CA1119268A - Cryptographic verification of operational keys used in communication networks - Google Patents

Abstract

CRYPTOGRAPHIC VERIFICATION OF OPERATIONAL KEYS USED IN
COMMUNICATION NETWORKS
ABSTRACT
In a data communication network providing communication security for communication session between a first station and a second station where each station has cryptographic apparatus provided with an operational key which should be common to both stations for cryptographic operation, an operational key verification arrangement is provided in which a first number provided at the first station is operated upon in accordance with the first station operational key to obtain cryptographic data for transmission to the second station, requiring the second station to perform an operation on the first station cryptographic data in accordance with the second station operational key to obtain cryptographic data for transmission back to the first station and performing an operation at the first station in accordance with the first number and the second station cryptographic data to verify that the second station is the source of second station cryptographic data only if the operational keys are identical.

Description

~i~9;26~3 1 CROSS REFERENCE TO RELATED APPLICATIONS:

2 This application is related to the following U.S.

3 patents and Canadian patent applications which are

4 concurrently filed herewith and assigned to the same assignee as the patent application:
6 1. "Cryptographic Communication and File Security Using 7 Terminals", Canadian Application No. 316,965, filed 8 November 28, 1978, by Ehrsam et al.
9 2. "Cryptographic Communication Security for Single Domain Networks", U.S. Patent No. 4,238,853, issued December 9, 11 1980, by Ehrsam et al.
12 3. "Cryptographic File Security for Single Domain Networks"
13 U.S. Patent No. 4,238,854, issued December 9, 1980, 14 by Ehrsam et al.
4. "Cryptographic Communication Security for Multiple Domain 16 Networks", U.S. Patent No. 4,227,253, issued October 7, 17 1980, by Ehrsam et al.
18 5. "Cryptographic File Security for Multiple Domain Networks"
19 U.S. Patent No. 4,203,166, issued May 13, 1980, by Ehrsam et al.
21 BACKGROUND OF THE INVENTION:
22 This invention relates to cryptographic commllnication 23 security techniques and, more particularly, to an operational 24 key verification arrangement for verifying at a first station that a second station is the source of cryptographic data 26 communicated to the first station only if the operational keys 27 Of both stations are identical.

~."', 1 With the increasing number of computer end u~ers, ~harlng 2 of common system resources such as files, pr~gram~ and hardware 3 and the increa~ing use of di~tributed ~ystems and tele-4 communi~ation~, larger and more complex computer base information sy~tem~ are being created. In ~uch ~y~tem~, 6 an increasing amount of sensitive data may ke tranYmitt~d 7 acro~s unsecure communication line~. ~ecause of the 8 insecurity of communication line~, there i9 an increasing 9 concern over the interception or alteration of ~ensitive data which mu~t pass outside a controlled or protected 11 environment or which may become accesslble lf maintained 12 for too long a period of time. Cxypto~raph~- has been 13 recognized as an effective data security mea~ure in that 14 it protects the data itself rather than the medium over which it i~ transmitted or the media on which it is stored.
16 Cryptography aeals with methods by wh$ch me~saga data 17 called cleartext or plaintext is enc~ypted or enclphered 18 into unintelligible data called ciphertext h~d by which the 19 ciphertext is decrypted or deciphered back into thQ plaintext.
The encipherment/decipherment transformations are carried out 21 by a clpher f~nction or algorithm controlled ln aa¢ordance 22 with A cryptographlc or cipher key. The cipher key select~
23 one out of many possible relationships between the plaintext 24 and the ciphertext. Variou~ algorithm~ have been developed in the prlor art for improving data ~ecurity ~n data procs~ing 26 system~. Examples of such algorithms are da~cribed in U.S.
27 Patent Number 3,796,830 is~ued March 12, 1974 and U. S. Patent 28 Number 3,798,359 is~ued March 19, 1974. Anokher more recent 29 algorithm providing data security in data pro~essing systam~

11:192~

1 is described in U. S. Patent ~umber 3,958,081 issued May 18, 2 1976. This algorithm was adopted by the National Bureau of 3 Standards as a data encryption standard (DE~ ) algorithm and i8 4 de~cribed in d~tail in the ~ederal Inormat~on Processing Standard~ publication, January 15, 1977, FIPS PUB 46.
6 A data communication network may include a complex of 7 communic~tion terminal~ connected via communication lines 8 to a single host system and its associated re~ources such 9 as the host program~ and locally attached terminals and data files. Within the data communication network, the 11 domain of the host system is considered to be the set of 12 resources known to and managed by the host sy3tem. As the 13 size of data co~munication networks increase~, othor host 14 systems may be brought into the network to provide multiple domaln networks with each ho~t ~ystem having knowledge of 16 and manag~ng it~ a~sociated resourc~s which make up a portion 17 or domain of the network. By providing the proper cross 18 domain data link between the domains of the network, two or 19 more domains may be ~nterconnected to provid~ a notworking facility. Acaordingly, as the slze of the nstwork lncrea~es 21 and the number of communication ~lnes inter~onnecting the 22 do~ain~ of networX incr¢ases, there is an increasing need to 23 provide co~nunication security for data tran~mitted over 8uch 24 communication lines connecting the domains of a multiple domain communication network. Various data communication 26 networks have been developed in the prior art using crypto-27 graphic techniques for improving the security of data 28 communication within the network. In such networks, a 29 cryptographic facllity is prov~ded a~ the ho~t system and a~
various ones of the remote terminals. In order for the host ~1~9Z6~3 1 system and a remote t~rminal to perform a cryptographic 2 communication, both must use the same cryptographic algorithm 3 and a co~non operational key so that the da~a enciphered by 4 the sending station can be deciphered at the receiving station. In prior art cryptographic communication arrangements, 6 the operational key to be used at the sending station i.8 7 co~nunicated by mail, telephone or courier to the receiving 8 station ~o that a con~on operational key i9 installed at 9 ~oth stations to permit the cryptographic communications to be perfor~ed. Other prior art arrangements developed 11 techniques which permitted the communication line connecting 12 the two stations to be used for co~nunicating the operational 13 ~ey from one station to the other station by enciphering the 14 operational kcy in a form which is recoverable at the receiving station as exemplified by the Consumer Transaction 16 Facility described in V. S. Patent ~o. 3,956,615 issued 17 Ma~ 11, 1976.
18 With such an arrangement, an opponent who attempt~ to 19 intercept data com~unications over the communication line to recover the communicated operational key in order to be able 21 to decipher subsequent cryptographic data communication~ over tha 22 communication line will be blocked inasmuch as he does not 23 have available to him the cipher key under which the operational 24 key is enciphered. Cne way in which he may be able to ma~e U8 of the intercepted enciphered operational key and crypto-26 graphic data communications is to make an attack at 27 the station for which the message was int`enc1ed and gain acces~
28 to that station 50 that he may play a recording of the 29 enciphered o~erational key into the cryptographic apparatu~
of that station which will then decip~er tne enciphered l operational key after which he may then play a recording of 2 the cryptographic data communication into the cryptographic 3 apparatus of that ~tation and obtain the data communication 4 in clear form.
Accordingly, it i~ an object of the invention to 6 maintain communication security of data transmis~lons between 7 stations connected by a communication line.
Another ob~ect of the invention is to verify at a 9 cryptographic station the source of communicated crypto-graphic data.
11 A further object of the invention i3 to mainta$n 12 communication security of data transmissions between a 13 irst cryptographic station and a second cryptographic 14 station by verifying that both stations are using a common operational key.
16 Still.another object of the invention is to send a 17 challenge from a first cryptographic station in accordance 18 with its operational key to a second cryptographic ~tation 19 requlring the second station to return a cryptographic message in accordance with its operational key in such a 21 form that the first ~tation can verify that the second station 22 i8 the ~ource of the cryptographic message only if the 23 operational keys of both ~tations are identical.
24 In a data communication network providing data commun~cations between a first cryptographic ~ation provided with a fir~t 26 operational Xey and a second cryptographic ~tation provided 27 with a ~econd operational key, an operational ~ey verificat~on 28 arrangement i3 provided in accordance with the invention in 29 which the first station provides a first veriflcation number and then performs a first operation in accordance with the 11~9Z61~

1 first verification num~er and the fir~t operational k~y to 2 provide first ~tation ciphertext for transmission o the 3 second station. ~t the second station, an operat~on ~s 4 performed in accordance with the first station oiphertext S and the second operational key to provide second station 6 ciphertext fo~ tran~mission back to the first statlon and 7 performing a ~econd operation at the first ~tation ln accordance with the fir~t verification number and the 9 received second station ciphertext to veri~y that the second stat~on is the source of the second station ciphertext only 11 if the operational keys of the two stations are identical.
12 In the v~rification arrangement of the present 13 invention, the fir~t station ciphers the first verificatlon 14 nu~ber under control of the first operational key to provide lS first station ciphertext for transmi~ion to the second 16 3tation. The second station ciphers the first station 17 ciphertext under control of the second operational key to 18 obtain a seco~ld verification number which is equal to the ~, 19 fir~t verification nun~er i~ the operat~onal keys of the two stations are identical. The secon~ verification nun~er i~
21 then modified in accordance with a fir~t functlon to obtain 22 a modified second verification number which 15 then ciphered 23 under control of the ~econd operational key to provide ~econd 24 station ciphertext for transmission back to the fir~t station.
i 25 Variou~ embodiment~ of verification at the first station 26 are provided by the present invent~on. In one embodiment, 27 the second station ciphertext received at the first station 28 i~ ciphered under control of the first oper~t~onal ~ey to 29 obtain a f~rst re~ulting nur;~er which i~ equal to the 1 modified second verification nu~er if the operational keys 2 of the two stations are identical. ~he first resulting 3 n~her is then modified by a second function which i6 the 4 inverse of the first function to obtain a second resulting number which is e~ual to the first verification n~mher 6 if the operational keys of the two stations are identical.
7 The first verification num~er is compared with the second 8 resultin~ num~er for equality to verify that the second 9 station is the source of the cryptographic data comm~nicat~on only if the operational keys of the two stations are identical.
11 In another e~odiment of ~he verification at the first 12 station, the second station ciphertext received at the first 13 station is ciphercd under control of the first operational 14 key to obtain a first resulting nwnber which is equal to the mod~fied second verification number, previously produced by 16 the second station, if the operational ~ey~ of the two statlons 17 are identical. The first station then modifies the first 18 verification number by a second function which i~ identical 19 to the first function, previously performed at the second station, to ohtain a modified first verification number 21 which is equa~ to the modified second verification n~lber, 22 previously produced by the second station, if the operational 23 keys of the two stations are identical. The modified flx~t 24 verification number is then compared with the first resulting number for equality to verify that the second station i8 26 the source of the cryptographic data co~unication only if 27 the operatlonal keys of the two stations are identical.
28 In another embodiment of the verificati~n at the first 29 statlon, the second station ciphertext, whic~h represents the modified second verification number ciphered under the KI9770~2 -8-1 ~econd operational key, is received and stored at the first 2 station. The first station then modifies the first verification 3 nur~er ~y a second func~ion which is identical to the firqt 4 function, previously performed at the second station, to obtain a modif$ed first verification number which is egual to the 6 modifled second verification number previou~ly produced by 7 the second ~tation if the operational keys o the two station~
8 are identical. ~he modified first verification number i8 9 then ciphered undex the first operational ke~ to obtain additional first station ciphertext which i~ then compared 11 with the received second station ciphertext for equality to 12 verify that the second station is the ~ource of the second 13 station ciphertext only if the operational keys of the two 14 stations are identlcal.
The foregoing and other ob~ects, features and advantage~
16 of the invention will be apparent from the following particular 17 aescription of preferred embodiments of the invention, 18 as lllustrated in the accompanying drawings.

