HK1118995A - Secure encryption system, device and method - Google Patents
Secure encryption system, device and method Download PDFInfo
- Publication number
- HK1118995A HK1118995A HK08110832.3A HK08110832A HK1118995A HK 1118995 A HK1118995 A HK 1118995A HK 08110832 A HK08110832 A HK 08110832A HK 1118995 A HK1118995 A HK 1118995A
- Authority
- HK
- Hong Kong
- Prior art keywords
- stream
- cipher
- plaintext
- key
- information
- Prior art date
Links
Description
Technical Field
The present invention relates generally to a system, apparatus and method for securely encrypting plaintext (a readable message) information, and more particularly to a system, apparatus and method for encrypting information to prevent unauthorized access to the encrypted information through the use of an internal synchronization mechanism.
Background
The process of transforming the readable information (plaintext P) into an unreadable format by using a password (or key K) is called encryption, and decryption is the reverse process of encryption. The entire process or system of encryption and decryption is often referred to as a "cipher". When a single key is used for encryption and decryption, the cipher is referred to as a symmetric key cipher (or scheme), as shown in fig. 1, reference numeral 100. Symmetric key ciphers are often classified as block ciphers or stream ciphers.
As shown in fig. 2, a typical block cipher, generally designated 200, acts on plaintext characters of a block at a time, using the same key for each block. Most encryption methods in use today are block ciphers such as Data Encryption Standard (DES), triple data encryption standard (Tri-DES), CAST, International Data Encryption Algorithm (IDEA), Blowfish/TwoFish, and Advanced Encryption Standard (AES). Symmetric key ciphers (blocks or streams) can be classified by block and key length. For example, the Tri-DES cipher is a 64-bit block cipher with a 168-bit key length and may be written as Tri-DES (64: 168). Similarly, other passwords can also be expressed as: CAST-128 (64: 128), RC4 (1: var), Blowfish (64: var), and AES (var: var). When the same key is used on each plaintext block P1, a so-called "blockiness" occurs, i.e., the same plaintext block will always generate the same ciphertext block C1. To eliminate or reduce blocking artifacts, a number of feedback mechanisms, referred to as "operating modes," may be used.
For example: an Electronic Codebook (ECB) pattern is shown in FIG. 3, reference numeral 300, in which each plaintext block P1 302,P2304, and P3306 are encrypted to form ciphertext blocks C, respectively1,C2And C3. The Cipher Block Chaining (CBC) mode is shown in FIG. 4, reference numeral 400, in which a plaintext block P is formed1402 and ciphertext block C0408, and the likePlaintext Block P2404 and ciphertext block C1412, and separately, a plaintext block P3406 and ciphertext block C2414, acted upon by the exclusive disjunction (XOR) 418, are encrypted in block E410 and ciphertext blocks C are generated, respectively1 414,C2414 and C3 416。
The Cipher Feedback (CFB) mode is shown in FIG. 5, reference numeral 500, where ciphertext block C is0512 encrypt in block E508, along with plaintext block P1502 together, acted upon by the Faculturable extraction operator XOR510, produce ciphertext block C1514. Likewise, ciphertext block C1514 is encrypted in block E508, together with plaintext block P2504 together, acted upon by the Faculturable extraction operator XOR510, produce ciphertext block C2516, and ciphertext block C2516 are encrypted in block E508, together with plaintext block P3506 together, acted upon by the Faculturable extraction operator XOR510, produce ciphertext block C3 518。
The Output Feedback (OFB) mode is illustrated in FIG. 6, reference numeral 600, where ciphertext block C0612, encrypted in block E610, the same outputs are: (1) together with the plaintext block P1602 together, acted upon by the Faculturable extraction operator XOR608, produce ciphertext block C1614, and (2) are input to the next encryption block 610, encrypted in the next block E610, and the same outputs are: (3) together with the plaintext block P2604 together, are acted upon by the next exclusive disjunction operator XOR608, producing ciphertext block C2616, and (4) are input to the next encryption block 610, encrypted in the next block E610, and the same outputs are: (5) together with the plaintext block P3606, acted upon by the Faculturable extraction operator XOR608, produce ciphertext block C3618, and continues in the same manner.
Generally, when the block length of a block cipher is reduced to 1, the cipher is similar to encrypting a stream of individual characters, and therefore, it is also classified as a stream cipher. A typical encryption process for a stream cipher, given a plaintext stream, is to generate an arbitrarily long string from a key K called a "key stream". The keystream is then used to perform a bit-wise XOR operation on the plaintext, character-by-character, to produce the ciphertext.
As shown in fig. 7, reference numeral 700, encryption 702 using a stream cipher acts 710 on plaintext 708 of a single character, each time using an encrypted character stream referred to as a "key stream" 706, to form ciphertext 712, which ciphertext 712, when received, undergoes a decryption process 704 in which a key stream 714 is applied to a reverse encryption process 716 to provide plaintext 718. To create a keystream, a feedback mechanism is utilized such that the key is constantly changing. Some of the stream ciphers currently in use are: RC4 (stream cipher designed by Rivest for RSA data security (now RSA security), which is a stream cipher with variable key size with byte-oriented operations based on the use of random permutations); ISAAC (internet security, application, authentication and cryptography), which is useful as a stream cipher for simulation and as a universal pseudo-random number generator); and SEAL (software optimized encryption Algorithm), which is a fast stream cipher designed by Rogaway and Coppersmith for 32-bit computers.
Stream ciphers are generally divided into two categories, known as "synchronous" and "self-synchronous". When the key stream of the generation of the stream cipher is independent of the plaintext and ciphertext, it is referred to as a "synchronous" stream cipher. The key stream of a synchronous stream cipher typically depends only on the key. One characteristic of these ciphers is that the sender and receiver must be synchronized. In other words, the decryption is unambiguous and performed therewith, as long as the same key and the same position of the keystream are used. In particular, when a keystream and a plaintext are XOR'd at a binary level (or bits) to produce a binary ciphertext, a synchronous stream cipher is referred to as a binary additive stream cipher. Binary-attached stream ciphers are popular in the industry. The structure of the password is not complicated. For example, any suitable pseudo-random number generator may be used in conjunction with the input key to generate the random bit sequence. Most practical and commercial stream ciphers are binary additive stream ciphers.
Stream ciphers are said to be "self-synchronizing" when the generated keystream is a function of the key and some portion of the previous ciphertext. Using partial cipher text data for encryption is used to eliminate the blocking artifacts of block ciphers. To this end, the cipher feedback mode (CFB) can be easily modified to operate as a stream cipher by using only encryption in the cipher to generate the same keystream. The modified cipher feedback mode (CFB) performs encryption and decryption as a stream cipher, as shown in fig. 8 and 9.
Block ciphers are used to generate the same keystream. For encryption in CFB mode, as shown in FIG. 8, reference numeral 800, block b1806 are sent to block cipher E802, generating cipher block E1 804。e1804 are then partitioned, represented as keystream k0,...,kn}808. Together with a part of the plaintext stream p0,...,pn810 together, perform an XOR operation 812 and generate a portion of the ciphertext stream { c }0,...,cn}814. This portion 814 is grouped into blocks and fed back to block cipher b1806 for the next encryption implementation.
