1. Field of the Invention
The present invention relates to an encryption-decryption processor, particularly to a DES cipher processor (DCP) for executing 16 rounds of data encryption standard (DES) operations in four encryption modes and four decryption modes, namely: Electronic Code Book (ECB) mode, Cipher BlockChaining (CBC) mode, Cipher Feedback (CFB) mode and Output Feedback (OFB) mode for both encryption and decryption. DES stands for Data Encryption Standard, an encryption and decryption standard adopted by the United States Government Details concerning DES can be found in FIPS (Federal Information Processing) Publication 46-2 and 74 published by the National Institute of Standards and Technology.
2. Description of the Related Art
When encrypted communication is undertaken using high speed communication equipment, such as full duplex E1, T1, and V.35 services, among others, two DCPs will be needed in an encryption-decryption module: one DCP for encryption, and another for decryption.
A DCP is composed of a data I/O unit, an IV/key storage unit, a control unit, and an algorithm unit. The algorithm unit is used to encrypt/decrypt the incoming text message. FIG. 1 (Prior Art) is a block diagram illustrating the algorithm unit of a conventional DES cipher processor. The crypto engine 2 receives a modified input IN1 from the mode selection sub-unit 1 and encrypts it according to subkeys provided by the key generation sub-unit 3 to obtain an encrypted text OUT1. The mode selection sub-unit 1 processes an input IN to be encrypted, an initial vector for encryption IVE corresponding to a selected encryption mode, such as CBC mode, and the encrypted text OUT1 of the crypto engine 2 to obtain the modified input IN1 or the encrypted text OUT2. The multiplexor 4 then selects OUT1 or OUT2 as an encrypted output OUT of the algorithm unit according to the selected encryption mode. In this case, only one buffer (not shown) is needed in the crypto engine 2 to store intermediate encrypted texts during the sixteen rounds of DES operations. The results of the sixteenth round of DES operation is therefore also be stored in this buffer.
FIGS. 2A and 2B (Prior Art) illustrate the data path of a single-port simplex encryption processor and a dual port simplex encryption processor, respectively. The input and the output of the single-port encryption processor are delivered through the same data port, that is, the data to be encrypted/decrypted are inputted to the DES cipher processor DCP1 through data port Port1, and the encrypted outcome thus obtained is outputted from the same data port Port1. The input and the output of the dual-port simplex encryption processor DES cipher processor DCP2 are delivered through different data ports, that is, the data to be encrypted/decrypted are inputted to the DES cipher processor DCP2 through data port Port1, and the encrypted/decrypted outcome thus obtained is outputted from another data port Port2, and vice versa.
A decryption processor for executing sixteen rounds of DES operations has a structure similar to the encryption processor described above. The initial vector for encryption IVE is replaced by the initial vector for decryption IVD and the key generation sub-unit 3 rearranges the subkeys to allow the original crypto engine to perform decryption. The IVE and IVD are used for the CBC mode, CFB mode, and OFB mode only and are only employed at the beginning of the processing of the text message.
A DCP that dissects a text message into various blocks, each of which is encrypted or decrypted according to prescribed sequence, can perform a decryption operation only after the whole previous plain text message is completely encrypted, or can perform an encryption operation only after the whole previous cipher text message is decrypted. For the CBC mode, CFB mode, or OFB mode, the values of the sixteen-round DES encryption operation, stored in the sole data buffer, have to be fed back to the mode selection sub-unit to interact with the next incoming block of plain text message, namely, the values of sixteen-round DES encryption operation cannot be used to interact the next block of incoming ciphered text message and vice versa. Also, the algorithm unit has a long wait between the operation of two blocks of text message since I/O port is the bottleneck of the throughput. Therefore, the idle time for the algorithm unit can be much longer than the time required for the actual encryption or decryption operation.
Consequently, an encryption-decryption module for full duplex operation needs either two DCPs or two crypto engines, one for encryption and the other for decryption. This results in an increase in cost and required space. Alternatively, the mode selection sub-unit 1 and the key generation sub-unit (as shown in FIG. 1) are modified to enable the crypto engine 2 to perform DES in four encryption modes and four decryption modes.