Transmission Control Protocol (TCP) header of a data packet.
71. The apparatus of claim 68, wherein the second predetermined portion is a User Datagram Protocol (UDP) header of the data packet.
72. The apparatus of claim 58, wherein the plurality of data segments are sectors in a data storage device.
73. The apparatus of claim 72, wherein the first predetermined portion is a first selected portion in a sector of a data storage device and the second predetermined portion is a second selected portion in the sector.
74. The apparatus of claim 58, wherein the controller comprises:
a first encryption table for selecting a first set of decryption information based on data contained in the first predetermined portion; and
a second encryption table for selecting a second set of decryption information based on data contained in the second predetermined portion.
75. An apparatus for cryptographically processing data, the apparatus comprising:
means for receiving a plurality of data segments;
means for selecting for each data segment a set of encryption information in dependence on the data contained in a predetermined portion of the data segment to be encrypted; and
means for encrypting each data segment using the set of encryption information selected for the data segment.
76. The apparatus of claim 75, wherein said means for selecting varies at least one of an encryption algorithm, an encryption key, and an encryption parameter for each data segment based on data contained in said predetermined portion.
77. The apparatus of claim 75, wherein the means for selecting comprises:
means for generating, for each data segment, a value based on data contained in a predetermined portion of the data segment; and
means for selecting an encryption information set associated with the generated value, the encryption information set comprising an encryption algorithm, an encryption key and optionally also an encryption parameter.
78. The apparatus of claim 77, wherein the means for generating a value comprises:
means for hashing the data contained in the predetermined portion using a hash key.
79. The apparatus of claim 77, further comprising:
means for providing an encryption type identifier associated with the generated value, an encryption key for the encryption type, and an encryption parameter.
80. The apparatus of claim 75, wherein the predetermined portion comprises:
a first predetermined portion for selecting a first set of encryption information, the first set comprising a first encryption algorithm, a first encryption key and optionally also a first encryption parameter; and
a second predetermined portion for selecting a second set of encryption information, the second set comprising a second encryption algorithm, a second encryption key and optionally also a second encryption parameter.
81. The apparatus of claim 80, further comprising:
means for encrypting the second predetermined portion using the first set of encryption information.
82. The apparatus of claim 81, further comprising:
means for encrypting the remaining portion of the data segment using the second set of encryption information.
83. The apparatus of claim 82, further comprising:
means for generating for each original data segment an encrypted data segment having a first predetermined portion containing original data in a respective first predetermined portion of the original data segment, a second predetermined portion containing encrypted data of a respective second predetermined portion of the original data segment, and a remainder portion containing encrypted data of a respective remainder portion of the original data segment.
84. The apparatus of claim 83, further comprising:
means for transmitting the plurality of encrypted data segments as an encrypted data stream.
85. The apparatus of claim 83, further comprising:
means for storing a plurality of encrypted data segments on a data storage device, each encrypted data segment corresponding to a respective data sector of the data storage device.
86. The apparatus of claim 83, further comprising:
means for receiving encrypted data comprising a plurality of encrypted data segments;
means for selecting, for each encrypted data segment, a first set of encryption information based on data contained in a first predetermined portion of the encrypted data segment;
means for decrypting encrypted data contained in the second predetermined portion of each encrypted data segment using the first set of encryption information selected for the encrypted data segment;
means for selecting a second set of encryption information for each encrypted data segment based on the decrypted data of the second predetermined portion; and
means for decrypting the remaining portion of each encrypted data segment using the second set of encryption information selected for that encrypted data segment.
87. The apparatus of claim 86, wherein the means for selecting the first set of encryption information comprises:
means for generating a first value from original data contained in a first predetermined portion of the encrypted data segment.
88. The apparatus of claim 87, wherein the means for generating a first value comprises:
means for hashing data contained in the first predetermined portion using a first hash key.
89. The apparatus of claim 86, wherein the means for selecting the second set of encryption information comprises:
means for generating a second value based on decrypted data of a second predetermined portion of the encrypted data segment.
90. The apparatus of claim 89, wherein the means for generating a second value comprises:
means for hashing the decrypted data of the second predetermined portion using a second hash key.
91. An apparatus for cryptographically processing data, the apparatus comprising:
means for receiving a plurality of encrypted data segments, each encrypted data segment having a predetermined portion;
means for selecting, for each encrypted data segment, an encryption information set based on data contained in a predetermined portion of the encrypted data segment; and
means for decrypting each encrypted data segment using the encryption information selected for that encrypted data segment.
92. The apparatus of claim 91, wherein the means for selecting comprises:
means for generating, for each encrypted data segment, a value based on data contained in a predetermined portion of the encrypted data segment; and
means for selecting an encryption information set associated with the generated value, the encryption information set comprising an encryption algorithm, an encryption key and optionally also an encryption parameter.
93. The apparatus of claim 92, wherein the means for generating a value comprises:
means for hashing the data contained in the predetermined portion using a hash key.
94. The apparatus of claim 93, further comprising:
means for providing an encryption type identifier associated with the generated value, an encryption key for the encryption type, and an encryption parameter.
95. The apparatus of claim 91, wherein the predetermined portion comprises:
a first predetermined portion for selecting a first set of encryption information, the first set comprising a first encryption algorithm, a first encryption key and optionally also a first encryption parameter; and
a second predetermined portion for selecting a second set of encryption information, the second set comprising a second encryption algorithm, a second encryption key and optionally also a second encryption parameter.
96. The apparatus of claim 95, wherein data contained in the second predetermined portion of the encrypted data segment has been encrypted using the first set of encryption information.
97. The apparatus of claim 96, wherein data contained in the remainder of the encrypted data segment has been encrypted using the second set of encryption information.
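The two-stage selection the claims describe (claims 80 to 90 for the encrypt side and claims 91 to 97 for the decrypt side) is easier to follow as running code. The following is an added illustration written for this page, not the patent's own code or any product of the assignee. It assumes: a fixed segment layout of a 20-byte first portion (IP-header sized, left in clear as claim 83 requires), an 8-byte second portion, and a remainder; an "encryption algorithm" realised as an HMAC counter-mode keystream (HMAC-SHA256 or HMAC-SHA512) as a standard-library stand-in for the block ciphers the patent mentions; a per-set nonce as the "encryption parameter"; and a selection value computed as HMAC(hash key, portion) reduced modulo the table size. The segment sequence number `seq` folded into the nonce is an addition beyond the claims, to keep two segments that select the same set from sharing a keystream.

```python
import hmac
from dataclasses import dataclass

FIRST_LEN = 20   # first predetermined portion, e.g. an IP header (claim 68); stays in clear (claim 83)
SECOND_LEN = 8   # second predetermined portion; encrypted with the first set (claim 81)

# constructed algorithm identifiers for this example
_DIGEST_FOR = {"hmac-sha256-ctr": "sha256", "hmac-sha512-ctr": "sha512"}


@dataclass(frozen=True)
class EncInfo:
    """One 'set of encryption information': type identifier, key, parameter (claim 79)."""
    algorithm: str
    key: bytes
    param: bytes


def keystream_cipher(info: EncInfo, data: bytes, seq: int) -> bytes:
    """XOR `data` with an HMAC counter-mode keystream; the same call decrypts.

    `seq` (the segment's sequence number) is folded into the nonce so that two
    segments selecting the same set never share a keystream. This is an
    assumption of the example, not something the claims spell out.
    """
    digest = _DIGEST_FOR[info.algorithm]
    prefix = info.param + seq.to_bytes(8, "big")
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(info.key, prefix + counter.to_bytes(4, "big"), digest).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def select_index(hash_key: bytes, portion: bytes, table_size: int) -> int:
    """Claims 78/88/90: hash the portion under a hash key, then reduce to a table index."""
    tag = hmac.new(hash_key, portion, "sha256").digest()
    return int.from_bytes(tag[:4], "big") % table_size


@dataclass
class Controller:
    """Claim 74: two encryption tables indexed by values derived from the two portions."""
    first_hash_key: bytes
    second_hash_key: bytes
    first_table: list
    second_table: list

    def _split(self, seg: bytes):
        if len(seg) < FIRST_LEN + SECOND_LEN:
            raise ValueError("segment shorter than the two predetermined portions")
        return seg[:FIRST_LEN], seg[FIRST_LEN:FIRST_LEN + SECOND_LEN], seg[FIRST_LEN + SECOND_LEN:]

    def encrypt_segment(self, seg: bytes, seq: int) -> bytes:
        first, second, rest = self._split(seg)
        set1 = self.first_table[select_index(self.first_hash_key, first, len(self.first_table))]
        # claim 80: the second set is chosen from the plaintext second portion
        set2 = self.second_table[select_index(self.second_hash_key, second, len(self.second_table))]
        enc_second = keystream_cipher(set1, second, seq)   # claim 81
        enc_rest = keystream_cipher(set2, rest, seq)       # claim 82
        return first + enc_second + enc_rest               # claim 83 layout

    def decrypt_segment(self, enc: bytes, seq: int) -> bytes:
        first, enc_second, enc_rest = self._split(enc)
        set1 = self.first_table[select_index(self.first_hash_key, first, len(self.first_table))]
        second = keystream_cipher(set1, enc_second, seq)   # claim 86: recover the selector first
        set2 = self.second_table[select_index(self.second_hash_key, second, len(self.second_table))]
        rest = keystream_cipher(set2, enc_rest, seq)
        return first + second + rest


def build_demo_controller() -> Controller:
    """Constructed tables and hash keys for the demonstration (not real key material)."""
    first_table = [
        EncInfo("hmac-sha256-ctr", b"first-set-key-0".ljust(32, b"\0"), b"nonce-1a"),
        EncInfo("hmac-sha512-ctr", b"first-set-key-1".ljust(32, b"\0"), b"nonce-1b"),
    ]
    second_table = [
        EncInfo("hmac-sha256-ctr", b"second-set-key-0".ljust(32, b"\0"), b"nonce-2a"),
        EncInfo("hmac-sha512-ctr", b"second-set-key-1".ljust(32, b"\0"), b"nonce-2b"),
        EncInfo("hmac-sha256-ctr", b"second-set-key-2".ljust(32, b"\0"), b"nonce-2c"),
    ]
    return Controller(b"hash-key-first", b"hash-key-second", first_table, second_table)


def demo_segment() -> bytes:
    """Constructed segment: a 20-byte IPv4-header-like prefix, an 8-byte selector, a payload."""
    header = bytes([0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
                    0xb1, 0xe6, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7])
    return header + b"SEL-0001" + b"constructed payload bytes for the remainder"


if __name__ == "__main__":
    ctrl = build_demo_controller()
    seg = demo_segment()
    enc = ctrl.encrypt_segment(seg, seq=0)
    assert enc[:FIRST_LEN] == seg[:FIRST_LEN]          # first portion stays in clear
    assert ctrl.decrypt_segment(enc, seq=0) == seg     # round trip
    print("round trip ok; header bytes unchanged:", enc[:FIRST_LEN].hex())
```

Two points a reviewer of such a design would check. First, the first portion travels in clear and drives table selection, so the selection value must depend on a secret hash key (as claims 78 and 88 require); a keyless hash would let anyone reading the stream learn which set protects each segment. Second, the claims describe confidentiality only: nothing in the layout of claim 83 detects a modified first or second portion, and a modified selector silently steers decryption to a different set, so a deployment would add a message authentication code over the whole encrypted segment and verify it before any decryption. The `seq` input is the third point: with a fixed nonce per set, every segment that selects the same set would reuse the same keystream.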
HK07105270.3A 2004-02-13 Method and apparatus for cryptographically processing data HK1099147A (en)

Publications (1)

Publication Number HK1099147A (en); Publication Date 2007-08-03
