Showing papers on "Encryption published in 1990"

Exponentiation cryptosystems on the IBM PC

Abstract: Several cryptosystems based on exponentiation have been proposed in recent years. Some of these are of the public key variety and offer notable advantages in cryptographic key management, both for secret communication and for message authentication. The need for extensive arithmetic calculations with very large integers (hundreds of digits long) is a drawback of these systems. This paper describes a set of experimental programs that were developed to demonstrate that exponentiation cryptosystems can be efficiently implemented on the IBM Personal Computer (PC). The programs are organized into four layers, comprising procedures for: multiple precision integer arithmetic, modular exponentiation, prime number generation and testing, and cryptographic key generation. The major emphasis of the paper is on methods and techniques for improving execution speed. The items discussed include: the use of a specialized squaring procedure; a recursive splitting method to speed up squaring and multiplication; the computation of residues by using multiplication instead of division; the efficient encoding of residue information; and the use of thresholds to select the most effective primality testing algorithm for a given size number. Timing results are presented and discussed. Finally, the paper discusses the advantages of a mixed system that combines the superior key management capabilities inherent in public key cryptosystems with the much higher bulk-encryption speed obtainable with the Data Encryption Algorithm.

Method for delegating authorization from one entity to another through the use of session encryption keys

Abstract: A method for delegating authorization from one entity in a distributed computing system to another for a computing session is disclosed wherein a session public/private encryption key pair is utilized for each computing session. The private encryption key is erased to terminate the computing session.

Prepayment metering system using encoded purchase cards from multiple locations

Abstract: A prepayment system for dispensing utilities using mag-stripe cards is disclosed wherein an accounting computer in a central office is used in conjunction with point-of-sale machines for encrypting a value message which is written onto the mag-stripe of a mag-stripe card. The value message contains information relating to the amount of utilities purchased by the customer, the utility rates, the site identification number, and a unique password formed by the site number, a hidden number, and the transaction number. The mag-stripe card is carried by mail or in person to the consumer's home or office and inserted into a mag-stripe card reader attached to microprocessor-based utility control device. This utility control device is capable of reading and decoding the mag-stripe card and storing the value information into memory for use in monitoring the utility usage of the customer and disconnecting or connecting the utility based on the amount of utilities purchased.

Computer software encryption apparatus

Abstract: Data security is provided using an encryption/decryption algorithm which attaches at the primitive BIOS level of the operating system automatically during the power-on self-test routines. The encryption/decryption process is implemented by intercepting the removable media or floppy diskette interrupt in order to add additionasl interrupt ahandling routing instructions which perform the encryption and decryption of data passed between the diskette controller and the data transfer buffer area within system RAM. Bitwise alteratio of the data in a predefined relationship is used to encrypt and decrypt. The encryption/decryption system sttaches before the computer power-up sequence renders data entry hardware active, hence the user cannot readily override the secrity system. Data stored on nonremovable media such as hard disk media is not encrypted, thereby preserving the integrity of more permanent data.

Multiple user stored data cryptographic labeling system and method

Abstract: There is disclosed a system and method of extending the labels on an encryption technique so that different users can utilize the same files under different rights established by both the user and the system administrator. This system and method take advantage of an extension of the file label which contains configuration capabilities and user rights and privileges to that file. The extended labeling is expandable so that several users can each be identified having specific rights and specific encryption capability with respect to the file.

Encryption of streams of addressed information to be used for program code protection

Abstract: An encryption method is taught which chooses certain bytes of data, stored in a particular on-chip memory, as encryption keys. These chosen bytes are used to encrypt themselves, and all of the remaining data in the above mentioned particular memory. The chosen bytes do not have values specifically assigned for encryption, they are merely chosen, according to a rule, from the body of data to be encrypted. When this technique is implemented, each byte of data, stored in the mentioned memory, is combined (for example using an exclusive NOR gate) with one of the designated encryption key bytes prior to disclosure. The user is not required to provide, program, or safeguard a set of key bytes separately. Additionally, no silicon area is wasted in storing such bytes. An intruder would need certain pieces of the original data in order to decipher the results of this encryption technique. Additionally, this technique degrades gracefully. The keys are chosen such that encrypted data does not have a single common dependency. Thus, in the event a single key is discovered, only a very small portion of the encrypted data will be disclosed.

