Data authentication and protection system

US 4,933,969 A
Filed: 03/01/1988
Issued: 06/12/1990
Est. Priority Date: 03/03/1987
Status: Expired due to Term

First Claim

Patent Images

1. A data authentication system comprising:

means for storing a body of data which consists of a plurality of individual messages; and

means, responsive to the plurality of messages in the means for storing, or producing an individual message authentication code (MAC) for each message and for producing a global MAC from the individual MACs.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure information storage system in which a directory stores identifying titles and pointers to areas of a memory storing respective messages. To protect the messages against unauthorized changes, a MAC (message authentication code) is calculated for them in known manner and stored in a register in a secure unit. This involves processing the whole of each message every time the MAC is checked or, if a message has been changed, a fresh MAC has to be calculated. To avoid this, a separate MAC is calculated for each message and stored in the directory, and a global MAC is calculated for the individual MAC'"'"'s (treating them as if they were a message) and stored in a secure register. To check a stored message, the global MAC is recalculated (thus verifying the MAC of the message), and the MAC of the message is recalculated (thus verifying the message). If the message is changed, its new MAC and a new global MAC are calculated. The system can be extended to a hierarchy of sub-global MAC'"'"'s.

Citations

19 Claims

1. A data authentication system comprising:
- means for storing a body of data which consists of a plurality of individual messages; and
  
  means, responsive to the plurality of messages in the means for storing, or producing an individual message authentication code (MAC) for each message and for producing a global MAC from the individual MACs.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A data authentication system according to claim 1, further comprising means for comparing a previously created global MAC with a newly created global MAC to produce a global authentication signal indication whether the MACs are identical, an affirmative indication of such identity serving to indicate that the body of data has not been altered and thereby to authenticate the body of data.
  - 3. A data authentication system according to claim 2, further comprising means, operative if the authentication signal does not indicate identity between the global MACs, for comparing a previously created individual MAC which corresponds with a given individual message with the newly created individual MAC which corresponds with said message to determine whether they are identical, an affirmative indication of such identity serving to indicate that said message has not been altered and thereby to authenticate said message.
  - 4. A data authentication system according to claim 1 wherein:
    - the individual messages are grouped into blocks;
      
      the means for producing a MAC is operative to produce a block MAC for the individual MACs of the messages in a block; and
      
      the global MAC is produced in from block MACs of all the blocks.
  - 5. A data authentication system according to claim 1, further comprising means for storing a plurality of keys in a security module, one of which keys is used for producing the MACs.
  - 6. A data authentication system according to claim 5, further comprising means responsive to the key used for producing the MACs for encrypting a message prior to storage and for decrypting the message upon retrieval.

7. A data authentication system comprising:
- means for storing a body of data which consists of a plurality of individual messages;
  
  means, responsive to the plurality of messages in the storage means, for producing an individual message authentication code (MAC) for each message and for producing a global MAC from the individual MACs;
  
  means for storing a plurality of keys in a security module, one of which keys is used for producing the MACs; and
  
  means for producing a hierarchy of two or more keys, with the lowest key being produced randomly for each messages and stored in the message, and being combined with the next key up the hierarchy to yield an encryption key.
- View Dependent Claims (8, 9, 10)
- - 8. A data authentication system according to claim 7 wherein the hierarchy of keys has more than two levels and a key of any level up to but not including the highest is appended to the body of a message under encryption by means of a key of the next level up the hierarchy.
  - 9. A data authentication system according to claim 8, further comprising:
    - means for receiving and storing an encrypted message from a terminal remote from the system;
      
      means for appending to the message a key of any level up to but not including the highest used for encrypting the message at the remote terminal under encryption by means of a key of the next level up the hierarchy; and
      
      means for calculating an individual MAC corresponding with the message and any appendices and including that MAC in the calculation of the global MAC.
  - 10. A data authentication system according to claim 7, wherein the means for producing a hierarchy of two or more keys comprises:
    - means for counting the number of times each key is used; and
      
      means responsive to the means for counting for changing a key when its usage count reaches a predetermined value.

11. A data authentication system comprising:
- means for storing a body of data including a plurality of individual messages;
  
  means for producing a unique message key for each message;
  
  means for producing a key having an hierarchical level above the message keys;
  
  means for combining a key having an hierarchical level above the message keys with a message key for one of the messages to produce an encryption key for said message; and
  
  means for encrypting a message, producing an individual message authentication code (MAC) for a message, and producing a global MAC from individual MACs for all the messages.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. A data authentication system according to claim 11 wherein the means for producing a message keys comprises a random number generator.
  - 13. A data authentication system according to claim 11 and further comprising a security module for storing any keys an hierarchical level above the message keys.
  - 14. A data authentication system according to claim 11 wherein the hierarchy of keys has more than two levels and a key of any level up to but not including the highest is encrypted by means of a key of the next level up the hierarchy and appended to an encrypted message.
  - 15. A data authentication system according to claim 11 wherein the means for producing a key having a hierarchy above the message keys comprises a counter for counting the number of times a key is used and means responsive to the counter for changing said key when its usage count reaches a predetermined value.
  - 16. A data authentication system according to claim 11 wherein the means for encrypting a message and producing a MAC is comprised in a single encryption unit.
  - 17. A data authentication system according to claim 11 wherein the means for producing a MAC uses a message key for a given message to produce the MAC corresponding with that message.
  - 18. A data authentication system according to claim 11 wherein the means for producing a MAC uses a single key to produce all of the individual message MACs.
  - 19. A data authentication system according to claim 18 wherein said key is also used by the combining means to produce the encryption keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Company (HP Inc.)
Original Assignee
Hewlett-Packard Company (HP Inc.)
Inventors
Proudler, Graeme J., Mitchell, Christopher J., Marshall, Alan D.
Primary Examiner(s)
Buczinski, Stephen C.
Assistant Examiner(s)
Gregory, Bernarr Earl

Application Number

US07/162,725
Time in Patent Office

833 Days
Field of Search

380/3-5, 380/23-25, 380/21, 380/49, 380/50, 380/29, 364/200, 364/900, 340/825.34, 370/94.1
US Class Current

713/177
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

G06F 21/72   in cryptographic circuits

G06F 21/79   in semiconductor storage me...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/60   Digital content management,...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04L 9/3242   involving keyed hash functi...

Data authentication and protection system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data authentication and protection system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links