1. Field of the Invention
The present invention relates to the protection of memory contents by encryption in general and particularly to the generation of unit-individual keys for accessing the address by units of a memory.
2. Description of the Related Art
For a protection against unauthorized spying out of stored information, the memory contents of the memory are encrypted in different applications. In the field of cashless payments, for example, amounts of money stored on chip cards are stored in an encrypted way to protect them from unauthorized spying out, or from manipulations, such as unauthorized alterations of the amount.
An unauthorized person obtains the encrypted information stored in the memory, i.e. the plain text, for example, by statistical analysis of the cipher text stored on the memory. This statistical analysis comprises, for example, an analysis of the occurrence probability of certain cipher text data blocks or the same. In order to impede these statistical analyses, it is desirable that equal plain texts, which are in encrypted form at different memory positions of the memory, do not exist there in the form of identical cipher texts.
One possibility to ensure the encryption of plain texts at different memory positions in the different cipher texts, is to use the so-called cipher block chaining method for encryption, i.e. operating a block cipher in the CBC mode, as it is, for example, described in the handbook of Applied Cryptography , CRC Press, NY, 1997, p. 230. In the CBC mode, for encrypting a plain text data block, always the cipher text of the previous plain text data block is used, such as of the plain text data block with an address lower by 1 or higher by 1 in the memory. The CBC mode has the disadvantage that an individual isolated datum in the memory can only be encrypted when the whole chain of sequential data is decrypted. Thus, no direct access to data is possible within the CBC chain. Going through the cipher chain takes up valuable computing time and consumes an unnecessary amount of current, which is particularly a disadvantage in smartcards used in battery-operated devices, such as mobile phones, or in chip cards, where the customers of the chip card providers require transaction times at the terminals, which are as short as possible.
A further possibility to ensure that equal plain texts, which are at different memory positions, are encrypted into different cipher texts, is to generate address-dependent keys for encrypting the plain text. The usage of address-dependent keys uses the fact that a fixed memory space and thus a dedicated address is associated to a datum to be stored and to be encrypted, and that the encrypted stored datum is stored at exactly this dedicated address, and remains there, until it is readout again on the basis of this address. An individual key can be generated from an existing secret master key and the address information for a memory position or an individually addressable unit, respectively, with which then the respective datum can be encrypted in a write and decrypted in a read. The address-dependent generation has the disadvantage that the effort for the key generation is about as high as the effort for the encryption or decryption, respectively, itself, since a key generation has to be performed for every addressable memory space or every addressable memory word, respectively, which ensures that the mapping of the address to associated address-dependent keys is as obscure as possible for an unauthorized person. Thus, key generation on memory word granularity causes a high degree of performance reduction, which can for example, reduce the customer convenience with chip cards.
One possibility to compensate for the lack of security by omitting the address dependency during encryption of stored memory contents would be to increase the block sizes during encryption, since this increases the number of possible plain texts for a cipher text. However, this involves an increased effort on the part of the encryption and decryption hardware, which makes this option unbearable for a mass commodity like chip cards.
The present invention provides a method and an apparatus for generating individual keys allowing access to a memory based on these individual keys and to thereby reduce the overall effort for the access.
In accordance with a first aspect, the present invention provides an apparatus for generating an individual key for accessing a predetermined addressable unit of a memory divided into addressable units, wherein the addressable units are combined into pages in groups, wherein a unique address is associated with the predetermined addressable unit, which is made up of a page address indicating the page to which the addressable unit belongs, and a unit address identifying the addressable unit among the other addressable units belonging to the page, having: a means for calculating a page pre-key based on the page address; a means for determining the individual key based on the page pre-key and the unit address; and a means for storing the calculated page pre-key; and a means for checking whether during a next access to a further predetermined unit to which a further unique address is associated, an already calculated page pre-key exists in a temporary memory, which has been calculated based on a page address of a unique address, which is identical to the page address of the further unique address, and, if this is the case, transmitting the already calculated page pre-key to the means for determining by bypassing the means for calculating, and, if this is not the case, transmitting the page address of the further unique address to the means for calculating.