Method and apparatus for authenication and protection of subscribers in telecommunication systems

Abstract: Radio frequency based cellular telecommuication systems often require a subscriber (10) to maintain a proprietary identifier (19) or serial number (18) which is transmitted to a fixed network communication unit (20) to verify the authenticity of the subscriber (10). An enciphering and call sequencing method and apparatus are provided which can decrease unauthorized detection of these proprietary ID's (18, 19). This method and apparatus permit efficient roaming by allowing authentication variables for multiple calls to be sent from the "home" system (20) to the "visted" system and stored by the "visted" system for use with subsequent calls. Further, a method and apparatus are provided which force the authenticating mobile (10) to use information that only it has available to itself. Furthermore, a method and apparatus are provided which allow continued encryption integrity during handoffs by maintaining a record of pseudo random events between a subscriber unit (10) and any radio communication unit (20) and using that record as an encryption variable.

Databaseless security system

Abstract: An improved security system, including a portable smart card and a host computer, eliminates the need for the computer to store individual personal identification (ID) numbers for each user seeking access to the computer. Instead, the computer stores a first encryption algorithm E1 used in converting a particular identification number (ID)n into a secret code Sn for that particular user. Sn also exists within the memory of the smart card having been loaded into its memory atthe time of issue. A challenge number C is generated by the computer and transmitted to the smart card. Within the smart card and the computer, microprocessors respond to the challenge number C, the secret code Sn, and a second encryption algorithm E2 in order to generate response numbers Rn and R'n respectively. Thereafter, Rn is transmitted to the computer where it is comparedwith R'n. A favorable comparison is necessary for gaining access to the computer.

Portable pin card

Abstract: A portable Personal Identification Card allows a cardholder to enter a PIN code into his card at a location remote from an authorization terminal. In an alternate embodiment, a PIN code may be enterd at the authorization terminal. The authorization terminal reads the cardholder's account number from the PIN card. The account number is transmitted to a central computer which uses this number to index into memory to find a personal identification number and encryption parameters. The centerl computer transmits a pseudo-random number to the PIN Card. Both the PIN Card and the central computer perform an encryption of a function of the corresponding personal indentification number and pseudo-random number to derive a CGIPIN (Computer Generated Image of the PIN). If the CGIPIN transmitted from the PIN card matches the CGIPIN of the central computer, access is authorized.

LOKI—a cryptographic primitive for authentication and secrecy applications

Abstract: This paper provides an overview of the LOKI encryption primitive which may be used to encrypt and decrypt a 64-bit block of data using a 64-bit key. The LOKI primitive may be used in any mode of operation currently defined for ISO DEA-1, with which it is interface compatible [AAAA83]. Also described are two modes of operation of the LOKI primitive which compute a 64-bit, and 128-bit, Message Authentication Code (or hash value). These modes of operation may be used to provide authentication of a communications session, or of data files.

Fast Software Encryption Functions

Abstract: Encryption hardware is not available on most computer systems in use today. Despite this fact, there is no well accepted encryption function designed for software implementation - - instead, hardware designs are emulated in software and the resulting performance loss is tolerated. The obvious solution is to design an encryption function for implementation in software. Such an encryption function is presented here - on a SUN 4/260 it can encrypt at 4 to 8 megabits per second. The combination of modern processor speeds and a faster algorithm make software encryption feasible in applications which previously would have required hardware. This will effectively reduce the cost and increase the availability of cryptographic protection.

A method for utilizing an encrypted key as a key identifier in a data packet in a computer network

Abstract: The nodes in a computer network utilize an encrypted key as a key identifier in a data packets transferred between nodes which eliminates the need for a receiving node to perform a memory look up operation to ascertain the key used to encrypt the data. Each node is provided with a master key that is unique to each node. When two nodes want to establish communications they first negotiate a shared key. This shared key is then encrypted under each nodes' master key. The nodes then exchange their respective encrypted key. The encrypted key of the receiving node is placed in the data packet to be sent by the transmitting node. Upon receiving a data packet, the receiving node decrypts the encrypted key to determine the shared key. This shared key is then used to decrypt encrypted data in the data packet.