For decryption in CFB mode, as shown in fig. 9, reference numeral 900, a portion of the ciphertext stream 912 is transformed into a block for block cipher encryption. Since the same block 906 is input to the block cipher E902, the same output E is obtained1 904。e1904 is then represented as a portion of the keystream k0,...,kn}908. Keystream 908 is then associated with ciphertext stream c0,...,cnXOR operation 912 results in plaintext block 910. Again, because the same keystream is used, the same plaintext part p is obtained0,...,pn}910。
The "output feedback mode (OFB)" of a block cipher is independent of cipher text or plain text, and it can be used to implement a synchronous stream cipher. As shown in FIG. 10, reference numeral 1000, the user key can be considered as block b in OFB mode encryption11006, and can be inputTo block cipher E1006. The result is block e11012. Block e11012 is transformed into a key stream k0,...,kn1002, and a key stream k0,...,kn1002 with a plaintext stream p0,...,pn}1004 performs X0R operation 1014 to generate ciphertext stream { c0,...,cn}1010. To get the next part of the key stream, block e11012 is again fed back to the block cipher E1006.
As shown in fig. 11, reference numeral 1100, for the decryption process, the same block b 11108 (e.g., user key) is input to block cipher E1106, resulting in E11104. Identical keystream k0,...,knThe 1102 is generated. In the key stream k0,...,kn1102 and ciphertext stream c0,...,cnPerforms an XOR operation on, thus resulting in the same plaintext stream p0,...,pn}1110。
However, neither of the conventional block and stream ciphers provide a secure encryption scheme.
Disclosure of Invention
According to an aspect of the invention, a system securely encrypts plaintext information and includes a sending agent for generating and synchronizing a first cipher stream using the plaintext information and a first key, generating and synchronizing a second cipher stream using a second key and a randomization function for randomizing a controllable plaintext stream to form a second synchronized cipher stream, and acting on a plurality of first and second cipher streams using a non-combinable extraction operator to obtain a ciphertext stream; and a receiving agent for decrypting the ciphertext stream.
The sending agent may include a central processing unit, memory, and transceiver coupled to process plaintext information and, where desired, decrypt the received ciphertext stream.
In accordance with aspects of the invention, the transceiver may transmit the ciphertext stream and the controllable plaintext stream separately to the receiver agent.
The system may include a data entry station and a database server linked via a wide area network/local area network or a combination thereof.
In accordance with an aspect of the invention, a device securely encrypts plaintext information and includes a data entry station. The data entry station may include a first cipher stream generator for generating and synchronizing a first cipher stream using the plaintext information and the first key; a second cipher stream generator for generating and synchronizing a second cipher stream by using a second key and a randomizing function for randomizing and synchronizing the controllable plaintext stream; and an irreducible disjunctive operator acting on the first and second synchronous cipher streams to obtain the cipher text stream.
The first stream cipher generator may comprise a block cipher encryption unit arranged to generate and synchronize the first stream cipher upon input of plaintext information and the first key, wherein the block cipher encryption unit comprises one of: a block cipher encryption device that generates a first cipher stream, and a first synchronization unit that synchronizes the first cipher stream; or a block cipher encryption/synchronization unit that generates and synchronizes the first cipher stream.
The second cipher stream generator may comprise a random function generator arranged to randomize and then synchronize the controllable plaintext stream after the second key and the controllable plaintext stream are input, outputting the second cipher stream, wherein the random function generator comprises one of: a random function generator device for randomizing the controllable plaintext stream, and a second synchronization unit for synchronizing the randomized second cipher stream; or randomize and then synchronize the random function generator/synchronization unit of the second stream cipher.
The non-facultative disjunction operator may be an exclusive or logical operator.
According to an aspect of the invention, a method generates and synchronizes a first stream cipher using plaintext information and a first key; generating and synchronizing a second cipher stream using a second key and a randomization function for randomizing the controllable plaintext stream to form a second cipher stream; and securely encrypting plaintext information by acting on the plurality of synchronized first and second cipher streams using a non-concurrent extraction operator to obtain a ciphertext stream.
In accordance with aspects of the present invention, a method securely encrypts plaintext information by using a non-facultative extraction operator to generate a ciphertext stream from a first cipher stream generated and synchronized from the plaintext information and a first key, and a second cipher stream randomized from a controllable plaintext stream using a second key and then synchronized.
According to an aspect of the invention, a method securely encrypts plaintext information by generating a plurality of synchronized cipher streams, wherein at least a first cipher stream is generated and synchronized by encrypting plaintext information using a first key word, and at least a second cipher stream is generated and synchronized by a random function acting on controllable plaintext and a second key word; and acting on the synchronized plurality of cipher streams by using a non-concurrent disjunction operator to obtain the cipher text stream.
According to an aspect of the present invention, a computer readable medium has recorded thereon computer readable instructions for securely encrypting plaintext information, wherein the computer readable instructions comprise generating and synchronizing a first cipher stream using the plaintext information and a first key; randomizing and then synchronizing a second cipher stream formed from the controllable plaintext stream using a second key and a randomization function; and acting on the synchronized plurality of first and second cipher streams by using a non-concurrent disjunction operator to obtain the cipher text stream.
According to an aspect of the invention, a computer readable medium has recorded thereon computer readable instructions for securely encrypting plaintext information, wherein the computer readable instructions comprise generating ciphertext streams from a first cipher stream and a second cipher stream using a non-facultative extraction operator, the first cipher stream generated and synchronized from the plaintext information and a first key, and the second cipher stream randomized and then synchronized from a controllable plaintext stream using a second key and a randomization function.
According to an aspect of the present invention, a computer readable medium has recorded thereon computer readable instructions for securely encrypting plaintext information, wherein the computer readable instructions comprise generating a synchronized plurality of cipher streams, wherein at least a first cipher stream is generated by encrypting plaintext information using a first keycode, and at least a second synchronized cipher stream is generated by applying a random function to controllable plaintext and a second keycode; and acting on the synchronized plurality of cipher streams by using a non-concurrent extraction operator to obtain the cipher text stream.
According to an aspect of the invention, a method of securely encrypting plaintext information on a credit card includes selecting, by a server/database record, plaintext P based on user information of a user at the time of applying for an account; generating, by the server/database record, a first key, a second key and a controllable plaintext stream as requested by the user and/or the company providing the credit card; performing, by the server/database record, encryption using the plaintext, the first key, the second key, and the controllable plaintext stream, producing a ciphertext C; inserting information of the plaintext, the first key, the controllable plaintext stream, and the first ciphertext stream into a credit card; inserting the information of the plaintext, the second key, the controllable plaintext stream and the second ciphertext stream into a card master database record; and encrypting the plaintext into ciphertext according to a predetermined scheme using the first key, the second key, and the controllable plaintext stream.
At least one of the plaintext string, the ciphertext string, and the controllable plaintext string may be partitioned.
According to an aspect of the invention, a method of securely encrypting plaintext information includes assigning a first key word K1, a second key word K2, a controllable plaintext stream F, and a randomization function R to a user input; sending K1, K2, F, and R to the receiving agent via the secure mode; and forming a ciphertext stream by encrypting the plaintext stream according to a predetermined scheme using K1, K2, F, and R, and transmitting the ciphertext stream to the receiving agent.
Encrypting the plaintext stream according to a predetermined scheme by using K1, K2, F, and R, including converting the plaintext stream into a first cipher stream using a block cipher and K1; randomizing F using R to form a second stream of ciphers; synchronizing the first stream cipher and the second stream cipher; and using a non-concurrent disjunction operator on the synchronized first and second cipher streams to obtain the cipher text stream.
According to aspects of the invention, a vector function may be used to provide header information from the synchronized first cipher stream to the cipher text stream.
