method and apparatus for the secure transfer of objects between


Upload: dinhcong

Post on 18-Jan-2017


TRANSCRIPT

Page 1: Method and apparatus for the secure transfer of objects between

United States Patent [19]
Smith, Sr. et al.

US006144744A

[11] Patent Number: 6,144,744
[45] Date of Patent: *Nov. 7, 2000

[54] METHOD AND APPARATUS FOR THE SECURE TRANSFER OF OBJECTS BETWEEN CRYPTOGRAPHIC PROCESSORS

[75] Inventors: Ronald M. Smith, Sr., Wappingers Falls; Edward J. D'Avignon, Kingston, both of NY; Robert S. DeBellis, Raleigh, NC; Phil Chi-Chung Yeh, Poughkeepsie, NY.

[73] Assignee: International Business Machines Corporation, Armonk, NY.

[*] Notice: This patent issued on a continued prosecution application filed under 37 CFR 1.53(d), and is subject to the twenty year patent term provisions of 35 U.S.C. 154(a)(2).

[21] Appl. No.: 08/885,612

[22] Filed: Jun. 30, 1997

[51] Int. Cl.7: H04K 9/00

[52] U.S. Cl.: 380/45; 380/47; 380/257; 705/53; 705/54

[58] Field of Search: 380/21, 45, 47; 380/257; 395/186; 705/53, 54; 413/150, 153

[56] References Cited

U.S. PATENT DOCUMENTS

4,405,829  9/1983  Rivest et al.
4,755,940  7/1988  Brachtl et al.
5,313,521  5/1994  Torii et al.  380/21
5,572,590  11/1996  Chess
5,796,830  8/1998  Johnson et al.  380/21
5,850,444  12/1998  Rune  380/21

OTHER PUBLICATIONS

"Applied Cryptography" Second Edition, Protocols, Algorithms and Source Code in C, by B. Schneier, 1996, pp. 466-471.

"Efficient Methods for Two Party Entity Authentication and Key Exchange in a High Speed Environment" by E. Basturk et al., IBM Technical Disclosure Bulletin, vol. 38, No. 03, Mar. 1995.

"Message Replay Prevention Using a Previously Transmitted Random Number To Sequence The Messages" by W. C. Martin, IBM Technical Disclosure Bulletin, vol. 27, No. 3, Aug. 1984.

"Personal Verification and Message Authentication Using Personal Keys" by R. E. Lennon et al., IBM Technical Disclosure Bulletin, vol. 24, No. 12, May 1982.

"SNA Bind Security Enhancement" by R. E. Lennon et al., IBM Technical Disclosure Bulletin, vol. 26, No. 10A, Mar. 1984.

"Transaction Incrementing Message Authentication Key" by W. D. Hopkins, IBM Technical Disclosure Bulletin, vol. 26, No. 1, Jun. 1983.

Primary Examiner: Thomas R. Peeso
Assistant Examiner: Todd Jack
Attorney, Agent, or Firm: William A. Kinnaman, Jr.

[57] ABSTRACT

Objects such as master keys or object protection keys that are kept in a protected environment of a crypto module are securely transferred between modules by means of transport keys. The transport keys are generated by public key procedures and are inaccessible outside the modules. Master keys are encrypted under the transport key within the protected environment of the source module, transmitted in encrypted form to the target module, and decrypted with the transport key within the protected environment of the target module. Object protection keys that are encrypted under a first master key kept in the protected environment of the source module are decrypted with the first master within the protected environment of the source module before being encrypted under the transport key. The object protection keys are encrypted under a second master key within the protected environment of the target module after being decrypted with the transport key. The procedure is secure since the transport key, the master keys and the object protection keys are never made available outside the protected environments of the crypto modules.

26 Claims, 24 Drawing Sheets

[Front-page figure: block diagram of crypto module 100. Legible labels: authorities, work station, security officer, pseudo random number generator, signature requirement array (SRA), authorization registers, digital signature verifier, signed reply, unsigned request, unsigned reply, command.]

U.S. Patent  Nov. 7, 2000  Sheet 2 of 24  6,144,744

[Drawing sheet 2: two message-layout diagrams, 64 bits per row.
Query message: 8-byte header (fields 211-217); query ID (QID) (16 bytes); ends at byte 24.
Reply to query: 8-byte header (fields 311-316); crypto module ID (CMID) (16 bytes) at byte 8; crypto module signature SN (16 bytes) at byte 24; original query message (24 bytes) at byte 40; reply to query at byte 64; hash signature (128 bytes) at byte 208; ends at byte 336. A bracket marks the signed portion.]

U.S. Patent  Nov. 7, 2000  Sheet 3 of 24  6,144,744

[Drawing sheet 3: request message layout, 64 bits per row. 8-byte header 410 (fields 411-416); crypto module ID (CMID) (16 bytes) 420 at byte 8; transaction serial no. (TSN) (16 bytes) 430 at byte 24; command data 440 at byte 40; hash signature (128 bytes) 118 at byte m; ends at byte m + 128.]

U.S. Patent  Nov. 7, 2000  Sheet 4 of 24  6,144,744

[Drawing sheet 4, first diagram: layout with ASM 502, ACM 504, DXM 506 and DCM 508 at bits 0, 16, 32 and 48 of byte 0, followed by the signature-requirement array (SRA) (80 bytes) at byte 8; ends at byte 88.]

FIG. 6: signature-requirement array (SRA) 156, entries 602

Byte  Entry
0     Entry 0, for Load Authorization Public Modulus (LAP)
8     Entry 1, for Load PKSC Control Block (LCB)
16    Entry 2, for Zeroize Domain (ZD)
24    Entry 3, for Load Environment-Control Mask (LEC)
32    Entry 4, for Extract and Encrypt Master Key (XEM)
40    Entry 5, for Load Key Part (LKP)
48    Entry 6, for Extract and Encrypt SMK or RMK (XES or XER)
56    Entry 7, for Load and Combine SMK or RMK (LCS or LCR)
64    Entry 8, for Reencipher to SMK or RMK (RTS or RTR)
72    Entry 9, for Reencipher from SMK or RMK (RFS or RFR)

[Drawing sheet 4, last diagram: SRA entry 704 with fields C1, C2, C3, MASK 1, MASK 2, MASK 3.]

U.S. Patent  Nov. 7, 2000  Sheet 5 of 24  6,144,744

[FIG. 8: register layout 150, 64 bits per row. SSM 802 and CSA (4 bytes) 804 at byte 0; PCID (16 bytes) 806 at byte 8; CSB (128 bytes) 808 at byte 24; ends at byte 152.]

[FIG. 9: request message 116 layout, 64 bits per row. 8-byte header 410 (fields 411-417, command code '30'); crypto module ID (CMID) (16 bytes) 420 at byte 8; transaction SN (TSN) (16 bytes) at byte 24; pending command ID (PCID) (16 bytes) 440 at byte 40; hash signature (128 bytes) 118 at byte 56; ends at byte 184.]

U.S. Patent  Nov. 7, 2000  Sheet 6 of 24  6,144,744

[Drawing sheet 6: flowchart 1000, ORIGINAL COMMAND.
1002  Clear signature summary mask (SSM)
1004  Signature verification bit set?
1006  Set SSM bit of original signing authority
1008  Examine SRA entry for original command to determine if signature requirements are satisfied
1010  Satisfied?
1012  Execute command
1014  Reply to requestor]

U.S. Patent  Nov. 7, 2000  Sheet 7 of 24  6,144,744

[FIG. 11: flowchart, COSIGN COMMAND.
1102  Compare CSB.F1 field of request message with PCID in PCR
1104  Decision (NO / YES)
1106  Set SSM bit of cosigning authority
1108  Examine SRA entry for original command to determine if signature requirements are satisfied
      Execute command
      Reply to requestor]

U.S. Patent  Nov. 7, 2000  Sheet 8 of 24  6,144,744

[Drawing sheet 8, first diagram: query message 114 layout. 8-byte header 210 (fields 211-217); query ID (QID) (16 bytes) at byte 8; ends at byte 24.]

[FIG. 13: reply message layout, 64 bits per row. 8-byte header (fields 311-316); crypto module ID (CMID) (16 bytes) at byte 8; crypto module signature SN (16 bytes) at byte 24; original query message (24 bytes) at byte 40; crypto configuration control (CCC) (16 bytes) at byte 64; crypto module public modulus (CMPM) (128 bytes) at byte 80; hash signature (128 bytes) 126 at byte 208; ends at byte 336.]

U.S. Patent  Nov. 7, 2000  Sheet 9 of 24  6,144,744

[FIG. 14: query message 114 layout. 8-byte header 210 (fields 211-217); query ID (QID) (16 bytes) at byte 8; ends at byte 24.]

[FIG. 15: reply message layout, 64 bits per row. 8-byte header (fields 311-316); crypto module ID (CMID) (16 bytes) at byte 8; crypto module signature SN (16 bytes) at byte 24; original query message (24 bytes) at byte 40; authorization public modulus (APM) (128 bytes) at byte 64; transaction SN (TSN) (16 bytes) at byte 192; hash signature (128 bytes) 126 at byte 208; ends at byte 336.]

U.S. Patent  Nov. 7, 2000  Sheet 11 of 24  6,144,744

[FIG. 17: flowchart 1700, MASTER KEY TRANSFER.
1702  Establish transport key
1704  Extract key part from first crypto module using Extract and Encrypt Master Key (XEM) command
1706  Load key part into second crypto module using Load Key Part (LKP) command]

[FIG. 18: data-flow diagram, Extract and Encrypt Master Key (XEM). Legible labels: source key, BTK, etk2, hash, HP.]

[FIG. 19: data-flow diagram, Load Key Part (LKP). Legible labels: CSB.F2, kpt='CLEAR', kpt='ENCRYPTED', BTK, input key part.]

U.S. Patent  Nov. 7, 2000  Sheet 12 of 24  6,144,744

[Drawing sheet 12: request message layout, 64 bits per row. 8-byte header (command code '74', fields sx, dx, mkr); crypto module ID (CMID) (16 bytes) at byte 8; transaction SN (TSN) (16 bytes) at byte 24; CSB.F1, hp of basic transport key hp(BTK) (16 bytes) at byte 40; hash signature (128 bytes) at byte 56; ends at byte 184.

mkr  Key to be extracted
1    Master key
2    Aux master key]

U.S. Patent  Nov. 7, 2000  Sheet 13 of 24  6,144,744

[Drawing sheet 13: request message layout, 64 bits per row. 8-byte header (command code '75', fields sx, dx, kpt); crypto module ID (CMID) (16 bytes) at byte 8; transaction SN (TSN) (16 bytes) at byte 24; CSB.F1, hp of basic transport key hp(BTK) (16 bytes) at byte 40; CSB.F2, clear/encrypted key part KP / etk2(KP) (16 bytes) at byte 56; hash signature (128 bytes) at byte 72; ends at byte 200.]

U.S. Patent  Nov. 7, 2000  Sheet 14 of 24  6,144,744

[FIG. 25: structure 2500 with four parts.
2502  Authentication parameter (AP)
2504  Encrypted OPK
2506  Public portion
2508  Private portion]

U.S. Patent  Nov. 7, 2000  Sheet 15 of 24  6,144,744

[FIG. 26: flowchart 2600, ENCAPSULATED OBJECT TRANSFER.
2602  Establish PKA transport key PKT
2604  Decrypt encrypted OPK using source PMK
2606  Reencrypt OPK under transport key PKT
      (steps 2604-2606: RFR or RFS)
2608  Transmit reencrypted OPK to target module
2610  Decrypt OPK using transport key PTK
2612  Encrypt OPK under target PMK
      (steps 2610-2612: RTR or RTS)]
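The encapsulated object transfer of FIG. 26, which is also the object-protection-key path described in the abstract, as an added example that is not code from the patent: two modelled crypto modules re-wrap an OPK from the source master key to the transport key and then to the target master key, so the host relays ciphertext only. The `CryptoModule` class, all function names and the HMAC-SHA256 stand-in cipher are assumptions; the transport key is injected at construction rather than established by the public-key procedure.

```python
import hashlib, hmac, os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(_prf(key, b"enc" + nonce + bytes([i]))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in authenticated wrap (HMAC-SHA256 keystream plus tag); not the patent's cipher."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(key, nonce, data)
    return body + _prf(key, b"mac" + body)

def unwrap(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + body)):
        raise ValueError("integrity check failed: wrong key or altered blob")
    return _xor_stream(key, body[:16], body[16:])

class CryptoModule:
    """Models the protected environment: key material exists only in private fields."""
    def __init__(self, ptk: bytes):
        self.__pmk = os.urandom(32)  # master key, generated inside, never exported
        self.__ptk = ptk             # ASSUMPTION: transport key already established

    def new_opk(self) -> bytes:
        return wrap(self.__pmk, os.urandom(32))  # OPK leaves only under the PMK

    def reencipher_from_master(self, token: bytes) -> bytes:     # steps 2604-2606
        return wrap(self.__ptk, unwrap(self.__pmk, token))

    def reencipher_to_master(self, in_transit: bytes) -> bytes:  # steps 2610-2612
        return wrap(self.__pmk, unwrap(self.__ptk, in_transit))

    def seal(self, token: bytes, obj: bytes) -> bytes:
        return wrap(unwrap(self.__pmk, token), obj)

    def open(self, token: bytes, sealed: bytes) -> bytes:
        return unwrap(unwrap(self.__pmk, token), sealed)

def transfer_opk(source: CryptoModule, target: CryptoModule, token: bytes):
    """Host-side view: the host handles only the re-wrapped ciphertext (step 2608)."""
    in_transit = source.reencipher_from_master(token)
    return in_transit, target.reencipher_to_master(in_transit)

def demo() -> bytes:
    ptk = os.urandom(32)  # constructed stand-in for the key from the public-key procedure
    src, dst = CryptoModule(ptk), CryptoModule(ptk)
    token = src.new_opk()
    sealed = src.seal(token, b"constructed sample object")
    _, dst_token = transfer_opk(src, dst, token)
    return dst.open(dst_token, sealed)  # target opens the object with the moved OPK
```

A token still wrapped under the source master key, or an in-transit blob altered on the host, is rejected by the target with `ValueError` instead of yielding a wrong key.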

U.S. Patent  Nov. 7, 2000  Sheet 16 of 24  6,144,744

[Drawing sheet 16: two data-flow diagrams. Legible labels in the first: CSB.F2, input key, hash, PTK, etk5, hash pattern (HP), EPX, PX, HP. Legible labels in the second: CSB.F2, PTK, input key, hash, hash pattern (HP), EPX, PX, HP.]

U.S. Patent  Nov. 7, 2000  Sheet 17 of 24  6,144,744

[FIG. 29: request message layout, 64 bits per row. 8-byte header ('00' '03' '00E8' '79', fields sx, dx, pmr); crypto module ID (CMID) (16 bytes) at byte 8; transaction SN (TSN) (16 bytes) at byte 24; CSB.F1, hp of PKA transport key hp(PTK) (16 bytes) at byte 40; CSB.F2, encrypted object prot. key e3*PMK(OPK) (48 bytes) at byte 56; hash signature (128 bytes) at byte 104; ends at byte 232.]

[FIG. 30: request message layout, 64 bits per row. 8-byte header ('00' '03' '00E8' '78', fields sx, dx, pmr); crypto module ID (CMID) (16 bytes) at byte 8; transaction SN (TSN) (16 bytes) at byte 24; CSB.F1, hp of PKA transport key hp(PTK) (16 bytes) at byte 40; CSB.F2, encrypted object prot. key etk5(OPK) (48 bytes) at byte 56; hash signature (128 bytes) at byte 104; ends at byte 232.]