KI977012 -~~

Z6~

1 BR~EF DESCRIPTION OF THE DRAWINGS:
.
2 Fig. 1 i~ a block diagram of a repre~entative data 3 eommunication network illustrating, in block form, the 4 detail3 of a terminal and a host 8y8tem in such a network~
Fig. 2 13 a block diagram of a cryptographie englne 6 whieh perform~ cryptographic functlon~ ln ~ loglcally and 7 physieally ~eeure manner.
8 Fig. 3 illu~trate~ in block diagram form a manual 9 WMK funetion.
Fig. 4 illu~trates in block diagram form a proees~or 11 eontrolled WMR funetion.
12 Fig. 5 111u~trates in block diagram form a DECR funetion.
13 Flg. 6 illu~trate~ in block diagram form an ENC funetion.
14 Flg. 7 illustrate~ in bloek diagram form a DEC funetion.
Fig. 8 illustrates in block diagram form an ECPH
16 funetion.
I7 Fig. 9 lllu~trate~ in bloek diagram form a DCP~
18 funetion.
l9 Fig. 10 i~ a dlagram of how Figs. 10a and 10b may be plaeed to form a detailed ~ehematie diagram.
21 Flg~. 10~ and 10b, taken together, eomprise a detalled 22 ~ehematie d~agram of one embodiment of the verifieation 23 arranqement of the pre~ent invention illu~trating a data 24 communieation from ~ fir~t st~tion to a ~eeond ~tation.
Flg. 11 is a diagram of how Fig~. lla and llb may be 26 plaeed to forn a detailed 3chematic diagram.
27 Figs. lla and llb, taken together, compri~e a detailed 28 ~ehematie diagram of one embodiment of the verifleation 29 arrangement of the pre3ent inventlon illu~trating a data communication from the ~econd ~tation to the first statlon.

;26~

1 Fig. 12 is a detailed ~chematic diagram of another 2 embodimQnt of ~he verification arrangement at one of the 3 stations of the present ~nventlon.
4 Fig. 13 i5 a detailed schematic diagram of stlll another embodiment of the verification arrangement at one 6 of the station~ of the pre~ent invention.

; 22 : 24 i,.

Z6~

1 GENERAL DESCRIPTION: -2 INTRoDucTIoN:
3 In a ~ingle domain data communication network, a 4 complex of co~munication terminal~ are connected via a plurality of co~munication lines to a host data proces~ing 6 system and its associated resources such a~ host programs, 7 and locally attached terminal~ and ~econdary ~torage files.
8 Because of the complexity and increa~ing size of ~uch networks 9 other host systems may be brough~ into the network by providing the proper cross domaln link between the multiple 11 ~ystems thereby providing a multiple domain natwork.
12 However, with this increasing size of the network, the 13 problem of transmitting data over unsecure communication 14 line~ becomes more acute and it iB nece~ary to protect the data to maintain the confidentiality and integrity of the 16 information represented by that data. Cryptography provide~
17 an effective data ~ecurity measure for communication security 18 in that it protects the confidentiality and integrity of tho 19 data it~elf rather than the medium over which it is tran3-mltted.
21 .~ost practical cryptographic systems re~ulre two baslc 22 element~, namely, (1~ a cryptographic algorithm which ls a ~et 23 of rule~ that specify the steps required to ~ransform or 24 encipher plaintext into ciphertext or to tran~form or decipher ciphertext ~ack into plaintext and (2) a cipher key. The cipher 26 key i8 u~ed tc select one out of many possible relation~hlp~
27 between the plain ext and the ciphertext. Variou~ cryptographic 28 algorithm~ have been developed in the prior art for ~mproving 29 data security in data processing sy~tems. ~ne euch algorithm KI977012 ~12-Z~

described in u.S. Patent ~o. 3,958,081 issued Ç~ay 18, 2 1976 and wa~ recently adopted as a United States Federal 3 Data Processing Standard as set forth in the aforementloned 4 Federal Information Proces~ing Standard publication.
The cryptographic algorithm operates to transform or encipher 6 a 64 bit block of plaintext into a unique 64 bit block o~
7 ciphertext under control of a 56 bit cipher ~ey or to 8 transform or decipher a 64 bit block of cipher~ext back into 9 an or1ginal 64 b~t bloc~ of plaintQxt under control of the ~ame 56 bit cipher key with the decipher~ng pxoce~s being 11 the rever~e of the enciphering proces~. The effectivenes~
12 of thi~ cipher proceQs depends on th~ techn~ques used for 13 the selection and management of the cipher key u~ed in the 14 cipher proce~. The only cipher kay actually used in the cipher procesa to personalize the algorithm when encrypting 16 or decrypting data or other keys is termed the wor~ing key 17 and i~ accessible only by the cryptographic apparatu~. All 18 other key~ hereafter di~cussed are used at different times 19 as working key~ depending upon the cipher operation to be performed.
21 Thera are baslcally two categories of cipher key~ used in 22 the oryptographic sy~tem, namely, operatlonal keys ~RO) and 23 key encrypting keys (KEX) with oper~tional key~ being referred 24 to ~nd used as data encrypting keys. Data encrypting or operational keys are a category of key~ used to encrypt/decrypt 26 data while key encrypting keys are a category of keys used 27 to encrypt/decrypt other key~.
28 Withln the two ba~ic categories, there are variou~ly defined 29 classe~ and type~ of cipher keys. Thus, in the data encrypting 11'~

1 or operational cla~s of cipher keys, the data enc~ypting or 2 operational key which protect~ data during data communication 3 sessions i~ a claYs of key called the primar~ communic~tion 4 key. One type of this class of keys is one which i8 a sy~tem generated, time variant, dynamically created key transmltted 6 in enciphered form under a key encrypt~ng k~y from a host 7 system to a remote terminal. The key is deciphared at the 8 terminal and then loaded into the working key register and g used as the working key. The key exists only for the duration of the communication session and will be referred to as 11 the system se~sion key (~S).
12 Within the key encrypting category of cipher keys, 13 there are two ~ub-categories, namely, the primary key encrypting 14 key nnd the secondary key encrypting key. In the primary key encrypting key sub~category of cipher key~, the key 16 encrypting key used in the host system to encipher other 17 key~ i5 a class of key called the sy~tem key. One type of 18 this class of keys is one which is used to protect the 19 system ses~ion keys actively used at the host and will ~e referred to as the host master key (XMH). In the secondary 21 key encrypting key ~ub-~ategory of cipher key~, there i8 22 a cla~s of key called a secondary communication key which 23 i~ u~ed to protect other key~. This class of key ls u~ed to 24 protect ystem session keys transmitted to a terminal and when system generatad will be referred to as the termlnal 26 master key (~IT). Another type of this cla~s of key is u~ed 27 to protect ~ystem ses~ion keys transmitted from the ho~t 28 system in one domain to a host sy~tem in another domain of a 29 multiple domain communication network and w~ll be reerred to as a cross-domain key (KNC). An additional type of ~68 1 thi~ clas~ of key is uQed to protect system se~ion keys 2 tran~mltted to an application program associated with a host 3 sy~tem and when ~ystem generated will be ref~rred to a~ the 4 application ksy (KNA). The various cryptographic key~
defined above are ~ummarized in the following table ~y 67 cat~gory, clas~, type and use:

_ ..

.
9 Xey Encrypt~ng Key~ ~RER) Primary Sy~tem Key ~08t Master 11 . _ Key (KNH) Enoiphor : Terminal Master 12 Key ~ST) Other 13 Secondary 14 Secondary Communication Key (RNC) Cryptographlc Rey~ Applic~tion 16 Rey (RNA) Keys _ .
17 Data System Ses3ion Enciphsr 18 Xey Key tKS) Or 19 (Operational Communication Deciph~r : Key KO) Key ~ata 20 _ : 23 GENERATION, DISTRIBUTION, I~STALLATION AN~ MANAGEMENT OF
;! CRY'PTOGRAPHIC XEYS:
3 Key generation 18 the proces~ which proviae~ for the 4 creation of the cipher keys required by a cryptographic syst~m.
Xey generation include~ the speclfication of a system ma~ter 6 key and primary and secondary communication keys.
7 The host ma~ter key is the primar~ key encrypting 8 key and i~ ths only cipher key that needs to be pre~ent in g the host cryptographic facility in clear form. Since th~
ho~t master key doe~ not ~enerally change for long periods 11 of time, great care must be taken to select ~his key in a 12 random manner. This may ~e accomplished by using some random 13 experiment such a~ coin to~3inq where bit values O and 1 are i 14 determined by the occurrence of heads and tails of the coin or by throwing dice where bit value~ O and 1 ar~ determin~d 16 by the occurrence of ev~n or odd rolls of the dice, with the 17 occurrence of each group of coin~ or aice bei~g converted into 18 correspond~ng parity adjusted digit~. By enciphering all other 19 cipher key~ stored in or passed outside the host ~y~tem, overall ecurity i8 enhanced and secrecy for such other cipher keys 21 reduc~ to that of providin~ secrecy for the ~lngle host ma~ter 22 key. Secrecy for the host ma~ter key may be accomplished by 23 storing it in a non-volatile master key memory so that the ho~t 24 ma~ter key need only be installed once. Once installed, the ma~ter key is u~ed only ~y the cryptographic apparatus for 26 internally deciphering enciphered keys which may then be used : 27 as the workin~ key in a subsequent encipher/decipher operation.
28 In~tallation of the host master key may be accompli~hed 29 by a dLrect ~anual entry proce~s using mechanical ~witches, dial~, or a hand-held key entry device. Alternately, an 1 indirect entry method may be used in which case the host 2 master key may be entered from a non-volatile media such as 3 a magnetic card or tape which is maintained in a secure 4 location (safe, vault, etc.) accessible only to the security administrator. Another alternative indirect entry method 6 may be to use a keyboard entry device, though this method is 7 subject to human error. In any event, whichever indirect 8 method is chosen, during initialization, the host master key g may be read into and temporarily stored in the host memory and then transferred to the master key memory with the host memory 11 entry being subsequently erased so that only one copy is 12 present and accessible only by the cryptographic facility.
13 The terminal master key is a secondary key encrypting 14 key and like the system master key, is the only key encrypting key that needs to be present in clear form in the terminal 16 cryptographic facility. Since there may be numerous 17 terminals associated with a host system, it may not be 18 practical or prudent to have these keys generated by a human ; 19 user using some type of random experiment. Therefore, to relieve the system administrator from the burden of creating 21 cryptographic keys, except for the single system master key, 22 the cryptographic apparatus of the host system can be used 23 as a pseudo random generator for generating the required 24 terminal master keys used by the various terminals associated with the host system. The manner by which such 26 host system generated random numbers are produced is described 27 in greater detail in the aforementioned U.S. Patent No.
28 4,238,853, entitled "Cryptographic Communication Security 29 for Single Domain Networks". The clear form of the system generated terminal master key is distributed in a secure .

