This invention relates to a key management system for open communication environments for example the public switched telephone system, radio communications and others.
The term "key" in this specification is intended to refer to a code or number which can be used for authentication, identification, message encryption, message authentication, or digital signature.
The invention is based upon a unique approach to the handling and transfer of such numerical keys, to their use and to a memory module for storing the keys.
According to a first aspect of the invention, therefore, there is provided a security system for authenticating a potential user of a service comprising a first unit associated with the service, a second unit associated with the user, each of said first and second units including means for communicating with the other through a communication medium, each of said first and second units including memory means, each of said memory means having stored therein a plurality of groups of random numbers, the numbers of each group being logically associated together as a group at a logical address in the memory, said random numbers of said groups and the associated addresses in the memory means of the first unit being identical to those of the memory means of the second unit, said first unit including control circuit means arranged, in a first cycle of operation, to extract from the memory means thereof one of the random numbers in one of said groups at a respective address, to communicate said one random number to said second unit, to compare a received signal from the second unit with another of the random numbers in said one of said groups, and to provide authentication of said user only upon a match of said received signal with said another of the random numbers, and in each subsequent cycle of operation to extract one of the random numbers from a respective different one of the groups in the memory means, said second unit including control circuit means arranged, on receipt from said first unit of said one of the random numbers in said one of said groups, to extract from said memory means thereof said another of said random numbers of said group.
According to a second aspect of the invention there is provided a memory module for storing and transporting a plurality of numerical keys for use in a security system comprising a casing forming an outer protection for the module by which the module is a separate, readily transportable unit, electrical connection means in said casing by which said module can be electrically connected to said security system, a memory in said casing, means in said casing arranged to retain material in said memory when said module is separated from said security system, said memory having stored therein a plurality of groups of random numbers, the numbers of each group being logically associated together as a group at a logical address in the memory, and a logic control circuit defining a fixed set of rules which control access to the random numbers in the groups.
According to a third aspect of the invention there is provided a security system for secure information transmission comprising a first unit for transmitting information, a second unit for receiving the information, each of said first and second units including means for communicating with the other through a communication medium, each of said first and second units including memory means, each of said memory means having stored therein a plurality of groups of random numbers, the numbers of each group being logically associated together as a group at a logical address in the memory, said random numbers of said groups and the associated addresses in the memory means of the first unit being identical to those of the memory means of the second unit, said first unit including control circuit means arranged in a first cycle of operation to extract from the memory means thereof a first and a second random number from one of said groups at a respective address, to generate a concatenated message including said first random number and including said information algorithmically acted upon using said second random number, and to transmit said message to said second unit, and in each subsequent cycle of operation to extract random numbers from a respective different one of the groups in the memory means, said second unit including control circuit means arranged, on receipt from said first unit of said message including said first random number, to extract from said memory means a random number from said one of said groups and to algorithmically act upon said message using said random number so extracted.
These techniques can thus be used for encryption, authentication, identification and/or digital signature. In lower levels of the security system, the memory need store only two random numbers associated with a particular position in the memory. In higher levels of security systems including many or all of the above, it is necessary to store in association with the particular position three random numbers in the aforementioned sets.
The invention has as an important part a technique for physical transmission of the memory in the memory module referred to hereinafter as a key transfer device (KTD) which provides security by the technique of giving an indication when the device has been read and by preventing its reversion to a normal transmission state without passing through a state in which the information is erased from the memory.
The new approach for key management described here allows encryption keys to be exchanged or transferred in any open communications environment (e.g. telephone, radio, etc.) without providing any information that an attacker could use to discover the keys. The method accommodates very rapid (less than one second) key changes any time during an established session with excellent economy and a minimum of administrative overhead.
An interesting benefit of this key management methodology is that it can be adopted to provide a form of digital signature which can be used with messages or for user authentication. When used for authentication, this digital signature exhibits the same strength against communications based attack as is provided by the key management approach and is unique in that it can automatically authenticate in both directions. A description of how this key management approach has successfully been incorporated into a commercial dial-access authentication product is included to demonstrate the practicality and future possibilities of this new methodology.
The purpose of a key management system is to provide a means of distribution and control of keys used to operate authentication, encryption and digital signature functions. Key management approaches should be designed to remain secure in a hostile telecommunications environment. Any attacker must be assumed to possess full knowledge of all hardware, software and algorithmic principles that are used as well as information from a line-tap. An attacker must be further assumed to have unlimited financial and technical resources.
Most current key management systems revolve around the protection of one master key or one master key pair using a combination of physical, algorithmic, procedural and protocol controls. It may be observed that these current systems do not depend heavily on either the capabilities of programmed electronic hardware or on the use of modern memory technology. This is interesting since programmed electronic hardware has the flexibility of software control, high operational speed and the ability to be protected physically. Memory based systems also offer significant flexibility and are becoming increasingly cost effective as the price consistently drops by orders of magnitude.
The key management system proposed in this paper takes advantage of memory and programmed electronic hardware technologies to form the basis of a very practical key management solution. This solution involves replacing the concept of distributing encryption or authentication keys with that of the distribution of an electronic unit which, for the purpose of this description, will be termed a Key Transport Device (KTD).
A KTD is used to store and securely transport thousands or even tens of thousands of encryption or authentication keys. Additionally, a KTD provides distributed operational control over the entire key management process by executing a very limited number of logical functions (as requested by a user) according to a strict set of programmed rules.
A typical Key Transport Device (KTD) consists of a microprocessor, a large quantity of memory which may be semiconductor memory or use other memory technologies but is preferably volatile, and a battery power source in a physically secure package which is only slightly larger and heavier than the average credit card. Each KTD has a unique identification number that is permanently built-in and unalterable. The physical security is such that any attempt to breach the packaging results in the total destruction of the KTD contents.
The memory of the KTD is logically divided into three columns which can be designated as address, random number one and random number two which are represented in this paper by the symbols a, R and R' respectively, as follows:
      a        R        R'
      1        A        A'
      2        B        B'
      3        C        C'
      .        .        .
      .        .        .
      .        .        .
      n        X        X'
Although organized in columns, KTDs are always accessed by rows. The address [a] is of course purely logical and requires no physical memory. Random number one [R] functions to provide authentication for key exchanges, and random number two [R'] is a key used for encrypting or authenticating communicated messages.
A Key Transport Device performs a very limited set of logical tasks that are associated with the administration of encryption or authentication keys according to a very strict set of programmed rules. Although the rule set can vary depending on the specific application involved, the following is a list of the basic KTD functions for encryption and authentication applications with an explanation of the applicable rules. The notation KTD represents a KTD operation on a vector or scalar input.
KTD[.0.] is the KTD instruction to fetch the next authentication challenge. The KTD returns a vector [a,R] in response to this instruction. A KTD is only allowed to access each address [a] once (except KTD[a,R'] is allowed as next instruction) so that every authentication challenge is unique.
KTD[a,R] is the KTD instruction to fetch the decryption or authentication key scalar [R'] associated with [a] if and only if [R] is identical to random number one associated with address [a] (i.e. implicit authentication). This instruction is not valid if the specified address [a] has either been previously accessed via another instruction or if the specified address [a] is numerically smaller than the last address [a] that was accessed.
KTD[a,R'] is the KTD instruction to verify an authentication key (challenge response) [R'] associated with address [a]. This instruction is only valid if the previous instruction executed was KTD[.0.] and the address resulting from the execution of that instruction was identical to [a]. The KTD returns a logical true [verified] or false [not verified] in response to this instruction.
KTD[.0..0.] is the KTD instruction to fetch the next encryption or authentication key set. The KTD returns a vector [a,R,R'] in response to this instruction. A KTD is only allowed to access each address [a] once so that every encryption or authentication key is unique.
The KTD key generation and programming process makes use of a special programming device which installs operational parameters as well as encryption and authentication keys. Operational parameters include the subset of enabled KTD functions and a number of variables used to control the actual encryption or authentication hardware. Depending on the KTD design, additional user authentication data can be programmed into the KTD such as passwords, retina scan signatures, etc.
Once the operational parameters have been loaded into a KTD, the KTD programming device generates the required set of truly random numbers. These random numbers are stored in the KTD, which is then electronically sealed in preparation for secure transport to the intended user. Key generation does, of course, require the usual physical safeguards such as personnel restrictions and a reasonably secure room.
A KTD programmer is designed to prevent any human from reading the generated keys either explicitly or via electromagnetic radiation. Additionally, once all KTDs using a specific set of random numbers have been programmed, the random numbers are erased and cannot be generated again.
Any number of key sets can be programmed into a KTD up to the limit of its memory capacity. The key random numbers can be of any bit length. In some cases the required application will call for a group of KTDs all programmed with the same key sets. In other cases only one pair of KTDs in a group will be identical, with a central KTD including all sets of a plurality of different KTDs.
From an external, electronic viewpoint a KTD can be modelled as a classic finite state machine. The following is a description of how key security is assured during transport.
State #1: This is the original state of a KTD as delivered from the factory. In this state the KTD can be considered a "key blank" that requires programming with a KTD programmer. Once the operational parameters and encryption or authentication keys have been programmed into the KTD, the device is "sealed" by signalling the KTD to move to state #2.
State #2: In this state the KTD is electronically "sealed," thus preventing any external agent from accessing the KTD contents by way of any electronic enquiries. All operational parameters are as inaccessible as are the authentication or encryption keys. The only allowed enquiry is a request for the KTD identification number which is not secret and is usually clearly printed on the external casing.
This electronic security is complemented by physical security that ensures KTD contents cannot be obtained through any physical attack. Physical protection involves encasement of the KTD in a manner that will not allow disassembly without causing the destruction of all internal memory related components. Additionally, KTD circuitry remains active during transport so that it can monitor the physical security controls and deliberately erase the KTD memory if any external attack is detected. These measures, along with a few procedural precautions (described next), allow a KTD to "take care of itself" to an extent whereby there are no requirements for additional security precautions during transport (such as a bonded courier). KTDs can be transported to the user destination via any low cost, low security means desired, even the public mail.
Upon arrival at the user destination, a KTD is installed in an authentication or encryption device that is designed to be used with KTDs. The KTD is expected to arrive in state #2. This is checked by the encryption or authentication equipment and reported to the equipment user. Should the KTD arrive in state #3 or state #4, this is evidence that some agent has attempted to access the KTD and therefore the security of the memorized keys would be suspect. However, the KTD requirements associated with a transition to state #3 can be made arbitrarily difficult to limit the possibility of KTD compromise or disruption of KTD distribution. The transition to state #3 can be made conditional on some set of user authentication requirements such as the possession of a one-way authentication KTD (described later), a password, a retina scan or even the possession of specific encryption equipment.
State #3: If a KTD arrives in state #2 and the user is able to authenticate his or her identity sufficiently (by possession, knowledge and/or physical characteristic) then the push of a single button on the associated encryption or authentication device will cause the KTD to enter state #3. This is the normal operating state of the KTD in which it supplies keys to encryption or authentication equipment. While in this state, KTD security becomes dependent upon its logical adherence to the allowed set of functions and rules (described earlier), protocol and physical security. For certain operational environments it may be desirable to use a version of the KTD which enters state #4 if the KTD is removed from its receptacle in the encryption or authentication equipment.
State #4: Upon entering this state a KTD erases all encryption and authentication key information. This state is unique in that it can be entered directly from any other state as a function of the physical and logical security provided by the KTD. If the KTD is designed to be non-reprogrammable the KTD stays in this state permanently to ensure an attacker has no method of accessing the KTD, reading the contents and then reprogramming and resealing the KTD. Such KTDs can be used particularly for encryption where more information can be read from a single KTD. If a KTD is reprogrammable, that is, a transition from state #4 (erased) to state #1 (program) is allowed, generally speaking such KTDs will not be used for encryption. In this case, this state prevents an attacker from concealing that an attempt has been made to read the KTD.
Thus the operational and physical protection features of a KTD ensure that no attacker can attempt to read the device contents without at the very least revealing that attempt to the end user.
In order to prevent an unauthorized recipient from reading, rewriting and resealing the KTD, one or more of the following steps can be taken:
(a) The limited commands which the KTD will complete are designed to prevent a user from reading all the information from a single KTD.
(b) The unsealing can be made difficult.
(c) The KTD may store a number indicative of the number of times it has been rewritten.
(d) The optional transition from state #4 to state #1 can be disallowed.
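The following Python program is an added illustration, not part of the specification, of the four-state transport model and of the arrival check described above. Class names, the rewrite counter and the scenario functions are assumptions introduced here for the illustration; the transitions themselves follow the description of states #1 to #4.

```python
from enum import Enum


class KTDState(Enum):
    BLANK = 1       # state #1: key blank as delivered from the factory
    SEALED = 2      # state #2: programmed and electronically sealed for transport
    OPERATING = 3   # state #3: unsealed, supplying keys to the equipment
    ERASED = 4      # state #4: all key information erased


class KTDLifecycle:
    """Transport state machine of a KTD. Only the transitions below exist; state #4 is
    reachable from every state, and a non-reprogrammable KTD never leaves it."""

    def __init__(self, reprogrammable):
        self.state = KTDState.BLANK
        self.reprogrammable = reprogrammable
        self.rewrite_count = 0      # item (c): how many times the KTD has been written

    def program_and_seal(self):
        """State #1 -> #2, performed by the KTD programmer."""
        if self.state is not KTDState.BLANK:
            raise ValueError("only a blank KTD can be programmed")
        self.rewrite_count += 1
        self.state = KTDState.SEALED

    def unseal(self, user_authenticated):
        """State #2 -> #3, conditional on the user authenticating (item (b))."""
        if self.state is not KTDState.SEALED or not user_authenticated:
            raise ValueError("unsealing refused")
        self.state = KTDState.OPERATING

    def erase(self):
        """Any state -> #4: tamper detection, removal from the receptacle, or a deliberate reset."""
        self.state = KTDState.ERASED

    def return_to_blank(self):
        """Optional #4 -> #1 transition; disallowed for non-reprogrammable KTDs (item (d))."""
        if self.state is not KTDState.ERASED or not self.reprogrammable:
            raise ValueError("this KTD cannot be reprogrammed")
        self.state = KTDState.BLANK


def arrival_check(ktd, expected_rewrites=1):
    """What the receiving equipment reports when a KTD is installed."""
    if ktd.state is not KTDState.SEALED:
        return False, f"arrived in state #{ktd.state.value}: access attempt suspected"
    if ktd.rewrite_count != expected_rewrites:
        return False, f"rewrite count {ktd.rewrite_count}, expected {expected_rewrites}: reprogramming suspected"
    return True, "arrived sealed"


def legitimate_delivery():
    """Programmed once, sealed, and delivered untouched."""
    k = KTDLifecycle(reprogrammable=False)
    k.program_and_seal()
    return k


def resealing_attempt(reprogrammable):
    """An interceptor cannot unseal the KTD; forcing it lands in state #4, which wipes the
    keys, and any attempt to look normal again is visible on arrival."""
    k = KTDLifecycle(reprogrammable)
    k.program_and_seal()                       # legitimate programming: rewrite_count == 1
    try:
        k.unseal(user_authenticated=False)     # interceptor lacks the user's credentials
    except ValueError:
        k.erase()                              # any forced access lands in state #4
    try:
        k.return_to_blank()                    # only possible for reprogrammable KTDs ...
        k.program_and_seal()                   # ... and leaves rewrite_count == 2
    except ValueError:
        pass                                   # non-reprogrammable: stays erased
    return arrival_check(k)
```

For a non-reprogrammable KTD the device arrives erased (state #4); for a reprogrammable one it arrives sealed but with a rewrite count of two, so either way the equipment reports the access attempt to the user.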
An explanation of how a KTD system provides user authentication (authentication by possession) is the easiest introduction to KTD protocols. A session authentication KTD would be enabled to permit three functions:
KTD[.0.], KTD[a,R] and KTD[a,R']. For this example it will be assumed that two users wishing to establish sessions are already supplied with KTDs which have been programmed by one of the two users, with each KTD having in its memory the same array as set out before in the table aRR'.
Assume user #2 wishes to originate an authenticated session with user #1 and assume that KTD memory address 1 has already been used. The protocol is as follows:
(a) User #2 calls user #1 (e.g. on the telephone) and establishes a connection.
(b) User #2 authentication device sends the KTD identification (#002 in this example) to user #1.
(c) Given that user #1 recognizes the #002 identification, user #1's authentication device requests KTD[.0.] which responds with the vector [2,B]. User #1's KTD marks address 2 as used.
(d) User #1's authentication device sends the authentication vector [2,B] to user #2 in plain text as a numeric challenge.
(e) User #2's authentication device receives the authentication vector [2,B] and requests KTD[2,B] which responds with the scalar [B']. User #2's KTD marks address 2 as unavailable. At this point, user #1 has been authenticated to user #2.
(f) User #2's authentication device sends the scalar [B'] to user #1 in plain text as the solution to the numeric challenge.
(g) User #1's authentication device requests KTD[2,B'] which responds with a logical true [verification] that [B'] is indeed the authentication key associated with KTD address 2, or of course logical false if a false response is received. User #1's KTD marks address 2 as unavailable. At this point, user #2 has been authenticated to user #1.
Therefore, this key management system has the capability to provide authentication in two directions (user to host and host to user) in a virtually simultaneous manner using a simple plain text transaction. Additionally, this authentication has the property of being immune to any communications based attack in the context of user session authentication based on possession, given that the physical security of the KTDs is maintained.
This implicit style of authentication is fundamental to the use of KTD key management for the secure exchange of encryption keys in an open communications environment.
It is interesting to note that if user #1 had concatenated a plain text message to the transmission of step (d) of the above exchange then user #1 would have effectively provided a form of digital signature with that message. Although the message itself would not have been authenticated (subject to replacement, modification or deletion), user #2 could be absolutely certain that the message originated with user #1. Further, the scalar response [B'] from user #2 would act as a verifiable plain text receipt to user #1.
The KTD based key management system protocol for the exchange of encryption or authentication keys is again best demonstrated by example. KTDs used for this purpose need only be enabled to permit two functions: KTD[.0..0.] and KTD[a,R]. The remaining two functions: KTD[.0.] and KTD[a,R'] would also normally be permitted to facilitate session authentication or message receipting.
Assume that two users wishing to exchange encrypted or authenticated messages are already supplied with KTDs appropriately programmed with the array aRR' as set out before, and that an authenticated session has already been established.
Assume that user #1 wishes to send an encrypted message to user #2 and assume that KTD address 1 has already been used. The protocol is as follows:
(a) User #1's encryption device requests KTD[.0..0.] which responds with the vector [2,B,B']. User #1's KTD marks address 2 as unavailable.
(b) User #1's encryption device encrypts the plain text message P using B' as the encryption key (using whatever encryption algorithm is desired), producing the resultant vector [E_B'(P)].
(c) User #1's encryption device sends the resultant vector concatenated to the key selection vector: [E_B'(P)][2,B].
(d) User #2's encryption device receives the transmission [E_B'(P)][2,B] and requests KTD[2,B] which responds with the scalar [B']. User #2's KTD marks address 2 as unavailable. Again, user #2 can now be certain that the message originated from user #1.
(e) User #2's encryption device decrypts the message: D_B'[E_B'(P)] = P.
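The following Python program is an added illustration, not part of the specification, of the four basic KTD instructions with their rules, of the two-way session authentication protocol of steps (a) to (g), and of the encrypted message exchange of steps (a) to (e) above. The three-row table with labels A, A', B, B', C, C' is constructed here to match the table aRR'; the class and function names are assumptions, and the stream cipher is an assumed stand-in for E_B'/D_B' since the text leaves the algorithm open.

```python
import hashlib
import secrets

# Constructed sample table (a, R, R'); short hypothetical labels keep the trace readable.
SAMPLE_TABLE = {1: (b"A", b"A'"), 2: (b"B", b"B'"), 3: (b"C", b"C'")}


class KTDError(Exception):
    """Raised when an instruction violates the KTD rule set."""


class KTD:
    """Simulator of the four basic KTD instructions and their rules: each address is
    accessed once (KTD[a,R'] may directly follow KTD[.0.] for the same address),
    KTD[a,R] is refused for a used address, an address below the last one accessed
    or a wrong R, and KTD[a,R'] is valid only straight after KTD[.0.]."""

    def __init__(self, ident, table, already_used=()):
        self.ident = ident
        self._rows = dict(table)                      # a -> (R, R')
        self._used = set(already_used)
        self._last_addr = max(already_used, default=0)
        self._last_instr = None                       # (instruction, address)

    def _take_next(self, instr):
        for a in sorted(self._rows):
            if a not in self._used and a > self._last_addr:
                self._used.add(a)
                self._last_addr = a
                self._last_instr = (instr, a)
                return a
        raise KTDError(f"{self.ident}: key material exhausted")

    def challenge(self):
        """KTD[.0.]: next authentication challenge [a, R]."""
        a = self._take_next("KTD[.0.]")
        return a, self._rows[a][0]

    def key_set(self):
        """KTD[.0..0.]: next full key set [a, R, R']."""
        a = self._take_next("KTD[.0..0.]")
        return a, self._rows[a][0], self._rows[a][1]

    def fetch_key(self, a, r):
        """KTD[a,R]: return R' only if R matches row a (implicit authentication)."""
        if a not in self._rows or a in self._used or a < self._last_addr:
            raise KTDError(f"{self.ident}: address {a} not available")
        if not secrets.compare_digest(r, self._rows[a][0]):
            raise KTDError(f"{self.ident}: R does not match address {a}")
        self._used.add(a)
        self._last_addr = a
        self._last_instr = ("KTD[a,R]", a)
        return self._rows[a][1]

    def verify(self, a, r_prime):
        """KTD[a,R']: true/false verification of a challenge response."""
        if self._last_instr != ("KTD[.0.]", a):
            raise KTDError(f"{self.ident}: KTD[a,R'] must directly follow KTD[.0.] for {a}")
        self._last_instr = ("KTD[a,R']", a)
        return secrets.compare_digest(r_prime, self._rows[a][1])


def stream_cipher(key, data):
    """Assumed stand-in for E_R'/D_R': XOR with a SHA-256 counter keystream (symmetric,
    and acceptable only because each R' is used for exactly one message)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def two_way_authentication(host, user):
    """Steps (c) to (g): plain-text challenge/response authenticating both parties."""
    a, r = host.challenge()          # (c) KTD[.0.] -> [a, R], sent in plain text in (d)
    r_prime = user.fetch_key(a, r)   # (e) KTD[a,R] -> R'; host is now authenticated to user
    return host.verify(a, r_prime)   # (g) KTD[a,R'] -> true means user authenticated to host


def send_encrypted(sender, plaintext):
    """Steps (a) to (c): encrypt under R' and append the key selection vector [a, R]."""
    a, r, r_prime = sender.key_set()
    return stream_cipher(r_prime, plaintext), (a, r)


def receive_encrypted(receiver, message):
    """Steps (d) and (e): recover R' through KTD[a,R], then decrypt."""
    ciphertext, (a, r) = message
    return stream_cipher(receiver.fetch_key(a, r), ciphertext)


def demo():
    """Address 1 already used, as in the text: authentication uses address 2, the message address 3."""
    u1 = KTD("#001", SAMPLE_TABLE, already_used={1})
    u2 = KTD("#002", SAMPLE_TABLE, already_used={1})
    authenticated = two_way_authentication(u1, u2)
    return authenticated, receive_encrypted(u2, send_encrypted(u1, b"meet at noon"))


def replay_is_rejected():
    """A recorded [a, R] presented a second time is refused by the recipient's KTD."""
    u1, u2 = KTD("#001", SAMPLE_TABLE), KTD("#002", SAMPLE_TABLE)
    message = send_encrypted(u1, b"first copy")
    receive_encrypted(u2, message)
    try:
        receive_encrypted(u2, message)
    except KTDError:
        return True
    return False
```

Only [a, R] and the ciphertext ever cross the line; R' is derived at each end from the identical tables, and because each address is consumed on first use a replayed key selection vector is refused, which is the property relied upon later in the discussion of message origin and sequence checks.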
This simplified example has demonstrated how a KTD based key management system communicates encryption key selection without revealing the key even in encrypted form. It is further demonstrated that each transaction utilizing the above protocol is implicitly provided with a form of digital signature.
Now that the fundamental mechanism and protocols of a KTD based key management system have been explained, it is important to show how the use of this system with appropriate encryption and/or authentication algorithms meets the general qualifications for the provision of communication security. The following points of discussion are based on the checklist of ten criteria for communication security proposed by Jueneman, Matyas and Meyer. Although not all of these qualifications are necessarily relevant to every application, the list can be considered useful in determining the strengths and weaknesses of any proposed approach.
The checklist is as follows:
(a) To prevent disclosure of plain text to any person or process not possessing the appropriate cryptographic key.
(b) To prevent release of information by the sender, either accidentally or deliberately, by deceitful or faulty (Trojan Horse) mechanisms operating via nominally secure media or transmission paths.
(c) To permit the receiver to detect any modification of a message, including insertion, deletion, transposition, or modification of the contents.
(d) To permit the receiver to detect any modification of the sequence of messages, either in a session or on a recorded file (including the insertion, deletion, or rearrangement of messages). And further, to prevent the undetectable deletion or loss of message(s) at the end of the session or data file.
(e) To permit verification of message origin and destination. If the same key used for traffic from A to B is used for B to A traffic, messages from A might be delivered back to A, as though they had come from B. Valid messages from C to A might be copied and sent as though they had come from B.
(f) To permit the verification of message timeliness. In a telecommunications session environment this implies that the entire session or sequences of messages is current, and not a replay of some previous (perhaps valid) session. In the absence of bidirectional session, the individual message or datagram must at least be timely, that is, with an authenticated time-stamp that is within some delta-t of the current date/time at the receiver.
(g) To permit the sender to detect a fraudulent acknowledgement of message receipt or non-receipt by someone other than the message recipient. That is, the opponent must be prevented from returning fraudulent acknowledgements to the sender while preventing or withholding the recipient's acknowledgements.
(h) To extend the above protections to include the case where any modification of the message, message sequence, or message acknowledgement must be detected, even in the absence of message secrecy, that is, when the plaintext may be known to or even originated by the opponent.
(i) To extend the above protections on a pair-wise basis to multi-party colloquies taking place via multi-drop line, packet network, or satellite broadcast circuit.
(j) To prevent fraudulent disavowal and or forgery of a signed message (digital signature), and to permit both sender and receiver to verify their claims to the satisfaction of an independent referee. The process of notarization and or claim verification should not compromise the secrecy of the information to the referee or any notary, nor should it compromise the digital signature scheme to either the recipient or the referee.
These points are specifically addressed as follows:
(1) Plain text is not disclosed to any person or process not in possession of the appropriate KTD and thus the cryptographic key for each message. This of course assumes the chosen encryption algorithm is reasonably strong and the message length is limited.
(2) The sender of a message cannot be tricked (either accidentally or deliberately) into releasing information via any transmission. Any intruder can be detected using the two-way session authentication process or at the very least would not be able to decrypt the message without possession of the appropriate and operational KTD.
(3) The receiver can detect if a message has been altered via insertion, deletion, transposition or modification if a standard Message Authentication Code (MAC) has been calculated using another key supplied by the KTD. The MAC would be concatenated to the encrypted or plain text message in the usual manner. Again, this assumes the chosen message authentication algorithm is sufficiently strong and assumes a slight modification of the KTD function set.
(4) The KTD approach to key management automatically detects any attempt to modify the sequence of messages in a session (insertion, deletion or rearrangement). A sequence number with each message might still be useful to detect rearrangements on a recorded file of the session and an authenticated message total should still be transmitted at the conclusion of each session to prevent loss of messages at the end of a session.
(5) Message origin and destination are automatically verified using the KTD key management approach. Messages from A can not be delivered back to A as though they came from B since each encryption or authentication key is only used once. Any attempt to resend a message would result in an error response from the recipient's KTD. Additionally valid messages from any third party C can not be copied and sent as though they had come from B since KTD key sets are distributed on a pairwise basis (see section on large scale KTDs).
(6) The timeliness of messages can be verified by the inclusion of an authenticated date and time stamp with each encrypted or authenticated message.
(7) The sender can detect a fraudulent acknowledgment of message receipt or non-receipt by someone other than the intended recipient. For plain text messages an authenticated receipt is automatically provided by the KTD. For encrypted or authenticated messages a receipt can simply be provided by the sender making a second request: KTD[.0.] (slightly altered function set required). The returned vector can be concatenated onto the sent message to be interpreted as "receipt requested". Only the designated receiver in possession of the required KTD can acknowledge receipt by returning [a,R'] to the sender who will in turn verify that receipt via his or her KTD. (A simpler method of achieving this same result is described in the section on encryption with digital signature).
(8) The above protections are extended to include the detection of any modification of the message sequence or message acknowledgment even in the absence of message secrecy. The detection of message modification requires the use of a KTD supplied key to generate a Message Authentication Code that is sent with the message.
(9) All of the above protections apply on a pair-wise basis to multi-party colloquies taking place via multi-drop line, packet network or satellite broadcast circuit. This type of network arrangement of "equal" nodes requires the use of large scale KTDs, which are described later.
(10) Although the KTD based key management system as it has been described thus far does provide a form of digital signature with each message, it does not prevent fraudulent disavowal or forgery of an encrypted or authenticated message. However, a simple modification will provide this feature. This modification is described next.
In summary, the KTD based key management approach has been shown sufficient to support all of the encryption, authentication and procedural operations necessary to provide complete communications security.
Without modification, the KTD based key management system cannot provide a digital signature when either message authentication or encryption is used. Since the instruction KTD[.0..0.] responds with the vector [a,R,R'], one user is provided with sufficient information to forge a message to himself or herself, claiming it was sent by another party using an identically programmed KTD.
The solution is to change the memory organization of the KTD to include an additional column of random numbers. Each KTD memory entry is then a vector [a,R,R',R"]. It is also necessary to change the KTD function and rule set such that the result of the instruction: KTD[a,R] returns the vector [R',R"] (instead of the scalar [R']) and to add an instruction: KTD[a,R"] which returns a logical verification of the R" input (only if last instruction was KTD[.0..0.]). Note that the instruction KTD[.0..0.] still only returns the vector [a,R,R'].
Therefore, the sending party can only obtain R" if the receiving party actually received the message and the receiving party can only obtain R" if the sending party actually sent the message. It is interesting to note that only one "receipt" is actually used and that the digital signature is provided as part of a plain text transaction.
The now classic question of how Bob and Alice (mutually distrustful people) can play poker on the telephone now has an interesting solution. Using KTD's, the process requires two enhanced digital signature KTD's (one for Alice and one for Bob) which have been programmed by one of the two players (or a trusted third Party). Each KTD stores a randomly shuffled deck of 52 cards.
The KTD functions and rules are similar to those used for session authentication: KTD[.0.] means draw card for the other player=[a,R]; KTD[a,R] means fetch card selected by other player=[R',R"]; where KTD[.0.] and KTD[a,R] are mutually exclusive functions; KTD[a,R'] means confirm hand card of other player=[verify]; and KTD[a,R"] means confirm discarded card of other player=[verify]; where KTD[a,R'] and KTD[a,R"] are mutually exclusive functions. The example follows:
(a) Bob selects five cards for Alice: KTD[.0.], KTD[.0.], KTD[.0.], KTD[.0.], KTD[.0.].
Sends vectors: [1,A], [2,B], [3,C], [4,D], [5,E] to Alice.
(b) Alice retrieves hand and receipts: KTD[1,A], KTD[2,B], KTD[3,C], KTD[4,D], KTD[5,E].
Alice's hand is: A', B', C', D', E'; Alice's receipts are: A", B", C", D", E".
(c) Alice selects five cards for Bob: KTD[.0.], KTD[.0.], KTD[.0.], KTD[.0.], KTD[.0.].
Alice sends vectors: [6,F], [7,G], [8,H], [9,I], [10,J] to Bob.
(d) Bob retrieves hand and receipts: KTD[6,F], KTD[7,G], KTD[8,H], KTD[9,I], KTD[10,J].
Bob's hand is: F', G', H', I', J'; Bob's receipts are: F", G", H", I", J".
(e) A bidding exchange takes place.
(f) Bob discards three cards by sending vectors: [8,H"], [9,I"], [10,J"] to Alice.
(g) Alice verifies Bob's discards without obtaining knowledge of discards: KTD[8,H"], KTD[9,I"], KTD[10,J"]=[verify], [verify], [verify].
(h) Alice selects three new cards for Bob: KTD[.0.], KTD[.0.], KTD[.0.]. Sends vectors: [11,K], [12,L], [13,M] to Bob.
(i) Bob retrieves 3 new cards and receipts: KTD[11,K], KTD[12,L], KTD[13,M].
Bob's new hand is: F', G', K', L', M'; Bob's receipts are: F", G", K", L", M".
(j) Alice has no discards. A bidding exchange takes place and the hand is called.
(k) Bob shows his hand to Alice by sending vectors: [6,F'], [7,G'], [11,K'], [12,L'], [13,M'].
(l) Alice verifies Bob's hand: KTD[6,F'], KTD[7,G'], KTD[11,K'], KTD[12,L'], KTD[13,M'].
Result is: [verify], [verify], [verify], [verify], [verify]. Bob did not cheat.
(m) Alice shows her hand to Bob by sending vectors: [1,A'], [2,B'], [3,C'], [4,D'], [5,E'].
(n) Bob verifies Alice's hand: KTD[1,A'], KTD[2,B'], KTD[3,C'], KTD[4,D'], KTD[5,E'].
Result is: [verify], [verify], [verify], [verify], [verify]. Alice did not cheat.
Therefore, a successful hand of draw poker has been played by Bob and Alice over the phone using KTD based key management technology in "real" time using absolutely no encryption whatsoever! A virtually unlimited number of poker hands can be played in this manner since the equipment and communications costs are very low.
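As an added illustration (example code, not the patent's own), the poker rule set above and the three-column [a,R,R',R"] memory of the digital signature modification are modelled in Python and the hand just described is replayed. Assumed here: each device keeps a per-address "used" record, which is what makes KTD[.0.] and KTD[a,R] mutually exclusive and keeps the two identically programmed devices in step, verification is accepted only by the device that issued the address, and 64-bit constructed random numbers stand in for programmed memory.

```python
import secrets

class KTDError(Exception): pass

class KTD:
    """Constructed model of a poker rule-set KTD (example code, not the patent's).
    Memory: one [R, R', R"] triple per address (card); both devices hold identical copies."""
    def __init__(self, memory):
        self.mem = dict(enumerate(memory, start=1))   # a -> (R, R', R")
        self.drawn, self.fetched, self.verified = set(), set(), {}

    def draw(self):                         # KTD[.0.]: draw a card for the other player
        a = min(i for i in self.mem if i not in self.drawn and i not in self.fetched)
        self.drawn.add(a)
        return a, self.mem[a][0]            # vector [a,R]; R' and R" never leave the device

    def fetch(self, a, R):                  # KTD[a,R]: fetch the card drawn for us
        if a in self.drawn or a in self.fetched or self.mem[a][0] != R:
            raise KTDError("fetch refused")  # one attempt per a; exclusive with draw
        self.fetched.add(a)
        return self.mem[a][1], self.mem[a][2]   # vector [R',R"] = card, receipt

    def verify(self, a, kind, value):       # KTD[a,R'] (kind="hand") or KTD[a,R"] ("discard")
        # Only the issuing device verifies, once per a, as hand OR discard, never both.
        if a not in self.drawn or a in self.verified:
            raise KTDError("verify refused")
        self.verified[a] = kind
        return self.mem[a][1 if kind == "hand" else 2] == value

def make_deck(cards=52):
    # Constructed: 64-bit random triples stand in for the programmed KTD memory.
    return [tuple(secrets.randbits(64) for _ in range(3)) for _ in range(cards)]

def play_hand():
    deck = make_deck()
    bob, alice = KTD(deck), KTD(deck)
    alice_hand = {a: alice.fetch(a, R) for a, R in [bob.draw() for _ in range(5)]}   # (a)-(b)
    bob_hand = {a: bob.fetch(a, R) for a, R in [alice.draw() for _ in range(5)]}     # (c)-(d)
    discards = list(bob_hand)[2:]                                                    # (f)
    ok_discards = all(alice.verify(a, "discard", bob_hand.pop(a)[1]) for a in discards)  # (g)
    bob_hand.update({a: bob.fetch(a, R) for a, R in [alice.draw() for _ in range(3)]})  # (h)-(i)
    ok_bob = all(alice.verify(a, "hand", c) for a, (c, _) in bob_hand.items())          # (k)-(l)
    ok_alice = all(bob.verify(a, "hand", c) for a, (c, _) in alice_hand.items())        # (m)-(n)
    try:   # Bob later claims discarded card 8 as held: its verify slot is already spent
        alice.verify(discards[0], "hand", deck[discards[0] - 1][1]); cheat_caught = False
    except KTDError:
        cheat_caught = True
    return ok_discards, ok_bob, ok_alice, cheat_caught, sorted(bob_hand)
```

Alice's verification of a discard returns only [verify], so she learns nothing of the card value R', yet the spent verify slot stops Bob from later presenting that card as part of his hand.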
An originate-only authentication KTD is only provided with the single function capability KTD[a,R] producing the result [R'] or an error. The standard rule applicable to this function is that only one attempt can be made for any given [a]. The interesting feature of such a KTD is that it provides additional security during transport. An intruder that intercepts a one-way authentication KTD must have possession of the matching normal KTD in order to access any information, even if the one-way authentication KTD is unsealed (in state #3).
When more than two equal network nodes wish to converse using a KTD based key management approach, each node must necessarily be provided with a uniquely programmed KTD for every other node (on a pairwise basis) with which secure communication is to take place. This does not imply hundreds of KTD's stacked in computer rooms but rather the use of large scale KTD's utilizing existing mass memory technologies. Therefore, each network node still only requires one KTD, although it is necessarily larger in size.
Thus for a network of N "equal" nodes there is a requirement for N large scale KTD's, each with (N-1) programmed KTD key sets. Over this N node network (N×(N-1))/2 unique KTD key sets are needed.
These large scale KTD's are of course more difficult to protect physically for distribution purposes. The solution to this problem involves either additional physical protection or the information on a large scale KTD can be encrypted with keys stored in an originate-only authentication KTD.
Other possible uses of these techniques include the use of KTD keying material for encryption based on other than message boundaries. By applying this concept, a user could theoretically have discretionary control over key granularity for each message up to the point where the KTD effectively becomes a one-time pad (continuous control over encryption strength).
Another area which presents some interesting possibilities is the use of KTD based key management with hierarchical key distribution. The use of multiple personal KTD's to protect access to information by combinatorial control (e.g.: cooperation of President plus one VP or cooperation of three VPs would be required to gain access) is also possible.
Choice of bit length for each random number along with the associated economies and access probability tradeoffs is of obvious importance. The description of these tradeoffs is however, largely self evident and may be calculated if the reader is so inclined.
Other possible arrangements are as follows:
(a) The use of KTD keying material for encryption based on other than message boundaries:
KTD keying material can be applied at session boundaries, message boundaries, character boundaries, or even variable boundaries.
There are two possible approaches to dynamically access keys larger than a KTD may contain. Pictorially, these are: [structure diagram STR1 not reproduced here]
In an environment where key granularity is changing dynamically, the chosen key length must be transmitted to the recipient.
(b) KTD based key management with hierarchical key distribution:
By using KTDs to drive a hierarchical key management system, the operational life of a programmed KTD could be significantly extended. This life extension is at the cost of security, since key density relative to message length is decreased.
A KTD could easily provide a new "master key" each hour, or day, or month or at any length of time. The "master keys" would then be used to encrypt "session keys" that can be transmitted to users for decryption and use.
(c) The use of KTDs for combinatorial control:
This is a variant of Shamir's method first published in 1979. Shamir proposed providing various positions within an organization with sets of points (x-y coordinates) that could be used to solve an n-degree polynomial in order to protect an encryption key; i.e., when the equation 14x^3 + 21x^2 + 14x + 12 = y is solved, then 12 would be the encryption key.
Now, access via the same physical approach can be provided with KTDs, only without the need for the mathematical derivations. For example, KTDs would be supplied to the president, each vice president and each manager. A single station would be capable of holding, say 4 KTDs. That station would then use software logic to provide access to the encryption key only in the presence of, say one president or three vice presidents or four managers. Any combination is of course, possible.
(d) The use of KTDs to allow use of other authentication techniques in a telecommunications environment:
KTD technology has the unique capability of enabling other authentication systems to work in telecommunications environments. Generally, retina scanners, fingerprint analyzers or hand geometry analyzers are used for local (e.g., door) access applications because if the information produced by these devices is transmitted on a telecommunications circuit, that information could be recorded via a line-tap, then used by another person. Passwords, which are commonly used on telecommunication systems, also suffer from this deficiency.
Since KTDs can provide memory to compare this data against a local input device, the authentication can be achieved at the user location and then confirmed via a standard KTD authentication exchange as described earlier.
(e) KTD technology applied to physical locks
KTD technology can act as a general locking mechanism. A mechanical lock authenticates an individual by his or her possession of a physical, mechanical key. Similarly, a KTD lock would authenticate an individual by his or her possession of an appropriately programmed KTD. The advantages of this approach would be electronic control over access and over the number of accesses.
(f) For Pay TV protection
KTD key management technology can provide simple, but virtually unbeatable, Pay TV channel encryption. Only those subscribers with the KTD for a given subscription period could decrypt the channel signal for viewing. Advantages would include the ability for parents to remove the KTD when they're absent.
(g) General advantages
The following advantages can thus be obtained:
The operational and physical protection features of a KTD ensure that no attacker can attempt to read the device contents without at the very least revealing that attempt to the end user.
This key management system has the capability to provide authentication in two directions (user to host and host to user) in a virtually simultaneous manner using a simple plain text transaction.
This authentication has the property of being immune to any communications based attack in the context of possession-based user session authentication, provided that the physical security of the KTD's is maintained.
A KTD based key management system communicates encryption key selection without revealing the key, even in encrypted form.
Each transaction utilizing the KTD authentication protocol is implicitly provided with a form of digital signature.
The KTD based key management approach has been shown sufficient to support all of the encryption, authentication and procedural operations necessary to provide complete communications security.
The digital signature is provided as part of a plain text transaction utilizing only one "receipt".
A user could theoretically have discretionary control over key granularity for each message up to the point where the KTD effectively becomes a one-time pad (continuous control over encryption strength).
One example of the system used for authorization will now be described in conjunction with the accompanying drawings in which: