Management of cryptographic keys

US 4,912,762 A
Filed: 04/18/1988
Issued: 03/27/1990
Est. Priority Date: 04/22/1987
Status: Expired due to Term

First Claim

Patent Images

1. A method of encoding messages in a communication network in which a first set of nodes transmits and receives messages to and from a second set of nodes, each of the nodes in each set having an identification code unique, the method including the steps of:

deriving a first common cryptographic key for said first set and a second common cryptographic key for said second set;

storing, at each node of the first set of nodes, said first key common to the first set of nodes and a first value derived from the encryption of said second key common to the second set of nodes with a node identification code;

storing, at each node of the second set of nodes, said second key common to the second set of nodes and a second value derived from the encryption of said first key common to the first set of nodes with a node identification code;

and whenever a sender node of said first set has a message to transmit to a destination node of said second set;

deriving a message encryption key from a combination of the destination node identification code encrypted by said first set common key and said first derived value;

transmitting to the destination node the sending node'"'"'s identification code and the message encrypted under the derived message encryption key;

and at the destination node;

deriving said message encryption key from a combination of the sending node'"'"'s identification code encrypted by said second set common key and said second derived value; and

decoding the message.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for simplifying key management in situations where unique cryptographic keying relationships are required end-to-end between pairs of parties and a symmetric encryption algorithm is to be used. It is useful in cases where the parties come from disjoint subsets of the total population of parties. The method provides some of the characteristics of a public key crypto system (PKS) utilizing the public identities of the parties as part of the key, but lacks the property of PKS which allows a party to independently generate a secret key which is known only to that party.

Citations

13 Claims

1. A method of encoding messages in a communication network in which a first set of nodes transmits and receives messages to and from a second set of nodes, each of the nodes in each set having an identification code unique, the method including the steps of:
- deriving a first common cryptographic key for said first set and a second common cryptographic key for said second set;
  
  storing, at each node of the first set of nodes, said first key common to the first set of nodes and a first value derived from the encryption of said second key common to the second set of nodes with a node identification code;
  
  storing, at each node of the second set of nodes, said second key common to the second set of nodes and a second value derived from the encryption of said first key common to the first set of nodes with a node identification code;
  
  and whenever a sender node of said first set has a message to transmit to a destination node of said second set;
  
  deriving a message encryption key from a combination of the destination node identification code encrypted by said first set common key and said first derived value;
  
  transmitting to the destination node the sending node'"'"'s identification code and the message encrypted under the derived message encryption key;
  
  and at the destination node;
  
  deriving said message encryption key from a combination of the sending node'"'"'s identification code encrypted by said second set common key and said second derived value; and
  
  decoding the message.
- View Dependent Claims (2, 3, 4)
- - 2. A method as claimed in claim 1, in which the network includes a set of intermediate nodes, and the transmission of messages sent between nodes of the first set and nodes of the second set includes the further steps of:
    - storing at adjacent intermediate nodes in the network, common encryption keys; and
      
      encrypting messages that are sent between adjacent intermediate nodes using sequence variants of the common encryption key, so that no two sequential messages are encrypted under the same variant of the common encryption key.
  - 3. A method as claimed in claim 2 in which said combination is by a logical Exclusive OR operation.
  - 4. A method as claimed in claim 1 in which said combination is by a logical Exclusive OR operation.

5. A communication network in which a first set of nodes transmits and receives messages to and from a second set of nodes, each of the nodes in each set having an identification code;
- each node of the first set of nodes including;
  
  storage means which stores a first key common to the first set of nodes and a first value derived from the encryption of a second key common to the second set of nodes with a node identification code;
  
  data processing means operable, whenever the node is a sending node and has a message to transmit to a destination node of the second set, to derive a message encryption key from a combination of a destination node identification code encrypted by said first set common key and said first derived value;
  
  and means to transmit to the destination node of the second set the sending node'"'"'s identification code and the message encrypted under the derived message encryption key; and
  
  at each node of the second set of nodes;
  
  storage means which stores said second key common to the second set of nodes and a second value derived from the encryption of said first key common to the first set of nodes with a node identification code;
  
  data processing means operable, whenever the node is a destination node and receives a message from a sending node of the first set, to derive a message encryption key from a combination of said sending node identification code encrypted by said second set common key and said second derived value, and to use the derived key to decode the message.
- View Dependent Claims (6, 7, 8)
- - 6. A communication network as claimed in claim 5 in which the data processing means in each node of both sets of nodes is operable to both encrypt outgoing messages and to decrypt incoming messages.
  - 7. A communication network as claimed in claim 6 in which the nodes of the first set are end user terminals suitable for use in an electronic funds transfer transaction and the nodes of the second set are host data processing systems.
  - 8. A communication network as claimed in claim 5 in which the nodes of the first set are end user terminals suitable for use in an electronic funds transfer transaction and the nodes of the second set are host data processing systems.

9. A method for encoding messages in a communications network including a first node with a first ID and a second node with a second ID in a first set coupled over said network to a second set including a third node with a third ID and a fourth node with a fourth ID, comprising the steps of:
- storing a first base key at said first and second nodes and storing a second base key at said third and fourth nodes;
  
  deriving a first value of said first ID enciphered under said second base key and storing it at said first node;
  
  deriving a second value of said second ID enciphered under said second base key and storing it at said second node;
  
  deriving a third value of said third ID enciphered under said first base key and storing it at said third node;
  
  deriving a fourth value of said fourth ID enciphered under said first base key and storing it at said fourth node;
  
  generating a communications key for transmission of messages from said first node to said third node by enciphering said third ID under said first base key and logically combining the result thereof with said first value;
  
  generating said communications key for receiving messages transmitted from said first node to said third node by enciphering said first ID under said second base key and logically combining the result thereof with said third value;
  
  enciphering a message under said communications key at said first node for transmission over said network to said third node and deciphering said message under said communications key at said third node.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein said logically combining in said generating steps is the logical exclusive OR operation.
  - 11. The method of claim 9, in which said second set in said communications network further includes a fifth node coupled to said third node, said third node serving as an intermediate node between said fifth node and said network, comprising the steps of:
    - storing a link key at said third node and at said fifth node;
      
      enciphering said message under a variant of said link key at said third node for transmission to said fifth node;
      
      deciphering said message under said variant of said link key at said fifth node.
  - 12. The method of claim 11, in which said variant of said link key is a time variant.
  - 13. The method of claim 11, in which said variant of said link key is a sequence variant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Smith, Peter R., Lee, Stephen G.
Primary Examiner(s)
Buczinski, Stephen C.
Assistant Examiner(s)
Gregory, Bernarr Earl

Application Number

US07/182,555
Time in Patent Office

708 Days
Field of Search

380/23-25, 380/28, 380/44, 380/47, 380/49, 380/29, 364/200, 364/900, 235/379, 235/380
US Class Current

705/71
CPC Class Codes

G06Q 20/3829   involving key management

G07F 7/1016   Devices or methods for secu...

H04L 9/0866   involving user or device id...

Management of cryptographic keys

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Management of cryptographic keys

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links