1 manner to the authorized terminal users. Thi~ may be 2 accomplished by transporting the key by courier, registered 3 mail, public telephone, etc. The liklihood of an opponent 4 obtaining the key during transit can be lessened by trans-mitting diffe_ent portions of the key over independent path~
and then co~bining them at the destination. Once having 7 properly received a valid system or private generated 8 terminal ma~ter key in clear form, it becomes nece~sary to 9 maintain its secrecy. ~t the terminal, thi~ is acco~nplished by writing the terminal ma~ter key into a non-volatile 11 master key memory, a~ in the case of the host syatem master 12 key. Once installed, the terminal master key is used only 13 by the terminal cryptographic apparatus for internally 14 deciphering enciphered sy~tem generated primary communication keys which may then be used as the working key in a subse-16 quent encipher/decipher operation.
17 The cro~s-domain key i~ a secondary key encrypting 18 key which i~ used as a secondary communication key to allow 19 a se~sion key generate~ at the host ystem in one domain to be transmitted and recovered at the host ~ystem in 21 another domain of R multiple domain communication network.
22 The cryptographic apparatus of the sendin~ host system 23 usod as a pseudo random generator, as in the case of 24 generating terminal master keys, can al~o be used to generate the cros~-domain key. Becau~e there may be 26 numerou~ host systems interconnected in the multiple domain 27 communication network, it is necessary to generate a 28 separate cros~-domain key for each cross-domain communication 29 between each host 3ystem and the other host systems of the network. As in the case of the terminal master key~, these 1 cross-domain keys must be distributed from each host 2 system to each of the other host systems in the network 3 in a secure manner. This may be accomplished in a similar 4 manner to that described for the distribution of terminal master keys. Once having properly received a valid 6 cross-domain key in clear form at the receiving host system, 7 it becomes necessary to maintain its secrecy. However, 8 once installed at the receiving host system in a protected 9 form, the cross-domain key is used only by the receiving host system for internally transforming enciphered session 11 keys transmitted by a sending host system into a form usable 12 by the receiving host system to carry out cryptographic 13 operations.
14 The application key is a secondary key encrypting key which is used as a secondary communication key to protect 16 the session key generated at a sending host system of a 17 multiple domain network. The session key protected by the 18 application key is transformed into a form usable by the 19 sending host system to carry out cryptographic operations.
Since there may be numerous application programs associated 21 with a host system, it is necessary to generate a separate 22 application key for each application program. Therefore, 23 the cryptographic apparatus of a host system may be used as 24 a pseudo random generator, as in the case of generating terminal master keys and cross-domain keys, to generate 26 the application keys for each of the application programs 27 associated with the host system.

., . .,~

~9~8 1 Once having validly generated a system application key, it 2 becomes necessary to maintain its secrecy.
3 System generated primary communication keys, i.e.
4 session keys, are time variant keys which are dynamically ~enerated for each communication session and are used to 6 protect communicated data. Since there may be numerous 7 communications sessions it is impractical to have these keys 8 generated by a human user. Therefore, the cryptographic g apparatus of the host system may be used as a pseudo-random generator for generating, as each communication session is 11 required, a pseudo-random number which, in keeping with the 12 objective that cryptographic keys should never occur in the 13 clear, may be defined as being a session key enciphered under 14 the host key encrypting key.
In a multiple domain network when cross domain communic-16 ation is to be established between a terminal associated 17 with a host system in one domain and an application program 18 associated with a host system in another domain, the generated 19 random number is defined as being the session key enciphered under a host master key. The enciphered session key is 21 reenciphered from encipherment under the host master key of 22 the host system in the one domain to encipherment under the 23 cross domain key used for cross domain communication between 24 the respective host systems and is also reenciphered from encipherment under the host master key of the host system 26 in the one domain to encipherment under the terminal 27 master key of the terminal with which the communication KI977012 -20~

6~

1 session is to be established. Both of these reenciphered 2 sess:ion keys are communicated to the host system in the 3 other domain. At the host system in the other domain, 4 the session key enciphered under the cross domain key is reenciphered from encipherment under the cross domain key 6 to encipherment under the host master key of the host 7 system in the other domain. The session key now enciphered 8 under the host master key of the host system in the other 9 domain and the session key enciphered under the terminal master key are then communicated to the application program 11 associated with the host system in the other domain where 12 the session key enciphered under the host master key is 13 retained for cryptographic operations at the host system 14 in the other domain and the session key enciphered under the terminal master key is communicated to the terminal 16 associated with the host system in the one domain. At this 17 point, a common session or operational key is now present 18 in a form usable at the terminal and application program 19 permitting a communication session to proceed between them.
On the other hand, when cross domain communication 21 is to ~e established between an application program in 22 one domain and an application program in another domain, 23 the generated random number is defined as being the session 24 key enciphered under the application key associated with the application program of the sending host system. The 26 enciphered session key in addition to being used for communic-27 ation to the application program in the host system with which 28 is associated is also used in a reencipher operation to ~'~
,~

~926~

1 reencipher the ~ess~on key from encipherment under thQ
2 application key to encipherment under the host ma~ter key 3 of the ho~t system in the one domain and then the session 4 key now enciphered under the host master key of the host s ~ystem in the one domain i~ used in another reencipherment 6 operation to reencipher the session key from encipherment 7 undex the ho~t master key to encipherment under the 8 cross domain key used for cross domain communication - g between the respective host qystems of the multiple domain network. The session key enciphered under the application 11 key of the application program associated with the one 12 domain and the se~sion key enciphered under the cro~s domain 13 key are then communicated to the host system in the other 1 14 domain. ~t the host system in the other domain, the ses~ion lS key enciphered under the cross domain key is reenciphered 16 from encipher~ent under the cro~s domaln key to encipherment 17 under the host master key of the host sy~tem in the other 18 domain. The session key now enciphered under the host 19 master key of the host system in the other domain and tho session key enciphered under the application key are then 21 communicated to the application program asqociated with the 22 host system in the other domai~ where the ses~ion key 23 enciphered under the host master key of that host syst~m 1~
24 retained for crypto~raphic operations at the host ~ystem in the other domain and the session key enciphered under the 26 application key is com~unicated to the application program 27 a~sociated with the host system in the one domain. The 28 appl~cation program then causes another reencipher operation 29 to be perfoxmed at the host system in the one domain to reencipher the session key from encipherment under the ~I97701~ -22-926~

1 application key to encipherment under the host master key of 2 the host system in the one domain. ~t this point, a common 3 session or operational key is now present in usable form at 4 the application programs in the different domains permitting S a communication session to proceed between the two appli-6 cation programs.

~I977012 -23-11~9Z~

1 DATA CO~ IUNICATION ~ETWORRS
2 ~odern day data co~nunication networks may include a 3 complex of comN,lunication terminals connected via communicat~on 4 lines to a single host and its associated re~ources such as the ho~t programs and locally attached terminal~ and data 6 files. As the size of a data com~unication network increase8 7 other host ~ystems may be brought into the n~twork to 8 provide multiple domain networks with each host systam 9 having knowle~ge of and managing its associated resources which ma~e UF a portion or domain of the network. By 11 providing the proper cross domain link between the 12 domAin~ of the network, two or more ~omains may be inter-13 connected to provide a networking facility. A representative 14 multiple domain ne~work is shown in Fig. 1 with a repre-sentative one of the host systems and its associated reRources 16 shown in block form and a representative one of the plurality 17 of remote communication terminals associated with a host 18 system also sho~m in block form. One domain of th~ network 19 includes the remote com~unication tcrminals 8, ~ and 10 connected by communication lines to the Hostk system 30;
21 a second domain of the network includes the remote communi-22 cation terminals 31 and 32 connected by co~munication lines 23 to the Host~ system 33 and a third domain of the network 24 includes the remote co~munication terminals 34 and 35 connected by communication lines to the Hos~i system 36.
26 While the particular manner in which the host is 27 implemented is not critical to the prasent invention, the 28 block diagram of the host in Fig, 1 shows the data flow and 29 control relationships of a representative host arrangement.
The host includes a programmable processor 1 operationally 1 connected to a memory 2 which provide~ storage for data and 2 the programs ~hich are utilized to control the system and a 3 channel 3 whicl~ controls the transfer o ~ata between 4 input/output devices and the proce~sor 1. Channel 3 i9 S connected to the processor 1 an~ memory 2 and via a channel 6 I/O Interface, with control units such as control unit 4 7 capable of cor;trolling a clu~ter of input~output devices 8 which may be ~isplay or printer type of devi~e~, control 9 unit 5 capable of controlling a plurality of magnetic tape units or control unit 6 capable of controlling a plurality 11 of disk file~. Communication controller 7 i5 a two-direction 12 control unit that links the host to communi~ation lines 13 connected to remote terminals such as co~munication terminals 14 ~, 9 and 10 and host systems l~i and Hi each of which is similar to Host k and also having a plurality of terminals 16 associated therewi~l.
17 The collection of data and control line~ connected betwoen 18 the channel and I/~ control units is commonly referred to as 19 the channel Iin interface providing an information format ~o and signal sequence co~non to all the I~O control units.
21 The I/O interface lines generally include a d~ta bus out 22 which i5 used to transmit device addre~ses, commands and 23 data from the channel 3 to ~he I/O control unit; a data bus 24 in which is used to transmit device identification, data or status infor~ation from the I~O control unit to the channel 3 26 and tag signal lines ~hich are used to provi~e signals 27 i~entifying an I~O operation, the nature of information on 28 the data bus and parity condition. Since eac~ I~O control 29 unit has a unique electrical interface, device adapters are generally provided to allow device connection to the ~19;2~3 1 common I/O interface. All I/O data transfers between the 2 processor and the attached control units may be performed in 3 a programmed input/output (PIO) mode on a 1 byte per I/O
4 instruction basis. Included in this organization of a general purpose host system is a host data security device 11.
6 Briefly, the host data security device (DSD) 11 includes 7 a crypto device 12, a master key (MK) memory 13, a DSD
8 adapter 14 which connects to the I/O interface and a manual 9 entry device 15 for manually loading a host master key into the MK memory 13. Either one of two methods can be used for 11 writing a host master key into the MK memory 13. The first 12 method for writing the host master key into the MK memory 13 13 is achieved under program control. In this method, an I/O
14 device having a keyboard, magnetic stripe card reader or the like, may use such elements to cause the host master key to 16 be stored in the host memory 2 as in the case of conventional 17 data entry. Subsequently, under program control, the host 18 master key may be read from the host memory 2 to the MK
19 memory 13 of the DSD. The other method of writing the host master key into the MK memory 13 consists of manually writing 21 the host master key into the MK memory 13 by means of indiv-22 idual toggle or rotary switches. To enable master key writing 23 into the MK memory 13 by either method, an enable write key 24 (EW) switch is provided which is initially turned on when a write master key operation is initiated and turned off at the 26 end of ,, ~92~

