In a symmetric cryptosystem, data which needs protecting, called plaintext, is encrypted in one environment to produce ciphertext. The ciphertext is decrypted in another environment to recover the original plaintext. One common key value needs to be supplied to both the encrypting and decrypting processes. The ciphertext can be freely communicated in untrusted environments, since an eavesdropper cannot recover the plaintext because that eavesdropper does not know the key.
A symmetric cryptosystem or encryption algorithm comprises an encryption function and a decryption function. The encryption function operates on plaintext and generates ciphertext. The decryption function operates on ciphertext and generates plaintext. An additional input to both functions is a key which is a data value k bits in length. In a good symmetric encryption process, unless all bits of the key are correctly supplied to the decryption function, no information from the plaintext will be revealed by the decryption function. A well-known example of a symmetric encryption process is the Data Encryption Standard (DES) in which k=56. U.S. Pat. No. 3,962,539, issued Jun. 8, 1976 to Ehrsam et al., describes this symmetric cipher process. FIGS. 1 and 2 illustrate schematically DES encryption and decryption processes respectively.
In co-pending U.S. patent application Ser. No. 08/285,678 filed on Aug. 4, 1994 (Adams) and assigned to the assignee of the present invention, another symmetric encryption system is described.
Any symmetric encryption process can be attacked using an exhaustive key search. The attacking system, which does not initially know the correct key, systematically tries to decrypt a piece of ciphertext using all possible key values until it finds the key value which successfully decrypts. If, in a given encryption system, all key values are equally likely, the chance of an exhaustive key search attack succeeding in a given time depends upon the size of the key space, that is, the number of possible key values, or 2^k. Therefore, assuming all key values are equally likely, a symmetric encryption process with a given value of k will be stronger than another symmetric encryption process which has a smaller value of k.
Given a symmetric encryption process with a given value of k, it is possible to devise a weaker variant of that symmetric encryption process by always forcing j of the key bits (where j<k) to have a known value. The weaker algorithm has an effective strength the same as that of a symmetric encryption process with a key length of (k-j) bits in which all key values are equally likely.
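The effect of forcing j key bits, shown as an added example that is not part of the original text: a toy cipher (a SHA-256 keystream with k=16, both constructed for illustration and unrelated to DES) is searched exhaustively with and without j=6 forced bits. The trial counts show the key space shrinking from 2^k to 2^(k-j), which is why a design must count only its unknown key bits as strength.

```python
import hashlib

K_BITS = 16                      # toy key length k (constructed; DES uses k=56)
MSG = b"wire 500 to account 42"  # constructed sample plaintext (<= 32 bytes)


def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256(key) keystream.
    The same function encrypts and decrypts. Illustration only."""
    stream = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))


def weaken(key: int, j: int) -> int:
    """Force the top j of the k key bits to the known value 0."""
    return key & ((1 << (K_BITS - j)) - 1)


def exhaustive_search(ciphertext: bytes, known_prefix: bytes, j: int):
    """Try every key consistent with j forced-zero bits.
    Returns (key, trials); key is None if no candidate matches."""
    space = 1 << (K_BITS - j)    # 2^(k-j) candidates remain
    for trials, candidate in enumerate(range(space), start=1):
        if keystream_xor(candidate, ciphertext).startswith(known_prefix):
            return candidate, trials
    return None, space


def compare(secret: int, j: int) -> dict:
    """Search cost for the full-strength key versus the weakened variant."""
    weak = weaken(secret, j)
    _, full_trials = exhaustive_search(keystream_xor(secret, MSG), MSG[:8], 0)
    _, weak_trials = exhaustive_search(keystream_xor(weak, MSG), MSG[:8], j)
    return {
        "full_space": 1 << K_BITS, "full_trials": full_trials,
        "weak_space": 1 << (K_BITS - j), "weak_trials": weak_trials,
    }


if __name__ == "__main__":
    print(compare(0xBEEF, 6))
```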
Encryption frequently needs to be used in communication networks which span different geographical regions which can be considered to be trusted to different extents. For example, one region might be considered a high-trust environment because it is within a country in which there are no concerns about unlawful use of encryption because the laws of that country provide for law-enforcement access to encryption keys under appropriate circumstances. In comparison, another region might be considered a low-trust environment because there is a risk of encryption being used for purposes which may subvert law-enforcement or the protection of national security, and because appropriate legislative or administrative safeguards are not in place.
The usual (prior-art) approach to using encryption in such environments is to have both a strong and a weak encryption algorithm, to restrict products installed in the low-trust environment to products containing only the weak algorithm, but to allow products installed in the high-trust environment to implement both the strong and the weak algorithms. Therefore, information communicated only within the high-trust environment may be protected securely with the strong algorithm, whereas information which enters or leaves the low-trust environment can only be protected with the weak algorithm, allowing authorities to intercept the communications and recover the plaintext if necessary for law-enforcement or national security reasons.
However, the above approach has two major deficiencies. The first is that it unnecessarily exposes sensitive information which is sent from the high-trust environment to both the low-trust environment and the high-trust environment, as such information must be encrypted with the weak algorithm. The current invention overcomes this deficiency, while retaining the objective of preventing persons within the low-trust environment from using the encryption devices for purposes which may subvert law-enforcement or the protection of national security.
The second deficiency of the usual (prior-art) approach is that it requires an encryptor in the high-trust environment to know, at encryption time, whether the protected information is destined for systems in the high-trust or low-trust environment. This is not always feasible and, in any case, adds substantially to system complexity. The current invention allows the encrypting system to perform the same encryption process regardless of the information destination.