Method and apparatus for authenticating messages

Abstract: A method and system for authenication of communications. More particularly the subject application discloses a method and apparatus whereby a third party may validate that a communication is an authentic communication from a second party sent with the authorization of a first party. For example, the third party may be a postal service, the second party may be a mailer, and the communication may be a postal indicia showing that a mail piece has been properly franked. The first party and the second party share an encryption key, or a series of keys. The first party also has a second encryption key which the third party has the ability to decrypted. In the subject invention the first party encrypts a key shared with the second party with the first party's second key and transmits this to the second party. The second party then uses its copy of the key to encrypt information and appends its encrypted information to the message received from the first party and transmits all this to the third party. The third party may then decrypt the copy of the key encrypted by the first party and use this information to decrypt the information encrypted by the second party. The known technique of eliptical logarithms may be used to provide highly secure encryption of short messages. The second party may be a mailer and the apparatus of the subject invention may include a postage meter which prints the information transmitted to the third party, who may be a postal service, on a mail piece as a postal indicia.

Pipelined cryptography processor and method for its use in communication networks

Abstract: Cryptographic apparatus, and a related method for its operation, for in-line encryption and decryption of data packets transmitted in a communication network. A full-duplex cryptographic processor is positioned between two in-line processing entities of a network architecture. For example, in a fiber distributed data interface (FDDI) network, the processor is positioned between a media access control (MAC) sublayer and a ring memory controller (RMC). Incoming information packets are analyzed to decide whether or not they contain encrypted data and, if they do, are subject to decryption before forwarding. Outbound information packets have their data portions encrypted if called for, and are usually forwarded toward the network communication medium. Cryptographic processing in both directions is performed in real time as each packet is streamed through the processor. The processing of outbound information packets includes using optional data paths for looping of the processed information back in a reverse direction, to permit the host system to perform local encryption or decryption for various purposes.

Method for encrypting transmitted data using a unique key

Abstract: The invention comprises a method for encrypting data for communication between a host computer and each of a plurality of remote terminals in a network. A method is provided for periodically generating a unique dynamic encryption key for each of said plurality of terminals using a system seed key residing only in the host computer. The dynamic encryption key generated for use by said terminal in encrypting data transmitted to said host computer and for decrypting data received from said host computer. The method includes storing at said terminal the dynamic key previously generated by said host for said terminal.

Video control system for transmitted programs

Abstract: A video system includes a central facility and a terminal. Means are provided for transmitting to the terminal a video program including a series of television fields including a first field containing both a random digital code encrypted according to a code encryption key and program identification data, and a second field containing an unintelligible video signal previously transformed from an intelligible video signal according to the random digital code. The terminal includes means for sending the program identification data to the central facility. The central facility includes a data base for storing and retrieving at least one code encryption key corresponding to the program identification data and means for sending the code encryption key from the central facility to the terminal. The terminal further includes means for receiving the code encryption key from the central facility, decrypting means for decrypting the encrypted digital code of the first frame in accordance with the code encryption key and means for transforming the unintelligible video signal of the second frame to the intelligible video signal using the decrypted random digital code.

Recorded medium for video control system

Abstract: A video recording medium storing a video program includes a series of television fields including a first field containing both a random digital code encrypted according to a code encryption key and program identification data, and a second field containing an unintelligible video signal previously transformed from an intelligible video signal according to the random digital code.

Access controller for local area network

Abstract: An access controller for peer-to-peer communication networks which monitors the data packets transmitted between stations, determines when an access that needs to be controlled is being made, and then either destroys the packet or transmits one or more packets which appear as legitimate message packets to the stations but which, in fact, terminates or alters the communication path between the two stations. Since the invention is free of any particular protocol restrictions, it can be implemented with any type of protocol and at any layer of that protocol. And since the access control mechanism is neither part of the physical communication path nor part of the communication primitives, the stations cannot detect, in any direct sense, that their access is being controlled, and they do not need to be programmed to follow any special control protocols, or to use encryption. A signature signal can be used as a safety mechanism to prevent multiple access controllers from controlling the same network, to prevent an unauthorized access controller from seizing control of the network.