1 write master key operation. To prevent the key from being 2 changed by unauthorized persons, the EW switch operation may 3 he activated by a physical ~ey lock arrangemen~.
4 The ~SD adapter 14 ser~es a dual function namely, pro~iding adapter functions for DSD connection to the I~O
6 interface and control functions for the DSD.
7 The I/O inter~ace provides thc DSD adap~er 14 with 8 overall direction, gives it cipher key~ to be used, presents g it with data to be processed and accepts the processed results. Overall direction is achieved by use o~ operation 11 commands which are decoded and subsequently provide control 12 in properly timed s~quences of signals to carr~ out each 13 command. These signals are synchronized with the transfer 14 of data in and out. The DSD adapter 14 also control~ the placing of cipher keys in the crypto device 12 and directs 16 the crypto device in the enciphering and dec~phering operation~.
17 The MK memory 13 is a non-volatile 16X4 bit random 18 access memory (RAM) which i~ battery powered to enable key 19 retention when host power may not be pre~ent. The host master key consi3t~ of eiqht ~aster key bytes (64 bits) each 21 of which consists of seven key bits and one parity b~t.
22 ~ikewise, while the particular manner in which a 23 communication terminal is imple~en~ed i5 not crLtical to the 24 present invention, Fig. 1 illu~trates in block diagram form a repre~entative communication t~rminal 32 showing data flow 26 and control relation~hips. The terminal 32 i~ generally 27 modular in nature and include~ a programmable processor 37 28 operationally connected to a memory 38 which provide~
29 stora~e for data and the programs which are utilized to control the terminal 32. rrhe proc~s~or 37 contain~ the ~119Z68 normal facilities for addressing memory, for fetching and storing data, for processing data, for sequencing program instructions and for providing operational and data transfer control of a single I/O device 39 which may be a display type of device having a keyboard entry unit 40 and/or magnetic stripe card reader entry unit 41 and a single I/O
device 42 which may be a printer type of device. The collection of data and control lines connected between the processor 37 and the I/O device or devices is commonly referred to as the I/O interface providing an information format and signal sequence common to all the I/O devices.
The I/O interface lines generally include a data bus out which is used to transmit device addresses, commands and data from the processor 37 to the I/O device; a data bus in which is used to transmit device identification, data or status information from the I/O device to the processor 37 and tag signal lines which are used to provide signa~s identifying an I/O operation, the nature of information on the data bus and parity condition. Since each I/O device has a unique electrical interface, device adapters such as adapters 44 and 45 are generally provided to allow device connection to the common I/O interface. All I/O data transfers between the processor and the attached adapters may be performed in a programmed input/output (PIO) mode on a 1 byte per I/O instruction basis. In addition to the device adapters, a communication adapter 45 is also generally provided to connect the communication terminal 1 via a communication line to a host system. Included in this organization of a general purpose communication terminal 32 is a data security device (DSD) llA containing a crypto device 12A, a master 2~1 1 key (MK) memory 13, a DSD adapter 14A which connects to the 2 I/O interface and optionally a manual entry device 15A for 3 manually loading a terminal master key into the MK memory g 13. Either one of two methods described above in connection with the host data security device can be used for writing a 6 terminal master key into the MK memory 13A.
7 The DSD adapter 14A serves a dual function namely, 8 providing adapter functions for DSD connection to the I/O
g interface and control functions for the DSD.
The I/O interface provides the DSD adapter 14A with 11 overall direction, gives it cipher keys to be used, presents 12 it with data to be processed and accepts the processed 13 results. Over-all direction is achieved by use of operation 14 commands which are decoded and subsequently provide control in properly timed sequences of signals to carry out each 16 command. These signals are synchronized with the transfer 17 of data in and out. The DSD adapter 14A also controls the 18 placing of cipher keys in the crypto device 12A and directs 19 the crypto device in the enciphering and deciphering operations.
The MK memory 13A is a non-volatile 16X4 bit random 21 access memory (RAM) which is battery powered to enable key 22 retention when terminal power may not be present. The 23 terminal master key consists of eight master key bytes (64 24 bits) each of which consists of seven key bits and one parity bit.

~;

~7 . .

1~9~8 The crypto device 12 is the heart of the terminal and host DSD for performing enciphering and deciphering operations and is identical for both units. The crypto device 12 performs encipher/decipher operations on a block cipher basis S in which a message block of 8 data bytes (64 bits) is enciphered/deciphered under control of a 56 bit cipher working key to produce an enciphered/deciphered message block of 8 data bytes. The block cipher is a product cipher function which is accomplished through successive applications of a combination of non-linear substitutions and transpositions under control of the cipher working key. Sixteen operation defined rounds of the product cipher are executed in which the result of one round serves as the argument of the next round. This block cipher function operation is more fully described in the aforementioned U. S. Patent No. 3,958,081.
A basic encipher/decipher operation of a message block of data starts with the loading of the cipher key from the terminal or host memory. This key is generally stored under master key encipherment to conceal its true value.
Therefore, it is received as a block of data and deciphered under the master key to obtain the enciphering/deciphering key in the clear. The clear key does not leave the crypto device 12 but is loaded back in as the working key. The message block of data to be enciphered/deciphered is then transferred to the crypto device 12 and the cipher function is performed, after which the resultant message block of enciphered/deciphered data is transferred from the crypto device 12 to the terminal or host memory. If subsequent encipher/decipher functions are to be performed using the same working key, there is no need to repeat the initial ~!

1~9~

steps of loading and deciphering the working key as it will still be stored in the working key register.
The crypto device 12 includes duplicate crypto engines operating in synchronism to achieve checking by 100~ redundancy.
Referring now to Fig. 2, one of the crypto engines is shown in simplified block form with a heavy lined border signifying a secure area. The crypto engine 16 contains a 64 bit input/output buffer register 17 divided into upper and lower buffer registers 18 and 19 of 32 bits each. The buffer register 17 is used in a mutually exclusive manner for receiving input data on a serial by byte basis from the bus in, termed an input cycle, and for providing output data in a serial by byte basis to the bus out, termed an output cycle. Thus, during each input cycle a message block of eight data bytes is written into the buffer register 17 from the terminal or host memory while during each output cycle a message block of eiyht processed data bytes is read from the buffer register 17 to the terminal or host memory. Serial outputs of the buffer register 17 are also applied as serial inputs to the working key register 20 and a parity check circuit 21, the latter being controlled to be effective only when a 64 bit clear cipher key is to be loaded directly into the working key register 20 from the terminal or host memory via the buffer register 17. Only 56 of the 64 bits are stored in the working key register 20, the 8 parity bits being used only in the parity check circuit 21. The buffer register 17 is also provided with parallel input and output paths from and to a 64 bit data register 22 also divided into upper and lower data registers 23 and 24 of 32 bits each. The upper and lower data registers 23 and 24 each ~197~6~

possesses parallel outputs and two sets of parallel inputs.
The parallel inputs to the lower data register 24 being from the lower buffer register 19 and the upper data register 23 while the parallel inputs to the upper data register being from the upper buffer register 18 and from the lower data register 24 after modification by the cipher function circuits 25. The 64 bit master key is inputted to the crypto engine 16 on a serial by byte basis with each byte being checked for correct parity by the parity check circuit 26. As in the case of the cipher key transfer from the buffer register 17 to the working key register 20, only 56 of the 64 bits are stored in the key register 20, the 8 parity bits being used only in the parity check circuit 26.
During the loading process, the key register 20 is configured as seven 8-bit shift right registers to accommodate the eight 7-bit bytes received from the MK memory 13 (or the buffer register 16).
When the working key is used for enciphering, the key register 20 is configured as two 28 bit recirculating shift left registers and the working key is shifted left, in accordance with a predetermined shift schedule, after each round of operation of the cipher function so that no set of key bits once used to perform a cipher operation is used again in the same manner. Twenty-four parallel outputs from each of the two shift registers (48 bits) are used during each round of the encipher operation. The shift schedule provided is such that the working key is restored to its initial beginning position at the end of the complete encipher operation.
When the working key is used for deciphering, the key 1~9~6~

1 regi~ter 20 is configured as two 28 bit recirculating 2 ~hift right re~i~ters and the working key i8 shifted right 3 in accordance with a predetermined shift schedule, after 4 each round of operation of the cipher function 80 that again no ~et of key bits is used again. A~ in the enciphering 6 operation, twenty-four parallel outputs from each of the two 7 ~hift registers ~48 bits) are used during each round of the 8 declpher oper~tion. The shift schedule provided in thi~ cas~
g i~ also such that the working key i3 restored to it~ init~al beginning position at the end of the complete decipher 11 operation.
12 The ciphsr function circuits 25 perform a product 13 cipher through successive application of a combin~tion of 14 non-linear su~titutions and transpo itions under control of the cipher work$ng key. Sixteen rounds of tlLe product 16 cipher are executed in which the results of one round serves 17 a~ the argument of the next round. Deciphering is accomplished 18 by using the name key as for enciphering but w$th the shift 19 scheaule for shifting the key belng altered 80 that the dec~phering proce~s i8 the rever~e of the enciphering proce~, 21 thus undoing in reverse order every ~tep tha~ was carried 22 out during the enciphering proce~ uring each round of 23 the cipher function, the data contents of the upper data 24 regi~ter 23, designated R, i8 enciphered under control of the worklng key, designated X, with the re~ult belng added 26 modulo-2 to the contents of the lower data register 24, 27 desi~nated L, the operat~on being expressed a3 Lef~R,K). At 28 the end of the cipher round, the content~ of tha upper data 29 register 23 i~ parallel tran~ferred to the lower data regi~ter 24 while the output of the cipher function circuits 25 i8 ~119Z~8 1 parallel tran~ferred to the upper data register 23 to form 2 the arguments for the next round of the cipher function.
3 After a total of ~ixteen rounds, which completes the total 4 cipher function, the content~ of the upper data register 23 is parallel transferred to the upper buffer regi~ter 18 6 while the output of the cipher function circuits 25 i~
7 parallel transferred to the lower buffer regi~ter 19. The 8 transformed data content~ of the buffer regi~ter 17 1~ then 9 outputted vi~ the bu~ out to the terminal or ho~t memory.

~9~

1 DSD COMMAND AND ORDERS:
2 Input/output operations of an I/O device are generally 3 directed by the execution of I/O instructions. In executing 4 an I/O instruction, the processor in the case of terminals and the channel in the case of host systems generally 6 provides an address field for addressing the I/O device, a 7 command field for designating the operation to be performed 8 and another address field for addressing the data field in 9 memory from which data is fetched or to which data is stored.
The data security device 11 is responsive to a variety 11 of commands. However, for the purposes of the present 12 invention the only commands used are (1) the PIO Write Data 13 (PIOW) command which causes a data field to be loaded into 14 the buffer register of the crypto device or the bits ~, 1, 2 and 3 of the data field to be stored in the MK memory when 16 writing a master key therein (2) the PIO Read Data (PIOR) 17 command which causes the contents of the buffer register of 18 the crypto device, with correct parity, to be read out and 19 passed via a data bus in to the terminal or host memory and (3) the Write DSD Order (WR DSD) command which designates 21 cipher key handling and data processing orders. The subset 22 of orders capable of being performed by a terminal and a 23 host system are different, with the host system having a 24 larger repertoire mainly because of the fact that key management functions are limited to host system control.

,. ~

2~8 1 ~lowever, for the purposes of the present invention, there 2 is a limited num~er of orders used wllich can be commonly 3 performed by either the terminal DSD or the h~st DSD.
4 These include ~1) the Write ~aster Xey order (~MX) which is u~ed to control writing a master key into the ,~ memory 6 (2) the Decipher Key order (DECK) which is u~ed to control 7 a decipher operation to decipher an operativnal key which 8 i8 enciphered under a master key under control of the master 9 key ~3) the Encipher order (F.NC) which is used to control the encipherment of data under control of a working key and 4) the Decipher ~D~C) order which i5 used to control the 12 decipherment of enciphered data under control of a working key.

14 DSD cryptographic function~ may be perf~rmed by combin-ation~ of the previou~ly defined commands or by a combination 16 of functions. These function~ require an input to the 17 cryptographic apparatus con~isting of a key parameter or a 18 data parameter. The notation used to de~cribe these function~
19 will be expreP:sed as follows:
0 FUNCTION~KEY PARAMETER]~OUTPUT
or 21 FUNCTION[DATA PARAMETER]~OUTPUT
2 and when function~ are combined, the notation u~ed to describe 23 the combined function~ will be expressed as follow~:
24 FUNCTIONlKEY PARAM~TER, DATA PAR~ETER]~OUTPUT
The salient characteri~tics of host cyrptographic 26 functions are that (1) the key parameter, is always in 27 enc~phered form and therefore muqt be internally deciphered 28 by the cryp~o engine before the clear key i~ used and that 29 (2) no function allow~ key~ to become available in clear form. The description~ that follow describe what each ~9Z~3 1 function does and how it is performed. In the diagrams 2 which are referenced in the following, the cryptographic 3 facility is shown in simplified block form for ease of 4 understanding these operations.
Before proceeding to the description of the functions, 6 a brief general description will be given of how the manual 7 write key operation is performed. Referring now to Fig. 3, 8 there is shown a simplified block diagram of a manual WMK
9 operation. In the manual WMK operation, an EW switch is set on to enable writing into the MK memory 13 after which 11 a MW switch is closed to enable manual writing and causing 12 the current master key to be overwritten with whatever 13 happens to be set in the data key entry switches. Following 14 this, 16 sets of 4 bits (64 bits) are manually written into the MK memory 13 as the new master key to complete the manual 16 WMK operation.
17 Referring now to Fig. 4, there is shown a simplified - 18 block diagram of a write master key tWMK) function. This 19 function is carried out by the following sequence of commands: (1) WMK and (2) 16 PIOW's. In this operation, 21 as in the manual WMK operation, the EW switch is previously 22 set on to enable writing into the MK memory 13. The execution 23 of this function causes the current master key in the master 24 key ~,...

