It is becoming relatively common to exchange electronically stored documents between parties to a transaction, for instance via a widely distributed information network such as the Internet of the World Wide Web (WWW). A common problem with the Internet is a lack of secure communication channels. Thus, in order for hospitals, governments, banks, stockbrokers, and credit card companies to make use of the Internet, privacy and security must be ensured. One approach to solving the aforementioned problem uses data encryption prior to transmission. In a prior art system a host computer system is provided with an encryption unit, for example an encryption processor that is in electrical communication with at least a memory circuit for storing at least a private encryption key. When information is to be transmitted from the host computer system to a recipient via the Internet and is of a confidential nature, the information is first passed to the encryption processor for encryption using the stored private key. Typically, a same private key is used every time a data encryption operation is performed. Alternatively, an encryption key is selected from a finite set of private encryption keys that is stored in the at least a memory circuit in electrical communication with the encryption processor.
Of course, a data encryption operation that is performed by an encryption processor is a mathematical algorithm in which an input data value is the only variable value. It is, therefore, possible to optimize the encryption processor to perform a desired encryption function using a least amount of processor resources. Additionally, in the prior art encryption units the optimized encryption processor is typically separate from the microprocessor of the host computer system, because it is best optimized in this way. In use, the microprocessor polls the encryption processor to determine a status of the encryption processor before sending data for encryption. If the encryption processor returns a signal that is indicative of an “available” status, then the microprocessor writes data, for instance a hashed version of a document, into an area of the memory circuit in electrical communication with the encryption processor, for instance a memory buffer. The memory buffer is dual ported such that each one of the encryption processor and the microprocessor has the ability to read data from the buffer and to write data to the buffer. The encryption processor reads the data from the buffer, encrypts the data using a private key, and writes the processed data back into the buffer. Of course, the encryption processor must send a signal to the microprocessor to indicate that the data has been processed and is available within the buffer. Alternatively, the microprocessor polls the encryption processor to determine when the provided data has been processed and written into the buffer. Unfortunately, the microprocessor is unable to provide additional data for processing by the encryption processor until the processed data previously provided to the encryption processor has been safely read out of the buffer.
It will be obvious to one of skill in the art that the system described above is not even efficient for a system comprising a single host computer and a single encryption processor, the encryption processor being dedicated to the host computer. In fact, a single encryption processor typically supports a plurality of host computers, wherein the plurality of host computers and the encryption processor are in electrical communication, for instance via a local area network (LAN). The encryption unit provides encryption functions for every computer connected via the LAN, but not at a same time. When a microprocessor has data for encryption by the encryption processor, the microprocessor must wait until the encryption processor is available, and until all of the data that the encryption processor has previously processed has been read out of the buffer safely.
When the encryption processor indicates an “available” status, the microprocessor authenticates itself to the encryption processor and establishes a protocol for the data exchange. The encryption processor becomes dedicated to the authenticated microprocessor until such time that the data provided by the authenticated microprocessor is processed and safely read out of the buffer by the authenticated microprocessor. It is a disadvantage of the prior art system that each microprocessor of the plurality of computers must poll the encryption processor via the LAN prior to sending data thereto, in order to determine one of an “available” status and a “not-available” status of the encryption processor. Optionally, when the encryption processor is in an available state for receiving data, the encryption processor broadcasts a signal that is indicative of this available status to each microprocessor of the plurality of computers that are connected via the LAN. It is, therefore, a further disadvantage of the prior art system that the network messages exchanged between each of the plurality of host computers and the encryption processor contribute to the total volume of network data traffic. For example, if the encryption processor signs 60 documents per second, and there are 20 computers connected via the LAN, then there are approximately 1200 network messages every second to indicate that the encryption processor is available.
Prior art systems including a shared encryption processor are also known in which the encryption processor is in electrical communication with a dual ported buffer. The encryption processor and each microprocessor of the plurality of computers connected via the LAN are able to write data to and read data from the buffer. In use, a microprocessor establishes communication with the encryption processor, determines a protocol for the data exchange, and signals to the encryption processor that it is the next microprocessor for which dedicated encryption functions are requested. The microprocessor writes data for processing by the encryption processor into the buffer. When the encryption processor is available, it sends a signal to the microprocessor, which then returns a signal to the encryption processor indicating that the data in the buffer is ready for processing. Alternatively, the microprocessor polls the encryption processor to determine the ready state thereof. When the encryption processor finishes processing the data, it sends the data back to the buffer for retrieval by the microprocessor. Advantageously, the prior art system having a large enough buffer reduces delays associated with reading data into and out of the buffer. Unfortunately, the time that is required to exchange the network messages between the plurality of computers and the encryption processor to determine the status of the encryption processor is wasted time, in terms of the actual processing overhead of the encryption processor. For example, exchanging messages requires two or three processing cycles, during which time the encryption processor is not performing encryption functions. When doing 40-bit encryption, for example, which requires on the order of forty processing cycles, an approximately five percent processing bandwidth loss is incurred. Even when 128-bit encryption is performed, requiring 128 processing cycles, there is an approximately one to two percent processing loss. Since the encryption processor is typically a most expensive part of a computer network, it is highly undesirable to incur any unnecessary loss of processor bandwidth.
It would be advantageous to provide a system and a method for allocating with improved efficiency the processing resources of an encryption processor that is in communication with a plurality of computers via a LAN. Most preferably, it would be advantageous to provide a system and a method that allows the encryption processor to identify a memory storage location, in which data that are ready to be processed are stored, approximately immediately before the completion of a current processing operation. Advantageously, such a system and method allows the encryption processor to begin a next processing operation as soon as the current processing operation is completed.