Secure video decoder system

Abstract: A video decoder includes an application specific integrated circuit (ASIC) that has the decoder address and a secure decryption key stored in a one-time-programmable memory. Encrypted messages are received and selectively supplied to a packet decrypter and to a video decrypter based upon the location of bits in the message string. The packet decrypter is responsive to a flag in the packet data for utilizing a secure key or a unsecure key for decryption of the packet data. The information derived from the secure decryption and the secure key itself are never available (or ascertainable) outside of the ASIC. Only information concerning the unsecure key is available outside of the integrated circuit.

Enumerating boolean functions of cryptographic significance

Abstract: In this paper we describe applications of functions from GF(2) m onto GF(2) n in the design of encryption algorithms. If such a function is to be useful it must satisfy a set of criteria, the actual definition of which depends on the type of encryption technique involved. This in turn means that it is important to ensure that the selected criteria do not restrict the choice of function too severely, i.e., the set of functions must be enumerated. We discuss some of the possible sets of criteria and then give partial results on the corresponding enumeration problems. Many open problems remain, some of them corresponding to well-known hard enumeration questions.

Video control system having session encryption key

Abstract: A video system includes a central facility and a terminal. Video program means for provides the terminal with a video program including a series of television fields including a first field containing both a random digital code encrypted according to a code encryption key and program identification data, and a second field containing an unintelligible video signal previously transformed from an intelligible video signal according to the random digital code. The terminal includes means to store terminal identification data and a terminal specific encryption key; and means to send to the central facility the program idenficiation data and the terminal identification data. The central facility includes means for providing a session encryption key, means for encrypting the session encryption key according to the terminal specific encryption key, means for sending the encrypted session encryption key from the central facility to the terminal, a data base for storing and retrieving at least one code encryption key corresponding to the program identification data, means for encrypting the code encryption key according to the session encryption encryption key, and means for sensing the encrypted code encryption key from the central facility to the terminal. The terminal further includes means for receiving the encrypted session encryption key from the central facility, decryption means for decrypting the session encryption key according to the terminal specific encryption key, means for receiving the encrypted code encryption key from the central facility, decryption means for decrypting the code encryption key according to the session encryption encryption key, and decrypting the encrypted random digital code of the first frame in accordance with the code encryption key; and means for transforming the unintelligible video signal of the second frame to the intelligible video signal using the decrypted random digital code.

Network security via private-key certificates

Abstract: We present some practical security protocols that use private-key encryption in the public-key style. Our system combines a new notion of private-key certificates, a simple key-translation protocol, and key-distribution. These certificates can be administered and used much as public-key certificates are, so that users can communicate securely while sharing neither an encryption key nor a network connection.

Transmitting encoded data on unreliable networks

Abstract: Information encoded by data compression (or another data encoding technique, e.g., encryption, requiring synchronization between the encoder (12a) and decoder (22b) is transmitted over an unreliable network (16) by checking for transmission errors after decoding. if an error is detected, the encoder (12a) is reset, using a reset protocol, which may operate over an unreliable re-verse channel (16) by using a timer (46) to generate further reset requests when the receiver does not acknowledge them in a timely fashion.

Video control system for recorded programs

Abstract: A video system includes a central facility and a terminal. Means are provided for playing a video recording medium storing a video program including a series of television fields including a first field containing both a random digital code encrypted according to a code encryption key and program identification data, and a second field containing an unintelligible video signal previously transformed from a intelligible video signal according to the random digital code. The terminal includes means for sending the program identification data to the central facility. The central facility includes a data base for storing and retrieving at least one code encryption key corresponding to the program identification data and means for sending the code encryption key from the central facility to the terminal. The terminal further includes means for receiving the code encryption key from the central facility, decrypting means for decrypting the encrypted digital code of the first frame in accordance with the code encryption key, and means for transforming the unintelligible video signal of the second frame to the intelligible video signal using the decrypted random digital code.