~1~92~

1 memory 13 to be over-written wi~h whatever happen~ to be 2 present as bit~ 0, 1, ~ and 3 on the bus in. Thereafter, 3 the crypto engine controls are set to allow a 64 bit ma~ter 4 key RM to be wr~tten as a key parameter into the ~IK memory 13 by means of 16 succe~sive PIOW ~ata coI~nands with the 6 bits 0, 1, 2 and 3 in the data field~ as~ociate~ w1th the 16 7 PIOW data co~mandY constituting the new master key. The 8 notatLon ~r~R~Kl~1]tKil is u~ed to describe thi~ operation 9 whereby the term W~lK indicate~ the function, the contents of the brackets indicate the key parameter inpu~ to the MK
11 memory 13 and the arrow points to the re~ult.
12 Referrinq now to Fig. 5, there is shown a s$mplified 13 block diagram of a decipher key DECR function. This function 14 iB carried out by the following ~equence of commands:
(1) D~CR and (2) 8 PIOW's. The execution of this function 16 sets the crypto engine controls to fir~t all~w the master 17 key XM in the ~K memory 13 to be transferred to the crypto 18 engine 16 as the working key. After or during the master 19 key transferr a 64 bit data block, defined a~ an operational key enciphered under the master key, i~ loaded as a kay 21 parameter into the crypto engine 16 by means o~ 8 ~ucce~sive 22 PIOW data commands with the succes~ive data field~ asso~lated 23 with the 8 PIOW commands constituting the enciphered operational 24 key. After ~he key parameter loading i9 co~pleted, the crypto engine 16 performs a decipher operation to obtain the 26 cipher key in clear form. The re~ultant clear cipher key 27 doe~ not leave the crypto engine 16 but i~ loaded back into 28 the key register of the crypto engine 16 replacing the 29 master key a~ the working key. The notatinn ~ECKl~K~KO]~XO
is used to de~cribe this operation whereby the term DECK

KI977012 -3~-2~

1 inclicates the function, the contents of the bracket indicate 2 the k~y para~eter which is inputted to the crypto engine 16 3 and the arrow points to the result.
4 ~eferring now to ~ig. 6, there i~ shown a simplified block dia~ram of an encipher (ENC) function. ~his function 6 is carried out by the following sequenGe of command~: (1) ENC
7 (2) 8 PIOW's and (3) 8 PIOR's. The execution of this 8 function sets the crypto engine controls to the enclpher 9 mode of operation and allows a 64 bit message hloc~ of data to he loaded as a data parameter into the crypto engine 16 11 by means of 8 ~ucce3sive PIOW data commands with the 12 successive data fields a~sociated with the 8 PIOW commands 13 con~tituting t~e ~essage block of data to be enciphered.
14 ~fter the data parameter loa~ing is completed, the crypto engine 16 performs an encipher operation to encipher the 16 data parameter under the operational key presently stored 17 in the working key regi~ter of the crypto device 16. The 18 64 bit enciphered re~ult is transferred by a series of 8 PIOR
19 commands from the crypto engine 16 for storage in designated data fields of the terminal or host memory. The notation 21 E~7C[DATAI~EKoDATA i~ used to describe this operat~on whereby 22 the term ~C ~ndicates the function, the contents of the 23 bracket indicata the data parameter input to the crypto 24 enqine 16 and the arrow point~ to the result.
~eferring now to Fig. 7, there is shown a s~mplified 26 block diagram of a decipher ~DEC) function. This function i~
27 carried out ~y the following se~uence of com~ands: (1) DEC
28 ~2) 8 PIOW'~ and ~3) 8 PIOR's. The execution of this function 29 ~ets the cry2to engine controls to a decipher mode of operation and allows a 64 hit me~sage block of enciphered data KIg77012 -39-~9;~

1 to be loaded as a data parameter into the crypto engine 16 2 by means of 8 succe~sive PIOW data commands with the 3 successive data fields as~ociated with the 8 PIOW commands 4 constituting the me3sage block of enciphered data to be deciphered. ~fter the data parameter loading 18 completed, 6 the crypto engine 16 perform~ a decipher operation to 7 decipher the data parameter under control of the operational 8 key presently stored in the working key register of the 9 crypto engine 16. The 64 bit deciphered result is tran~ferr~d ~y a series of 8 PIOR commands from the crypto engine 16 for 11 ~torage in de~ignated data field~ of the terminal or host 12 memory. ~he notation DEClExoDATAl~DATA is used to describe 13 this operation whereby the term DEC indicates the function, 14 the contents of the bracket indicate the data parameter input to the crypto engine 16 and the arrow points to the 16 result~.
17 Referring now to Fig. 8, there is shown a ~implified 18 block diagram o~ an encipher data (ECPH) function. This 19 function is a combination of the DECK function and the ENC
functlon and is carried out by the following sequence of 21 commands: (1) DECK ~2) 8 PIOW's (3) ENC (4) 8 PIOWIs and (5 22 8 PIOR's. Accordingly, in exacuting this function, the 23 crypto engine control~ are first set to the decipher key 24 mode of operation by the DECK command causing the master key ~Y in the master key memory 13 to be transferred as th~
26 working key to the working key register of the crypto engine 27 16. Aftex or during the master key loading, the key parameter 28 of the function, consisting of an operational key enciphered 29 under the master key, is loaded in~o the crypto engine 16 by means of 8 successive PIOW data commands. The crypto engine 1119;ZS8 1 16 then performq a decipher key operation to obtain the 2 op~rational key in clear form which i8 then loaded back in 3 a~ the worktng key of the crypto engine 16 replacing the 4 previou~ly loaded ma~ter key. The crypto e,~gine controls are then set to an encipher mode of operation by the ENC
6 command and the data parameter of the function, consisting 7 of clear data, i~ loaded into the crypto engine 16 by means 8 of 8 ~ucce~sive PIOW data commands. The crypto engine 16 9 than performs an encipher operation to encipher th~ data parnmeter under the pre~ent operational key. The enciphered 11 re~ult i~ the~. transferred by a ~erie~ of 8 PIOR commands 12 from the crypto engine 16 for ~torage in de3~gnated field3 13 of the terminal or ho~t memory. The notation 14 ECPH~EKMKO,DATA] IERoDATA i3 used to describe thi~ operation whereby the term ECPH ~ndicate~ the function, the contents lS of the bracket indicate the succes~ive key parameter and 17 data parameter inputs to the crypto engine and the arrow 18 point~ to the re~ult.
19 Referring now to Fig. 9, there i8 shown a simplified bloc~ diagram of a decipher data (DCP~ function. Thi~
21 ~unctlon i~ a combination of the DECK function and the DEC
22 function and is carried out by the following ~equence of 23 command~: (1) DECK (2) 8 PIOW'~ (3) DEC (4) 8 PIOW'~ and 24 t5) 8 PIOR'8. ~he firBt part of this function i~ identical to that for the enc$pher data function ln~ofar a~ loading an 26 oper~tlonal key in clear form as the working key of the 27 crypto engine 16. After the operational key loading i~
28 completed, the crypto engine controls are then ~et to a 29 declpher mode of operation by the DEC command and the data parameter of the function, con~l~ting of DATA enciphered ~119Z~

1 under the operational key, i8 loaded into the crypto engine 2 16 by means of 8 ~uccessive PIOW data commands. The crypto 3 engine 16 then performs the decipher operation to decipher 4 the data parameter under control of the present operational key. The deciphered result i3 then transferred by a series 6 of 8 PIOR command-4 from the crypto engine 16 for storage in 7 designated fields of the hoqt memory 2. The notation DCP~[EK~XO,EK~DATA]~DATA is used to describe thi~ operation 9 whereby the term DCPI~ indicates the function, the contents of the bracket indicate the ~uccesYive key parameter and the 11 data parameter inputs to the crypto engine and the arrow 12 points to the result.

1~9; :~8 1 DETAILED DESCRIPTION OF THE INVENTION:
2 In a data communication network employing crypto-3 graphy for communication security of data communication 4 ~essions between ~tations of the network remo~e from one another, it is necessary to e~tablish a common ses~ion or 6 operational key at two of the ~tations of the network, 7 in order to permit data enciphered at one ~tation under 8 control of the operational key at that stàtion to be g communicated to the other station over a communication line 80 that the enciphered data can be decip~ered ~nder 11 control of the ~perational key at the other station in order 12 to obtain the first station data in clear form at the second 13 statisn. Likewise, by having the common operational key, 14 data enciphered at the second station under control of the operational key at that station can be communicated over the 16 communication line to the first station so that the enciphered 17 data can be deciphered under control of the operational key 18 at the first station in order to obtain the second station 19 data in clear form at the first station.
In order to establish the common operational key at 21 both ~tat10ns, it is nece~ary to provide a protocol where 22 the operational key establi~hed at one staticn can be 23 cummunicated in protected form to the other station by 24 enciphering the operational key under a communication key which is known by the receiving station 80 that the enciphered 26 operational key can ~e deciphered at the receiving ~tation 27 to obtain the operational key in clear form to permit 28 enciphering/deciphering data operations betw~en the two Ki977012 -43- -ll~g~6~

1 stations. An opponent who wiretaps the communication line 2 and records an entire communication se~sion by day and 3 attempts to decipher the enciphered data communication will 4 be blocked inasmuch as he does not have available to him the communication key under which the operational key i8 enclphered.
6 However, this communication may be exposed by a ~o called 7 "midnight attack" in which the opponent who wiretapped the 8 communication line and recorded the communication ses~ion gain~
g unauthori~d access at night to the station which received the communication session by day. Since the station ha~ installed 11 within its cryptographic facility the communication key which 12 was used by the other station to com~unicate the enciphered 13 operational key, the opponent can play ~ack the recording into 14 the terminal in such a manner that the ~tation is unaware that it is in data communication with other than the other station.
16 During the playback, the operational key enciphered under 17 the communication key will be deciphered by the station' 8 18 communication key to obtain the operational key in clear form 19 as a working key for the cryptographic facility. The opponent may then play back the enciphered data of the other station 21 and obtain the other station data in clear form.
22 The verification arrangement of the present invention 23 will prevent thls midnight attack a~ it permits the first 24 station to send a challenge to the source of the data commu-nication in accordance with the operational key at the first 26 statio~ requiring the source to reply with a cryptographic 27 me~age in accordance with the operational key at the second 28 station in such a form that the first station can verify 29 that the source of the cryptographic mes~age is in fact the second station only if the operational keys o~ the two Xig77012 -44-11192~8 1 stations are identical. The detailed descriptions which 2 follow describe various embodiments of the verification 3 arrangement of the present invention involving two stations 4 which may be in a single or multiple domain communication network. In the case of a single domain network, the first 6 station may consist of a remote communication terminal 7 having a data security device, and the second station may 8 consist of a host system having a data security device, 9 and an associated application program. In the case of a multiple domain network, the first station may consist of 11 a remote communication terminal having a data security 12 device, associated with a host system in one domain having 13 a data security device, or an application program 14 associated with such a host system while the second station may consist of a similar type of communication terminal or 16 application program associated with a similar type of host 17 system in another domain of the multiple domain communication 18 network.

