Browse Prior Art Database

Method for Associating Key Identifiers with Manually Entered Key Parts

IP.com Disclosure Number: IPCOM000104058D
Original Publication Date: 1993-Mar-01
Included in the Prior Art Database: 2005-Mar-18
Document File: 4 page(s) / 133K

Publishing Venue

IBM

Related People

Le, AV: AUTHOR [+2]

Abstract

This article describes a control vector based method.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 44% of the total text.

Method for Associating Key Identifiers with Manually Entered Key Parts

      This article describes a control vector based method for:

o   manually entering key parts into a cryptographic facility via a
    hand held key entry device attached to a secure front panel
    interface,

o   assigning a key identifier to each entered key via a key
    identifier field in the control vector of the key part,

o   encrypting key parts under a system master key (KM) so that they
    may be safely stored outside the cryptographic facility until the
    key parts necessary to form a key have been provided,

o   decrypting two or more encrypted key parts whose key identifiers
    are equal (i.e., match), combining them to form a key, and
    re-encrypting the so-formed key under a system master key.

      Since each key part has an assigned key ID, an insider
adversary cannot indiscriminately produce keys by mixing and matching
key parts.  Such manipulation of the cryptographic interfaces is
sometimes the basis for a cryptographic attack, therefore, should be
disallowed if only on general principles.  In effect, the method
assures that keys are formed only from prescribed key parts.
Likewise, associating a key ID with each key part permits the key
entry process to be more effectively monitored and controlled.

      Fig. 1 illustrates a cryptographic system consisting of a
cryptographic facility 1 containing a crypto instruction execution
unit 2 capable of executing a set of cryptographic instructions, a
key storage 3, and a utility program 4, called UTIL, that interfaces
directly to the cryptographic facility.  The cryptographic facility
has a master key register 7 for storage of a system master key (KM)
and a key part register 8 for storage of a key part.  It also has a
front panel interface 9 with an attached key entry device 10, which
allows key parts to be manually entered into the cryptographic
facility for storage in key part register 8.  The set of
cryptographic instructions 2 contains, among others, an Import Key
Part (IKP) instruction and a Combine Key Parts (CKP) instruction.

      Let K denote a cryptographic key formed from key parts KP1 and
KP2.  Actually, keys can be formed from any number of key parts,
although the process of key entry can be illustrated using only two
key parts.  It shall be assumed that K is formed as the Exclusive OR
product of KP1 and KP2, although other combining operations are
possible.  The order in  which key parts are entered is unimportant,
although the present example assumes that KP1 is entered first and
KP2 is entered second.  At step 1, the security officer enters KP1
via hand held key entry device 10 attached to front panel interface
9, which causes KP1 to be stored in key part register 8.  At step 2,
the security officer invokes a key installation utility (called
UTIL), optionally specifying a key identifier, say IDi, as a
parameter input.  A key labe...