In accordance with a second aspect, the present invention provides a system for accessing a predetermined addressable unit of a memory divided into addressable units, wherein the addressable units are combined into pages in groups, wherein a unique address is associated with the predetermined addressable unit, which is made up of a page address indicating the page to which the addressable unit belongs, and a unit address identifying the addressable unit among the other addressable units belonging to the page. The system has the above-mentioned apparatus, and an apparatus for decrypting an encrypted memory content in the predetermined addressable unit based on the individual key.
In accordance with a third aspect, the present invention provides a system for accessing a predetermined addressable unit of a memory divided into addressable units, wherein the addressable units are combined into pages in groups, wherein a unique address is associated with the predetermined addressable unit, which is made up of a page address indicating the page to which the addressable unit belongs, and a unit address identifying the addressable unit among the other addressable units belonging to the page. The system has the above-mentioned apparatus, and an apparatus for encrypting data to be stored based on the individual key and writing the encrypted data to be written into the predetermined addressable unit.
In accordance with a fourth aspect, the present invention provides a method for generating an individual key for accessing a predetermined addressable unit of a memory divided into addressable units, wherein the addressable units are combined into pages in groups, wherein a unique address is associated with the predetermined addressable unit, which is made up of a page address indicating the page to which the addressable unit belongs, and a unit address identifying the addressable unit among the other addressable units belonging to the page. The method includes the steps of: calculating a page pre-key based on the page address in a means for calculating; determining the individual key based on the page pre-key and the unit address in a means for determining; temporarily storing the calculated page pre-key in a means for temporary storage; and checking whether during a next access to a further predetermined unit, to which a further unique address is associated, an already calculated page pre-key exists in a temporary memory, which has been calculated based on a page address of a unique address, which is identical to the page address of the further unique address; if an already calculated page pre-key exists, transmitting the already calculated page pre-key to the means for determining by bypassing the means for calculating; and if no already calculated page pre-key exists, transmitting the page address of the further unique address to the means for calculating.
In accordance with a fifth aspect, the present invention provides an apparatus for generating an individual key for accessing a predetermined addressable unit of a memory divided into addressable units, wherein the addressable units are combined into pages in groups, wherein a unique address is associated with the predetermined addressable unit, which is made up of a page address indicating the page to which the addressable units belongs, and a unit address identifying the addressable unit among the other addressable units belonging to the page. The apparatus includes: a calculator for calculating a page pre-key based on the page address; and a determiner for determining the individual key based on the page pre-key and the unit address. The determiner has a deriver for deriving several round keys from the page pre-key, and a definer for defining an order among the round keys to obtain a sequence of the round keys, wherein the sequence depends on the unique address and the order represents the individual key.
In accordance with a sixth aspect, the present invention provides a method for generating an individual key for accessing a predetermined addressable unit of a memory divided into addressable units, wherein the addressable units are combined into pages in groups, wherein a unique address is associated with the predetermined addressable unit, which is made up of a page address indicating the page to which the addressable units belongs, and a unit address identifying the addressable unit among the other addressable units belonging to the page. The method includes the steps of: calculating a page pre-key based on the page address in a means for calculating; and determining the individual key based on the page pre-key and the unit address in a means for determining. The step of determining the individual key has the following substeps: deriving several round keys from the page pre-key; and defining an order among the round keys to obtain a sequence of the round keys, wherein the sequence depends on the unique address and the order represents the individual key.
In accordance with a seventh aspect, the present invention provides a computer program with a program code for performing one of the above-mentioned methods when the computer program runs on a computer.
