1. Field of the Invention
The present invention relates generally to secure computer systems, and more particularly, to securing information transmitted between computer systems by encrypting the information.
2. Description of Related Art
Encryption, which is the conversion of information into a form that cannot be easily understood by unauthorized parties, is used extensively in modern computer networks to keep sensitive information, such as credit card numbers or confidential corporate information, from interception by the unauthorized parties. Encryption has become particularly important with the growth in popularity of large, relatively public networks such as the Internet.
Decryption converts encrypted information back into its original form. To convert the information back and forth between its encrypted and unencrypted (plaintext) forms, a numerical code called an encryption key is used in combination with an encryption algorithm.
In operation, the party sending the information encrypts the plaintext information with the encryption algorithm and the key. The encrypted information is then transmitted over the insecure medium and decrypted by the receiving party using the encryption algorithm and the key. Although an intercepting party may know the encryption algorithm used by the sender and receiver, without the key, they will not be able to understand the encrypted data.
One well known encryption algorithm is the data encryption standard (DES) algorithm. DES applies a 56-bit key to 64-bit blocks of the data that is to be encrypted, to obtain 64-bit blocks of encrypted data.
Some DES key transmission protocols increase the length of the key from 56 bits (7 bytes) to 64 bits (8 bytes) by adding a parity bit to each 7 bit segment of the original 56 bit key. Parity refers to a technique of checking whether data has been lost or written over when it""s transmitted between computers. The additional bit, the parity bit, is added to the 7 bit segment such that the sum of the bits before transmission is either even (even parity) or odd (odd parity). The receiving computer may then check the sum of each received byte to verify that the bits were not corrupted in transmission. A parity bit is not a perfect indicator of transmission error, because, for example, if two bits are corrupted during transmission, their errors may cancel each other out and the sum of the bits may still pass the parity check.
Before being used as a key to the DES algorithm, the 64-bit keys are stripped of their parity bits. Stripping a 64-bit key involves copying the 7-bit non-parity portion of each parity byte and concatenating the eight 7-bit portions to reform the original 56 bit key. It is desirable to perform this key stripping procedure as efficiently as possible.
One aspect of the present invention is a method of stripping parity bits from an input stream. The method includes successively retrieving a portion of the input stream of a plurality of portions of the input stream. For each successively retrieved portion of the input stream, at least three acts are performed. To wit: (a) setting an additional bit of each said retrieved portion of the input stream to zero to obtain a zeroed value; (b) shifting the bits in the zeroed value a certain number of bits based on the position of the retrieved portion in the input stream; and (c) integrating the shifted bits into an output location.
A second aspect of the present invention is directed to a computer system. The computer system comprises a cryptographic engine, the cryptographic engine encrypting and decrypting information based on an encryption key. A processor is coupled to the cryptographic engine and the a memory. The memory stores instructions that when executed by the processor, cause the processor to convert an input encryption key including parity bits to an output encryption key that does not include parity bits by performing the tasks of (a) setting a parity bit of each portion of a plurality of portions of the input encryption key to zero to obtain a zeroed value; (b) shifting the bits in the zeroed value a certain number of bits based on the position of each portion in the input encryption key; and (c) integrating the shifted bits into a memory location that stores the output encryption key.
A third aspect of the present invention is directed to a computer-readable medium encoded with a plurality of processor-executable instruction sequences. The instruction sequences successively retrieve a portion of an input stream of a plurality of portions of the input stream, each portion including at least seven bits plus an additional parity bit. For each successively retrieved portion of the input stream, at least the following acts are performed: (a) setting the additional bit of each said retrieved portion of the input stream to zero to obtain a zeroed value; (b) shifting the bits in the zeroed value a certain number of bits based on the position of the retrieved portion in the input stream; and (c) integrating the shifted bits into an output location.