In accordance with aspects of the present invention, a vector function may be used to act on the synchronized second cipher stream to provide header information to the cipher text stream.
According to aspects of the invention, a method of decrypting plaintext information that is encrypted as described above may include using K1, K2, F, and R in the reverse process to decrypt a ciphertext stream.
The method may be implemented in one of the following transactions: credit card transactions, cash dispenser transactions, internet toll transactions, or online banking transactions.
Additional aspects and/or advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
These and/or other aspects and advantages of the present invention will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a block diagram representation of a conventional symmetric key cipher;
FIG. 2 is a block diagram representation of a conventional block cipher;
FIG. 3 is a block diagram representation of a conventional Electronic Codebook (ECB) schema;
FIG. 4 is a block diagram representation of a conventional Cipher Block Chaining (CBC) mode;
FIG. 5 is a block diagram representation of a conventional Cipher Feedback (CFB) schema;
FIG. 6 is a block diagram representation of a conventional Output Feedback (OFB) mode;
FIG. 7 is a block diagram representation of a conventional Output Feedback (OFB) mode;
FIG. 8 is a block diagram representation of conventional encryption in CFB mode;
FIG. 9 is a block diagram representation of conventional decryption in CFB mode;
FIG. 10 is a block diagram representation of a stream cipher implementing synchronization using a conventional output feedback mode of a block cipher at encryption;
FIG. 11 is a block diagram representation of a stream cipher implementing synchronization using a conventional output feedback mode of a block cipher at decryption;
12A-12B are block diagram representations of systems for securely encrypting plaintext information in accordance with two embodiments of the invention;
FIG. 13 is a schematic diagram of a system for securely encrypting plaintext information in accordance with another embodiment of the invention;
FIG. 14 is a block diagram representation of a device/data entry station securely encrypting plaintext information in accordance with an embodiment of the invention;
FIG. 15 is a block diagram representation of a device/data entry station securely decrypting plaintext information in accordance with an embodiment of the invention;
FIG. 16 is a block diagram representation of information of an encryption and output IV unit as header information stored in a ciphertext C stream, in accordance with an embodiment of the present invention;
FIG. 17 is a block diagram representation of information of a decrypt and output IV unit as header information stored in a ciphertext C stream, in accordance with an embodiment of the present invention;
FIG. 18 is a block diagram of a method for generating a second stream of ciphers C according to an embodiment of the invention2A block diagram representation of;
FIG. 19 is a diagram of using an all stream mode to align streams C according to an embodiment of the present invention1And C2A block diagram representation of performing a bit-wise XOR operation;
FIG. 20 is a block-by-block mode for stream C according to an embodiment of the present invention1And C2A block diagram representation of performing a bit-wise XOR operation;
FIG. 21 is a diagram of using a character-by-character mode for stream C, according to an embodiment of the present invention1And C2A block diagram representation of performing a bit-wise XOR operation;
FIG. 22 is a block diagram representation of securely encrypted/decrypted inputs/outputs of an embodiment of the present invention;
FIG. 23 is a block diagram representation of the delivery of secure messages, according to an embodiment of the invention;
FIG. 24 is a block diagram representation of broadcasting messages relating to a public or private message board, in accordance with an embodiment of the present invention;
FIG. 25 is a block diagram representation of a real-time application chat room or instant messaging, in accordance with embodiments of the present invention;
FIG. 26 is a block diagram representation of protecting content of a web page in accordance with an embodiment of the present invention;
FIG. 27 is a block diagram representation of a protected software installation, according to an embodiment of the present invention;
FIG. 28 is a block diagram representation of credit card verification, in accordance with an embodiment of the present invention;
FIG. 29 is a block diagram representation of the use of a credit card verification machine in accordance with an embodiment of the present invention;
FIG. 30 is a block diagram representation of controlling locking of doors and access to zones in accordance with an embodiment of the present invention;
FIG. 31 is a block diagram representation of the use of a cash machine, in accordance with an embodiment of the present invention;
FIG. 32 is a block diagram representation of the use of an embodiment of the present invention in charging an industry on the Internet;
FIG. 33 is a block diagram representation of the use of an embodiment of the present invention in online banking;
FIG. 34 is a flow chart showing the operation of a method/computer-readable medium having computer-executable instructions in accordance with the present invention;
FIG. 35 is a flowchart illustrating the operation of another method/computer-readable medium having computer-executable instructions in accordance with the present invention; and
FIG. 36 is a flowchart illustrating operations of a computer-readable medium having computer-executable instructions according to another method/method for embodiments of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the invention.
In accordance with a preferred embodiment of the present invention, as shown in FIG. 12A, reference numeral 1200, a system for securely encrypting plaintext information comprises a sending agent 1202 and a receiving agent 1204 that communicate using a broadcast channel 1206 and/or an interaction channel 1208. That is, the communication may be accomplished in a wireless or wired manner. The sending agent 1202 generates and synchronizes a first cipher stream using the plaintext information and a first key, and a second cipher stream using a second key and a randomization function to randomize the controllable plaintext stream to form a second synchronized cipher stream; and acting on the plurality of first and second cipher streams by using a non-combinable disjunction operator to obtain the cipher text stream. The receiving agent 1204 decrypts the ciphertext stream in the opposite manner.
In one embodiment of the invention, shown in FIG. 12B at 1250, the sending agent 1202 includes a first central processing unit CPU1210, a first memory 1212, and a first transceiver 1214 coupled to process the plaintext information and, where desired, decode the received ciphertext stream. The first transceiver 1214 also transmits the ciphertext stream to the receiving agent 1204. The receiving agent 1204 generally includes a second transceiver 1216, a second central processing unit CPU1218, and a second memory 1220 coupled to process the received ciphertext stream, to process the plaintext information, and to transmit the processed ciphertext stream of plaintext information to the sending agent 1202. Typically, the first transceiver 1214 transmits the ciphertext stream and the controllable plaintext stream, respectively, to the receiving agent.
As shown in fig. 13, numeral 1300, in one embodiment of the invention, the system includes a data entry station 1304 and a database server 1308 linked via a wide area network/local area network or a combination thereof. For example, a user may insert a credit card 1302 into the data entry station 1304, providing predetermined data, as described more fully below.
As shown in fig. 14, reference numeral 1400, the device/data entry station 1400 can include a first cipher stream generator 1403 that generates and synchronizes a first cipher stream using plaintext information 1416 and a first key 1418; a second cipher stream generator 1401 for generating and synchronizing a second cipher stream by using a second key 1406 and a randomizing function 1404 for randomizing a plaintext stream 1402 controllable for subsequent synchronization; and a non-combinable extractor 1420 that acts on the first and second synchronized cipher streams to obtain cipher-text stream 1410.
In one embodiment, the first cipher stream generator 1403 comprises a block cipher encryption unit E11414 arranged to generate and synchronize a first synchronized cipher stream upon input of plaintext information 1416 and a first key K11418, wherein the block cipher encryption unit comprises one of: a block cipher encryption device E11414 that generates the first cipher stream and a first synchronization unit S11412 that synchronizes the first cipher stream or a block cipher encryption/synchronization unit 1414, 1412 that generates and synchronizes the first synchronized cipher stream.
In an embodiment, the second cipher stream generator comprises a random function generator arranged to randomize and then synchronize the controllable plaintext stream 1402 after the second key K21406 is input with the controllable plaintext stream 1402, outputting a second synchronized cipher stream, wherein the random function generator comprises one of: a random function generator device R11404 randomizing the controllable plaintext stream, and a second synchronization unit S21408 synchronizing the randomized second cipher stream; or a random function generator/synchronization unit R11404, 1408 that randomizes and then synchronizes the second stream cipher. The non-facultative disjunction operator is usually an exclusive or logical operator.
As shown in fig. 34, reference numeral 3400, in one embodiment of the invention, a method/computer-readable medium 3400 having computer-executable instructions to securely encrypt plaintext information includes generating and synchronizing a first cipher stream 3402 by using the plaintext information and a first key; generating and synchronizing a second cipher stream using a second key and a randomization function used to randomize the controllable plaintext stream to form a second cipher stream 3404; and acting on the plurality of synchronized first and second cipher streams by using a non-concurrent disjunction operator to obtain ciphertext stream 3406.
As shown in fig. 35, reference numeral 3500, in one embodiment of the invention, a method/computer-readable medium 3500 having computer-executable instructions for securely encrypting plaintext information comprises generating a ciphertext stream using a non-facultative disjunction operator 3502 from: a first cipher stream generated and synchronized from the plaintext information and the first key, and a second cipher stream randomized from the controllable plaintext stream using the second key and then synchronized.
Referring to fig. 36, numeral 3600, in one embodiment of the invention, a method/computer-readable medium 3600 having computer-executable instructions for securely encrypting plaintext information includes generating a plurality of synchronized cipher streams, wherein at least a first cipher stream is generated and synchronized by encrypting plaintext information using a first cipher key, and at least a second cipher stream is generated and synchronized by applying a random function to controllable plaintext and a second cipher key 3602; and acting on the synchronized multiple cipher streams by using a non-concurrent disjunction operator to obtain ciphertext stream 3604.
As described above, the present invention can also be embodied as computer-readable codes on a computer-readable recording medium. The computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer-readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the internet). The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
As shown in FIG. 14, reference numeral 1400, instead of generating a keystream from a key K as in conventional stream ciphers, the present invention generates two cipher streams C1And C2. The last stream 1410 is two streams C1And C2The output of the bit-wise XOR operation. In one embodiment, the first stream C is a stream of ciphers1Is generated by the block cipher E11414 using the original plaintext P1416 and the first key K11418, and is synchronized by using the synchronization unit S11412. Alternatively, the block cipher E11414 and the synchronization unit S11412 may be a combined unit. In one embodiment, the second stream C is a stream of ciphers2A random function R11404 and a second key K21406 are generated from the controllable plaintext stream F1402 and synchronized by using the synchronization unit S21408. Alternatively, the random function R11404 and the synchronization unit S21408 may be a combination unit. The final ciphertext C1410 is obtained by using C1And C2By bit (or character-by-character) XOR operations.
As shown in fig. 15, the operation of the decryption process, numeral 1500, is slightly different from the encryption. First, a second stream of ciphers C has to be generated21508, wherein the second stream cipher C2With the second stream C of FIG. 142And (5) the consistency is achieved. For this purpose, it is necessary to use a controllable plaintext F1502 in accordance with the controllable plaintext F1402, a random function R11504 in accordance with the random function R11404, and a random function in accordance with the second key K21406The second key K21506. When this stream is available, the controllable plaintext F1402 and random function R11404 are typically sent from the sending agent to the receiving agent separately (where the second key K21406 is generally known to the receiving agent, or may be rearranged to be received in the desired manner), the next operation being character by character for C2And the ciphertext C performs XOR by bit. The output plaintext stream 1512 is the first cipher stream C1The same applies. This result is guaranteed by the following bit-wise XOR operation:
C1=C1 1 XOR C2 1*C1 XOR C2 1=C1 1
once the first stream C is encrypted1Is generated, the original plaintext P1416 is obtained by decryption process D1 in relation to the original selection of E11414 and key K11418.
First cipher stream C1Depending on the selection and synchronization of P1416 and encryption device E11414, it may be done by a separate synchronization device S1, if desired.
First cipher stream C1Is generated by the block cipher E11414 using the original plaintext P1416 and the first key K11418. For example, a block cipher such as DES, Tri-DES, and AES may be used as E11414. In fact, not only block ciphers, but also stream ciphers with keys or even identification ciphers (straightforward ciphers, i.e. no encryption at all) can be used as E11414. The security features of ciphertext C1510 do not depend on the choice of E11414. By appropriately selecting the controllable plaintext F1402, the security features of C1510 are determined. The only requirement of the choice of E11414 is that the encryption be reversible. In other words, the corresponding decryption device (or process) D1 has the same key present, a different key present, or even no key involved.
Use of a block cipher to ensure a first cipher stream C1Is valid because the block cipher produces an effective encryption. For very efficient encryptionThe first cipher stream may utilize a block cipher such as AES (advanced encryption standard). For applications where speed is important, stream ciphers such as RC4, for example, may be used as E1.
The properties of the selected block cipher E11414, such as the length (or size) of the block and the encryption key length, directly affect the encryption process. The design of the synchronization process in S1 depends on the selection of E11414, S21405, and the title information H of the ciphertext C. The function of S11405 is to ensure: cipher stream C1Is a reaction of with C2Compatible so that the entire decryption process is effectively maintained. Specifically, when a block cipher is used, the result will be output block by block. In this case, the most basic function of S11405 is to convert block data into streams (character by character). In one embodiment, C1The length of (and/or P1416) is also stored in a parameter called "Initial Vector (IV)" along with the flow information. This IV will be used to provide updated information to S21508 so that the security features of C can be maintained.
Encryption typically involves processing messages down to the bit level. The computer stores binary data, a series of bits consisting of 0 and 1. The computer stores 8 of these bits in a structure called a byte. The big-end (big-end) system stores the highest-order value at the byte address of the lowest order value, and the little-end (little-end) system stores the lowest-order value at the lowest address, in contrast. Operating systems, such as Windows NT, are small end systems, and other operating systems, such as HP-UX, are large end systems. Some programs that are not written in Java may use little-endian; such as the C program. Some platforms use big end order (Mac, IBM390) internally; some use little-endian (Intel). Java hides the end order of the interior. Java assumes that binary data stores the highest byte first. Even if this is not the case internally, Java completely hides this fact. All the files it generates are the network order of the big end.
Transforming data between two end systems is sometimes referred to as the NUXI problem. Consider the word UNIX stored in two 2-byte words. In large end systems, it is stored as UNIX. In the small end system, it is stored as NUXI. It should be noted that the above examples show only large and small endianness. The order of bits within each byte may also be big-endian or little-endian, and some configurations actually use big-endian for bits and little-endian for bytes, or vice versa.
When dealing with internal computer structures or systems, both big-end and small-end scenarios, it may be desirable to resolve the "big-end" and "small-end" scenarios. For example, to select a block cipher using the big-endian configuration, and random device R11404 may be selected as the little-endian configuration. In this case, the S11412 and S21408 devices are used to handle compatibility issues. Additionally, if noise is introduced into E11414 before P1402, the noise data will be at C1The starting end of (a). In this case, it may be necessary to output a count or string into the IV unit (see fig. 16).
The information of the IV unit 1608 is output as header information to be stored in the ciphertext C stream 1606, as shown in fig. 16, reference numeral 1600. During the decryption process, the header information H will be input to S11410, and thus the synchronization process will be correctly performed, as shown in fig. 17, reference numeral 1700.