It is the knowledge of the present invention that the grouping of individually addressable units of a memory into groups or pages, respectively, which is already present in many systems, can be used to significantly decrease the complexity of the address-dependent key generation with only a slight reduction in security, if at first a page pre-key is calculated based on a page address and then the individual key is determined based on the page pre-key and the word address. Thereby, the address-dependent key generation can be divided into a cryptographically demanding and relatively expensive process, which, however, only has to be performed rarely, namely the page pre-key calculation, and into a fast, almost effortless step that has to be generated for every word or every individually addressable unit, respectively, namely the determination of the individual key based on the page pre-key and the word address. Thus, the page pre-key calculation process can be chosen such that the process has less chip area and/or more processing run time during implementation than the implementation of the determination of the individual key. Thereby, the access time to the memory can be reduced, since the page address is the same for all individually addressable units belonging to one page, and thus does have not to be calculated again each time. Rather, the page address can be latched in order to be available for those of the subsequent accesses to the memory, which relate to the addressable units in the respective memory page. Storing can, for example, be performed in a displacement memory, where a certain displacement mechanism is used to temporarily store in the same, for example, the page pre-keys for those pages or their included units to which access will be made again shortly with high probability. If this memory is present, the same can be integrated or combined, respectively, with a cache or data cache memory, respectively, which exists in a similar way to provide current data for a fast access, without requiring access to a slower background memory.
These and other objects and features of the present invention will become clear from the following description taken in conjunction with the accompanying drawings, in which:
a is a schematical block diagram for illustrating the structure and the mode of operation of the key generation means in the memory system of
b is a schematical representation of the structure of a page of words according to an embodiment of the present invention;
Before the present invention will be discussed below in more detail with reference to the based on embodiments, it should be noted that equal elements or similar elements in these figures are designated with equal or similar reference numbers, and that a repeated description of these elements is omitted.
The CPU 10 executes a program which can, for example, also be stored in the memory 12, in order to be protected from access by unauthorized persons. Some instructions in the program require that the CPU 10 loads memory contents into the memory 12 or reads them out, or writes or overwrites memory contents in the memory 12 by new information.
The access apparatus 14 is provided to ensure that the secret information in the memory 12 is always stored in encrypted form, and that, on the other hand, the encrypted memory contents of the memory 12 are decrypted again during load processes or during reading out the same, respectively.
The access apparatus 14 comprises an encryption/decryption means 16 as well as a key generation means 18. The encryption/decryption means 16 is provided to encrypt data from the CPU to be stored in the memory 12 prior to their storage, and to decrypt stored and encrypted data output by the memory 12 prior to their transmission to the CPU 10. For this purpose, the decryption/encryption means 16 uses a word-individual key, which it obtains from the key means 18.
Specifically, the CPU 10 is connected to both an address input of the memory 12 and an address input of the key generation means 18 via an address bus 20. The key generation means 18 outputs word-individual keys for the addresses on the address bus 20 at its output, wherein the output of the key generation means 18 is connected to a key input of the encryption/decryption means 16. The CPU 10 is connected to a data input/output of the memory 12 via a data bus 22. The decryption/encryption means 16 is connected into the data bus 22. Particularly, a data input of the encryption/decryption means 16 is connected to a data output of the CPU 10, and a further data input of the encryption/decryption means 16 is connected to a data output of the memory 12, while a data output of the encryption/decryption means 16 is connected to a data input of the memory 12 and a further data output of the encryption/decryption means 16 to a data input of the CPU 10. Thus, the encryption/decryption means 16 forms an interface between CPU 10 and memory 12 and ensures that the data exist on that part of the data bus 22 between CPU 10 and encryption/decryption means 16 only in decrypted form, i.e. in plain text, and in that part of the data bus 22 between the memory 12 and the encryption/decryption means 16 only in encrypted form, i.e. as cipher text.
Since the structure of the system of
The key generation means 18 also receives the address output by the CPU 10. As will be described below, the key generation means 18 determines a word-individual key from the address on the address bus 20, which is required by the encryption/decryption means 16 to decrypt the encrypted readout memory contents from the memory 12. Therefore, the key generation means 18 outputs the word-individual key to the encryption/decryption means 16. The same decrypts the memory content received from the memory 12 based on the word-individual key and outputs this memory content in plain text to the CPU 10, which processes the now decrypted memory content in plain text, depending on the instruction, such as loading the same into an internal register or the same.
