Encrypting method and apparatus enabling multiple access for multiple services and multiple transmission modes over a broadband communication network

US 6,028,933 A
Filed: 04/17/1997
Issued: 02/22/2000
Est. Priority Date: 04/17/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for encryption of a digital signal transmitted from a source to a destination, said method comprising the steps of:

generating a multiplicity of periodic units from a clock;

representing each of said multiplicity of periodic units with an identifying pattern of bits corresponding thereto;

utilizing said identifying pattern of bits as an encrypting variable at said source; and

transmitting said identifying pattern of bits, accompanying said digital signal, to said destination.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The specification relates to the encryption of data transmitted over a broadband multiple access bi-directional hybrid fiber/coax (HFC) network. The method supports downstream broadcast encryption from headend to cable modem, and also provides for encryption of transmissions from cable modems back to the headend. Although the present invention is described in relation to an HFC network, it is also equally applicable to a cellular wireless communications environment or any other digital broadcast medium. The invention is implemented in two subdivisions, a slow but secure software encrypting algorithm, and a fast but less secure hardware encrypting algorithm. The combination produces the security of the software subdivision, with the encrypting speed of the hardware subdivision. The encryption method and apparatus supports the various access and transmission modes, such as STM, ATM, and VL. The present invention utilizes a virtual random number generator at the individual cable modems to reduce cable modem hardware. The authentication and key generation process between headend and cable modem produces a mutually authenticated and mutually generated permanent key. The present invention features a cryptosync clock at the headend which is transmitted to individual cable modems as a broadcast clock, thus eliminating a need for a clock at each cable modem.

334 Citations

34 Claims

1. A method for encryption of a digital signal transmitted from a source to a destination, said method comprising the steps of:
- generating a multiplicity of periodic units from a clock;
  
  representing each of said multiplicity of periodic units with an identifying pattern of bits corresponding thereto;
  
  utilizing said identifying pattern of bits as an encrypting variable at said source; and
  
  transmitting said identifying pattern of bits, accompanying said digital signal, to said destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method in accordance with claim 1, said method encrypting partially in software and partially in hardware, said method further comprising the steps of:
    - utilizing said identifying pattern of bits as a unique encrypting variable for a portion of encryption performed in software; and
      
      utilizing said identifying pattern of bits as a unique encrypting variable for a portion of encryption performed in hardware.
  - 3. The method in accordance with claim 2 further comprising the steps of:
    - creating a permanent key, said permanent key being mutually generated and mutually authenticated between said source and said destination;
      
      utilizing said permanent key to generate a connection key, said connection key mutually generated and mutually authenticated between said source and said destination;
      
      encrypting said identifying pattern of bits in software, said connection key operable as an encrypting key, said encrypting process producing a series of cryptovariables;
      
      sending cryptosync to a high speed engine, said high speed engine operable to encrypt said cryptosync, said high speed engine providing a rapid keystream generation output; and
      
      sending said cryptovariables to said high speed engine, said cryptovariables operable as keys for encryption of said cryptosync within said high speed engine.
  - 4. The method in accordance with claim 3 wherein said connection key is replaced with a unique mutually generated and authenticated connection key for each new connection between said source and said destination.
  - 5. The method in accordance with claim 3 wherein said connection key is replaced with a unique mutually generated and authenticated connection key whenever a specific duration of time has expired.
  - 6. The method in accordance with claim 3 wherein each of said cryptovariables is replaced after a specified number of keystream bytes generated from said high speed engine with each of said cryptovariables.
  - 7. The method in accordance with claim 1 further comprising the steps of:
    - incorporating said identifying pattern of bits as a cryptosync stream;
      
      dividing said cryptosync stream into a multiplicity of frame counter packets;
      
      assigning each of said multiplicity of frame counter packets to each of a multiplicity of downstream frames;
      
      broadcasting each of said multiplicity of downstream frames to a plurality of destinations;
      
      reformatting said multiplicity of frame counter packets into said cryptosync stream at said plurality of destinations; and
      
      utilizing said cryptosync stream at each of said plurality of destinations as a broadcast clock, said broadcast clock utilized for decryption of said transmitted digital signal.
  - 8. The method in accordance with claim 7 wherein broadcast of each of said multiplicity of frame counter packets is transported within a region of downstream frame structure dedicated to transport of asynchronous data.
  - 9. The method in accordance with claim 7 wherein broadcast of each of said multiplicity of frame counter packets is transported within a fast control field (FCF), said FCF being a subdivided portion of said region of downstream frame structure dedicated to transport control and messaging information.