As shown in FIG. 18, numeral 1800, a second stream C2Depends on the controllable plaintext F1802, the random means R11806 (with key K21804), the second synchronizing means S21808, and the internal vector IV unit 1807. The main purpose of these devices is to secure C of F1802 as a password image2Are random and unpredictable. C2Covers the full bit group. In addition, C2Must be long enough to communicate with the entire flow C1A bit-wise XOR operation is performed.
In the embodiment shown in FIG. 18, numeral 1800, to generate a random and unpredictable stream C2Controllable plaintext F1802 is used. One preliminary choice for F1802 is that F1802 is itself a random number (or pseudo-random number) set. For example, F1802 may be a random set of characters generated by a Random Number Generator (RNG) or a pseudo-random number generator (PRNG). For practical purposes, printable character sets such as (a-Z) (A-Z) (0-9) are suggested, so that F1802 is editable or changeable by hand or an editor, such as, for example, a notebook. To improve the unpredictable nature of F1802, F should be changed often. Depending on the application, F1802 should be long enough to generate multiple encryption ciphers, and short enough to maintain the efficiency and performance of the encryption. For example, where encryption is used for short messages (less than 600 characters), the size of F1802 may be 2000 and 6000 characters.
The main function of randomizer R11806 is to generate an additional randomized stream using F1802 as a controllable plaintext. In addition, the burst of the stream should be a full bit depending on the machine and operating platform. For example, for an n-bit platform, each character of the stream produced by the randomizer R11806 should be equal (or approximately equal) to a probabilistic combination of n bits.
For example, a suitable randomizer R11806 may utilize a block cipher or a stream cipher, such as DES, Tri-DES, CAST, IDEA, Blowfish/TwoFish, AES, RC4, ISAAC, or SEAL, which are efficient randomizers and bit-spreading methods for the corresponding plaintext. Key K21804 intervenes automatically when a cipher is used for R11806, and is occasionally not shown. The presence of the decryption feature of R11806 is not important. Additionally, the encryption used for R11806 may be the same as or different from E1. For example, if AES is selected for E1, AES, RC4, or another cipher may be selected for R1. In many cases, standard encryption may be modified with or without decryption, and it may still be used for R1.
When a password is used for R11806, the output format will be dictated by the selected password. For example, if the stream cipher is selected for R11806, the output will be a character stream. If a block cipher is used, the output will be a packet in block format. In either case, the output stream is input to the synchronizer S21808, forming the cipher stream C2. Is justIs a reaction of with C1Acting together of C2A final ciphertext C1810 is generated. Therefore, S21808 has the effect of ensuring C2With C before XOR by bit1Are compatible.
To maintain the security features of encryption, each time encryption is used, C2Is different. There are many ways to achieve this, two of which are discussed below. Each time generating a different C2One method of (2) is to change the index of the start of F1802. For example, the initial vector IV unit 1807 may store a number k representing how many characters were used in F1802 in the previous encryption. When new encryption is required, the (k +1) character stored in F1802 will be input to the random (or password) device R11806. After encryption, the IV unit 1807 is updated to store the next starting index. When all controllable plaintext F1802 is used, the entire F1802 may be replaced with new controllable plaintext.
Each time generating a different C2Another method of (2) is to change C2Index of the start of (c). For example, the IV unit 1807 may store a start index k, representing C in a previous encryption2How many characters are used. When new encryption is required, all F1802 is input to R11806. The synchronizer S21808 is used to count the outputs and discard the first k characters. Stream C2Formed by (k +1) characters. This operation is particularly suitable for small messages P and F.
The final operation for encryption is for stream C1And C2A bit-wise XOR operation is performed. There are three modes of operation available for this process, i.e., whole stream, character by character, and block by block. Encryption operations using the entire stream mode, as shown in FIG. 19, reference numeral 1900, may be described as follows. When generating the first stream cipher C1When, C1Is transmitted to the device IV unit 1912. C of the same size according to length2Generated by synchronization unit S21902. For stream C1And C2A final XOR operation 1906 is performed. The process is particularly suitable for encrypting short messages. Whole stream modeOne advantage of (a) is that no synchronized feedback is required. When the whole plaintext P is known, C1Is fixed, so is C2. Thus, there is no need to monitor stream C in real time1And C2. On the other hand, the entire stream pattern is only in the entire C1Generation may begin as soon as possible, and may not be desirable for certain real-time applications that utilize real-time audio and video encryption, including police and military radios, broadcasting and transmission. From an operational point of view, the entire streaming mode is a static operation.
To include real-time as well as static applications, a block-by-block scheme may be used, as shown in fig. 20, reference numeral 2000. The first step in the block-by-block mode is to establish the block size, and then, for stream C1And C2The XOR operation is performed block by block. It should be noted that the size of the block in the block-by-block mode does not directly relate to the block cipher used in the encryption design, it is device and operating system dependent. For example, for an 32/64 bit operating system or chip, using 32/64 bits as the block length is, in many cases, more efficient. The main function of the synchronization means S1 and S22002 is to ensure that stream C is guaranteed when using the block-wise mode1And C2Grouped to the appropriate size prior to the XOR operation. In addition to this count, the functions of the S2 device 2002 include real-time feedback to the IV device unit 2012 so that processing can continue until encryption is complete. For example, when a new C1 block is generated, a signal is sent to the IV device unit 2012. In this case, the count feature in the IV device unit 2012 will be updated and the request comes from C2The new block of (2). The newly generated two blocks are XOR-ed together to form a new block of ciphertext C2010.
For some applications and small devices, the entire stream mode and/or the block-wise mode may not be the best method or it may not be easy to implement encryption. In this case, a character-by-character mode may be used. In fact, the character-by-character mode can be seen as a special case of the block-by-block mode in which the block size is 1. When using the character-by-character mode, the cipher stream C1And C2Is character based.In this case, the main function of the synchronising devices S1 and S2 is only to release the stream one character at a time. Whenever characters are separately read from each C1And C2When generated, the characters are XOR' ed together to form one character of ciphertext C, as shown in fig. 21, reference numeral 2100. The function of the device IV2112 is to increment the counter value until the end of C1. After encryption, the whole C1Is stored in the IV device unit 2112 so that it can be used for next encryption, and to bias the stream C1Or controllable plaintext F. The character-by-character mode is particularly suitable for real-time security applications using small devices with limited computing power and/or memory.
As shown in FIG. 22, reference numeral 2200, the operation of securely encrypting/decrypting depends on five inputs/outputs, plain text (P)2204, cipher texts (C2212 and 2214), and the first cipher (K)1)2206, 2220, second password (K)2)2208, 2222, and a separate cryptographic file (controllable plaintext streams F2210, 2224). In general, K12204, 2220 and K22208, 2222 may be a memorable password. The password file F may be a randomly generated file containing the entire spectrum of printable and/or non-printable characters. The combination of the above five inputs/outputs forms a series of functions in many security applications. Some applications/embodiments are listed below. One of the most basic applications of encryption is the transfer of secure messages from one location to another.
As shown in FIG. 23, reference numeral 2300, the passing of secure message processing may include assigning parameters K1, K2, and F to user input and including user input processes for K1, K2, and F in encryption unit E2304 and decryption unit D2314, where K1, K2, and F, respectively, entered by the user are sent from the encryption process to receiving agent 2310. The transmission may be any suitable method of passing the ciphertext from one location to another, such as an email transmission, an email attachment, an internet download, File Transfer (FTP), by hand (via messenger), mail, telephone, radio, or telegram.