KI977012 ~45~
R

6~3 1 In order to simplify and aid in the understanding of the 2 present invention, simplified block diagrams are used to 3 illustrate the cryptographic operations carried out by the 4 cryptographic facility at each station.
Referring now to Figs. lOa and lOb, there is shown a 6 block diagram of the verification arrangement showing a data 7 communication from a first station to a second station. In 8 order to further simplify and aid in the understanding of 9 the present invention, let it be assumed that station 1 is a communication terminal and station 2 is a host system in 11 either a single or multiple domain communication network.
12 Further, let it be assumed that a communication session has 13 been established between the two stations such that a common 14 session or operational key now resides in location A of the lS host memory in the form EKMH0KS, and in location F of the 16 terminal memory in the form EK~5TKS, where KMH0 is the host 17 system master key and KMT iS the terminal master key, and 18 that a copy of the operational key in the form EKMTKS, which 19 was communicated to the terminal by the host system, resides in location D of the host memory. Because of the fact that 21 the crypto engine operates on a 64 bit basis, the data words 22 in the terminal and host memories are shown, in simplified 23 form, as containing 64 bit data words. The terminal and 24 host memories may be random access type of memories, which are well known in the prior art, and which are addressable 26 on a byte basis.

11~9~Z~3 1 The description which now follows i9 keyed to numbered notations in the figures in order to aid in ~mder~tanding 3 the sequence of operations performed in carrying out the 4 verification operation. Referring now to ~ig. 10a, (1) an encipher r;cpH function is first performed involving a 6 combination of a decipher key DECK command operation f~llowed 7 by an encipher data ENC command operation. Accordingly, in 8 executing this function, the terminal data security device 9 is set to the decipher key mode of operation by the DECX
command causing the terminal master key KMT to be read out 11 of the master key memory and transferred a~ the working key 12 to the working key register of the crypto engine. By a 13 series of PIOW commands, the operational key enciphered 14 under the terminal master key i.e. FKMTKS, i8 read out of location F of the terminal memory and loaded into the crypto 16 engine. The crypto engine then performs a decipher key 17 operation to obtain the operational key KS in clear iorm 18 which is loaded back in the working key register of the 19 crypto engine as the working key replacing the previou~ly loaded terminal master key KMT. The crypto engine controls 21 are then set to an encipher data mode of operation by the 22 ENC command and by another series of PIOW commands, the 23 operational key enciphered under the terminal master key 24 i.e. ~KMTKS, i8 again read out of location F of the terminal memory and loaded into the crypto engine. The cryp~o en~ine 26 then performs an encipher operation to encipher the enciphered 27 operational key under the working key i.e. K~, to obtain the 2~ enciphered result ~KS(EKMT~S) defined as being a p3eudo-29 random number RM. The enciphered re~ult RN i~ then tran~-Ki977012 -47- u ~1~9~6~

1 ferred by a ~eries of PIOR commandQ from the crypto 2 engine for storage $n location J of the terminal memory.
3 (2) Half of the data word stored in location G i~ used a~
4 a general purpose counter for a variety of ~dependent purposes. When an unpredictable number i~ required, the 6 current count ~alue CT i~ incremented ~y a constant 1 stored 7 in location H by an ADD operation carried out by the terminal 8 proce~sor providing a new count having a value CTi which ls 9 stored back in location G. The other half of the data word in location G is a con~tant of all zeros. ConQequently, the 11 data word in location G now cOnSi~tQ of the count value CTi 12 and the all zeros value providing a number having a variabls 13 quantity for subsequent u~e. (3) The terminal proce~sor now 14 performs an exclusive OR operation by which the random number RN stored in location J i8 modulo-2 ~dded to th~ data 16 word in lw ation G to provide a first verification number 17 N~(RNeCTi) (RN), the symbol ~ refexring to the modulo-2 18 addition. The first verification number N i~ then Qtored in 19 location K of the terminal memory.
(4) At this point, an encipher ENC or ECPH ~unction i8 21 performed to encipher the first verification number N under 22 the operational key XS to provide th~ enciphered result 23 EKSN for transmission to the ho~t sy~tem. If the terminal 24 is a cluster type of terminal having other I~O device~
a8~0ciated with it for performing ~ er communication 26 se88ion~, the crypto engine may have been used for such 27 other gessions and, as a result, the working key contained 28 in the working register of the crypto englne may no longer 29 contain the operational key for the present communication session. Therefore, under that circumstance, an ECPH function 31 would be required in order to carry out another DECR opcration ~11926B

1 to reload the operational key of the present communicatlon 2 se~sion into the working key register of the crypto engine 3 in order to properly carry out the encipher ENC operation on 4 the verification number N. On the other hand, ~f the operational key of the pre~ent com~unication se~sion still 6 re~ides in the working key register of the crypto engine, 7 then it is only necessary to perform the encipher ENC opera ion.
8 Accordingly, the ~rypto engine controls are either already g set for the encipher mode of operation as a result of the previou3 encipher operation or are set to this mode by a 11 new ENC command if the cipher engine had been ~ub~e~uently 12 u~ed for other communication sessions. By an~ther serie~
13 of PIOW commands, the first verification number is read 14 out of location K of the terminal memory and loaded into the crypto engine and an encipher operation is carried 16 out to encipher the f~r~t verification number N under the 17 operational key KS to obtain the enciphered re~ult E~SN.
18 The enciphered result EKSN i8 then transferred by a series 19 of PIOR commands from the crypto engine for storage ln locatlon L of the terminal memory. (5) The first verlflca-21 tion number enciphered under the operatlonal key i.e. F.KSN, 22 i~ now communicated from the terminal to the host ~ystem 23 and, referring to ~ig. 10b, i~ stored in location B of the 24 hogt memorY.
At this pcint, the host ~ystem can perform a veri-26 fication operation to verify that the source of the enciphered 27 me~sage now stored in location B of the host memory came 28 from the terminal if the o~erational key at the host sy~tem 29 i~ identical to the operational key at the terminal. (6) Accoxdin~ly, a DCPH function is performed invol~lng a Xi977012 -49-9~6~3 1 combination of a decipher key DECK operation followed ~y a 2 decipher data DEC operation. In executing this function, 3 the host data security device is set to the decipher key 4 mode of operation by the DECK command causing the ho~t master key ~MH0 to be read out of the master key memory and 6 transferred as t.he working key to the working key register 7 of the crypto engine. By a series of PIO~ command~, the ~ operational key enciphered under the host master key i.e.
g EKMIIpXS, is read out of location ~ of the host memory and loaded into the crypto engine. The crypto engine then 11 performs a decipher key operation to obtain the operational 12 key KS in clear form which is loaded back in the working key 13 register of the crypto engine as the working key replacing 14 the previously loaded host master key KMH~. The crypto engine controls are then set to a decipher data mode of 16 operation by the DEC command and by another serie~ of PIOW
17 command~, the first verification number enciphered under the 18 operational key of the terminal i.e. EKS~, is read out of 19 location B of the ho~t memory and loaded into the crypto engine. The crypto engine then performs the d~cipher data 21 operation to decipher the first verification number enciphered 22 under the operational key of the terminal under control of 23 host system to obtain a second verification number 'N' which 24 should be equal to the first verification number N if the operational key of the host system is identical to the 26 operational key of the terminal. The deciphered re~ult 27 'N's'[RN4CTi]' 'lRNl'is then transferred by a ~eries of PIOR
28 commands from the crypto engine for storage in location C of 29 the host memory.

(7) At this point, an encipher ENC or FCPH functlon Ki977012 -50-~926~

1 is performed to encipher the enciphered operational key 2 i.e. EKMTRS stored in location D of the ho~t memory under 3 the operattonal key ~S at the host ~emory to provide an 4 enciphered result E~S(EKMT~S)=RN wh~ch should be equal to S the p~eudo-random number RN previously produced at the 6 terminal if the operational key at the ho~t system ~
7 identlcal to the operational key at the terminal. Since the 8 host ~ystem may be carrying out numerous communication session~
9 with other stations, ~t i8 possible that the crypto engine may be used for such sessions before an opportunity is provlded to 11 carry out the encipher operation. As a result, the working key 12 contalned in the working register of the crypto engine may no 13 longer contain the operational key for the present commNnicatlon 14 Be88ion. Therefore, under that circum~tance an ~CPH function 15 would be required in order to carry out another DECK operation 16 to reload the o~erational key of the present communication 17 ~ession into the working key register of the crypto engine in 18 order to properly carry out the encipher ENC operation on the 19 copy of the operational key stored in location ~ of the host 20 memory. On the other hand, if the operational key of the 21 present communication session ~till resides in the working 22 key regi~ter of the crypto engine, then it is only necessary 23 to perform the encipher ENC operation. Accordingly, either 24 the operational key of the host system i8 already present ~n the working key xegi~ter or the DECK operation i8 performed 26 to load the operational key of the ho~t ~ystem into the 27 work~ng key regi~te- of the crypto engine. The crypto 28 engine controls are then set to an encipher mode of operation 29 by the ~NC command and by a series of PIOW commands~ the 30 operational key enciphered under the terminal master key i.e.