10. A method for encryption of a digital signal transmitted from a source and subsequent decryption at a destination, said method comprising the steps of:
- dividing time into a multiplicity of periodic units;
  
  representing each of said multiplicity of periodic units with a unique bit pattern corresponding thereto;
  
  utilizing said unique bit pattern for encrypting said digital signal at said source;
  
  transmitting said unique bit pattern, accompanying said digital signal, to said destination; and
  
  utilizing said unique bit pattern for decrypting said digital signal at said destination.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 11. The method in accordance with claim 10, said method including a first portion of encryption performed in software and a second portion of encryption performed in hardware, said method further comprising the steps of:
    - encrypting said unique bit pattern with a secret connection key as said first portion;
      
      utilizing said unique bit pattern as a pseudo-frame counter, said pseudo-frame counter an input to a pseudorandom feedback shift register (PFSR);
      
      transforming said unique bit pattern within said PFSR into a high speed engine (HSE) cryptosync;
      
      inputting said HSE cryptosync to a device implementing said second portion of encryption, said device comprising a high speed engine (HSE);
      
      utilizing said first portion of encryption output as an input to said HSE;
      
      generating an encryption keystream from said HSE, said encryption keystream formulated by encrypting said HSE cryptosync with said first portion of encryption output as said key; and
      
      utilizing said encryption keystream to encrypt a stream of plaintext from said source into a stream of ciphertext, said ciphertext to be transmitted to said destination.
  - 12. The method in accordance with claim 11 wherein said HSE cryptosync further comprises an input associating individual subframe identities with a unique combination of bits within said HSE cryptosync.
  - 13. The method in accordance with claim 11 wherein said PFSR output is utilized to extend said PFSR uniqueness across a downstream subframe by acting as a scrambler.
  - 14. The method in accordance with claim 11 wherein said PFSR output is utilized to pre-spread input to said HSE, said pre-spreading reducing computational loading of said HSE.
  - 15. The method in accordance with claim 11 wherein said PFSR output is utilized to cryptoinitialize said HSE.
  - 16. The method in accordance with claim 11 further comprising the steps of:
    - encrypting said secret connection key to generate a plurality of cryptovariables within said first portion of encryption;
      
      periodically replacing a previous cryptovariable with a unique new cryptovariable; and
      
      transmitting a mini-message to said destination, said mini-message used to notify said destination of a utilization of said unique new cryptovariable.
  - 17. The method in accordance with claim 16 wherein said mini-message is a predecessor mini-message, said predecessor mini-message transmitted prior to said utilization of said unique new cryptovariable.
  - 18. The method in accordance with claim 16 wherein said mini-message is a successor mini-message, said successor mini-message transmitted subsequent to said utilization of said unique new cryptovariable.
  - 19. The method in accordance with claim 16 wherein said mini-message is transmitted within a fast control field.
  - 20. The method in accordance with claim 11, said method operable for transmission of synchronous transfer mode (STM) protocol data units (PDUs), said method further comprising the steps of:
    - sampling said encryption keystream designated for encryption of said STM PDUs;
      
      writing a plurality of STM PDU encryption keystream sample values to at least one table, said at least one table configured as a pseudo-shift register;
      
      reading said plurality of STM PDU encryption keystream sample values from said at least one table after an appropriate temporal delay, said appropriate temporal delay chosen to compensate for context switching overhead and cryptoalgorithm latency encountered with STM PDU transmission;
      
      encrypting STM PDU plaintext with said plurality of STM PDU encryption keystream sample values, said sample values having been read from at least one table after said appropriate temporal delay; and
      
      transmitting a plurality of encrypted STM PDUs to said destination for subsequent decryption.
  - 21. The method in accordance with claim 20 wherein said at least one table is implemented as a first table and a second table;
    - said first table used for writing to while said second table is being read from; and
      
      said first table used for reading from while said second table is being written to.
  - 22. The method in accordance with claim 20 wherein said at least one table is implemented with one table, said table providing said appropriate temporal delay by performing as a pseudo-shift register.
  - 23. The method in accordance with claim 10, said method encompassing bi-directional data transfer between a common source and a plurality of destinations, said method further comprising the steps of:
    - mutually authenticating said common source with each of said plurality of destinations; and
      
      mutually generating a shared secret permanent key between said common source and each of said plurality of destinations.
  - 24. The method in accordance with claim 23, said method featuring an asymmetric encrypting/decrypting exchange for mutual authentication and shared secret permanent key generation, further comprising the steps of:
    - transmitting at least one encrypted authenticating message from said common source to each of said plurality of destinations;
      
      transmitting encrypted authenticating return messages from each of said plurality of destinations to said common source over a separate plain old telephone service (POTS) return;
      
      utilizing encryption/decryption functions using squaring operations at each of said plurality of destinations; and
      
      utilizing encryption/decryption functions using square root operations at said common source.
  - 25. The method in accordance with claim 23, said method featuring an asymmetric encrypting/decrypting exchange for mutual authentication and shared secret permanent key generation over a two-way broadband transmission medium, further comprising the steps of:
    - transmitting downstream encrypted authenticating messages from said common source to each of said plurality of destinations over said two-way broadband transmission medium;
      
      transmitting return upstream encrypted authenticating messages from each of said plurality of destinations to said common source over said two-way broadband transmission medium;
      
      utilizing encryption/decryption functions using squaring operations at each of said plurality of destinations; and
      
      utilizing encryption/decryption functions using square root operations at said common source.

