1. Field of the Invention
This invention relates generally to encrypting devices and more particularly to a process and apparatus for the protection of secret elements in a network of encrypting devices with open key management.
2. Background Description
Communication networks, which are widely used at the present time, require comprehensive cryptological protection. This gives rise to certain problems relative to key management, which seldom arose in the case of conventional point-to-point connections for the following reasons:
1. the networks are dynamic, i.e. the number of users constantly varies: old participants leave and new ones are entering, furthermore, the volume of the connections required (or permitted) is also variable; and
2. the open nature of the networks requires special measures for the identification of the users, as everyone may have access to the network.
In recent years, different possibilities of key management were proposed for such a situation. Methods are known, based on conventional (symmetrical) block encrypting algorithms, but public key methods were also used. In the following discussion, mainly the situation of conventional algorithms is described, in particular relative to certain embodiments; however, most of the inventive concepts may be extended to the public key situation.
The fundamental concept of conventional key management processes is based on the so-called "master key" principle. This signifies that a certain hierarchy of keys is established, so that certain keys (the lowest hierarchy level) are used for the data coding itself. The keys of the higher levels (master key) are used for the encrypting of "key management reports". These reports serve the transmission of new keys of a lower level.
A corresponding method was standardized by ANSI (ANSI X9.17). There exists also a proposed standard of ISO (ISO DP 8732) for a practically identical system. Here, a distinction is made between "data encrypting keys" (KD-s) and "key encrypting keys" (KK-s). In a typical application, at the onset of every new session (data transmission), a random KD is transmitted with the bilateral KK in an encrypted form and subsequently used for encrypting.
As the encrypting algorithm, DES ("Data Encryption Standard" according to FIPS Pub. 46, National Bureau of Standards, Washington DC, Jan., 1977) is being proposed in the standards. However, the methods also work with any other block encryptors in the same manner.
As further security, the standard specifies the use of "counters". These are counters, which on the one hand count the number of applications of a KK and on the other, alter this KK prior to its use (key offsetting). The devices should be designed so that any decrementation of the counter would be impossible. Processes are further provided, whereby the counters of two system participants may be synchronized. This results in that old reports stored earlier cannot be decoded with stolen devices, as in their case a lower counter value was used and decrementation of the counter is not possible.
FIG. 1 of the drawing shows schematically the operations required for the construction of a session according to ANSI X9.17. Blocks designated E symbolize an encrypting operation. Initially, the randomly produced KD data key, for example by means of a random generator, encrypted by using the key coding key KK, is transmitted. For this purpose, KK is altered first, using the associated counter (offsetted). The result of this operation is designated KKo (offsetted KK) and the encrypted data key with E.sub.KKo [KD]. Subsequently, the data encrypted under KD are transmitted, the cipher being designated E.sub.KD (data). The receiver therefore first determines the KD by the inversion of the first operations and is then able to decipher the data.
In the design of a cryptological system, one of the principal problems is the question of what elements are to be protected against what type of access. If cost effective devices that are still secure are to be produced, on the one hand,.the area to be protected must be kept as small as possible. On the other hand, the concepts must be selected so that relatively simple protective measures will suffice. Accordingly, there is a need for a key management system such that cost effective protective measures for sensitive elements become possible. The system should preferably be capable also of making possible the simple identification of users, or the use of access controls and permit directly the provision of a "key gun" for the distribution of KKs of the highest security (or hierarchy) levels. Accordingly, a suitable alternative is provided including features more fully disclosed hereinafter.