In the case when the program to be executed indicates a write in the instruction line to be executed, the CPU 10 outputs the address on the address bus 20, which indicates the word wherein a date specified by the write instruction is to be stored. The datum to be stored is output by the CPU 10 on the data bus 22 to the encryption/decryption means 16. As before in the load process, the key generation means 18 generates a word-individual key from the address on the address bus 20 and outputs the same to the encryption/decryption means 16. The same uses the word-individual key for encryption of the datum to be stored and outputs the cipher text to the memory 12. The memory 12 stores the received cipher text at the location indicated by the address on the address bus 20 in the respective word.
In the above description, the mode of operation of the key generation means 18 has not been discussed in detail. As the embodiments for the key generation means 18 described below will show, the key generation means 18 is formed such that it is able to generate word-individual keys for encrypting memory contents or words, respectively, in the memory 12, but without performing a key generation process each time, which requires about the same effort. This is obtained by combining several words, which represent the smallest addressable data units of the memory 12, to one page, and that for one page only the page address, which specifies the page among the pages of the memory 12, is used in a complicated and expensive and thus secure way for generating a page pre-key, while for the words within the page, the word-individual keys are generated in a simple and less complicated way based on the page pre-key. If then, as frequently happens, the CPU 10 sequentially loads the words of a page, then it is only required to perform the expensive pre-key generation at the first word of this page, while for the other words of the page only the less expensive derivation of the word-individual keys based on this pre-key is required.
In order to illustrate the division of the memory 12 in pages and words in more detail, first, reference will be made to
In order to simplify the representation of the following description, it will be assumed below that the memory 12 comprises 220 words. Every word consists of 32=25 bits. Thus, according to this merely illustrative example, the memory size of the memory 12 is 225 bit=217×28 bit=128 kilobyte. The division into pages is exemplarily performed such that all words with addresses whose 16 most significant bits (MSB) are equal, belong to one page or are combined into one page, respectively. Thus, the word addresses of words in one page differ merely in the remaining four least significant bits (LSB) of the twenty bit word address. Thus, the memory 12 contains 216 pages.
In
This will be illustrated in
With reference to
The page change detection means 32 is provided to receive the page address part 30a of the unique address 30 on the address bus 20 and then check whether this concerns a page for which a page pre-key is already in the latch 38. If this is the case, the page change detection means 32 can access the latch 38 based on the page address stored therein, which then transmits the latched page pre-key for the page indicated by the page address to a page pre-key input of means 36.
If the page change detection means 32 determines that no page pre-key is present for the page indicated by the page address, the same transmits the page address to a page address input of the pre-key calculation means 34. The pre-key calculation means 34 calculates a page pre-key for this page from the page address and transmits the calculated page pre-key to the page pre-key input of the means 36. Further, it outputs the same by displacing an already stored page pre-key to the memory 38 for temporary storage.
The word address part 30b of the unique address 30 present on the address bus 20 is transmitted to a word address input of the means 36 for determining the individual key. The means 36 determines a word-individual key for the word to which the unique address 30 points, from the received word address or received offset value, respectively, and received page pre-key. The means 36 outputs this word-individual key at its output, which at the same time represents the output of the key generation means 18, which is connected to the key input of the encryption/decryption means 16, as shown in
Since the structure as well as the mode of operation of the individual components of the key generation means 18 has been described above, in the following, the mode of operation will be described. For that purpose, it is at first assumed that no page pre-key has been generated for any page 12a of memory 12, which means that none is stored in the memory 38.
When a unique address 30 is received, the page change detection means 32 first looks up in the memory 38 whether a page pre-key is present for the page address of the page included in the page address part 30a wherein the word is, to which the unique address 30 points, as indicated by an arrow 40. Looking up takes place by using the page address as index, wherein a table of page address/page pre-key pairs is provided in the memory 38. Thus, the memory 38 is a content addressable memory, which looks up for incoming page addresses whether it has a page address/page pre-key pair with this page address and outputs the respective key, if this is the case. According to the above assumption, this will not be the case. The memory 38 thus indicates the miss to the page change detection means 32, which again transmits the page address to the pre-key calculation means 34.
