Cryptographic communication security for single domain networks
First Claim
1. A data security device having a dual master key arrangement in which a first master key provides protection for data encrypting keys and a second master key provides protection for key encrypting keys, said arrangement for protecting said key encrypting keys, comprising:
- working key storage means, means storing said second master key in said working key storage means as a working key, means providing input data representing a key encrypting key, and cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said key encrypting key enciphered under said second master key.
Abstract
A communication security system for data transmissions between remote terminals and a host system. The remote terminals and the host system include data security devices capable of performing a variety of cryptographic operations. At initialization time, a host master key is written into the host data security device and the host system generates a series of terminal master keys for the remote terminals. Protection is provided for the terminal master keys by enciphering them under a variant of the host master key. The terminal master keys are then written into the data security devices of the respective remote terminals to permit cryptographic operations to be performed. When a communication session is to be established between a designated remote terminal and the host system, a random number is generated and defined as an operational key enciphered under the host master key which permits the operational key to be used at the host system for enciphering or deciphering data operations. The host data security device, using the enciphered master key of the designated remote terminal, transforms the enciphered operational key under control of the host master key into a form in which the operational key is enciphered under the terminal master key of the designated remote terminal. The operational key enciphered under the terminal master key of the designated remote terminal is transmitted to the remote terminal to permit the enciphered operational key to be used at the remote terminal for enciphering or deciphering data operations.
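The key flow in the abstract, as an added Python sketch that is not taken from the patent: the host stores each terminal master key enciphered under a variant of the host master key, defines a random number as the operational (session) key enciphered under the host master key, and re-enciphers it under the terminal master key for transmission. The names KMH0, KMH1, KMT and KS, the XOR mask used to derive the variant, the 64-bit sizes and the SHA-256-based Feistel cipher standing in for the devices' cipher are all assumptions of this sketch.

```python
"""Toy model of the host/terminal key hierarchy described in the abstract."""
import hashlib
import secrets

BLOCK = 8                              # 64-bit keys and blocks (assumed size)
VARIANT_MASK = bytes([0x88] * BLOCK)   # assumed rule for deriving the variant


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in Feistel cipher (illustration only).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encipher(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decipher(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class HostSecurityDevice:
    """Holds the host master key; clear keys exist only inside these methods."""

    def __init__(self):
        self._kmh0 = secrets.token_bytes(BLOCK)      # protects operational keys
        self._kmh1 = _xor(self._kmh0, VARIANT_MASK)  # variant: protects terminal keys

    def generate_terminal_key(self):
        # Returns (clear KMT to write into the terminal, E_KMH1(KMT) kept at the host).
        kmt = secrets.token_bytes(BLOCK)
        return kmt, encipher(self._kmh1, kmt)

    def generate_session_key(self):
        # A random number is *defined* to be E_KMH0(KS); KS is not computed here.
        return secrets.token_bytes(BLOCK)

    def reencipher_for_terminal(self, e_kmh1_kmt, e_kmh0_ks):
        # Transform E_KMH0(KS) into E_KMT(KS) using the stored E_KMH1(KMT).
        kmt = decipher(self._kmh1, e_kmh1_kmt)
        ks = decipher(self._kmh0, e_kmh0_ks)
        return encipher(kmt, ks)

    def encipher_data(self, e_kmh0_ks, block):
        # Data operation: recover KS under KMH0 internally, then encipher one block.
        return encipher(decipher(self._kmh0, e_kmh0_ks), block)


class TerminalSecurityDevice:
    def __init__(self, kmt):
        self._kmt = kmt      # terminal master key written in at initialization
        self._ks = None      # working key for the current session

    def load_session_key(self, e_kmt_ks):
        self._ks = decipher(self._kmt, e_kmt_ks)

    def decipher_data(self, block):
        return decipher(self._ks, block)


def run_session(message=b"PAY 0042"):
    """Run one session on a constructed 8-byte message and report the results."""
    host = HostSecurityDevice()
    kmt, e_kmh1_kmt = host.generate_terminal_key()
    terminal = TerminalSecurityDevice(kmt)

    e_kmh0_ks = host.generate_session_key()
    e_kmt_ks = host.reencipher_for_terminal(e_kmh1_kmt, e_kmh0_ks)
    terminal.load_session_key(e_kmt_ks)
    ciphertext = host.encipher_data(e_kmh0_ks, message)

    # Separation check: a wrapped terminal key submitted to the data operation is
    # deciphered under KMH0, not KMH1, so the working key it yields is not KMT.
    misuse = host.encipher_data(e_kmh1_kmt, message)
    return {
        "recovered": terminal.decipher_data(ciphertext),
        "host_form": e_kmh0_ks,
        "wire_form": e_kmt_ks,
        "misuse_exposes_kmt": misuse == encipher(kmt, message),
    }


if __name__ == "__main__":
    print(run_session())
```

Only the wire form of the session key crosses the link; the host keeps the form enciphered under its master key and never needs the clear value outside the device.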
191 Citations
49 Claims
1. A data security device having a dual master key arrangement in which a first master key provides protection for data encrypting keys and a second master key provides protection for key encrypting keys, said arrangement for protecting said key encrypting keys, comprising:
working key storage means, means storing said second master key in said working key storage means as a working key, means providing input data representing a key encrypting key, and cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said key encrypting key enciphered under said second master key. - View Dependent Claims (2, 3)
4. A data security device for performing a cryptographic operation comprising:
key storage means storing a first master key, working key storage means, means causing a variant of said first master key to be transferred from said key storage means as a second master key to said working key storage means as a working key, means providing input data representing a key encrypting key, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said key encrypting key enciphered under said second master key.
5. A data security device for performing a cryptographic operation comprising:
working key storage means, means storing a key encrypting key in said working key storage means as a working key, means including a non-resettable counter providing a count value as input data, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing a random number.
6. A data security device for performing a cryptographic operation comprising:
key storage means storing a multi-bit key encrypting key, working key storage means, means causing a variant of said key encrypting key to be transferred from said key storage means to said working key storage means as a working key, means providing input data, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing a random number. - View Dependent Claims (7)
8. A data security device having a dual master key arrangement in which a first master key provides protection for data encrypting keys and a second master key provides protection for key encrypting keys, said data security device performing a cryptographic transformation operation comprising:
working key storage means, means storing said second master key in said working key storage means as a working key, input means providing first enciphered data representing a key encrypting key enciphered under said second master key, cipher means operable in a first cipher function to decipher said first enciphered data under control of said working key to obtain said key encrypting key in clear form, said input means providing second enciphered data representing an operational key enciphered under said first master key, means storing said first master key in said working key storage means to replace said second master key as the present working key, said cipher means operable in a second cipher function to decipher said second enciphered data under control of said present working key storage means to obtain said operational key in clear form, and means causing said key encrypting key in clear form to be transferred from said cipher means to said working key storage means to replace said first master key as the now present working key, said cipher means operable in a third cipher function to encipher said operational key under control of said now present working key to obtain ciphertext representing said operational key enciphered under said key encrypting key.
9. A data security device for performing a cryptographic operation comprising:
key storage means storing a first master key, working key storage means, means causing a variant of said first master key to be transferred from said key storage means as a second master key to said working key storage means as a working key, input means providing first enciphered data representing a key encrypting key enciphered under said second master key, cipher means operable in a first cipher function to decipher said first enciphered data under control of said working key to obtain said key encrypting key in clear form, said input means providing second enciphered data representing an operational key enciphered under said first master key, means causing said first master key to be transferred from said key storage means to said working key storage means to replace said second master key as the present working key, said cipher means operable in a second cipher function to decipher said second enciphered data under control of said present working key to obtain said operational key in clear form, and means causing said key encrypting key in clear form to be transferred from said cipher means to said working key storage means to replace said first master key as the now present working key, said cipher means operable in a third cipher function to encipher said operational key under control of said now present working key to obtain ciphertext representing said operational key enciphered under said key encrypting key.
10. A data security device for performing a cryptographic operation comprising:
key storage means storing a key encrypting key, working key storage means, means causing said key encrypting key to be transferred from said key storage means to said working key storage means as a working key, data storage means, input control means controlling the writing of input data representing an operational key into said data storage means, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said operational key enciphered under said key encrypting key for storage in said data storage means, and output control means controlling the reading of said ciphertext from said data storage means to a utilization device.
11. A data security device having a dual master key arrangement in which a first master key provides protection for data encrypting keys and a second master key provides protection for key encrypting keys, said arrangement for protecting said key encrypting keys comprising:
working key storage means, means storing said second master key in said working key storage means as a working key, data storage means, input control means controlling the writing of input data representing a key encrypting key into said data storage means, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said key encrypting key enciphered under said second master key for storage in said data storage means, and output control means controlling the reading of said ciphertext from said data storage means to a utilization device.
12. A data security device for performing a cryptographic operation comprising:
key storage means storing a first master key, working key storage means, means causing a variant of said first master key to be transferred from said key storage means as a second master key to said working key storage means as a working key, data storage means, input control means controlling the writing of input data representing a key encrypting key into said data storage means, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said key encrypting key enciphered under said second master key for storage in said data storage means, and output control means controlling the reading of said ciphertext from said data storage means to a utilization device.
13. A data security device for performing a cryptographic operation comprising:
working key storage means, means storing a key encrypting key in said working key storage means as a working key, data storage means, input control means controlling the writing of input data into said data storage means, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing a random number for storage in said data storage means, and output control means controlling the reading of said ciphertext from said data storage means to a utilization device. - View Dependent Claims (14)
15. A data security device for performing a cryptographic operation comprising:
key storage means storing a key encrypting key, working key storage means, means causing a variant of said key encrypting key to be transferred from said key storage means to said working key storage means as a working key, data storage means, input control means controlling the writing of input data into said data storage means, cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing a random number for storage in said data storage means, and output control means controlling the reading of said ciphertext from said data storage means to a utilization device.
16. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device for generating a terminal key encrypting key for said communication terminal comprising:
working key storage means, means storing a host key encrypting key in said working key storage means, means including a non-resettable counter providing a count value as input data, and cipher means operable in a cipher function to encipher said input data under control of said host key encrypting key to obtain ciphertext representing said terminal key encrypting key for said terminal.
17. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device for generating a terminal key encrypting key for said communication terminal comprising:
key storage means storing a host key encrypting key, working key storage means, means causing a variant of said host key encrypting key to be transferred from said master key storage means to said working key storage means, means providing a random number, and cipher means operable in a cipher function to encipher said random number under control of said variant of said host key encrypting key to obtain ciphertext representing said terminal key encrypting key for said terminal.
18. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device having a dual master key arrangement in which a first master key provides protection for data encrypting keys and a second master key provides protection for terminal key encrypting keys, said arrangement for protecting terminal key encrypting keys comprising:
working key storage means, means storing said second master key in said working key storage means as a working key, means providing input data representing said terminal key encrypting key, and cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said terminal key encrypting key enciphered under said second master key.
19. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device for protecting a terminal key encrypting key for said terminal comprising:
key storage means storing a first host master key, working key storage means, means causing a variant of said first host master key to be transferred from said key storage means as a second host master key to said working key storage means as a working key, means providing input data representing said terminal key encrypting key, and cipher means operable to encipher said input data under control of said working key to obtain ciphertext representing said terminal key encrypting key enciphered under said second host master key.
20. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device for generating a different session key in protected form for each communication session to be established between said host system and said terminal comprising:
working key storage means, means storing a host key encrypting key in said working key storage means, means including a non-resettable counter providing a different count value as input data for each communication session to be established, cipher means operable to encipher each said input data under control of said host key encrypting key to obtain different ciphertext each representing a different session key enciphered under a host master key for each communication session.
21. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device for generating a different session key for each communication session to be established between said host system and said terminal comprising:
key storage means storing a host key encrypting key, working key storage means, means causing a variant of said host key encrypting key to be transferred from said key storage means to said working key storage means, means providing a different random number for each communication session to be established, cipher means operable to encipher each said random number under control of said variant of said host key encrypting key to obtain different ciphertext each defining a different session key as being enciphered under said host key encrypting key for each communication session.
22. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device having a dual master key arrangement in which a first master key provides protection for data encrypting keys and a second master key provides protection for terminal key encrypting keys, said host data security device performing a cryptographic transformation function for reenciphering a data encrypting session key for a communication session from encipherment under a host key encrypting key to encipherment under a terminal key encrypting key of said terminal comprising:
working key storage means, means storing said second master key in said working key storage means as a working key, input means providing first enciphered data representing said terminal key encrypting key enciphered under said second master key, cipher means operable in a first cipher function to decipher said first enciphered data under control of said working key to obtain said terminal key encrypting key in clear form, said input means providing second enciphered data representing said session key enciphered under said first master key, means storing said first master key in said working key storage means to replace said second master key as the present working key, said cipher means operable in a second cipher function to decipher said second enciphered data under control of said present working key to obtain said session key in clear form, and means causing said terminal key encrypting key in clear form to be transferred from said cipher means to said working key storage means to replace said first master key as the now present working key, said cipher means operable in a third cipher function to encipher said session key under control of said now present working key to obtain ciphertext representing said session key enciphered under said terminal key encrypting key for transmission to said terminal.
23. In a data communication network providing communication security for data communications sessions between a host system and a communication terminal, a host data security device for reenciphering a session key for a communication session from encipherment under a host key encrypting key to encipherment under a terminal key encrypting key of said terminal comprising:
key storage means storing a host key encrypting key, working key storage means, means causing a variant of said host key encrypting key to be transferred from said key storage means to said working key storage means as a working key, input means providing first enciphered data representing said terminal key encrypting key enciphered under said variant of said host key encrypting key, cipher means operable in a first cipher function to decipher said first enciphered data under control of said working key to obtain said terminal key encrypting key in clear form, said input means providing second enciphered data representing said session key enciphered under said host key encrypting key, means causing said host key encrypting key to be transferred from said key storage means to said working key storage means to replace said variant of said host key encrypting key as the present working key, said cipher means operable in a second cipher function to decipher said second enciphered data under control of said present working key to obtain said session key in clear form, and means causing said terminal key encrypting key in clear form to be transferred from said cipher means to said working key storage means to replace said host key encrypting key as the now present working key, said cipher means operable in a third cipher function to encipher said session key under control of said now present working key to obtain ciphertext representing said session key enciphered under said terminal key encrypting key for transmission to said terminal.
24. In a data communication network providing communication security for data communication sessions between a host system and a communication terminal, a host data security device providing a session key for cryptographic operations with said terminal comprising:
master key storage means storing a host master key, working key storage means, means causing said host master key to be transferred from said master key storage means to said working key storage means as a working key, input means providing input data representing a session key enciphered under said host master key, cipher means for performing cipher functions, decipher key control means causing said cipher means to decipher said input data under control of said working key to obtain data representing said session key in clear form, and means causing said data representing said session key in clear form to be transferred to said working key storage means as the present working key for subsequent cryptographic operations with said terminal. - View Dependent Claims (25, 26)
27. In a data communication network providing data communication sessions between a host system having a data security device and a communication terminal having a data security device, the method of providing communication security for data communication sessions comprising the steps of:
storing a session key enciphered under a first host key encrypting key at said host system, storing a terminal key encrypting key enciphered under a second host key encrypting key at said host system, reenciphering said session key from encipherment under said first host key encrypting key to encipherment under said terminal key encrypting key, communicating said session key enciphered under said terminal key encrypting key as key synchronizing data to said terminal, storing said terminal key encrypting key at said terminal, providing said terminal key encrypting key as a terminal working key at said terminal, providing said received key synchronizing data as input data at said terminal, carrying out a decipher key operation at said terminal to decipher said input data under control of said terminal working key to obtain said session key in clear form, and replacing said terminal key encrypting key with said session key as the present terminal working key at said terminal to establish a communication session between said terminal and said host system. - View Dependent Claims (31, 32, 33, 34, 35, 36)
28. In a data communication network providing data communication sessions between a host system having a data security device and a communication terminal having a data security device, the method of providing communication security for data communication sessions comprising the steps of:
storing a session key enciphered under a host key encrypting key at said host system, storing a terminal key encrypting key enciphered under a variant of said host key encrypting key at said host system, reenciphering said session key from encipherment under said host key encrypting key to encipherment under said terminal key encrypting key, communicating said session key enciphered under said terminal key encrypting key as key synchronizing data to said terminal, storing said terminal key encrypting key at said terminal, providing said terminal key encrypting key as a working key at said terminal, providing said received key synchronizing data as input data at said terminal, carrying out a decipher key operation at said terminal to decipher said input data under control of said working key to obtain said session key in clear form, and replacing said terminal key encrypting key with said session key as the present working key at said terminal to establish a communication session between said terminal and said host system. - View Dependent Claims (29, 30)
37. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal, the method of generating a terminal key encrypting key at said host system for said terminal comprising the steps of:
providing a host key encrypting key, providing a random number, and carrying out an encipher operation to encipher said random number from a non-resettable counter under control of said host key encrypting key to obtain ciphertext representing said terminal key encrypting key for said terminal.
38. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal, the method of generating a terminal key encrypting key at said host system for said terminal comprising the steps of:
storing a host key encrypting key, providing a variant of said host key encrypting key, providing a random number, and carrying out an encipher operation to encipher said random number under control of said variant of said host key encrypting key to obtain ciphertext representing said terminal key encrypting key for said terminal.
39. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal by a dual master key arrangement at said host system in which a first master key provides protection for data encrypting keys and a second master key provides protection for terminal key encrypting keys, the method of protecting a terminal key encrypting key at said host system comprising the steps of:
providing said second master key at said host system as a working key, providing said terminal key encrypting key at said host system as input data, and carrying out an encipher operation to encipher said input data under control of said working key to obtain said terminal key encrypting key enciphered under said second master key.
40. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal, the method of protecting a terminal key encrypting key at said host system comprising the steps of:
storing a host key encrypting key at said host system, providing a variant of said host key encrypting key as a working key, providing said terminal key encrypting key at said host system as input data, and carrying out an encipher operation to encipher said input data under control of said working key to obtain said terminal key encrypting key enciphered under said variant of said host key encrypting key. - View Dependent Claims (41, 42)
43. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal, the method of generating session keys for each communication session to be established between said host system and said terminal comprising:
providing a host key encrypting key, providing a different random number from a non-resettable counter for each communication session to be established, carrying out an encipher operation to encipher each said random number under control of said host key encrypting key to obtain different ciphertext each representing a different session key enciphered under a host master key for each communication session.
44. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal, the method of generating session keys for each communication session to be established between said host system and said terminal comprising:
storing a host key encrypting key, providing a variant of said host key encrypting key, providing a different random number for each communication session to be established, carrying out an encipher operation to encipher each said random number under control of said variant of said host key encrypting key to obtain different ciphertext each representing a different session key enciphered under said host key encrypting key for each communication session.
45. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal by an arrangement at said host system in which a host first key encrypting key provides protection for data encrypting keys and a host second key encrypting key provides protection for terminal key encrypting keys, the method of performing a cryptographic transformation function for reenciphering a data encrypting session key for a communication session from encipherment under a host first key encrypting key to encipherment under a terminal key encrypting key of said terminal comprising:
providing a host second key encrypting key as a working key, providing first enciphered data representing said terminal key encrypting key enciphered under said host second key encrypting key, carrying out a first cipher function to decipher said first enciphered data under control of said working key to obtain said terminal key encrypting key in clear form, providing second enciphered data representing said session key enciphered under said host first key encrypting key, replacing said host second key encrypting key with said host first key encrypting key as the present working key, carrying out a second cipher function to decipher said second enciphered data under control of said present working key to obtain said session key in clear form, replacing said host first key encrypting key with said terminal key encrypting key as the now present working key, and carrying out a third cipher function to encipher said session key under control of said now present working key to obtain ciphertext representing said session key enciphered under said terminal key encrypting key for transmission to said terminal.
46. In a data communication network which provides communication security for data communication sessions between a host system and a communication terminal, the method of reenciphering a session key for a communication session from encipherment under a variant of a host key encrypting key to encipherment under a terminal key encrypting key of said terminal comprising:
storing a host key encrypting key, providing a variant of said host key encrypting key as a working key, providing first enciphered data representing said terminal key encrypting key enciphered under said variant of said host key encrypting key, carrying out a first cipher function to decipher said first enciphered data under control of said working key to obtain said terminal key encrypting key in clear form, providing second enciphered data representing said session key enciphered under said host key encrypting key, replacing said variant of said host key encrypting key with said host key encrypting key as the present working key, carrying out a second cipher function to decipher said second enciphered data under control of said present working key to obtain said session key in clear form, replacing said host key encrypting key with said terminal key encrypting key as the now present working key, and carrying out a third cipher function to encipher said session key under control of said now present working key to obtain ciphertext representing said session key enciphered under said terminal key encrypting key for transmission to said terminal.
47. In a data communication network which provides communication security for a data communication session between a host system having a data security device and a communication terminal having a data security device, the method of establishing a common private session key for a private data communication session comprising the steps of:
providing a host master key as a working key at said host system, providing said private session key enciphered under said host master key at said host system as input data, carrying out a decipher operation at said host system to decipher said input data under control of said working key to obtain said private session key in clear form, replacing said host master key with said private session key as the present host working key at said host system, providing said private session key as the present terminal working key at said terminal so that a common private session key is maintained as the present working key at both said terminal and said host system for establishing a private communication session. - View Dependent Claims (48, 49)
Specification