Ki977012 -51-~19Z~i;B

1 EKMTKS, is read out of location D of the host memory and 2 loaded into the crypto engine. Ihe crypto engine then 3 performs the encipher operation to encipher the data word 4 read out of location V of the host memory under the opera-tional key to obtain the enciphered result E~S(EKM~XS) aRN
6 whlch should be equal to the pseudo-random number previou~ly 7 produced at the terminal if the operational key of the ho~t 8 8y8tem i8 identical to the operational key of the terminal.
9 The enciphered result RN i8 then tran~fexre~ by a ~eries of PIOR commands from the crypto engine for storaqe in location 11 E of the host memory. It can be seen that the second half of 12 the second ver$fication number 'RN' stored in locat$on ~ of 13 the ho~t memory should be equal to the second half of the 14 random number ~N stored in location ~ of the host memory if the operational key at the terminal and host system are 16 identical. (8) Accordingly, the host system proces~or now 17 performs a compare operation to compaxe the socond portion 18 of the data word in location C of the host memory i.e. 'RN' 19 w$th the secon~ portion of the da~a word in location ~ of th~ ho8t memor~ i.e. RN to veri~y that the terminal wa~ the 21 source of the enciphered message I~KS~. only ~f the operational 22 key at the host memory and the terminal are identi~al. If the 23 two numbers compare, then the verification operation may 24 proceed, whereas if the number~ do not compare, the ho~t ~y~tem may unbind the communication ~ession thereby terminating 26 further operation with the terminal.
27 At this point, the host system has verified that the 28 terminal is the source of the enciphered me~sage and that 29 both the terminal and the host system are using ~dentical operational keys. Now, the host system must provide a reply Ki977012 -52-1119~68 1 message back to the terminal to allow the terminal to verify 2 that the host sy~tem i8 the other end of the communication 3 se~ion. In order to complete the hand~haking protocol 4 between the two stations and to allow the terminal to verify that the host system is the genuine ~ource of the crypto-6 graphic data communication, it is necessary for the ho~t 7 system to create a reply message, in a form which is based 8 upon the operational key at the host ~ystem, for transmi~ion 9 to the terminal to ~ermit such verification only if the operational key at the terminal is identical to that at the 11 host ~ystem.
12 Referring now to Figs. lla and llb, there is illustrated 13 in block diagram form the second half of the handshaking protocol 14 by which the host system in Fig. lla provide~ a crypto-graphic data communication, based on the operational ~ey at 16 the ho~t system, for transmission to the terminal in Fig. llb to 17 permit such verification at the terminal. (1) A first function 18 is performed at the host system by which the ~econd verif~cation 19 number 'N's'~RN~CTi)' '(RN)' is modified to obtain a modified second verification number ~. The host system processor 21 accomplishe~ this function by performin~ an exclusive OR
22 operation by which the second verification number stored in 23 location C of the host memory i~ modulo-2 added to a constant 24 consisting of four bytes of ones and four bytes of zeroe~
stored in location M of the ho~t memory to prov~de a modlfied 26 second verification number ~ in which the fir~t four bytes 27 Of the qecond verification number are inverted and the 28 second four bytes of the ~econd verification number remain 29 unchanged. The modified second verification number '~' is then stored in location M of the host memory (2) An Ki977012 -53-i8 1 enclpher ECPH function is next performed involving the 2 combination of a decipher key DECK operation followed by an 3 encipher data ENC operation. In executing this function, 4 the host data security device is set to the decipher key mode of operation by the ~ECK command cau~ing the hb~t master key 6 KMH0 to be read out of the master key memory and transferrea a~
7 the working key to the working key regi~ter of the crypto 8 engine. By a ~eries of ~IOW commands, the oper~tional key 9 encipher~d under the hofit master key i.e. EKMH~RS i~ read out of location A of the ho~t memory and loaded into the crypto 11 engine. The crypto engine then performs a decipher key 12 operation to obtain the operational key XS is clear form which 13 i6 loaded back n the working key register of the crypto 14 engine a~ the working key replacing the previously loaded host ma~ter key RMHp. The crypto engine controls are then 16 set to an encipher data mode of operation by the FNC command 17 and by another ~erie~ of PIOW commands, the modified second 18 verification num~er '~ read out of location N of the ho3t 19 memory and loadod into the crypto engine. The crypto engine then perform~ the encipher operation to encipher the modif~ed 21 second verification number under the operational k~y KS to 22 obtain the enciphered result '~S~' The enc~phered re~ult 23 i~ then transferred by a series of PIOR commands rom the 24 crypto engine fox storage in location 0 of the host memory.
(3) The modified second verification number enciphered under 26 the operationa} key i.e. '~KS~' is then communicated from 27 the ho~t sy~tem to the terminal and, referring to ~ig. llb, 28 i8 stored 1n location P of the terminal memory.
29 At this point, ~ince the terminal stores the first verification number $n location K of the terminal memory, Ki977012 -54-ll~9Z68 , , the terminal can perform a verification operation to verify that the source of the reply message now stored in location P of the terminal memory is the host system if the opera-tional key at the host system is identical to the operational key at the terminal. This is accomplished at the terminal by deriving the second verification number which should be equal to the first verification number only if the operational keys are identical. (4) Accordingly, a decipher DCPH function is performed involving a combination of a decipher key DECK operation followed by a decipher data DECK operation. In executing this function, the terminal data security device is set to the decipher key mode of operation by the DECK command causing the terminal master key KMT to be read out of the master key memory and transferred as the working key to the working key register of the crypto engine. By a series of PIOW commands, the operational key enciphered under the terminal master key i.e. EKMTKS, is read out of location F of the terminal memory and loaded into the crypto engine. The crypto engine then performs the decipher key operation to obtain the operational key KS in clear form which is loaded back in the working register of the crypto engine as the working key replacing the previously loaded terminal master key KMT.
The crypto engine is then set to a decipher data mode of operation by the DEC command and by a series of PIOW
commands, the enciphered modified second verification number received from the host system is read out of location P of the terminal memory and loaded into the crypto engine. The crypto engine then performs a decipher operation to decipher the enciphered modified second verification number under control of the operational key to obtain the modified second ~;,7-~ ~,926~3 1 verification number '~' if the operational key at the 2 terminal is identical to the operational key at the host 3 system. The modified ~econd verification number '~' is then 4 tran~ferred by a serie~ of PIOR commands from the crypto engine for storage in location Q of the terminal memory.
6 ~5) A second function is performed at the terminal 7 which is the inverse of the first function that was previou~ly 8 performed at the host system so that the modified second 9 verification number '~'='(R2l~CI'i)' '(RN)' is modified in ~uch a way as to obtain the second verification number in 11 unmodified form. The terminal proce~sor accom~lishes this 12 function by performing an exclusive OR operation by which 13 the modified seCOnd verification number '~' ~tored in 14 location Q of the terminal memory is modulo-2 added to a con~tant consisting of four byte~ of ones and four bytes of 16 zeroe~ stored in location I of the terminal memory in order 17 to invert the first portion of the modified second verifica-18 tion number and to leave the ~econd portion unchanged re~ulting 19 in a number which is equal to the second verification number 'N'. The second verification numbex 'N' is then stored in 21 location R of the terminal memory. It can be seen that the 22 second verification number 'N' stored in location R of the 23 terminal memor~ should be equal to the first verification 24 number N stored in location K of the terminal memory only if the operational key at the terminal is identical to the 26 operational key at the host ~ystem. (6) The terminal 27 proces~or next performs a compare operation to compare the 28 first verification number N in location K of the terminal 29 memory with the second verification number 'N' stored in location R of the terminal memory which should be equal to Ki977012 -5G~

1~19~

each other if the operational keys at the two stations are identical. If the two numbers compare, it verifies that the host system was the source of the cryptographic data communication and further cryptographic data communi-cations may proceed between the terminal and the host system.On the other hand, if the two numbers do not compare, then the enciphered operational key stored in location F of the terminal memory is set to all zeroes to assure further communi-cation between the terminal and the host system is inhibited.
Therefore, with the verification arrangement of the present invention a dual verification has been provided whereby the host system verifies that the terminal is the source of cryptographic data communications only if the operational key at both stations are identical and the terminal verifies that the host system is the source of cryptographic data communications only if the operational key of the two stations are identical.
Referring now to Fig. 12, there is shown, in block form, an embodiment of an alternative arrangement performed at one station to verify that the source of the cryptographic data communication is the other station if the operational key at the two stations is identical. In this arrangement, the modified second verification number enciphered under the operational key at the host system is deciphered at the terminal to obtain the modified second verification number in clear form and the terminal performs a function which is identical to the function performed by the host system to create a number which should be equal to the modified second verification number if the operational key at the terminal is identical to the operational key at the host system.

.~ .

Starting from the point where the enciphered modified second verification number has been received at the terminal and is stored in location P of the terminal memory, (4) a DCPH
function is performed involving a combination of the decipher key DECK operation followed by a decipher data DEC operation.
In executing this function, the terminal data security device is set to the decipher key mode of operation by the DECK command causing the terminal master key KMT to be read out of the master key memory and transferred as the working key to the working key register of the crypto engine. By a series of PIOW commands, the operational key enciphered under the terminal master key i.e. EKMTKS, is read out of location F of the terminal memory and loaded into the crypto engine. The crypto engine then performs a decipher key operation to obtain the operational key KS in clear form which is loaded back in the working key register of the crypto engine as the working key replacing the previously loaded terminal master key KMT. The crypto engine controls are then set to a decipher data mode of operation by the DEC
command and by another series of PIOW commands, the enciphered modified second verification number received from the host memory is read out of location P of the terminal memory and loaded into the crypto engine. The crypto engine then performs a decipher operation to decipher the enciphered modified second verification number to obtain the modified second verification number in clear form which is then transferred by a series of PIOR commands from the crypto engine for storage in location Q of the term:inal memory.
Since the second verification number should be equal to the first verification number if the operational keys at the 11~9268 1 terminal and the host system are identical, and if the 2 terminal mod~fie~ the first verification number by the 3 same function that was performed to modify the ~econd 4 verification number then the resulting modified first s verification number should be equal to the modified second 6 verific~tion number if the operational keys at the termin~l 7 and the nost system are identical. (5) Accordingly, the 8 terminal proces60r now performs an exclu~ive OR operation by g which ti~e first veri~ication number stored in location K of the terminal memory is modulo-2 added to a constant conRiRting 11 of four bytes of ones and four bytes of zeroes stored in 12 location I of the terminal memory to pro~uce a result which 13 invert.R half of the first verification number and leaves the 14 Recond half uncnanged so as to produce a modified first verification nun~er which should be equal to the modified 16 second verificatio~ num~er if the operational key~ at ~le 17 terminal and the host system are identical. ~he modified 18 first verification num~er i9 then stored in location S of 19 the terminal memory. (6) Tne terminal processor then performs a compare operation to compare the modifie~ first 21 verification num~er stored in location S o the terminal 22 memory with the modified second verification number storad 23 in location ~ of the terl~nal memory and if the number~
24 compare it verifie~ tnat the host system wa~ the source of the cryptographic data co~ull~nication if tAe operational key 26 at the terminal and the host system are identical. On the 27 other hand, if the two n~ers do not compare, then the 28 operational key enciphered under the terminal master key 29 reset to z~ro to assure furuler meaningful communications are inhibited.

Kl977dl2 -i9--1~19Z6`B

1 Referring now to Fiq. 13, there is shown, in block form, 2 an embodiment of still another alternati~e arrangement 3 performed at one station to verify that the source of the 4 cryptographic data communication i5 the other station if the operational keys at the two stations are identical. In 6 this arrangemen , since the first verification number should 7 be equal to the second verification number if the operatlonal 8 keys at the terminal and at the host system are identic~l, 9 then the first verification number may be modified by the same function that was performed at the host system to 11 modify the second verification number to obt~.in a modified 12 first verif~cation number which should be equal to ~he 13 modified second verifica~ion nuFber if the operational keys 14 at the terminal and the host system are identical and the modified first verification number can then be enciphered 16 under the operational key at the terminal to obtain an 17 enciphered modified first verification-number which should 18 be equal to the enciphered modified second verification 19 number if the operational keys at the terminal. and the ho~t ~ystem are identical. Accordingly, startin~ from the polnt 21 where the enciphered modified second verification number ha~
22 been stored in location P of the terminal memory, (4) the 23 terminal processor now performs an exclusive ~R operation 24 by which the first verification number N stored in location X
Of the t~rminal memory is modulo 2 added to a con~tant 26 consisting of four bytes of all ones and four byte~ of all 27 zeroes to invert the first half of the first modification 28 number and to leave the second half unchanged with the 29 re~ult being equal to a modified first ~erification number ~ which should be e~ual to the modified second verification ~i977012 -6~-~926B

1 number if the operational keys at the terminal and at the 2 host system are identical. I~he resulting modified first 3 verification number ~ is stored at location S in the 4 terminal memory. (5) An encipher ~CPH function i9 now performed which involves a combination of a decipher key 6 DEC~ command operation followed by an encipher data FMC
7 command operAtion. Accordingly, in executing this function, 8 the terminal data security device is set to the decipher key g mode of operation by the DEC~ command causing the terminal 10 master ke~ XMT to be read out of the master key memory and 11 transferre~ as the working key to the working key register 12 Of the crypto engine. Py a series of PIOW commands, the 13 operational key enciphered under the terminal master key 14 ie- EKMTKS, is read out of location F of the terminal 15 memory and loaded into the crypto engine. The crypto engine 16 then performs a decipher key operation to obtain the opera-17 tional key E;S in clear form which is loaded bacX in the 18 working key register of the crypto engine a~ the working key 19 replacing the previously loaded terminal master key KMT.
20 ~he crypto engine controls are then set to an encipher data 21 mode of operation by the ~C command and by another ~eries ~2 of PI~W command~, the modified first verification number ~
23 is read out o~ location S of the terminal memory and loaded 24 into the crypto engine. The crypto engine then perform~ an 25 encipher operation to encipher the modified firqt verifica-26 tion num~er under the operational key to obtain the enciphered 27 result E~s~ which is transferred by a series of PIOR commands 28 from the crypto engine for storage in location T of the 29 terminal memory. (~) The terminal processor now performs a 30 compare operation to compare the enciphered modified flrst Ki977012 -61-11~;~