The pre-key calculation means 34 calculates a page pre-key based on the page address. According to the embodiment described in more detail with reference to
The word address part 30b of the unique address 30 present on the data bus containing the offset value and the page pre-key just calculated from the pre-key generation means 34 is used by the means 36 to calculate the word-individual key. As will be discussed below with reference to
The word-individual key as determined by means 36 is then transmitted to the encryption/decryption means 16.
In order to avoid that the complicated pre-key calculation has to be performed again for every unique address output on the address bus 20, the pre-key calculation means 34 stores the just calculated page pre-key in the latch 38 during every calculation. The latch 38 is, for example, managed according to the FIFO principle (FIFO=first in, first out), so that during storing a new page pre-key by the pre-key calculation means 34, the page pre-key that has been written in first is displaced or overwritten, respectively. Of course, other update or displacement principles can be used, such as the LRU (least recently used) principle, where that page pre-key, which the page change detection means 32 has not accessed for the longest time, is displaced, or the LFU (least frequently used) principle, where that page pre-key is displaced which has the lowest number of accesses from the page change detection means 32.
If a subsequent unique address 30, which will be output on the address bus 20, has a page address part 30a including a page address indicating a page for which a page pre-key is latched in the latch 38, the latch 38 indicates this by a hit signal to the page change detection means 32 in response to receiving the page address as index. Then, the page change detection means 32 does not transmit the page address to the page address input of the encryption calculation means 34, but by bypassing the latter, the page pre-key associated to the page address of interest and already calculated before, is output from the memory 38 to the page pre-key input of means 36. Due to bypassing the pre-key calculation means 34 in the case of a hit, in that case, no complicated and time consuming pre-key calculation has to be performed. Merely a look-up process in the latch 38 is required to determine the page pre-key for the new unique address 30 on the address bus 20. Here, in the meantime, one or several unique addresses 30 can have been output on the address bus 20 between the unique address 30, upon the output of which on the address bus 20 the page pre-key has actually been calculated by the pre-key calculation means 34 and inserted into the latch 38, and the unique address 30, upon which the page pre-key is retrieved from the latch 38. This means that no pre-key calculation has to be performed with an appropriate displacement strategy of the latch 38 adapted to the respective application of the system of
The latch 38 can be integrated in a cache memory (not shown in
With reference to
With reference to the following
According to the embodiment of
The page key is, for example, given as vector {overscore (K)}page=(k0k1k2 . . . k62k63), wherein ki, for i=0 . . . 63, is the bit value of the page pre-key at the bit position i, and the word address is given by the vector (w0 w1 w2 w3), wherein wj with j=0 . . . 3 is the bit of the word address at the bit position j. The bitwise XOR operation results of the XOR gate 60a-60i are then combined into a word-individual key with 64 bits such that the word-individual key to a vector {overscore (K)}Word results, with {overscore (K)}Word=(k0⊕w0, k1⊕w1, k2⊕w2, k3⊕w3, k4⊕w0, k5⊕w1, k6⊕w2, k7⊕w3, . . . , k60⊕w0, k61⊕w1, k62⊕w2, k63⊕w3), wherein ⊕ indicates an XOR operation.
According to the embodiment of
If the page pre-key is, for example, given by the vector {overscore (K)}page defined with regard to
According to the embodiment of
If the page pre-key is given, for example, by the vector {overscore (K)}page, defined with reference to
In other words, according to the embodiment of
With regard to the embodiments described above with regard to
The multiplexer 90 can, for example, be formed such that it maps the page pre-key {overscore (K)}page=(k0, k1, k2, . . . , k77, k78) in dependence on the word address W to the word-individual 64-bit key {overscore (K)}word=(k0, k1, . . . , k63), when W=0000b, to {overscore (K)}word=(k1, k2, . . . , k64) when W=0001b, to {overscore (K)}word=(k2, k3, . . . , k65) when W=0010b . . . and to {overscore (K)}word=(k15, k16, . . . , k78) when w 1111b.