When the plaintext P is one of the following items, and in accordance with embodiments of the present invention, secure transmission is provided for email messages, text messages, graphics and charts, photographs (including from satellites), music recordings (including locked CDs or DVDs), videos, and various types of computer files and documents. For the last four items cited above, the input to the sending agent may sometimes first be changed to a printable and text format, such as UU encoding or yEnc, and then may be sent to the receiving agent. In fact, all kinds of plaintext formats may be handled according to various embodiments of the invention. Sometimes it is the interface or sending agent that cannot handle the input format.
To use the present invention in accordance with an embodiment of the present invention, typically, a receiving agent such as the recipient's email address is required. However, as shown in fig. 24, reference numeral 2400, if the receiving destination is not specifically designated, the secure message can be delivered by broadcasting the message on a public or private message board 2408. To broadcast the secure message, the ciphertext C may be generated by posting a corresponding public and/or private message board on the internet 2408. For example, the secure message may be left in a so-called VIP book at a public location or a private company location. Although the published message can be seen by anyone, the content of the message is protected by encryption. From a cryptographic point of view, the publication of the ciphertext does not reveal the secure message to an unauthorized individual. Only the intended person with the appropriate password and decryption can get the plaintext.
One advantage of the broadcast method is that there is no transmission to a particular party or destination and no delay. The intended recipient can virtually access the message at any time from any location (which is where it can be properly connected to send the message). The broadcast embodiment of the present invention is most useful for small messages but may be inconvenient for instant or real-time discussion.
For real-time secure discussions or conversations, another embodiment of the present invention utilizing a two-way structure (encryption and decryption) and a chat room environment may be implemented as shown in FIG. 25, numeral 2500. After opening the chat room, the ciphertext can be copied and posted to the opposite party's chat room window.
Embodiments of the present invention provide for real-time secure message exchange in any network environment, including private networks, Local Area Networks (LANs), and the internet. All communication records will be automatically saved at the same time. Real-time secure discussions or conversations provide secure communications between parties or clients, such as auctions, bids, purchase and sale prices, costs, secure discussions with bankers and keeping all records, real-time interactive military instructions such as demolition of bombs, various online consultations such as purchasing computers, real-time consultations for online shopping, legal advice (where the receiving area is a general chat room and all clients who may view all entries and visits and the consultant may email an instant message and use one time K1, K2 and F to the client and open a private chat room to begin the consultations), instant, secure and open online banking (where the bank may serve a large number of clients in a normal chat room and each individual client may communicate with the associated banking staff in a private chat room), and instant, secure and open online banking, Secure and open online commerce, such as interactive ordering, purchasing and payment. Typically, the messages exchanged instantly are small.
As shown in FIG. 26, a web page written in HTML and script may be encrypted similar to the encryption of normal text, reference numeral 2600. In this case, the encrypted web page can be read out as data through a specially designed decryption page. When the parameters K1, K2, and F are input to the decrypted page D2608, the original web page is obtained and can be immediately displayed on the screen. With the secure encryption of the present invention, the security of the encrypted web page (as data) is ensured. When the parameters K1, K2, and F are input to the decryption page D2608, the original web page is displayed on the screen. To change to another web page, another set of K1, K2, and F may be entered, and the web page may be encrypted again. The present embodiment may be used for applications such as, for example, "stock and investment", "horse racing forecast", "bonus work", and "downloadable song". The ciphertext data C may be easily generated by inputting the web page directly to the encryption. In one embodiment, the parameters K1, K2, and F may be selected and periodically emailed to the user as files. In this way, the entire decoding process can be arranged automatically.
As shown in fig. 27, reference numeral 2700, in one embodiment, the present invention can be used to protect general software and installations. Specially designed decryption D software 2708 may be used to read out the ciphertext data C2706 and then install the desired software 2710. However, such embodiments do not identify who is accessing the software or store information about the length of time the software is utilized, making charging for the use of software information difficult.
By rearranging the input parameters P, K1, K2, F and C, a secure toll facility can be created. The charging facility may utilize the present invention in various embodiments, such as the following: credit card security, cash machine card security, access control, online banking, online shopping, and online entertainment service providers.
In a credit card embodiment, a credit card user obtains a credit card after approval from a vendor (typically a bank) with a pre-negotiated credit limit. When making a purchase, the credit card user typically indicates approval of the payment by signing a record with the details of the card and a receipt indicating the number of purchases. In many cases, electronic authentication systems are used that allow a merchant (using a strip of magnetic material on the card to hold information in a manner similar to a magnetic tape T or floppy disk) to verify that the card is valid and that the credit card customer has sufficient credit to complete the purchase or transaction at the time of purchase.
However, there is very little or no security on credit cards. For example, a credit card verification check basically checks the validity period. When the credit card machine makes a request, the card owner's information and the remaining credit are sent without further verification, the specific credit card number and rules are open, and the credit card information is easily copied, stolen, and copied without the credit card owner's permission. When the database is accessed illegally by hackers or insiders, all card owner information and records are volatile. Card malfunction and crimes easily occur in a wide range. Evidence indicates that an organization's crime is selling a duplicate credit card.
To provide a solution to the credit card security problem, secure encryption according to embodiments of the present invention may be used to provide a powerful verification method to verify the validity of the card, secure encryption of card information, secure encryption of credit card database servers, and limit economic losses when card information is acquired and/or copied by criminals or illegally accessed during transmission. When the user applies for an account, the server may perform the following operations: the plaintext P is selected based on the user information. This P may include, for example, the name of the card owner, the start and expiration dates, the credit card number, and other desired information; generating the remaining parameters K1, K2 and F according to the user and/or company requirements, performing encryption using all the parameters P, K1, K2 and F, and generating a ciphertext C; the strings P, C and F are split into two parts, such as P1+ P2, C1+ C2, and F1+ F2 (no specific requirements for the split), the information of P1, K1, F1 and C1 is inserted into the credit card, and the information of P2, K2, F2 and C2 is inserted into the card master database record. For further security, any other information relating to the card owner, credit limit and remaining credits may be encrypted and stored to the card owner database record.
As shown in fig. 29, reference numeral 2900, a credit card verification machine 2904 may utilize the present invention to secure credit card transactions in accordance with embodiments of the present invention. When a credit card is inserted into the credit card verifier machine, the credit card verifier machine retrieves P1, K1, and F1 from credit card 2902 and retrieves values P2, K1, K2, F2 from database record 2906, performs encryption. The encryption result is ciphertext C. This newly created ciphertext C is used to verify the ciphertext C1(from credit card 2902) and C2 (from database record 2906) for verification. When the two ciphertexts agree, the credit card verification is considered to be successful. Upon successful verification, the encrypted credit information is sent to complete the transaction. After each access (or of course after a successful transaction), randomly generatedA new F group and a new ciphertext C is obtained by using encryption. The information for F and C is divided into F1, C1, F2, and C2 and stored back to the user's credit card 2902 and database record 2906, respectively, for updating. In addition, a new set of encrypted credit limit information is updated. All necessary prior records and associated transactions may be recorded, building a history of the credit card user's account. Therefore, card copying of information from the server is not possible. All card verification and authentication is done in the card reader. All information transmissions via the internet or network are encrypted to eliminate network snooping attacks such as "snooping tools", "trojan horses", or "insider thieves". Since the information C1, C2, F1 and F2 are changed after each use, copying the card from the user card is worthless. For the same reason, after the copy card is used, the original card will be invalid, so that illegal activities using the copy card can be monitored and more easily detected. Generally, there is no user interaction for credit card operations, so credit card operations may be referred to as "non-interactive operations".
