Browse Prior Art Database

Method for Providing Cryptographic Separation between 64 and 128 Bit Cryptographic Keys

IP.com Disclosure Number: IPCOM000108944D
Original Publication Date: 1992-Jul-01
Included in the Prior Art Database: 2005-Mar-23
Document File: 3 page(s) / 138K

Publishing Venue

IBM

Related People

Abraham, D: AUTHOR [+6]

Abstract

This article describes a method for the management of 64-bit and 128-bit cryptographic keys implemented within the same cryptographic system, such that 64-bit key security does not weaken 128-bit key security. The method is based on a key form field stored within the control vector of each key. The encoded key form field permits the key management services and instructions to cryptographically distinguish the left and right 64-bit halves of 128-bit keys from a single 64-bit key. The controlling mechanism, in turn, eliminates the opportunity for an insider adversary to manipulate key parameters at the cryptographic instruction interface, thus nullifying attacks aimed at substituting a 64 bit key for either a left or right half of a 128-bit key.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 51% of the total text.

Method for Providing Cryptographic Separation between 64 and 128 Bit Cryptographic Keys

       This article describes a method for the management of
64-bit and 128-bit cryptographic keys implemented within the same
cryptographic system, such that 64-bit key security does not weaken
128-bit key security.  The method is based on a key form field stored
within the control vector of each key.  The encoded key form field
permits the key management services and instructions to
cryptographically distinguish the left and right 64-bit halves of
128-bit keys from a single 64-bit key.  The controlling mechanism, in
turn, eliminates the opportunity for an insider adversary to
manipulate key parameters at the cryptographic instruction interface,
thus nullifying attacks aimed at substituting a 64 bit key for either
a left or right half of a 128-bit key.

      Fig. 1 illustrates a cryptographic network consisting of a
first cryptographic system 100 connected to several other
cryptographic systems 200, 300, etc., via a cryptographic
distribution channel 1000.  Cryptographic system 100 consists of a
cryptographic facility 1 cap able of executing a set of cryptographic
instructions 2, a key storage 3, a cryptographic facility access
program (CFAP) 4, and using application programs 5.  A typical
request for cryptographic service is initiated by an application
program 5, via a function call to CFAP 4.  The request may consist of
one or more data and keys parameters, including those key identifiers
of keys to be accessed from key storage 3.  In turn, CFAP 4 processes
the service request by issuing one or more cryptographic instructions
to the cryptographic facility 1.  Each cryptographic instruction is
processed by the cryptographic instruction execution unit 2, which
computes and returns instruction outputs to CFAP.  In turn, CFAP may
store encrypted keys in key storage 3 or return one or more key and
data parameters to the requesting application 5 or both.

      Fig. 2 is a block diagram illustrating the Reencipher From
Master Key (RFMK) instruction, one of several cryptographic
instructions available in the crypto instruction execution unit at 2.
The RFMK instruction offers a mechanism for exporting operational
keys from one cryptographic system or node to another.  (An
operational key is an existing key-generated previously stored under
encipherment of a master key KM.)  To accomplish this, the RFMK
instruction reenciphers keys from encipherment under the master key
to encipherment under a key encrypting key KK shared by the sending
and receiving nodes.  The key KK can be either a 128-bit key or a
64-bit key, i.e., the RFMK instruction is defined to permit the
reencipherment of keys to either 64-bit or 128-bit key encrypting
keys.  Referring now to Fig. 2, the inte...