The U.S. government has developed and published an encryption scheme known as the Data Encryption Algorithm (DEA) that cannot be broken by the most powerful high-speed computer, or at least not in a time frame that would be acceptable. Integrated circuits designed specifically for encryption and decryption of data in accordance with the DEA are readily available from several vendors, such as Western Digital™, and are widely used by industry. This algorithm, like most encryption schemes, uses an encryption key to encrypt data for transmission to a remote site. At the receiving site, the encrypted data are decoded using the same algorithm and the same encryption key used by the transmitting site. Successful use of the DEA, and almost any other encryption/decryption algorithm commonly employed to provide secure communications, requires that the station receiving the encrypted transmission have the necessary encryption key to decode an encrypted signal, but that no unauthorized party know or have access to that encryption key.
For most prior art encryption/decryption systems, extensive security measures are required for managing and periodically changing the encryption keys that are used at different sites. Any third party who gains access to the encryption key being used to encrypt data can tap into a non-secure line over which encrypted messages are transmitted and then use the key to decrypt messages that are intercepted. Even if knowledge of the encryption key used is limited to those operating the encryption/decryption equipment in a network, it is possible for others outside the organization to breach the security and learn the encryption key due to the failure of someone to follow security procedures that should be followed by those using the system.
Since any person with access to the encryption keys can breach the security of encrypted communications between members of a secure network, encryption keys are typically changed on a regular basis. Frequent changes in the encryption keys in use minimize the risk of disclosure by individuals that previously had access to the keys. However, any such change requires that the new encryption keys be distributed to all stations comprising the network. In many cases, the new encryption keys must be hand-carried to each station site by bonded couriers, any of whom might breach security. Even if a security breach does not occur, the cost of regularly distributing encryption keys to each station of a large network in this manner may be prohibitive.
For these reasons, it is preferable to use encryption keys at each station in a network that are not known to anyone, even those operating the encryption/decryption apparatus. Various techniques have been developed to access encryption keys stored in an electronic memory for this purpose. For example, a new encryption key can be selected for subsequent encryption of communications between stations based on the last encryption key that was used, by applying a secret formula to generate the new key. However, if the formula is discovered or otherwise becomes known by someone who is outside the organizational network, security of the encryption system is breached, since that person can generate the encryption keys that will subsequently be used, simply by applying the formula to any previously discovered key.
Clearly, it would be preferable to randomly generate the encryption key that is used to encrypt data transmitted to another station each time that communications are initiated between any two stations on a network. Yet, random generation of an encryption key at one station inherently renders the receiving station unable to decrypt the message, because it does not have the encryption key used.
A solution to this problem is disclosed in U.S. Pat. Nos. 5,237,611 and 5,222,136, both of which are commonly assigned to the same assignee as the present invention. The apparatus and method disclosed in these patents use an encryption/decryption unit (EDU) that includes a central processing unit (CPU) to control the operation of the EDU, and random access memory (RAM) in which tables of key exchange keys (KEKs) are stored. Also provided is a data encryption standard (DES) coprocessor that implements the DES algorithm. These components comprise a module that is embedded in potting material. Any attempt to remove the potting material, either mechanically or by using solvents, is likely to result in loss of the data and program code stored in the module. The CPU includes special circuitry enabling it to operate in an encrypted mode and to be locked so that it cannot be interrogated to discover the program or data stored in the module. This program enables the EDU to establish secure communications with another, similar EDU over a non-secure link. Each EDU involved in establishing a secure communication session randomly generates a portion of a session data encryption key (DEK) that is encoded by using a KEK from either a public or private table of KEKs stored in the embedded RAM. The two EDUs exchange the encrypted portions of the DEK, along with first and second check values, decrypt the portions by using the first and second check values to determine the KEK used by the EDU at the other site to encrypt the portion of the DEK received, and then logically combine the two portions of the DEK to determine the complete DEK that will be used to encrypt and decrypt data during the current communication session. Each EDU is identified by a stored ID assigned when manufactured that subsequently cannot be altered.
Use of a third EDU to bridge the link between two EDUs attempting to communicate securely is prevented because the ID of the third EDU does not match the expected ID of either of the other two. If the ID does not match the expected value, the embedded program in the EDU detecting the mismatch terminates the communications.
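The exchange described in the two preceding paragraphs, as an added simulation that is not code from the cited patents or from this application. Several details the text leaves open are assumptions made here for the sake of a runnable model: the KEK is chosen by a random index into a shared table, the check value is a short hash of the chosen KEK (enough for the peer to locate the same table entry), the two DEK portions are combined with XOR, and DES is replaced by a keyed SHA-256 keystream so the script runs with only the Python standard library. The class and function names (`EDU`, `run_exchange`, `bridged_exchange_rejected`) are likewise invented for this example.

```python
"""Toy model of the EDU session-key exchange (constructed example)."""
import hashlib
import hmac
import os

TABLE_SIZE = 16   # the page's tables hold over 64,000 KEKs; shrunk here
KEY_LEN = 8       # DES keys are 8 bytes; the stand-in cipher accepts any length


class SessionAborted(Exception):
    """Raised when the embedded program would terminate the session."""


def toy_encrypt(kek: bytes, data: bytes) -> bytes:
    """Stand-in for the DES coprocessor: XOR data with an HMAC-SHA256
    keystream derived from the KEK. Symmetric, so it also decrypts."""
    stream = hmac.new(kek, b"edu-toy-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream[: len(data)]))


def check_value(kek: bytes) -> bytes:
    """Assumed form of the check value: a 4-byte hash that identifies the
    table entry used without transmitting the KEK itself."""
    return hashlib.sha256(b"check" + kek).digest()[:4]


class EDU:
    def __init__(self, device_id: str, kek_table: list):
        self.device_id = device_id   # factory-assigned ID, never changed
        self.kek_table = kek_table   # table stored in the potted RAM
        self.my_half = None
        self.dek = None

    def start_session(self):
        """Generate this side's random DEK portion, encrypt it under a
        randomly selected KEK, and return (ID, check value, ciphertext)."""
        self.my_half = os.urandom(KEY_LEN)
        idx = int.from_bytes(os.urandom(2), "big") % TABLE_SIZE
        kek = self.kek_table[idx]
        return self.device_id, check_value(kek), toy_encrypt(kek, self.my_half)

    def receive(self, expected_id: str, msg) -> bytes:
        """Verify the peer ID, recover the peer's DEK portion via the check
        value, and combine both portions into the session DEK."""
        peer_id, chk, ciphertext = msg
        if peer_id != expected_id:
            raise SessionAborted("peer ID mismatch; communications terminated")
        for kek in self.kek_table:
            if check_value(kek) == chk:
                peer_half = toy_encrypt(kek, ciphertext)
                break
        else:
            raise SessionAborted("no stored KEK matches the check value")
        self.dek = bytes(a ^ b for a, b in zip(self.my_half, peer_half))
        return self.dek


def make_table() -> list:
    """Constructed shared KEK table (random, for the simulation only)."""
    return [os.urandom(KEY_LEN) for _ in range(TABLE_SIZE)]


def run_exchange():
    """Two legitimate EDUs derive the same DEK over the insecure link."""
    table = make_table()
    a, b = EDU("EDU-A", table), EDU("EDU-B", table)
    msg_a = a.start_session()
    msg_b = b.start_session()
    dek_a = a.receive("EDU-B", msg_b)
    dek_b = b.receive("EDU-A", msg_a)
    return dek_a, dek_b


def bridged_exchange_rejected() -> bool:
    """A third EDU inserted into the link is refused on ID mismatch,
    even though it holds the same KEK table."""
    table = make_table()
    a, c = EDU("EDU-A", table), EDU("EDU-C", table)
    a.start_session()
    try:
        a.receive("EDU-B", c.start_session())
    except SessionAborted:
        return True
    return False


if __name__ == "__main__":
    dek_a, dek_b = run_exchange()
    print("DEK agreed:", dek_a == dek_b, dek_a.hex())
    print("bridging EDU rejected:", bridged_exchange_rejected())
```

Note that in this model the check value is a fixed function of the stored KEK, so every session in which a given table entry is used reveals the same 4-byte fingerprint on the wire. That is exactly the weakness the next paragraph raises: values exchanged between stations that are derived from stored secrets give an observer something to correlate across many intercepted sessions.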
While the key management technique just described is generally superior to other prior art techniques, it is possible that a party intercepting communications between two EDUs might eventually be able to work backwards from the check values that are exchanged in a number of sessions to determine the KEKs stored in the RAM. Even though each public and private table of KEKs includes over 64,000 keys, the possibility that, with sufficient intercepted traffic, the stored table of keys might be discovered has justified developing a different and better approach. Clearly, the solution to this problem must avoid exchanging any value between stations that could serve as a basis for working toward discovery of information that might compromise secure communications. The previously developed approach provided access to only the public network and one private network of KEKs. A better key management technique would provide for selective access to many more private networks, without requiring a different table of KEKs to be stored in RAM for each different network.