As shown in fig. 30, the present invention according to an embodiment, designated 3000, may be utilized to control locks on doors and access specific areas. Typically, the card key allows a person to open the door. Conventional access control methods (encryption and authentication) suffer from the same problems as credit cards, namely: there is a lack of a powerful method of verifying the legitimacy of the card key, since the card key is easy to steal and copy, and a powerful method of protecting the card key server from hacker attacks (e.g., it is well known that an intruder could illegally enter the card key server's database, steal all key records and use the stolen key/stolen key card information to gain access to any room). By using the secure encryption of the present invention, these above-referenced problems can be prevented. As shown in FIG. 30, the card key information includes P1,K1,C1And F and13002, the lock unit 3004 is used for encryption, and the database record includes P2,K2,F2And C and23006. when the key card is inserted into the lock, the verification process follows the verification of the credit card processThe process is carried out. Basically, if the encryption yields the same ciphertext, the card key is considered valid and the door will open. The information C1, C2, F1 and F2 changes and is updated after each access. All necessary prior records and transactions can be recorded, building a history of the account. When the server is attacked by an organized crime or hacker, the copying of the key from the server record is prevented. Losing and duplicating keys is of no value, since C and F change at each access. Lost and stolen keys can be easily replaced.
As shown in fig. 31, reference numeral 3100, cash machine operation can also utilize secure encryption in accordance with embodiments of the invention. Generally, a password, typically a storable password, 3106 may be entered to initiate a cash machine 3104 transaction. Cash machine security suffers from the same problems as in credit card applications. Part of the plaintext P is extracted as the memorized password in the case of a credit card, i.e., P1+ P2+ P3. In general, the parameter P3 should be a number or string that is relatively easy to remember and, when prompted, used to enter encryption. Parameters P1, K1, F1, and C1 are inserted into the cash card 3102. The parameters P2, K2, F2 and C2 are inserted into the bank's database record 3108. To further improve security, the account and associated information may be encrypted by the same secure encryption or other selected methods. The parameters F1, F2, C1 and C2 are regenerated and updated in the card and database after each access or, of course, after each successful transaction. The new account balance and other related information may be encrypted and updated so that the information is protected. All necessary prior records and transactions can be recorded to build a history of the account. For credit cards, cash machine cards and database records are secured by secure encryption. Copying cash machine cards from database records is not possible when the server is accessed illegally by an organized crime or insider. Duplicate cards are worthless, as C and F change for each access. For the same reason, after using a copy card, the original card will be invalid, so that illegal activities using the copy card can be monitored and more easily detected. Lost and stolen keys can be easily replaced by changing F1, F2, C1 and C2. The application is further protected by the remembered password.
As shown in fig. 32, reference numeral 3200, software downloadable from the internet may be protected by secure encryption according to an embodiment of the present invention. Fixed E, K2, P2, F2 is inserted into the software in the database record 3210 and is protected by the executable code of the software. The authentication process with encryption is included in the software installation. The software is then imported into the internet 3206 for download. When a user logs into the software at a licensed location, parameters P1, K1, F1, and C1 (referred to as "boot files" 3204) are generated from the encryption parameters within the software 3202. The startup file 3204 is then sent as an email to the logged-in user for licensed software installation. During software installation, the startup file 3204 is requested and entered into secure encryption. When the parameters P1, P2, K1, K2, F1, F2 and encryption E generate the same ciphertext C as in the boot file 3204, the software installation proceeds and the installation is deemed successful. P1, K1, F1 and C may be different for different logged-on users, so each user has an appropriate logged-on version of the software. To further protect the software, the user password P3 may sometimes be extracted from P1 as software launch code and provided to the service web page 3206, thus requiring interaction parameters for software installation as well. All necessary prior records and transactions can be recorded to build the history of the account.
Secure encryption according to embodiments of the present invention may be used to charge industries on the internet. For example, secure encryption may be used when a user applies for an account by form-filling, the service provider establishing the user account in a database, instead of the usual "user name" and "password", the provider sending the start-up file as an email to the logged-on user at the same time. Based on the user name, password, and boot file, the user may log into the service location via the encryption process record described above. The user downloads and runs the service page on the local machine 3202. Information of the start-up file 3202 is automatically read by the service page 3206. The user inputs the user name and password P33208 to the service page 3206 so that security encryption can be performed. After user authentication, the encrypted service data and/or web page is sent by the database record 3210 to the local machine 3202 for decryption and service to the customer.
For further protection, P3 may include a fingerprint or other biometric information. The startup file may be stored in the memory stick for portability of the application. Applications include use by Internet Service Providers (ISPs), such as America Online (AOL), job hunting, dating agents, internet television, and radio telephony.
As shown in fig. 33, reference numeral 3300, an online bank may utilize secure encryption in accordance with embodiments of the present invention. Since most online banking systems have banking operations and a database server, secure encryption can be added to the existing protection program, forming an encryption layer in the database server. Banking operations and database servers should be physically protected from unauthorized access and should not be directly connected to the internet. The bank account and related information should be encrypted by the encryption layer before being sent to the bank page via the internet or network environment. The user downloads and runs 3302 the online banking page 3306 on the local machine. The information of start file 3308 is automatically read by bank page 3306. Along with the user name and password P33304 entered into the bank page, secure encryption is performed for user authentication. After user authentication, the encrypted banking operation 3312 is sent to the encryption layer 3310 for decryption. The decrypted banking information is then sent to the banking operations and database server 3312 for actual banking actions. To improve portability of online banking, the start-up file may be stored on a local machine, memory stick, and/or any portable storage device, such as a hard disk or CD. To improve security, the P3 or startup file may include biometric information, such as a fingerprint. The addition of the encryption layer will keep all existing online banking operations unchanged so that the amount of modification is kept to a minimum.
Although a few embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.
Claims (22)
1. A system for securely encrypting plaintext information, comprising:
a sending agent for generating and synchronizing a first cipher stream using the plaintext information and the first key, generating and synchronizing a second cipher stream using the second key and a randomization function for randomizing the controllable plaintext stream to form a second synchronized cipher stream, and acting on the plurality of first and second cipher streams using the non-combinable extraction operator to obtain a ciphertext stream; and
and the receiving agent is used for decrypting the ciphertext stream.
2. The system of claim 1, wherein the sending agent includes a central processing unit, memory, and transceiver coupled to process the plaintext information and, if desired, to decrypt the received ciphertext stream.
3. The system of claim 2, wherein the transceiver transmits the ciphertext stream and the controllable plaintext stream separately to the receiving agent.
4. The system of claim 1, wherein the system comprises a data entry station and a database server linked via a wide area network/local area network or a combination thereof.
5. An apparatus for securely encrypting plaintext information, comprising:
a data entry station comprising
A first cipher stream generator for generating and synchronizing a first cipher stream by using the plaintext information and the first key;
a second cipher stream generator for generating and synchronizing a second cipher stream by using a second key and a randomizing function for randomizing and synchronizing the controllable plaintext stream; and
an irreducible operator acts on the first and second synchronous cipher streams to obtain a cipher text stream.
6. The apparatus of claim 5, wherein the first stream cipher generator comprises:
a block cipher encryption unit arranged to generate and synchronize a first cipher stream upon input of plaintext information and a first key, wherein the block cipher encryption unit comprises one of:
a block cipher encryption device to generate a first cipher stream and a first synchronization unit to synchronize the first cipher stream; or
A block cipher encryption/synchronization unit for generating and synchronizing a first cipher stream.