Of course, different embodiments than the ones shown in
Since the above embodiments of
The decryption part of
Since the structure of the decryption part 16a has been described above, its mode of operation will be briefly described below. The encrypted 32-bit word read out from the memory 12 reaches the permutation means 106 across the data input 100. The same permutes the encrypted word with regard to the arrangement or bit position distribution, respectively, of its bits according to a permutation regulation P−1. Then, the S boxes 108 connected in parallel provide for a nonlinear mapping of the permuted 32-bit value to a permuted mapped 32-bit value. The same is XORed bit by bit in the XOR operation means 110 with a first round key, which the round key generation means 112 has generated from the word-individual key for the first round, whereby the round intermediate result with 32 bits is obtained. If more than one round is to be performed, the switch 114 passes this 32-bit word again to an input of the permutation means 106, whereby the permutation, the nonlinear mapping as well as the XOR operation are repeated, the latter, however, with a newly determined round key. After the last round, the switch 114 switches to the round termination switch output and outputs the round intermediate result as decrypted 32-bit word.
The decryption part of the encryption/decryption means 16 described with regard to
The encryption part 16b comprises a data input 120 for receiving an unencrypted word to be encrypted from the CPU 10 as well as a data output 122 for outputting an encrypted word for transmission to the memory 12. Further, the encryption part 16b comprises a key input 124 for receiving the word-individual key. Above that, the encryption part 16b comprises a permutation means 106 for permuting a 32-bit value at a permutation input according to permutation P, which is inverse to the permutation performed by the permutation means 106, to a permutation result at a permutation output, eight 4×4 S boxes S1-S8 128 connected in parallel, an XOR operation means 130, a round generation means 132 and a switch 134.
The XOR operation means 130 comprises two 32-bit data inputs, one of which is connected to the data input 120 and the other to a data output of the round key generation means 132. A 32-bit data output of the XOR operation means 130 is connected to the S boxes S1-S8 such that four different bits of the 32-bit data output of the XOR operation means 130 are applied to the 4-bit data inputs of the same. The S boxes S1-S8 map 4-bit values at their data inputs according to nonlinear mappings to four bit values at their data outputs, wherein the linear mappings are inverse to those associated to the S boxes of
The 4-bit values at the data outputs of the S boxes 128 are transmitted as 32-bit value to the permutation input of the permutation means 126. The permutation output of the permutation means 126 is connected to a switch input of the switch 134. A round continuation switch output of the switch 134 is connected to the first data input of the XOR operation means 130, while a round termination switch output of the switch 134 is connected to the data output 122. An input of the round key generation means 132 is connected to the key input 124.
Since the structure of the encryption part 16b has been described above, its mode of operation will be described below. The encryption part 16b is substantially structured inversely to the decryption part 16a. When an unencrypted word reaches the XOR operation means 130 at the data input 120, the XOR operation means 130 links this unencrypted word to the round key, which the round key generation means 132 generates from the word-individual key. This round key is that round key which the decryption part 16a will use in its last round to decrypt the encrypted word again. The safe XORed 32-bit value is mapped to a mapped 32-bit value by the S boxes 128. This operation will be reversed exactly by the S box mapping of the last round during decryption in the decryption part 16a. The mapped 32-bit value is permuted by the permutation means 126 according to the permutation regulation P to obtain the permuted 32-bit value representing the round intermediate result. This permutation of the first round during the encryption will be reversed during the decryption in the first round by the permutation P−1 in the decryption part 16a. As long as further rounds are desired, the switch 134 connects the switch input to the round continuation switch output, otherwise to the round termination switch output to output the 32-bit round intermediate result as the encrypted word to the memory 12 across the data output 122. The round keys, which the round key generation means 132 generates from the word-individual key, are different for the respective rounds and are exactly inversely associated to the rounds compared to the round keys which the round key generation means 112 generates for the decryption rounds. In that way, it is ensured that an encrypted word as generated by the encryption part 16b is decrypted again by the decryption part 16a to a decrypted word with the original value. The word-individual key applied to the key input signal 104 or 124, respectively, is the same during decryption and encryption, since both during load and store access the same unique address for the respective word is output at the address bus 20 (
With regard to
The above embodiments assumed that a 64-bit key is supplied as word-individual key to the encryption/decryption means, which then generates thereupon round keys according to the embodiments of
In other words, according to the embodiment of
Thus, the above-described embodiments for generating keys for the encryption of data to be stored and/or decryption of stored read data when accessing a memory provide an address-dependent area key generation. Instead of performing the area key generation for every word in the same complicated way, the process of the area key generation is divided into two sub processes, namely a relatively expensive and slow step and a simple and fast step, which is practically for free. Only the simplest step has to be performed for every single word, the expensive step, however, only once for several words simultaneously.
