Secure management of keys using extended control vectors
First Claim
1. In a data processing system which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an improved apparatus to enable the use of control vectors having a given length, comprising:
- a control vector input for receiving a control vector of a given length associated with an N-bit cryptographic key;
a control vector checking means having an input coupled to said control vector input and input for receiving a cryptographic service request, for checking that said control vector authorizes the cryptographic function which is requested by said cryptographic service request, and outputting an enable signal;
a hash function generator having an input coupled to said control vector input and an N-bit output, for mapping said control vector into an N-bit hash value;
a key input for receiving said N-bit cryptographic key;
a logic block having a first input coupled to said N-bit output of said hash function generator, and a second input coupled to said key input, for forming at the output thereof a computed key value which is a product of said N-bit key and said N-bit hash value;
a cryptographic transformation device having a first input for receiving input information and a key value input coupled to the output of said logic block, for forming output information which has been cryptographically transformed from said input information using said computed key value;
said cryptographic transformation device coupled to said enable signal output from said control vector checking means for inhibiting said formation of said cryptographically transformed output information if said control vector checking means determines that said requested cryptographic function is not authorized by said control vector.
0 Assignments
0 Petitions
Accused Products
Abstract
A method and apparatus are disclosed for use in a data processing system which executes a program which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform. The improved method and apparatus enable the use of control vectors having an arbitrary length. It includes a control vector register having an arbitrary length, for storing a control vector of arbitrary length associated with an N-bit cryptographic key. It further includes a control vector checking means having an input coupled to the control vector register, for checking that the control vector authorizes the cryptographic function which is requested by the cryptographic service request. It further includes a hash function generator having an input coupled to the control vector register and an N-bit output, for mapping the control vector output from the control vector register, into an N-bit hash value. A key register is included for storing the N-bit cryptographic key. It further includes a logic block having a first input coupled to the N-bit output of the hash function generator, and a second input connected to the key register, for forming at the output thereof a product of the N-bit key and the N-bit hash value. Finally, an encryption device is included having a first input for receiving a cleartext data stream and a key input coupled to the output of the logic block, for forming a ciphertext data stream at the output thereof from the cleartext data stream and the product. A decryption device can be substituted for the encryption device to perform decryption operations in a similar manner.
97 Citations
41 Claims
-
1. In a data processing system which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an improved apparatus to enable the use of control vectors having a given length, comprising:
-
a control vector input for receiving a control vector of a given length associated with an N-bit cryptographic key; a control vector checking means having an input coupled to said control vector input and input for receiving a cryptographic service request, for checking that said control vector authorizes the cryptographic function which is requested by said cryptographic service request, and outputting an enable signal; a hash function generator having an input coupled to said control vector input and an N-bit output, for mapping said control vector into an N-bit hash value; a key input for receiving said N-bit cryptographic key; a logic block having a first input coupled to said N-bit output of said hash function generator, and a second input coupled to said key input, for forming at the output thereof a computed key value which is a product of said N-bit key and said N-bit hash value; a cryptographic transformation device having a first input for receiving input information and a key value input coupled to the output of said logic block, for forming output information which has been cryptographically transformed from said input information using said computed key value; said cryptographic transformation device coupled to said enable signal output from said control vector checking means for inhibiting said formation of said cryptographically transformed output information if said control vector checking means determines that said requested cryptographic function is not authorized by said control vector. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 38, 39, 40, 41)
-
-
33. In a data processing system which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an improved apparatus to enable the use of control vectors having a length of 2N-bits comprising:
-
a control vector input for receiving a control vector of 2N-bits in length, associated with a 2N-bit length cryptographic key; said control vector having a left portion CL of N-bits in length and a right portion CR of N-bits in length; said cryptographic key having a left portion KKL of N-bits in length and a right portion KKR of N-bits in length; a first exclusive-OR logic block coupled to receive CL and KKL to form the exclusive-OR product KKL+CL as a first key value; a second exclusive-OR logic block coupled to receive CR and KKR and to form the exclusive-OR product KKR+CR as a second key value; a first encryption device having a cleartext input and a key input coupled to receive said first key value and having an output; a first decryption device having an input connected to an output of said first encryption device and a key input coupled to receive said second key value, and an output; a second encryption device having an input connected to the output of said decryption device and a key input coupled to receive said first key value, and an output for producing a ciphertext which is a transformation of the cleartext input to said first encryption device.
-
-
34. In a data processing system which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an improved apparatus to enable the use of control vectors having 2N-bits length, comprising:
-
a control vector input for receiving a control vector having 2N-bits length associated with a 2N-bit cryptographic key; a control vector checking means having an input coupled to said control vector input and an input for receiving a cryptographic service request for checking that said control vector authorizes the cryptographic function which is requested by said cryptographic service request, and outputting an enable signal; said control vector having a left portion CL of N-bits in length and a right portion CR of N-bits in length;
said cryptographic key having a left portion KKL of N-bits in length and a right portion KKR of N-bits in length;a first exclusive-OR logic block which is coupled to receive CL and KKL and to produce the exclusive-OR product KKL+CL which is a first key value; a second exclusive-OR logic block which is coupled to receive CR and KKR and to produce the exclusive-OR product KKR+CR which is a second key value; a first decryption device having an input for receiving ciphertext, a key input coupled to receive said first key value and an output; an encryption device having an input connected to the output of said first decryption device, a key input coupled to receive said second key value, and an output; a second decryption device having an input connected to said output of said encryption device, a key input coupled to receive said first key value, and an output for producing cleartext from said ciphertext input to said first decryption device.
-
-
35. In a data processing system which outputs cryptographic service requests for operations with cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an improved method to enable the use of control vectors having a given length, comprising the steps of:
-
receiving a control vector having a given length, associated with an N-bit cryptographic key; checking that said control vector authorizes the cryptographic function which is requested by a cryptographic service request; mapping said control vector into an N-bit hash value;
forming a computed key value which is a product of said N-bit key and said N-bit hash value;cryptographically transforming input information using said computed key value, into output information; selectively inhibiting said formation of said cryptographically transformed output information if said control vector checking determines that said requested cryptographic function is not authorized by said control vector. - View Dependent Claims (36, 37)
-
Specification