7. The apparatus of claim 5 wherein the second stream cipher generator comprises:
a random function generator arranged to randomize and then synchronize the controllable plaintext stream after the second key and the controllable plaintext stream input to output a second cipher stream, wherein the random function generator comprises one of:
a random function generator device for randomizing the controllable plaintext stream, and a second synchronization unit for synchronizing the randomized second cipher stream; or
A random function generator/synchronization unit for randomizing and then synchronizing the second stream.
8. The apparatus of claim 5, wherein the non-disjunctive operator is an exclusive or logical operator.
9. A method of securely encrypting plaintext information, comprising:
generating and synchronizing a first cipher stream using the plaintext information and a first key;
generating and synchronizing a second cipher stream using a second key and a randomization function for randomizing the controllable plaintext stream to form a second cipher stream; and
the plurality of synchronized first and second cipher streams are acted upon by using a non-concurrent disjunctor to obtain a cipher text stream.
10. A method of securely encrypting plaintext information, comprising:
generating a ciphertext stream using a non-facultative disjunction operator from:
generating and synchronizing a first cipher stream from the plaintext information and a first key; and
a second cipher stream randomized and then synchronized from the controllable plaintext stream using a second key.
11. A method of securely encrypting plaintext information, comprising:
generating a plurality of synchronized cipher streams, wherein at least a first cipher stream is generated and synchronized by encrypting plaintext information using a first key word, and at least a second cipher stream is generated and synchronized by applying a random function to controllable plaintext and a second key word; and
the ciphertext stream is obtained by using a non-concurrent disjunction operator to act on multiple cipher streams that are synchronized.
12. A computer-readable medium having computer-readable instructions recorded thereon for securely encrypting plaintext information, the computer-readable instructions comprising:
generating and synchronizing a first cipher stream using the plaintext information and a first key;
randomizing and then synchronizing a second cipher stream formed from the controllable plaintext stream by using a second key and a randomization function; and
the plurality of synchronized first and second cipher streams are acted upon by using a non-concurrent disjunctor to obtain a cipher text stream.
13. A computer-readable medium having computer-readable instructions recorded thereon for securely encrypting plaintext information, the computer-readable instructions comprising:
generating a ciphertext stream using a non-facultative disjunction operator from:
generating and synchronizing a first cipher stream from the plaintext information and a first key; and
a second cipher stream randomized and then synchronized from a controllable plaintext stream using a second key and a randomization function.
14. A computer-readable medium having computer-readable instructions recorded thereon for securely encrypting plaintext information, the computer-readable instructions comprising:
generating a synchronized plurality of cipher streams, wherein at least a first synchronized cipher stream is generated by encrypting plaintext information using a first key word, and at least a second synchronized cipher stream is generated by applying a random function to controllable plaintext and a second key word; and
the ciphertext stream is obtained by using a non-concurrent disjunction operator to act on multiple cipher streams that are synchronized.
15. A method of securely encrypting plaintext information on a credit card, the method comprising:
selecting a plaintext P according to user information when a user applies for an account by a server/database record;
generating, by the server/database record, a first key, a second key and a controllable plaintext stream as requested by the user and/or the company providing the credit card;
performing, by the server/database record, encryption using the plaintext, the first key, the second key, and the controllable plaintext stream to produce a ciphertext C;
inserting information of the plaintext, the first key, the controllable plaintext stream, and the first ciphertext stream into a credit card;
inserting the information of the plaintext, the second key, the controllable plaintext stream and the second ciphertext stream into a card master database record; and
the plaintext is encrypted into ciphertext according to a predetermined scheme using the first key, the second key, and the controllable plaintext stream.
16. The method of claim 15, wherein at least one of the plaintext string, the ciphertext string, and the controllable plaintext string is partitioned.
17. A method of securely encrypting plaintext information, comprising:
assigning a first key word K1, a second key word K2, a controllable plaintext stream F, and a randomization function R to the user input;
sending K1, K2, F, and R to the receiving agent via the privacy mode; and
a plaintext stream is encrypted according to a predetermined scheme by using K1, K2, F, and R to form a ciphertext stream, and the ciphertext stream is transmitted to a receiving agent.
18. The method of claim 17, wherein encrypting the plaintext stream according to the predetermined scheme by using K1, K2, F, and R comprises:
converting the plaintext stream into a first cipher stream using a block cipher and K1;
randomizing F using R to form a second stream of ciphers;
synchronizing the first stream cipher and the second stream cipher; and
a non-concurrent disjunction operator is used to act on the synchronized first and second cipher streams to obtain a cipher text stream.
19. The method of claim 17, further comprising using a vector function to provide header information from the synchronized first cipher stream to the cipher text stream.
20. The method of claim 17 further comprising using a vector function to act on the synchronized second cipher stream to provide header information to the cipher text stream.
21. A method of decrypting plaintext information encrypted in accordance with claim 17, comprising:
the ciphertext stream is decrypted using K1, K2, F, and R in a reverse process to that of claim 17.
22. The method of claim 17, wherein the method is implemented in one of the following transactions:
credit card transactions, cash machine transactions, toll transactions over the internet, or online banking transactions.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US11/041,436 | 2005-01-25 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1118995A true HK1118995A (en) | 2009-02-20 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8595508B2 (en) | Method of secure encryption | |
| US6311270B1 (en) | Method and apparatus for securing communication utilizing a security processor | |
| US7940928B2 (en) | Systems and methods for protecting data secrecy and integrity | |
| US6367010B1 (en) | Method for generating secure symmetric encryption and decryption | |
| US8077870B2 (en) | Cryptographic key split binder for use with tagged data elements | |
| US20060195402A1 (en) | Secure data transmission using undiscoverable or black data | |
| US20040208316A1 (en) | Cryptographic key split binder for use with tagged data elements | |
| US20100150352A1 (en) | Secure self managed data (ssmd) | |
| US6711553B1 (en) | Method and apparatus for digital content copy protection | |
| CN114244508A (en) | Data encryption method, device, equipment and storage medium | |
| Vyakaranal et al. | Performance analysis of symmetric key cryptographic algorithms | |
| US20020021804A1 (en) | System and method for data encryption | |
| JP2005502269A (en) | Method and apparatus for creating a digital certificate | |
| CN1558580B (en) | A network data safety protection method based on cryptography | |
| US11468178B1 (en) | Embedded obfuscated channel cryptography | |
| HK1118995A (en) | Secure encryption system, device and method | |
| JPH10228375A (en) | Electronic distribution system | |
| Reddy et al. | Data Storage on Cloud using Split-Merge and Hybrid Cryptographic Techniques | |
| Allwine et al. | Advanced Encryption Standard (AES) Cryptography Application Design | |
| US20070192589A1 (en) | System and method for encrypting webpage logs | |
| CN116527236B (en) | Information change verification method and system for encryption card | |
| Chaudhary et al. | A security solution for the transmission of confidential data and efficient file authentication based on DES, AES, DSS and RSA | |
| Alhamalawy et al. | A Comprehensive Survey on Digital Rights Management Systems (DRM) and Advanced Encryption Techniques | |
| US20250158804A1 (en) | Method for randomized data hybridized handshake wrapped around AES, or similar symmetric encryption allowing mutual secure exchange and generation of symmetric session keys, wherein sender, receiver and any command instructions are mutually and simultaneously authenticated, while only sending 100% randomized data, with the exception of a hashed or encrypted user ID | |
| WO2025215393A1 (en) | Improved encryption and authentication method with associated data |