Here, holding on to the address-dependent area key generation is more than only useful: Nowadays, the word size in a microprocessor is only several bytes, for example 4 byte or 32 bit, respectively. However, a cryptographic 32-bit block cipher does not make any sense. The number 32 is small enough that an unauthorized person can collect the associated cipher text for all possible 232≈4.3 billion plain texts and list them in a type of coding dictionary. Cryptographical block ciphers only make sense for a block width of 64 bit, better for 128 bit. This problem cannot be solved by applying a CBC mode, as described in the introduction of the description, to a “32-bit block cipher”. However, the address-dependent area key generation solves this problem in a satisfactory way. Now, no coding dictionary of the above type can be obtained. Because the same 32-bit plain text word appearing at two different memory addresses is encrypted with different area keys.
Thereby, the associated cipher texts will also be different, even when the underlying plain text is the same.
The area key generation for accessing a memory with encrypted content according to the above embodiment was to generate a pre-key valid for the whole page from the secret master key and the page address. This is the expensive step that has be performed only once per page. Then, a word-individual key is derived from the pre-key and the word address in a simple way. The encryption of the word is now performed with the word-individual key.
The resulting advantages are the following: The calculation of the page key has to fulfill certain cryptographic criteria is correspondingly expensive. The page key is either calculated in an individual hardware unit or the encryption unit 16 is also used for calculating the page key. Since the calculation of the page key is required less frequently (only once per page), the hardware unit for the page key generation can be made smaller. In the other case, where the encryption hardware is also used for page key generation, the encryption rate increases due to the less frequent usage of the encryption hardware.
With reference to the above embodiments, it should be noted that, for example, the XOR gates can easily be replaced by NXOR gates. The above-described previous storage of a page pre-key with displacement strategy can also be replaced by a storage in a sufficiently large volatile memory without displacement strategy, so that the page pre-keys are automatically deleted when the power supply is missing. Further, prior to generating the page pre-key, the page address could also be subjected to other operations than the expansion in
Particularly, it should be noted that depending on the circumstances, the inventive scheme can also be implemented in software. The implementation can be made on a digital storage media, particularly a disc or CD with electronically readable control signals, which can cooperate with a programmable computer system such that the respective method is performed. Generally, thus, the invention consists also in a computer program product with a program code for performing the inventive method stored on a machine-readable carrier, when the computer program product runs on a computer. In other words, the invention can be realized as a computer program with a program code for performing the method when the computer program runs on a computer.
While this invention has been described in terms of several preferred embodiments, there are alterations, permutations, and equivalents, which fall within the scope of this invention. It should also be noted that there are many alternative ways of implementing the methods and compositions of the present invention. It is therefore intended that the following appended claims be interpreted as including all such alterations, permutations, and equivalents as fall within the true spirit and scope of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
103 45 454.3 | Sep 2003 | DE | national |
This application is a continuation of copending International Application No. PCT/EP2004/009054, filed Aug. 12, 2004, which designated the United States and was not published in English.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/EP04/09054 | Aug 2004 | US |
Child | 11396211 | Mar 2006 | US |