26. A method for encryption at a source, and decryption at a destination, of digital signal bi-directional transmission between a headend and a plurality of cable modems, said digital signal bi-directional transmission over a broadband hybrid fiber/coax communications network, said method comprising the steps of:
- dividing time into a multiplicity of periodic units at said headend;
  
  representing each of said multiplicity of periodic units with an identifying bit pattern corresponding thereto;
  
  utilizing said identifying bit pattern as an encrypting variable at said headend;
  
  transmitting said identifying bit pattern to said plurality of cable modems; and
  
  utilizing said identifying bit pattern as a decrypting variable at said plurality of cable modems.
- View Dependent Claims (27, 28, 29)
- - 27. The method in accordance with claim 26, said method encompassing bi-directional data transfer between said headend and said plurality of cable modems, said method further comprising the steps of:
    - mutually authenticating said headend with each of said plurality of cable modems; and
      
      mutually generating a shared secret permanent key between said headend and each of said plurality of cable modems.
  - 28. The method in accordance with claim 27 wherein said headend is operable to select an appropriate level of security.
  - 29. The method in accordance with claim 27, said method incorporating a process of mutually authenticating said headend to each of said plurality of cable modems, said method requiring the bilateral transmission of certificates between said headend and each of said plurality of cable modems, said method requiring generation of random numbers at said headend and each of said plurality of cable modems, said method further comprising the steps of:
    - incorporating a random number generator at said headend;
      
      writing a unique random seed key within a nonvolatile memory component of each of said plurality of cable modems;
      
      generating a random number as required at the headend via said random number generator;
      
      publicly transmitting said random number to one of said plurality of cable modems; and
      
      one of said plurality of cable modems performing as a virtual random number generator by encrypting said random number with said unique random seed key.

30. A bi-directional broadband communications and data transfer encryption system having a plurality of cable modems, said plurality of cable modems interconnected with a headend via a transmission medium having a multiple access upstream channel and a broadcast downstream channel, comprising:
- a cryptosync clock at said headend, said cryptosync clock dividing time into a multiplicity of periodic units;
  
  a CV refresh unit, said CV refresh unit obtaining one input from said cryptosync clock and a second input from a connection key, said CV refresh unit encrypting said cryptosyne clock with said connection key, said CV refresh unit producing a cryptovariable output;
  
  a load subframe counter, said load subframe counter obtaining one input from said cryptosync clock, a second input of a subframe identifying number, and a third input of a subframe start indicator;
  
  a cryptosync pseudorandom feedback shift register (PFSR), said load subframe counter input to said PFSR, said PFSR providing initial prespreading of high speed engine cryptosync;
  
  a high speed engine (HSE), said HSE producing an keystream generator output, said HSE having a HSE cryptosync as a first input and said cryptovariable as a second input;
  
  said second input utilized as an encryption key for said first input;
  
  an XOR gate, said XOR gate performing a bit by bit "exclusive or" operation between said keystream generator output and a plaintext bytestream, said XOR gate producing a ciphertext bytestream output for transmission to said cable modem; and
  
  a broadcast clock, said broadcast clock consisting of the transmission of said headend cryptoclock to said plurality of cable modems, said broadcast clock utilized for decryption of said ciphertext bytestream at said plurality of cable modems.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The encryption system of claim 30 wherein said CV refresh unit is implemented in software.
  - 32. The encryption system of claim 30 wherein said HSE is implemented in hardware.
  - 33. The encryption system of claim 30 wherein encryption algorithms requiring utilization of a square root function are performed at the headend.
  - 34. The encryption system of claim 30 wherein encryption algorithms requiring utilization of a square function are performed at said plurality of cable modems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Heer, Daniel N., Rance, Robert J.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/837,423
Time in Patent Office

1,041 Days
Field of Search

380/9, 380/10, 380/20, 380/21, 380/23, 380/25, 380/28, 380/29, 380/46, 380/48, 380/49, 380/50, 380/59
US Class Current

713/169
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

Encrypting method and apparatus enabling multiple access for multiple services and multiple transmission modes over a broadband communication network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

334 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting method and apparatus enabling multiple access for multiple services and multiple transmission modes over a broadband communication network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

334 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links