Method for secure communication

Abstract: A method for the secure communication of messages. A first party is provided with a set of numbers that have the property that when encrypted using an RSA encryption key the resulting set of encrypted numbers is of an order substantially smaller than that of the original set. If the encryption key and the original set of numbers are of the order of 200 decimal digits then the resulting set of encrypted numbers may be of the order of 15-30 decimal digits. To communicate a message the first party selects a number from the original set and applies a hashing function to the selected number to obtain a 64 binary bit DES key. The selected number is then encrypted with the RSA key and a message is encrypted with the DES key obtained. The encrypted message and the encrypted selected number are combined and the combined message is sent to a second party who has the corresponding RSA decryption key and knows the hashing function. The second party then decrypts the number, applies the hashing function to obtain the DES key and decrypts the message. Thus the parties may communicate with substantially the security of RSA while significantly reducing the minimum message length which may be securely encrypted.

Communication network intended for secure transmission of speech and data

Abstract: This invention relates to a communication network intended for secure transmission of speech and data, including different types of subscriber terminals (10-15) and switching modules (4-6), and where the network further comprise crypto devices to undertake encryption/decryption of information transmitted through the network. At least one of the crypto devices is constituted by a crypto-pool device (7,8,9) having a number of crypto modules (CM) physically separated from the switching modules (4,5,6). Each crypto-pool (7,8,9; 20) is provided with a managing device (MA, 26) for communicating with a ciphering key distribution authority through standardized communication protocols and distribute keys to the relevant CM through a control path (25) of the crypto-pool. Each crypto-pool has access to an authentication server (AS, 16; 41,43) providing a directory of security certificates necessary in the authentication process when initiating a network connection.

Key management system

Abstract: This key management system effectively solves the key distribution problems of distance, time, operator error, and security risk by transferring encryption keys with appropriate system information between a key management controller (101) and a remote keyloader (109). The keyloader (109) is then coupled to a communication device to transfer (327) the keys and receive (329) identification information from the communication device. The keyloader (109) then sends (323) the information to the key management controller (101) that controls the distribution of the encryption keys and collection of the communication device identifications.

Retrofittable encryption/decryption apparatus using modified frequency modulation

Abstract: A communication system for providing secured communication over a communication channel. The system includes a DES encryption device and a DES decryption device retrofittable into or within a conventional radio unit. The encryption device receives analog input at the transmitter end of the radio and converts the analog signal to digital signal, then encrypts this digital data, modulates the encrypted digital data using modified frequency modulation (MFM) which is then sent over the communication path. During decryption, the apparatus receives MFM data from the communication path, demodulates this digital data, decrypts the data and then outputs this decrypted digital data to the interface unit. The interface unit contains both a transmitter and a receiver which is capable of half duplex operation. The interface unit also contains a voice coder and a voice decoder which are of the sub-band type. The interface unit further contains a method for selecting from either a digital data transceiver or a voice coded digital data transceiver. Still further, the apparatus contains a method for selectively controlling the authorized reception for digital data by a single receiver or a plurality of receivers. Also, a method is available for selecting one of a plurality of master keys, which are used for the encryption process initialization. Still further, the present system allows for encrypting and decrypting the digital data by exclusive-oring the digital data with the operative digital encryption device which is implemented in DES.

Probabilistic cryptographic processing method

Abstract: A decryption method, and associated cryptographic processor, for performing in-line decryption of information frames received from a communication network through a first in-line processing stage. As an information packet is streamed into the cryptographic processor, a determination is made to an acceptable level of probability whether the packet contains data that should be decrypted. The decision whether or not decrypt is made by analyzing the incoming packet header, recognizing a limited number of packet formats, and further parsing the packet to locate any encrypted data and to make sure that the packet is not a segment of a larger message. Falsely decrypted packets are looped back through the cryptographic processor, to regenerate the data that was falsely decrypted. Decryption and encryption are performed in such a manner that a false decryption is completely reversible without loss of data. Special treatment is provided for packets containing data that cannot be divided into an integral number of standard blocks required for decryption processing.

Correction to Secure communication in INTERNET environments : a hierarchical key management scheme for end-to-end encryption

Abstract: A hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between authentication servers and/or control centers of different networks at the higher levels. Details of this approach are discussed for specific illustrative scenarios to demonstrate the implementation simplicity. A formal verification of the security of the resulting system in the sense of protecting the privacy of privileged information is also conducted by an axiomatic procedure utilizing certain combinatory logic principles. This approach is general and can be used for verifying the security of other existing key management schemes. >