1 verification number stored in location T of the terminal 2 memory with the enciphered modified second verification 3 number stored in location P of the terminal memory to 4 verify that the host system was the source of the enciphered message only if the operational key at the host system is 6 identical to the operational key at the terminal. If the 7 two numbers compare, then the communication session between 8 the terminal and the host system may proceed whereas, if the 9 numbers do not compare, then the operational key enciphered under the terminal master key EKMTKS is set to zeroes 11 to assure further meaningful communication between the 12 terminal and the host system is inhibited.
13 While the above description of the dual verification 14 arrangement of the present invention has been described in terms of a communication terminal and a host system in a 16 single or multiple domain data communication network, it 17 will be apparent to those skilled in the art that the tech-18 nique is equally applicable where the first station is an 19 application program associated with a host system in one domain and the second station is an application program 21 associated with a host system in another domain of a multiple 22 domain data communication network. In such arrangements, 23 since the application programs do not have a cryptographic 24 facility of their own, use is made of each host systems data security device. Accordingly, after a communication session 26 is established between the two application programs, each 27 host memory contains an operational key enciphered under the KIg77012 -62-~s,, , "

~ ~9268 1 re~pective host master key e.g. E .KS and E kRS where KMH~ KMH0 2 ~ and k represent the different domains, and the operational 3 key enciphered under the application key of the application 4 program a~sociated with one of the host systems e.g. E ~S, KNA
where K~A the application key associated with the application 6 program is similar to ~irl for purpose~ of the verification 7 operation. Therefore, in this case, ~RNAKS at one host system can be used, as was ~KMTKS, to create a pseudo-random 9 number under control of the operational key decipnered by using ,3 j~S in a ~ECX operation WiliCh may then be combined KMH~
11 with a variable to establish a first verification number N
12 for encipherment under the operational key at the one host 13 system i.e. EKS~ for transmission by the application program 14 in one domain to the application program in the other ~omain.
At the host systern in the otner domain, usin~ the operational 16 key enciphered under the other nost system master key i.e.
17 ~ KS and the operational key enciphered under the RMI~>9'k 18 application key i.e. ~ KS both of wnich are stored in the KNA~
19 host memory of the host sy~tein in the other domain, a veri-fication operation can be performed similar to that previously 21 ~escribed to verify that the application pro~ram in one 22 domain is the source of the cryptographic data communication 23 to the application program in the other domain if t~e 24 operational keys at the two host systems are identical.
Similarly, by deciphering received message ~KSN from the 26 application program in the one domain and performing a similar 27 function to invert half of the deciphered n~er N to obtain 28 the n~-i~er ~, then, Dy usiny tle operationaI key enciphered 29 under the host master ~;ey of the host system in the other domain i.e. L, k~S, tne iiloai~iea number ~ may be enciphered ~19Z68 1 under the operational key at the other host ~ystem EKs~ for 2 transmi~sion by the application program as~ociated with the 3 ho~t ~ystem in the other domain to the application program 4 as~ociated with the host system in the one domain. In a manner similar to that described above, but using the 6 operational key enciphered under the host ma~ter key i.e.
7 E KS, of ~e ho~t system in the one domain, the KMH~
8 enciphered message EKS~ can be deciphered to obtain the 9 number ~l which by a ~imilar function can be modified to obtain the number 'N' to verify that the source of the 11 cryptographic data communication is the application program 12 in the other domain. The alternative techniques of the 13 verification arrangement can be equally used in thi~ situation 14 a~ well.
It will be apparent that the verificatlon technique of 16 the present invention provide~ as~urance that the cryptographic 17 keys at both stations are properly in place and working a3 to 18 permit ~ubsequent cryptographic data communlcations and that 19 it will preve~t the "midnight at~ack". The latter i~ as~ured ~ince the verification number that may be wiretapped by the 21 opponent during a particular se~sion will not be equal to 22 the verification number that i5 generated by the sendlng ~tat~on 23 for lt~ authentication check, Thu~, for example, if Nl i8 the 24 value generated by station 1 during the particular session which i~ wiretapped by the opponent, then at a Iater time, 26 when the opponent plays the recording into ~tation 1, a value 27 ~2~ where N2 ~ Nl, will be generated by ~tation 1 for its 28 authentication check. The prior value of EKS~l which was 29 wiretapped by the opponent will not ~ucceed when played back into station ~, since a compari~on of ~1 and N2, ~1 and ~2 or KI977012 ~64-~9:2~i8 1 EKS~2 will fail.
2 While the invention has been descri~ed in terms of 3 performing an encipher operation for enciphering data by 4 u~e of an encipher command and performing a decipher operation for deciphering enciphered data by us~ of a 6 decipher command, it will be recognized by tho~e skilled 7 in the art that these are inverse functions and, therefore, 8 are not limited to those types of operations. ~hus, a 9 decipher operation may be used to encipher data and an encipher operation may then be used to decipher the enciphered 11 data.
12 While the invention has been particularly shown and 13 described with reference to the preferred embodiments 14 hereof, it will be understood by those ~killed in the art that several changes in form and detail may be made 16 without departing from the spirit and scope of the 17 invention.
18 What is claimed i8:

Claims (16)

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

1. In a data communication network providing communication se-curity for data communication sessions between a first station and a second station where each station has cryptographic apparatus provided with an operational key for cryptographic operations, a process for operational key verification comprising the steps of:
providing a first version of a verification number at said first station, enciphering said verification number under control of said operational key at said first station for transmission to said se-cond station, deciphering said enciphered verification number under control of said operational key at said second station to provide said veri-fication number, modifying said verification number at said second station to provide a modified verification number, enciphering said modified verification number under control of said operational key at said second station for transmission to said first station, and performing an operation at said first station in accordance with said verification number and said enciphered modified verification number to verify that said second station is the source of the cipher transmission to said first station only if said operational key at said first station is identical to said operational key at said second station.

2. In the process as defined in Claim 1 wherein said-verification number is a pseudo-random number.

3. In the process as defined in Claim 1 wherein said first station is a communication terminal and said second station is an application program associated with a host data processing system.

4. In the process as defined in Claim 1 wherein said first station is a first communication terminal and said second station is a second communication terminal.

5. In the process as defined in Claim 1 wherein said first station is a communication terminal associated with a host data processing system in one domain and said second station is an appli-cation program associated with a host data processing system in another domain of a multiple domain data communication network.

6. In the process as defined in Claim 1 wherein said first station is a first application program associated with a host data proces-sing system in one domain and said second station is a second appli-cation program associated with a host data processing system in another domain of a multiple domain data communication network.

7. In the process as defined in Claim 1 wherein said first station is a first communication terminal associated with a host data pro-cessing system in one domain and said second station is a second com-munication terminal associated with a host data processing system in another domain of a multiple domain data communication network.

8. In the process as defined in Claim 1 wherein the operation per-formed at said first station includes the steps of:
deciphering said enciphered modified verification number under control of said operational key at said first station to provide said modified verification number, inversely modifying said modified verification number at said first station to provide a second version of said verification number, and comparing said first version of said verification number with said second version of said verification number at said first station to verify that said second station is the source of the cipher transmission to said first station only if said operational key at said first station is identical to said operational key at said second station.

9. In the process as defined in Claim 1 wherein the opera-tion performed at said first station includes the steps of:
deciphering said enciphered modified verification number under control of said operational key at said first station to provide a first version of said modified verification number, modifying said verification number at said first station to provide a second version of said modified verification number, and comparing said first version of said modified verification number with said second version of said modified verification number at said first station to verify that said second station is the source of the cipher transmission to said first station only if the operational key at said first station is identical to the operational key at said second station.

10. In the process as defined in Claim 1 wherein the operation per-formed at said first station includes the steps of:
modifying said verification number at said first station to provide a modified verification number, enciphering said modified verification number under control of said operational key at said first station, and comparing said enciphered modified verification number with said enciphered modified verification number received from said second station at said first station to verify that said second station is the source of the cipher transmission to said first station only if said operational key at said first station is identical to said operational key at said second station.

11. In the process as defined in Claim 1 wherein the step of modi-fying said verification number comprises inverting a portion of said verification number.

12. In the process as defined in Claim 11 wherein the operation performed at said first station includes the steps of:

deciphering said enciphered modified verification number under control of said operational key at said first station to provide said modified verification number, inverting a portion of said modified verification number at said first station which corresponds to said portion of said verification number which was inverted to provide a second version of said verifi-cation number, and comparing said first version of said verification number with said second version of said verification number at said first station to verify that said second station is the source of the cipher trans-mission to said first station only if said operational key at said first station is identical to said operational key at said second station.

13. In the process as defined in Claim 11 wherein the operation performed at said first station includes the steps of:
deciphering said enciphered modified verification number under control of said operational key at said first station to provide a first version of said modified verification number, inverting a portion of said verification number at said first station to provide a second version of said modified verification number,and comparing said first version of said modified verification number with said second version of said modified verification number at said first station to verify that said second station is the source of the cipher transmission to said first station only if the operational key at said first station is identical to the operational key at said second station.

14. In the process as defined in Claim 11 wherein the operation performed at said first station includes the steps of:
inverting a portion of said verification number at said first station to provide a modified verification number, enciphering said modified verification number under control of said operational key at said first station, and comparing said enciphered modified verification number with said enciphered modified verification number received from said second station at said first station to verify that said second station is the source of the cipher transmission to said first station only if said operation-al key at said first station is identical to said operational key at said second station.

15. In a data communication network providing communication security for data communication sessions between a first station and a second station where each station has cryptographic apparatus provided with an operational key for cryptographic operations, a process for opera-tional key verification comprising the steps of:
providing a first number at said first station having a first portion and a second portion, modifying said first portion of said first number to provide a modified first number, enciphering said modified first number under control of said operational key at said first station for transmission to said second station, deciphering said enciphered modified first number under control of said operational key at said second station to provide a first verification number, providing a second verification number at said second station having a first portion and a second portion equal to said first por-tion and said second portion of said first number, and comparing said second portion of said first verification number with said second portion of said second verification number at said second station to verify that said first station is the source of the cipher transmission to said second station only if said operational key at said first station is identical to said operational key at said second station.

16. In a data communication network providing communication security for data communication sessions between a first station and a second station where each station has cryptographic apparatus provided with an operational key for cryptographic operations, a process for operational key verification comprising the steps of:
providing a first verification number at said first station having a first portion and a second portion, modifying said first portion of said first verification number to provide a modified first verification number, enciphering said modified first verification number under control of said operational key at said first station for transmission to said second station, deciphering said enciphered modified first verification number under control of said operational key at said second station to provide a second verification number, providing a third verification number at said second station having a first portion and a second portion equal to said first portion and said second portion of said first verification number, comparing said second portion of said second verification number with said second portion of said third verification number at said second station to verify that said first station is the source of the cipher transmission to said second station only if said operational key at said first station is identical to said operational key at said second station, modifying said second verification number at said second station to provide a modified second verification number, .
enciphering said modified second verification number under control of said operational key at said second station for transmission to said first station, and performing an operation at said first station in accordance with said first verification number and said enciphered modified second verification number to verify that said second station is the source of the cipher transmission to said first station only if said operational key at said first station is identical to said operational key at said second station.